| Risk-focused Compliance Examination Component | Component Description | Results of Audit |
|---|---|---|
| Off-site CMS Review | In preparing for a compliance examination, examiners send each bank a Compliance Information and Document Request that provides examiners with sufficient information to begin an off-site evaluation of an institution’s compliance management system. At this point, emphasis is placed on reviews of written practices, policies, and procedures; bank forms and disclosures; and bank audit data. This off-site review provides the initial assessment of the quality of an institution’s CMS in light of the risks associated with the level and complexity of the institution’s business operations and product and service offerings. | Examiners generally complied with policies and procedures related to risk-scoping compliance examinations, in that: (1) justification for the extent of the work to be conducted for each compliance area was provided in the RPSMs, (2) a justification for areas not tested during the examination was documented, (3) areas not tested at the previous examination were included in the current examination scope for transaction testing or spot checks, and (4) areas for which violations had been found at previous compliance examinations were included in the scope of the current examination for transaction testing or spot checks. |
| Development of the RPSM | The results of the off-site assessment of the CMS, to include the proposed on-site testing plan, are documented in the RPSM. The RPSM is designed to assess the CMS, operational areas, and issues to be investigated or targeted. In addition, the RPSM contains the Risk Profile Matrix, which summarizes perceived risk in each of the CMS elements regarding major operational areas. Examiners use the matrix to develop a compliance risk profile for an institution, using various sources of information about the institution’s business lines, organizational structure, operations, and past supervisory performance. | Examiners generally complied with risk-scoping documentation requirements, as follows: (1) requirements for preparing the RPSM were met for the banks in our sample; and (2) the RPSMs provided an adequate analysis of the bank’s CMS and were broad enough to provide an understanding of the organizational structure of an institution, its related activities, and compliance risks associated with each of the institution’s activities. In addition, the use of RPSMs as a planning tool provides examiners an adequate method for making an initial off-site assessment of whether the institutions’ management and board of directors identify, understand, and adequately control the compliance risks facing the financial institution. |
| On-site Transaction Testing and Spot Checks | During the on-site portion of the risk-focused compliance examination, examiners determine actual bank practice through extensive discussions with bank management and staff, reviews of relevant documents, and testing of selected bank transactions. The extent of transaction testing and spot checks is based on the examiner’s assessment of the institution’s compliance risk profile, such as whether an operational area is determined to be high risk or the institution’s compliance management efforts appear weak. | There is insufficient evidence in examination workpapers or reports for DSC to assure that the extent of on-site transaction testing and spot checks was appropriate. Compliance examination workpapers were not always maintained in a manner that ensures the work performed during the on-site portion of the review is adequately documented, including transaction testing and spot checks to ensure the reliability of the institution’s compliance review function. Also, examiners did not always document whether the examination reviewed all the compliance areas in the planned scope of review. |