Appendix A: Compliance Risk Indicators
Board and Management Oversight
Board and management oversight factors should be evaluated commensurate with the credit union’s size, complexity, and risk profile. Compliance expectations below extend to third-party relationships.
Factor | Low | Moderate | High |
---|---|---|---|
Oversight and Commitment | Board and management fully understand all aspects of compliance risk and exhibit a clear commitment to compliance. Commitment is communicated throughout the credit union. Board and management demonstrate strong commitment and oversight to the credit union’s compliance management system. Significant compliance resources are provided, including systems, capital, and human resources. Staff is knowledgeable, empowered and held accountable for compliance with consumer laws and regulations. Management conducts comprehensive and ongoing due diligence and oversight of third parties consistent with NCUA expectations to ensure that the credit union complies with consumer protection laws and regulations. Where appropriate, the credit union exercises strong oversight of third parties’ policies, procedures, internal controls and training to ensure consistent oversight of compliance responsibilities. | Board and management reasonably understand the key aspects of compliance risk. Commitment to compliance is reasonable and satisfactorily communicated. Board and management provide satisfactory oversight of the credit union’s compliance management system. Compliance resources are adequate and staff is generally able to ensure the credit union is in compliance with consumer laws and regulations. Management conducts adequate and ongoing due diligence and oversight of third parties to ensure that the credit union complies with consumer protection laws and regulations. They adequately oversee third parties’ policies, procedures, internal controls, and training to ensure appropriate oversight of compliance responsibilities. | Board and management do not understand, or have chosen to ignore, key aspects of compliance risk. The importance of compliance is not emphasized or communicated throughout the organization. Management has not established or enforced accountability for compliance performance. Board and management oversight, resources, and attention to the credit union’s compliance management system are deficient or non-existent. Compliance resources are inadequate or seriously deficient and are ineffective at ensuring the credit union’s compliance with consumer laws and regulations. Management does not adequately conduct due diligence and oversight of third parties to ensure that the credit union complies with consumer protection laws and regulations, nor do they adequately oversee third parties’ policies, procedures, internal controls, and training to ensure appropriate oversight of compliance responsibilities. |
Change Management | Management anticipates and responds promptly to changes in applicable laws and regulations, market conditions and products and services offered by evaluating the change and implementing responses across impacted lines of business. Management conducts due diligence in advance of product changes, considers the life cycle of a product before implementing the change, and reviews the change after implementation to determine whether actions taken have achieved planned results. | Management responds timely and adequately to changes in applicable laws and regulations, market conditions, and products and services offered by evaluating the change and implementing responses across impacted lines of business. Management evaluates product changes before and after implementing the change. | Management does not respond adequately or timely or fails to respond to changes in applicable laws and regulations, market conditions, and products and services offered. |
Comprehension, Identification and Management of Risk | The credit union has a strong control culture that has proven effective. Compliance management systems are sound and minimize the likelihood of excessive or serious future violations. Management has a good understanding and effectively identifies compliance risks, including emerging risks, in the credit union’s products, services, and other activities. Management effectively manages those risks, including through comprehensive self-assessments. | Compliance management systems are adequate to avoid significant or frequent violations or noncompliance. Management understands and adequately identifies compliance risks, including emerging risks, in the credit union’s products, services, and other activities. Management adequately manages those risks including through self-assessments. | Compliance management systems are deficient, reflecting an inadequate commitment to risk management. Management does not understand or identify compliance risks, including emerging risks, in the credit union’s products, services, and other activities. |
Corrective Action and Self-Identification | Management proactively identifies issues and promptly responds to compliance risk management deficiencies and any violations of laws or regulations, including taking corrective action. | Management adequately responds to and corrects deficiencies and/or violations, including adequate corrective action, in the normal course of business. | Management does not adequately respond to compliance deficiencies and violations including those related to corrective action, or those responses, including those relating to examination findings that are seriously deficient. |
Compliance Program
Compliance Program factors should be evaluated commensurate with the credit union’s size, complexity, and risk profile. Compliance expectations below extend to third-party relationships.
Factor | Low | Moderate | High |
---|---|---|---|
Policies and Procedures | Compliance policies and procedures and third-party relationship management programs are strong, comprehensive, and provide standards to effectively manage compliance risk in the products, services, and activities of the credit union. | Compliance policies and procedures and third-party relationship management programs are adequate to manage the compliance risk in the products, services, and activities of the credit union. | Compliance policies and procedures and third-party relationship management programs are inadequate (or absent) at managing the compliance risk in the products, services and activities of the credit union. |
Training | Compliance training is comprehensive, timely, and specifically tailored to the particular responsibilities of the staff receiving it, including those responsible for product development, marketing, and customer service. The compliance training program is updated proactively in advance of the introduction of new products or new consumer protection laws and regulations to ensure that all staff are aware of compliance responsibilities before roll out. | Compliance training outlining staff responsibilities is adequate and provided timely to appropriate staff. The compliance training program is updated to encompass new products and to comply with changes to consumer protection laws and regulations. | Compliance training is not adequately comprehensive, timely, updated, or appropriately tailored to the particular responsibilities of the staff. Compliance training may be seriously deficient or absent. |
Monitoring and/or Audit | Compliance monitoring practices, management information systems, reporting, compliance audit, and internal control systems are comprehensive, timely, and successful at identifying and measuring material compliance risk management throughout the credit union. Programs are monitored proactively to identify procedural or training weaknesses to preclude regulatory violations. Program modifications are made expeditiously to minimize compliance risk. | Compliance monitoring practices, management information systems, reporting, compliance audit, and internal control systems adequately address compliance risks throughout the credit union. | Compliance monitoring practices, management information systems, reporting, compliance audit, and internal control systems are absent or do not adequately address risks involving products, services or other activities, including timing and scope. |
Consumer Complaint Response | Processes and procedures for addressing consumer complaints are strong. Consumer complaint investigations and responses are prompt and thorough. Management monitors consumer complaints to identify risks of potential consumer harm, program deficiencies, and customer service issues and takes appropriate action. | Processes and procedures for addressing consumer complaints are adequate. Consumer complaint investigations and responses are generally prompt and thorough. Management adequately monitors consumer complaints and responds to issues identified. | Processes and procedures for addressing consumer complaints are deficient, absent, or inadequate. Consumer complaint investigations and responses are not thorough or timely, or are deficient, or absent. Management does not adequately monitor consumer complaints, monitoring is seriously deficient, or management exhibits a disregard for complaints or preventing consumer harm. |
Violations of Law and Consumer Harm
Factor | Low | Moderate | High |
---|---|---|---|
Root Cause | Violations are the result of minor weaknesses, if any, in the compliance risk management system. | Violations are the result of modest weaknesses in the compliance risk management system. | Violations are the result of material weaknesses, or serious or critical deficiencies in the compliance risk management system. |
Severity | Type of consumer harm, if any, resulting from the violations would have minimal impact on consumers. | Type of consumer harm resulting from the violations would have limited impact on consumers. | Type of consumer harm resulting from the violations would have considerable or serious impact on consumers. |
Duration | Violations and resulting consumer harm, if any, occurred over a brief period of time. | Violations and resulting consumer harm, if any, occurred over a limited period of time. | Violations and resulting consumer harm, if any, occurred over an extended period of time, or have been long-standing or repeated. |
Pervasiveness | Violations and resulting consumer harm, if any, are isolated in number. | Violations and resulting consumer harm, if any, are limited in number. | Violations and resulting consumer harm, if any, are numerous, or widespread in multiple products or services. |