This report presents the results of our audit of the Federal Deposit Insurance Corporation (FDIC) Division of Supervision and Consumer Protection's (DSC) process for risk-focused compliance examinations of FDIC-supervised institutions. The overall audit objective was to determine whether DSC's risk-focused compliance examination process results in examinations that are adequately planned and effective in assessing financial institution compliance with consumer protection laws and regulations. Specifically, we determined whether DSC examiners are adequately risk-scoping compliance examinations, conducting appropriate levels of transaction testing, and making sound risk-scoping decisions in relying on the work of the financial institutions' internal or external compliance review functions. Appendix I of this report discusses our objective, scope, and methodology in detail.
The FDIC is responsible for evaluating FDIC-supervised financial institutions' compliance with federal consumer protection laws and regulations, including institutional performance under the Community Reinvestment Act (CRA). To evaluate compliance, the FDIC conducts examinations of institutional practices regarding fair lending, privacy, and other consumer protection laws. During the compliance examination, examiners must ensure that institutions have adequately addressed all areas related to the rules and regulations listed in Table 1 on the following page.
Table 1: Consumer Protection Laws and Regulations
Noncompliance with these laws and regulations by financial institutions can result in civil liability and negative publicity as well as the FDIC's imposition of formal or informal supervisory corrective actions to correct the identified violations. Some consumer protection laws and regulations require financial institutions to provide consumers with information intended to help in making informed decisions about financial services and products. As part of the compliance examination process, the FDIC reviews the information and disclosures that are provided to consumers by FDIC-supervised institutions in accordance with consumer protection laws and regulations. Also, DSC considers an institution's compliance with fair lending, privacy, and other consumer protection laws and its performance under the CRA when reviewing an institution's application for entry into or expansion within the insured depository institution system. During the 2-year period from July 1, 2003 through June 30, 2005, DSC conducted 4,153 compliance and CRA examinations.
In June 2003, DSC revised its program for examining institutions for compliance with consumer protection laws and regulations. Under the Revised Compliance Examination Procedures (Transmittal No. 2003-021, dated June 6, 2003), DSC compliance examinations combined a risk-based examination process with an in-depth evaluation of an institution's compliance management system (CMS),[1] resulting in a top-down, risk-focused approach to examinations. The risk-focused approach is intended to make the examination process more effective and efficient and reduce the examination burden on banks. The risk-focused approach also helps examiners in determining the depth of review of each functional area and improves the consistency of analysis across regional and field offices. The risk-focused approach recognizes that the banking industry's compliance responsibilities continue to grow and become more complex with changes in financial products and services. Moreover, the focus on an institution's compliance program places emphasis on the institution's responsibility to ensure it complies with consumer protection laws.
Effective June 30, 2004, DSC made additional modifications to the examination procedures as they relate to the contents of the Report of Examination and the risk-focused planning documents: the Risk Profile and Scope Memorandum (RPSM) and the Compliance Information and Document Request (CIDR). Appendix II provides a detailed description of these modifications.
Compliance examinations are conducted every 12 to 36 months, depending on an institution's size and the compliance and CRA ratings assigned at the most recent examination.[2] Each compliance regulation and law is not reviewed at every compliance examination. If no transaction testing in a particular regulatory area has been conducted in the previous examination, a spot check should be conducted at the current examination, even if there are no risk indicators.[3] For reporting purposes, the risk-focused examination approach combines the results of the CRA evaluation and the compliance examination into one report when CRA performance is evaluated at alternate examinations. The single report focuses on an institution's CMS and includes only significant violations. (Appendix III provides the significant violations found during the compliance examinations for the banks in our sample.) Examiners identify other violations separately to bank management, and they are tracked by the FDIC.
RESULTS OF AUDIT
We found that DSC examiners generally complied with the policies and procedures related to risk-scoping compliance examinations and that the RPSMs prepared by examiners provided an adequate basis for planned examination coverage. The examiners reviewed bank policies, procedures, disclosures, and forms for compliance with consumer protection laws and regulations for each examination we reviewed and planned for transaction testing or spot checks in all compliance areas over the course of two consecutive examinations, a period of 2 to 6 years, depending on an institution's size and ratings.
However, we found that examination documentation did not always show the transaction testing or spot checks conducted during the on-site portion of the examinations, including testing to ensure the reliability of the institutions' compliance review functions. Also, examiners did not always document whether the examination had reviewed all the compliance areas in the planned scope of review. As a result, DSC cannot assure that the extent of testing was appropriate except for those areas in which examiners had identified violations and included them in Reports of Examination. Table 2 on the next page shows the components of a risk-focused compliance examination and our related audit results.
Table 2: Audit Results on Risk-focused Compliance Examinations
DOCUMENTATION OF ON-SITE TESTING PERFORMED DURING COMPLIANCE EXAMINATIONS
Examiners did not adequately document the scope of the work performed during the on-site portion of the compliance examinations. Specifically, for the examinations we reviewed, examination workpapers did not always contain sufficient information to identify examiner transaction testing or spot checks conducted during the on-site portion of examinations or whether the examination reviewed all areas in the planned scope of review. Documentation is lacking because examiners did not comply with DSC policy that requires that they document their work. As a result, DSC cannot assure that the extent of testing was appropriate for assessing institutional compliance with regulations except for those areas in which examiners had identified violations and included them in Reports of Examination.
Documenting Compliance Examination Findings and Transaction Testing
DSC's June 2003 Revised Compliance Examination (Transmittal No. 2003-021, dated June 6, 2003) section entitled, Documenting Examination Findings, states that examination documentation should demonstrate a clear trail of decisions and supporting logic within a specified area. Documentation should provide a written record of the examiner's decisions and analysis and provide support for facts or opinions in the Report of Examination. A well-constructed examination documentation file provides sufficient information to reconstruct the examiner's decision process for each step of the examination. The information should provide support for the examiner's decision to include or exclude a regulation or area of review from the scope of the examination and for significant findings. Additionally, examiners should conduct on-site transaction testing for the operational areas included in the scope of the review.[4] The number of transactions and the particular regulatory requirements to be reviewed should be carefully tailored to weaknesses identified in the CMS as it relates to specific operational areas. In addition, the revised procedures instruct examiners to prepare an examiner summary workpaper for each regulation or area reviewed. This summary, in conjunction with the RPSM, should allow subsequent examiners to clearly identify the scope of work performed and the basis for the examiner's conclusion.
DSC's Compliance Examination Manual, Appendix H, entitled, Sampling Guidelines for Compliance and CRA, instructs examiners to use judgment in determining the number of loans to be reviewed, depending upon specific circumstances. In addition, not all loan types or characteristics must be sampled at each examination; however, "emphasis should be placed on those types of loans that evidenced concerns in the past and those that could result in reimbursable violations." The policy also states that (1) statistical sampling is the preferred method and should be used to the greatest extent possible; (2) the examiner should clearly document in the workpapers the sampling method utilized, loan universe and sample size(s), and sampling results; and (3) examiners should select independent loan samples for the compliance, CRA, and fair lending portions of the examination.
In June 2004, DSC issued Updated Compliance Examination Procedures, Transmittal No. 2004-032, effective June 30, 2004. According to the June 2004 procedures, the RPSM will be used solely for pre-examination planning. Examiners should no longer update the RPSM to reflect changes in the examination scope or to duplicate findings contained in the Report of Examination. However, examination workpapers need to reflect any material changes in scope and the support for those changes. Material increases or reductions in the examination scope must also be noted in examination workpapers.
Documenting Reviews of Institutions' Compliance Review Functions
The Updated Compliance Examination Procedures require examiners to conduct documentation reviews and to interview management regarding the assessment of a bank's compliance review functions. The procedures provide a list of questions for the interview and a list of documents that should be reviewed. Based on the interviews and materials reviewed, examiners are to develop and document a preliminary assessment of the institution's performance related to compliance reviews and determine whether the institution's compliance review function is generally strong, adequate, or weak and the assumptions on which the assessment is based. This determination is initially made off-site by an examiner and is based on the examiner's assessment of the scope and frequency of the institution's compliance reviews, the adequacy of written compliance reports, board of director and senior management responses to those reports, and the institution's follow-up procedures to verify that the corrective actions were lasting and effective. In addition, the section of the Compliance Examination Manual entitled, Transaction Sampling and Testing, states that depending on the importance of a component, the examiner may find it appropriate to spot check a few transactions to show support for a favorable conclusion by the compliance review function. If no transaction testing in a particular regulatory area has been done in the previous examination, then spot checks should be done at the current examination, even if there are no risk indicators. If testing is not considered necessary to support conclusions about an element of the CMS or with respect to a particular operational area, examiners should retain appropriate documentation in the workpapers and include comments in the RPSM and/or the compliance examination report to support this conclusion.
Examiner Documentation of On-site Transaction Testing and Spot Checks
Our review of compliance examination workpapers showed that for 20 of the 36 examinations we reviewed, examiners had not documented the extent of transaction testing or spot checks they performed during the on-site portion of the examination. Some of the Reports of Examination contained comments related to the transaction testing and spot checks conducted. However, the comments related only to areas of violations identified during the examination and did not address the entire scope of the examination. As a result, we could not determine whether all areas included in the planned examination scope had been reviewed or to what extent examiners tested or spot checked transactions unless examiners had identified violations in compliance areas in the Report of Examination.
As a result of the lack of documentation to support on-site transaction testing and spot checks conducted during compliance examinations, DSC cannot assure that the extent of testing was appropriate except for those areas in which examiners identified violations and included them in Reports of Examination. In addition, the lack of examination documentation can affect subsequent examinations in that it will be more difficult for examiners to decide the appropriate scope of those examinations. DSC management plans to reassess the revised compliance examination procedures in relation to using the RPSM solely for pre-examination planning.
We recommend that the Director, DSC, clarify and reinforce requirements that examiners adequately document the scope of the work performed, including transaction testing and spot checks of the reliability of the institutions' compliance review functions, during the on-site portion of compliance examinations.
CORPORATION COMMENTS AND OIG EVALUATION
On September 16, 2005, the Acting Director, DSC, provided a written response to the draft report. The response is presented in Appendix IV of this report. We did not include the attachments to DSC's response in Appendix IV, which were excerpts from Regional Director Memorandum No. 2005-035, DSC's June 2003 Revised Compliance Examination, dated August 18, 2005. DSC concurred with the recommendation, stating that guidance had been issued related to:
This guidance was distributed to all DSC staff on August 31, 2005.
OIG Evaluation: We determined that the agreed-to corrective action has been completed and is effective. This recommendation is resolved, dispositioned, and closed.
Appendix V contains a summary of management's response to the recommendation and the status of the recommendation as of the date of this report.
The overall objective of this audit was to determine whether DSC's risk-focused compliance examination process results in examinations that are adequately planned and effective in assessing financial institution compliance with consumer protection laws and regulations. Specifically, we determined whether DSC examiners are adequately risk-scoping compliance examinations, conducting appropriate levels of transaction testing, and making sound risk-scoping decisions when relying on the work of the financial institutions' internal or external compliance review functions. We performed our audit from October 2004 through August 2005 in accordance with generally accepted government auditing standards.
Scope and Methodology
The scope of the audit was limited to a review of banks examined under the revised DSC risk-focused compliance examination policies and procedures in the Revised Compliance Examination Procedure, dated June 30, 2004. To accomplish our objective, we reviewed the most current and the prior compliance examination reports and corresponding examination workpaper files, policies, and procedures related to the compliance review function, prior OIG audit reports and DSC Internal Review reports, laws and regulations, and management tracking reports for each examination. We also interviewed DSC management officials and staff at FDIC headquarters and three regional offices.
The judgmental sample included 36 FDIC-supervised banks for which compliance examinations had been conducted from August 2003 through November 2004 at 3 FDIC regional offices. Our sample included 14 "1" rated banks, 14 "2" rated banks, and 8 "3" rated banks.[5] The asset sizes of the banks ranged from $8.5 million to $1.2 billion. The compliance examinations in our sample resulted in 11 banks whose compliance ratings were downgraded, 7 banks whose ratings were upgraded, and 18 banks whose ratings remained the same. Of the 36 banks, 8 had corrective supervisory actions imposed on them as a result of the compliance examinations: 2 banks were issued Memorandums of Understanding, and 6 banks were encouraged to adopt Bank Board Resolutions.[6] The eight banks had a compliance examination rating of "3."
Pertinent Laws and Regulations
Compliance examinations are the primary means the FDIC uses to determine whether a financial institution is meeting its responsibilities to comply with the requirements of federal consumer laws and regulations. DSC has established policies and procedures for risk-focused compliance examinations in the FDIC Compliance Examination Manual. For the banks in our sample, the procedures generally were followed, although examination workpapers did not always contain sufficient information to identify examiner transaction testing or spot checks conducted during the on-site portion of examinations or whether the examination reviewed all areas in the planned scope of review. Our review did not find any instances of FDIC noncompliance with pertinent laws and regulations.
Reliance on Computer-based Data, Government Performance and Results Act, Fraud and Illegal Acts, and Internal Control
Validity and Reliability of Data from Computer-based Systems
We used computer-based data for background information and in generating a universe of examinations from which to select our sample. We reviewed examination records that supported data from the DSC System of Uniform Reporting of Compliance and CRA Examinations (SOURCE)[7] and the Scheduling, Hours, and Reporting Package (SHARP)[8] reporting systems to determine the accuracy of data used during the audit. The SOURCE system is used to: (a) generate examination schedules that support workload projections by incorporating quarterly planning and benchmark hours, (b) capture examination summary information, (c) store examination documents for divisional sharing and historical reference, and (d) support legislatively mandated reporting. The SHARP system is an hours-based tracking system that provides uniformity in collecting examination hours information. Based on our review, we found that the SHARP system does not provide detailed information on work conducted by examiners. Also, the SHARP system does not have time codes for all of the regulations reviewed during compliance examinations. According to our discussions with DSC staff, SHARP is not used to track or monitor examination coverage of regulations; the system is more useful for field office management.
In fulfilling its primary supervisory responsibilities, the FDIC pursues two strategic goals: FDIC-supervised institutions are safe and sound and consumers' rights are protected, and FDIC-supervised institutions invest in their communities.[9]
Two strategic objectives support the consumer rights strategic goals. The first strategic objective is that consumers have access to easily understood information about their rights and the disclosures due them under consumer protection and fair lending laws. The FDIC's annual performance goals related to this objective are:
The second strategic objective is that FDIC-supervised institutions comply with consumer protection, CRA, and fair lending laws. The FDIC's annual performance goals related to this objective are:
None of the strategic goals, strategic objectives, or performance goals related directly to the objectives of our audit.
Fraud and Illegal Acts
Our audit program did include steps for providing reasonable assurance of detecting fraud or illegal acts. We did not identify any illegal acts or abuse or potential areas susceptible to illegal acts or abuse.
Internal Controls Reviewed
During the audit, we gained an understanding of relevant control activities related to compliance examinations by examining DSC policies and procedures as presented in DSC's Compliance Examination Manual and Regional Directors Memoranda. We identified DSC's internal controls related to the risk-focused examination process for compliance examinations. Specifically, we reviewed the systems used for measuring, monitoring, and reporting program performance; compliance with laws, regulations, policies, and procedures; and the reliability of computer-based data. We also reviewed the results of DSC Internal Control Reviews related to compliance examinations. We identified documentation weaknesses related to the on-site portion of compliance examinations as discussed in the finding section of this report.
Summary of Prior Audit Coverage
On March 26, 2002, the OIG issued Audit Report 02-009, Division of Compliance and Consumer Affairs' Risk-Scoping Process for Fair Lending Examinations, on the fair lending examination risk-scoping process as conducted by the Division of Compliance and Consumer Affairs (DCA).[10] The objective of the audit was to assess: (1) the adequacy of the Federal Financial Institutions Examination Council (FFIEC) Interagency Fair Lending Examination Procedures for the FDIC's pre-examination planning for fair lending examinations of small banks, (2) the FDIC's implementation of the FFIEC interagency procedures as they relate to identifying fair lending risks during the off-site pre-examination planning phase of the fair lending reviews, and (3) the related DCA internal controls. The 2002 audit focused on the FDIC's application of the FFIEC Interagency Fair Lending Procedures and did not directly relate to the scope of our audit.
Effective June 30, 2003, DSC implemented revised procedures to enhance the FDIC's compliance examination process by focusing increased attention on an institution's compliance management system. As noted in the DSC Memorandum entitled, Revised Compliance Examination Procedures, Transmittal No. 2003-021, dated June 6, 2003, the revised procedures combined the risk-based examination process with an in-depth evaluation of an institution's CMS. Examiners were required to evaluate how well an institution's compliance responsibilities are administered and managed, consistent with the level and complexity of its operations. The purpose of this approach was to allow examiners to devote more attention to those institutions requiring additional supervisory attention to help improve weak compliance functions and reduce the risks of future noncompliance. The new procedures did not change existing fair lending examination procedures or CRA performance evaluations. According to the revised procedures, all financial institutions would benefit from a comprehensive assessment of compliance management systems. The examiner's identification of root causes of compliance management deficiencies and regulatory violations would serve as a blueprint for helping institution management improve its operations. Moreover, the revised compliance examination procedures would elevate the importance of comprehensive compliance risk management by institutions of all sizes.
Effective June 30, 2004, DSC updated the compliance examination procedures. As noted in the DSC Memorandum entitled, Updated Compliance Examination Procedures, Transmittal No. 2004-032, dated June 30, 2004, modifications to the examination procedures were centered in three distinct components of the compliance examination program: Report of Examination comments, the RPSM, and the CIDR.
Significant violations found during the compliance examinations for the 36 banks in our sample are identified below. Significant violations are defined as deficiencies that may adversely impact the financial institution. We found that 75.6 percent of the total significant violations related to seven regulations: Truth in Lending, Equal Credit Opportunity, Real Estate Settlement Procedures Act, Truth in Savings, Home Mortgage Disclosure Act, Flood Insurance, and Expedited Funds Availability. The scope of this audit did not include a detailed review of the significant violations; however, we plan to include an audit of supervisory actions taken for compliance-related violations in our Fiscal Year 2006 Assignment Plan.
This table presents the management response on the recommendation in our report and the status of the recommendation as of the date of report issuance.
b. Dispositioned: The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the recommendation.
c. Once the OIG dispositions the recommendation, it can then be closed.