Evaluating Compliance Risk - Updated Compliance Risk Indicators

This supervisory letter provides an updated list of Compliance Risk Indicators (see Appendix A) that are a part of NCUA’s Risk-Focused Examination program. Also enclosed is the updated AIRES questionnaire for Compliance Risk.¹ The guidance in this document applies whenever field staff evaluates compliance risk in a federally insured credit union. Field staff will begin using the updated list of Compliance Risk Indicators for any supervisory evaluations of Compliance Risk started on or after March 31, 2017.²

The updated list of Compliance Risk Indicators builds upon the current set of indicators and provides additional guidance for field staff in assigning the compliance risk rating – one of the existing seven risk categories in the Risk-Focused Examination program. The update reflects transformations in technology, business models, and members’ banking habits since the list of Compliance Risk Indicators were originally developed in 2002. The update results in a more comprehensive, integrated and transparent framework in evaluating a credit union’s ability to manage its risk of violations and non-compliance with applicable laws and regulations.

The updated list of Compliance Risk Indicators does not create a new compliance rating, does not separate consumer compliance from overall compliance, and does not impose any new or higher supervisory expectations for credit unions.

Exam Procedures

NCUA’s assessment of compliance risk encompasses all of the federal consumer financial protection laws and regulations NCUA enforces, as well as other relevant laws and regulations that govern the operation of credit unions, such as the Bank Secrecy Act, the Flood Disaster Protection Act, and the SAFE Act. Field staff will continue to reflect their conclusion about a credit union’s compliance risk, and management of that risk, in the compliance risk rating,³ the Management CAMEL component rating, and the CAMEL composite rating as appropriate.⁴

NCUA’s approach to examining a credit union’s compliance with applicable laws and regulations remains risk-focused with appropriate consideration given to a credit union’s size, complexity, and risk profile. Field staff will draw on their professional judgment to target their efforts to the areas of greatest existing and potential risk. Field staff’s supervisory evaluation will typically focus primarily on evaluating the sufficiency of a credit union’s overall approach to managing compliance risk– also referred to as a compliance management system. As reflected in the updated Indicators, compliance risk is best managed by an institution when its compliance management systems are proactive; that is, they promote self-identification and self-correction of any identified compliance deficiencies.

Field staff’s evaluation will also routinely include specific and/or in-depth reviews of some areas of special emphasis based on statutory requirements,⁵ changes to laws or regulations, broad trends, or institution specific risk factors.⁶ The supervisory evaluation of compliance need not, and typically does not, include specific or in-depth evaluations of compliance with all applicable laws and regulations or extensive transaction testing.

The updated framework incorporates and adds detail to the current Compliance Risk Indicators to aid field staff in evaluating compliance risk. The updated Compliance Risk Indicators framework has three broad categories: Board and Management Oversight; Compliance Programs; and Violations of Law and Consumer Harm. Each category has several factors, (briefly summarized below). Field staff will assess the first two with consideration given to a credit union’s size, complexity, and risk profile. In particular, field staff will consider:

1. Board and Management Oversight
   • Commitment to the credit union’s compliance management system.
   • Effectiveness of change management processes.
   • Risk management associated with products, services, and activities.
   • Self-identification efforts and corrective actions taken.
2. Compliance Program
   • The effectiveness of a credit union’s compliance management system.
   • Policies and procedures, training, monitoring and audit programs, and complaint resolution.
3. Violations of Law and Consumer Harm (if applicable)
   • Pervasiveness of the violation.
   • Root cause of the violation.
   • Severity of the violation or any consumer harm.
   • Duration of the violation.

In assigning a Compliance Risk rating, field staff consider the totality of the Compliance Risk Indicators. Any single or small subset of Compliance Risk Indicators is not necessarily determinative of the existence of lower or higher risk. An effective risk assessment is a composite of multiple factors. Depending upon the circumstances, certain factors - such as the quality of the credit union’s overall approach to compliance management, or the existence of pervasive or severe violations - may be weighted more heavily than others.

See Appendix A for the full chart of Compliance Risk Indicators.

If you have any questions on the material in this letter, please direct them to your immediate supervisor or regional management.

Sincerely,

/s/

Larry Fazio
Director
Office of Examination & Insurance