Division of Supervision and Consumer Protection's
Risk-Focused Compliance Examination Process

September 2005
Report No. 05-038

AUDIT REPORT

FDIC OIG, Office of Audits

Background and Purpose of Audit


The FDIC is responsible for evaluating financial institution compliance with consumer protection laws and regulations. To evaluate compliance, the FDIC conducts examinations of institutions' compliance practices. In June 2003, the FDIC's Division of Supervision and Consumer Protection (DSC) revised its program for examining institutional compliance with consumer protection laws and regulations. Under the new program, DSC compliance examinations combine a risk-based examination process with an in-depth evaluation of an institution's compliance management system, resulting in a top-down, risk-focused approach to examinations.

The overall audit objective was to determine whether DSC's risk-focused compliance examination program results in examinations that are adequately planned and effective in assessing financial institution compliance with consumer protection laws and regulations.



Results of Audit


We found that DSC examiners generally complied with the policies and procedures related to risk-scoping compliance examinations and that the Risk Profile and Scoping Memorandums prepared by examiners provided an adequate basis for planned examination coverage. The examiners reviewed bank policies, procedures, disclosures, and forms for compliance with consumer protection laws and regulations for each examination we reviewed and planned for transaction testing or spot checks in all compliance areas over the course of two consecutive examinations – a period of 2 to 6 years, depending on an institution's size and ratings. Additionally, examiners conducted transaction testing or spot checks in those areas for which violations had been found at previous compliance examinations.

However, we found that examination documentation did not always show the transaction testing or spot checks conducted during the on-site portion of the examinations, including testing to ensure the reliability of the institutions' compliance review functions. Examiners also did not always document whether the examination reviewed all the compliance areas in the planned scope of review. As a result, DSC cannot assure that the extent of testing was appropriate except for those areas in which examiners had identified violations and included them in Reports of Examination.

Recommendation and Management Response

We recommended that DSC clarify and reinforce requirements that examiners adequately document the scope of the work performed, including transaction testing and spot checks of the reliability of the institutions' compliance review functions, during the on-site portions of compliance examinations. FDIC management agreed with the recommendation and has taken corrective action.





TABLE OF CONTENTS

BACKGROUND
RESULTS OF AUDIT
DOCUMENTATION OF ON-SITE TESTING PERFORMED DURING COMPLIANCE EXAMINATIONS
   Documenting Compliance Examination Findings and Transaction Testing
   Documenting Reviews of Institutions' Compliance Review Functions
   Examiner Documentation of On-site Transaction Testing and Spot Checks
   Recommendation
CORPORATION COMMENTS AND OIG EVALUATION
APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX II: RISK-FOCUSED COMPLIANCE EXAMINATION GUIDELINES
APPENDIX III: SIGNIFICANT VIOLATIONS CONTAINED IN THE REPORTS OF EXAMINATION FOR THE SAMPLE BANKS
APPENDIX IV: CORPORATION COMMENTS
APPENDIX V: MANAGEMENT RESPONSE TO RECOMMENDATION
TABLES
Table 1: Consumer Protection Laws and Regulations
Table 2: Audit Results on Risk-focused Compliance Examinations




DATE: September 23, 2005

MEMORANDUM TO: Christopher J. Spoth, Acting Director
Division of Supervision and Consumer Protection

FROM: Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
Assistant Inspector General for Audits

SUBJECT: Division of Supervision and Consumer Protection's Risk-Focused
Compliance Examination Process

(Report No. 05-038)

This report presents the results of our audit of the Federal Deposit Insurance Corporation (FDIC) Division of Supervision and Consumer Protection's (DSC) process for risk-focused compliance examinations of FDIC-supervised institutions. The overall audit objective was to determine whether DSC's risk-focused compliance examination process results in examinations that are adequately planned and effective in assessing financial institution compliance with consumer protection laws and regulations. Specifically, we determined whether DSC examiners are adequately risk-scoping compliance examinations, conducting appropriate levels of transaction testing, and making sound risk-scoping decisions in relying on the work of the financial institutions' internal or external compliance review functions. Appendix I of this report discusses our objective, scope, and methodology in detail.

BACKGROUND

The FDIC is responsible for evaluating FDIC-supervised financial institutions' compliance with federal consumer protection laws and regulations, including institutional performance under the Community Reinvestment Act (CRA). To evaluate compliance, the FDIC conducts examinations of institutional practices regarding fair lending, privacy, and other consumer protection laws. During the compliance examination, examiners must ensure that institutions have adequately addressed all areas related to the rules and regulations listed in Table 1 on the following page.

Table 1: Consumer Protection Laws and Regulations
Lending Specialty
Truth in Lending
Equal Credit Opportunity Act
Flood Insurance
Real Estate Settlement Procedures Act
Fair Credit Reporting
Credit Practices Rule
Fair Housing Act
Homeownership Counseling
Homeowners Protection Act
Home Mortgage Disclosure Act
Preservation of Consumer Claims and Defenses
Consumer Leasing
Community Reinvestment Act Technical Requirements
Advertising of Membership
Branch Closings
Right to Financial Privacy
Privacy of Consumer Financial Information
Non-Deposit Products
Electronic Banking
Fair Debt Collection Practices
Interstate Banking & Branching Efficiency Act
Children's Online Privacy Protection Act
Deposit

        Electronic Funds Transfer
        Truth in Savings
        Expedited Funds Availability
        Interest on Deposits

Source: DSC Compliance Examination Manual.

Noncompliance with these laws and regulations by financial institutions can result in civil liability and negative publicity as well as the FDIC's imposition of formal or informal supervisory corrective actions to correct the identified violations. Some consumer protection laws and regulations require financial institutions to provide consumers with information intended to help in making informed decisions about financial services and products. As part of the compliance examination process, the FDIC reviews the information and disclosures that are provided to consumers by FDIC-supervised institutions in accordance with consumer protection laws and regulations. Also, DSC considers an institution's compliance with fair lending, privacy, and other consumer protection laws and its performance under the CRA when reviewing an institution's application for entry into or expansion within the insured depository institution system. During the 2-year period from July 1, 2003 through June 30, 2005, DSC conducted 4,153 compliance and CRA examinations.

In June 2003, DSC revised its program for examining institutions for compliance with consumer protection laws and regulations. Under the Revised Compliance Examination Procedures (Transmittal No. 2003-021, dated June 6, 2003), DSC compliance examinations combined a risk-based examination process with an in-depth evaluation of an institution's compliance management system (CMS),[ 1 ] resulting in a top-down, risk-focused approach to examinations. The risk-focused approach is intended to make the examination process more effective and efficient and reduce the examination burden on banks. The risk-focused approach also helps examiners in determining the depth of review of each functional area and improves the consistency of analysis across regional and field offices. The risk-focused approach recognizes that the banking industry's compliance responsibilities continue to grow and become more complex with changes in financial products and services. Moreover, the focus on an institution's compliance program places emphasis on the institution's responsibility to ensure it complies with consumer protection laws.

Effective June 30, 2004, DSC made additional modifications to the examination procedures as they relate to the contents of the Report of Examination and the risk-focused planning documents – the Risk Profile and Scope Memorandum (RPSM) and the Compliance Information and Document Request (CIDR). Appendix II provides a detailed description of these modifications.

Compliance examinations are conducted every 12 to 36 months, depending on an institution's size and the compliance and CRA ratings assigned at the most recent examination.[ 2 ] Each compliance regulation and law is not reviewed at every compliance examination. If no transaction testing in a particular regulatory area has been conducted in the previous examination, a spot check should be conducted at the current examination, even if there are no risk indicators.[ 3 ] For reporting purposes, the risk-focused examination approach combines the results of the CRA evaluation and the compliance examination into one report when CRA performance is evaluated at alternate examinations. The single report focuses on an institution's CMS and includes only significant violations. (Appendix III provides the significant violations found during the compliance examinations for the banks in our sample.) Examiners identify other violations separately to bank management, and they are tracked by the FDIC.

RESULTS OF AUDIT

We found that DSC examiners generally complied with the policies and procedures related to risk-scoping compliance examinations and that the RPSMs prepared by examiners provided an adequate basis for planned examination coverage. The examiners reviewed bank policies, procedures, disclosures, and forms for compliance with consumer protection laws and regulations for each examination we reviewed and planned for transaction testing or spot checks in all compliance areas over the course of two consecutive examinations – a period of 2 to 6 years, depending on an institution's size and ratings.

However, we found that examination documentation did not always show the transaction testing or spot checks conducted during the on-site portion of the examinations, including testing to ensure the reliability of the institutions' compliance review functions. Also, examiners did not always document whether the examination had reviewed all the compliance areas in the planned scope of review. As a result, DSC cannot assure that the extent of testing was appropriate except for those areas in which examiners had identified violations and included them in Reports of Examination. Table 2 on the next page shows the components of a risk-focused compliance examination and our related audit results.

Table 2: Audit Results on Risk-focused Compliance Examinations

Risk-focused Compliance Examination Component: Off-site CMS Review
Component Description: In preparing for a compliance examination, examiners send each bank a Compliance Information and Document Request that provides examiners with sufficient information to begin an off-site evaluation of an institution's compliance management system. At this point, emphasis is placed on reviews of written practices, policies, and procedures; bank forms and disclosures; and bank audit data. This off-site review provides the initial assessment of the quality of an institution's CMS in light of the risks associated with the level and complexity of the institution's business operations and product and service offerings.
Results of Audit: Examiners generally complied with policies and procedures related to risk-scoping compliance examinations, in that: (1) justification for the extent of the work to be conducted for each compliance area was provided in the RPSMs, (2) a justification for areas not tested during the examination was documented, (3) areas not tested at the previous examination were included in the current examination scope for transaction testing or spot checks, and (4) areas for which violations had been found at previous compliance examinations were included in the scope of the current examination for transaction testing or spot checks.

Risk-focused Compliance Examination Component: Development of the RPSM
Component Description: The results of the off-site assessment of the CMS, to include the proposed on-site testing plan, are documented in the RPSM. The RPSM is designed to assess the CMS, operational areas, and issues to be investigated or targeted. In addition, the RPSM contains the Risk Profile Matrix, which summarizes perceived risk in each of the CMS elements regarding major operational areas. Examiners use the matrix to develop a compliance risk profile for an institution, using various sources of information about the institution's business lines, organizational structure, operations, and past supervisory performance.
Results of Audit: Examiners generally complied with risk-scoping documentation requirements, as follows: (1) requirements for preparing the RPSM were met for the banks in our sample; and (2) the RPSMs provided an adequate analysis of the bank's CMS and were broad enough to provide an understanding of the organizational structure of an institution, its related activities, and compliance risks associated with each of the institution's activities. In addition, the use of RPSMs as a planning tool provides examiners an adequate method for making an initial off-site assessment of whether the institutions' management and board of directors identify, understand, and adequately control the compliance risks facing the financial institution.

Risk-focused Compliance Examination Component: On-site Transaction Testing and Spot Checks
Component Description: During the on-site portion of the risk-focused compliance examination, examiners determine actual bank practice through extensive discussions with bank management and staff, reviews of relevant documents, and testing of selected bank transactions. The extent of transaction testing and spot checks is based on the examiner's assessment of the institution's compliance risk profile, such as whether an operational area is determined to be high risk or the institution's compliance management efforts appear weak.
Results of Audit: There is insufficient evidence in examination workpapers or reports for DSC to assure that the extent of on-site transaction testing and spot checks was appropriate. Compliance examination workpapers were not always maintained in a manner that ensures the work performed during the on-site portion of the review is adequately documented, including transaction testing and spot checks to ensure the reliability of the institution's compliance review function. Also, examiners did not always document whether the examination reviewed all the compliance areas in the planned scope of review.

Source: DSC Compliance Examination Manual and Office of Inspector General (OIG) audit results.

DOCUMENTATION OF ON-SITE TESTING PERFORMED DURING COMPLIANCE EXAMINATIONS

Examiners did not adequately document the scope of the work performed during the on-site portion of the compliance examinations. Specifically, for the examinations we reviewed, examination workpapers did not always contain sufficient information to identify examiner transaction testing or spot checks conducted during the on-site portion of examinations or whether the examination reviewed all areas in the planned scope of review. Documentation is lacking because examiners did not comply with DSC policy that requires they document their work. As a result, DSC cannot assure that the extent of testing was appropriate for assessing institutional compliance with regulations except for those areas in which examiners had identified violations and included them in Reports of Examination.

Documenting Compliance Examination Findings and Transaction Testing

DSC's June 2003 Revised Compliance Examination (Transmittal No. 2003-021, dated June 6, 2003) section entitled, Documenting Examination Findings, states that examination documentation should demonstrate a clear trail of decisions and supporting logic within a specified area. Documentation should provide a written record of the examiner's decisions and analysis and provide support for facts or opinions in the Report of Examination. A well-constructed examination documentation file provides sufficient information to reconstruct the examiner's decision process for each step of the examination. The information should provide support for the examiner's decision to include or exclude a regulation or area of review from the scope of the examination and for significant findings. Additionally, examiners should conduct on-site transaction testing for the operational areas included in the scope of the review.[ 4 ] The number of transactions and the particular regulatory requirements to be reviewed should be carefully tailored to weaknesses identified in the CMS as it relates to specific operational areas. In addition, the revised procedures instruct examiners to prepare an examiner summary workpaper for each regulation or area reviewed. This summary, in conjunction with the RPSM, should allow subsequent examiners to clearly identify the scope of work performed and the basis for the examiner's conclusion.

DSC's Compliance Examination Manual, Appendix H, entitled, Sampling Guidelines for Compliance and CRA, instructs examiners to use judgment in determining the number of loans to be reviewed, depending upon specific circumstances. In addition, not all loan types or characteristics must be sampled at each examination; however, "emphasis should be placed on those types of loans that evidenced concerns in the past and those that could result in reimbursable violations." The policy also states that (1) statistical sampling is the preferred method and should be used to the greatest extent possible; (2) the examiner should clearly document in the workpapers the sampling method utilized, loan universe and sample size(s), and sampling results; and (3) examiners should select independent loan samples for the compliance, CRA, and fair lending portions of the examination.

In June 2004, DSC issued Updated Compliance Examination Procedures, Transmittal No. 2004-032, effective June 30, 2004. According to the June 2004 procedures, the RPSM will be used solely for pre-examination planning. Examiners should no longer update the RPSM to reflect changes in the examination scope or to duplicate findings contained in the Report of Examination. However, examination workpapers need to reflect any material changes in scope and the support for those changes. Material increases or reductions in the examination scope must also be noted in examination workpapers.

Documenting Reviews of Institutions' Compliance Review Functions

The Updated Compliance Examination Procedures require examiners to conduct documentation reviews and to interview management regarding the assessment of a bank's compliance review functions. The procedures provide a list of questions for the interview and a list of documents that should be reviewed. Based on the interviews and materials reviewed, examiners are to develop and document a preliminary assessment of the institution's performance related to compliance reviews and determine whether the institution's compliance review function is generally strong, adequate, or weak and the assumptions on which the assessment is based. This determination is initially made off-site by an examiner and is based on the examiner's assessment of the scope and frequency of the institution's compliance reviews, the adequacy of written compliance reports, board of director and senior management responses to those reports, and the institution's follow-up procedures to verify that the corrective actions were lasting and effective. In addition, the section of the Compliance Examination Manual entitled, Transaction Sampling and Testing, states that depending on the importance of a component, the examiner may find it appropriate to spot check a few transactions to show support for a favorable conclusion by the compliance review function. If no transaction testing in a particular regulatory area has been done in the previous examination, then spot checks should be done at the current examination, even if there are no risk indicators. If testing is not considered necessary to support conclusions about an element of the CMS or with respect to a particular operational area, examiners should retain appropriate documentation in the workpapers and include comments in the RPSM and/or the compliance examination report to support this conclusion.

Examiner Documentation of On-site Transaction Testing and Spot Checks

Our review of compliance examination workpapers showed that for 20 of the 36 examinations we reviewed, examiners had not documented the extent of transaction testing or spot checks they performed during the on-site portion of the examination. Some of the Reports of Examination contained comments related to the transaction testing and spot checks conducted. However, the comments related only to areas of violations identified during the examination and did not address the entire scope of the examination. As a result, we could not determine whether all areas included in the planned examination scope had been reviewed or to what extent examiners tested or spot checked transactions unless examiners had identified violations in compliance areas in the Report of Examination.

As a result of the lack of documentation to support on-site transaction testing and spot checks conducted during compliance examinations, DSC cannot assure that the extent of testing was appropriate except for those areas in which examiners identified violations and included them in Reports of Examination. In addition, the lack of examination documentation can affect subsequent examinations in that it will be more difficult for examiners to decide the appropriate scope of those examinations. DSC management plans to reassess the revised compliance examination procedures in relation to using the RPSM solely for pre-examination planning.

RECOMMENDATION

We recommend that the Director, DSC, clarify and reinforce requirements that examiners adequately document the scope of the work performed, including transaction testing and spot checks of the reliability of the institutions' compliance review functions, during the on-site portion of compliance examinations.

CORPORATION COMMENTS AND OIG EVALUATION

On September 16, 2005, the Acting Director, DSC, provided a written response to the draft report. The response is presented in Appendix IV of this report. We did not include the attachments to DSC's response in Appendix IV, which were excerpts from Regional Director Memorandum No. 2005-035, DSC's June 2003 Revised Compliance Examination, dated August 18, 2005. DSC concurred with the recommendation, stating that guidance had been issued related to:

  • documenting changes in the scope of an examination,
  • documenting spot checks of regulations,
  • providing cross checks to additional information available in Examiner Summaries, and
  • providing descriptions of examination procedures used to conduct the examination.

This guidance was distributed to all DSC staff on August 31, 2005.

OIG Evaluation: We determined that the agreed-to corrective action has been completed and is effective. This recommendation is resolved, dispositioned, and closed.

Appendix V contains a summary of management's response to the recommendation and the status of the recommendation as of the date of this report.



OBJECTIVE, SCOPE, AND METHODOLOGY

APPENDIX I

Objective

The overall objective of this audit was to determine whether DSC's risk-focused compliance examination process results in examinations that are adequately planned and effective in assessing financial institution compliance with consumer protection laws and regulations. Specifically, we determined whether DSC examiners are adequately risk-scoping compliance examinations and conducting appropriate levels of transaction testing and making sound risk-scoping decisions when relying on the work of the financial institutions' internal or external compliance review functions. We performed our audit from October 2004 through August 2005 in accordance with generally accepted government auditing standards.

Scope and Methodology

The scope of the audit was limited to a review of banks examined under the revised DSC risk-focused compliance examination policies and procedures in the Revised Compliance Examination Procedure, dated June 30, 2004. To accomplish our objective, we reviewed the most current and the prior compliance examination reports and corresponding examination workpaper files, policies, and procedures related to the compliance review function, prior OIG audit reports and DSC Internal Review reports, laws and regulations, and management tracking reports for each examination. We also interviewed DSC management officials and staff at FDIC headquarters and three regional offices.

The judgmental sample included 36 FDIC-supervised banks for which compliance examinations had been conducted from August 2003 through November 2004 at 3 FDIC regional offices. Our sample included 14 "1" rated banks, 14 "2" rated banks and 8 "3" rated banks.[ 5 ] The asset sizes of the banks ranged from $8.5 million to $1.2 billion. The compliance examinations in our sample resulted in 11 banks whose compliance ratings were downgraded, 7 banks whose ratings were upgraded, and 18 banks whose ratings remained the same. Of the 36 banks, 8 had corrective supervisory actions imposed on them as a result of the compliance examinations: 2 banks were issued Memorandums of Understanding, and 6 banks were encouraged to adopt Bank Board Resolutions.[ 6 ] The eight banks had a compliance examination rating of "3."

Pertinent Laws and Regulations

Compliance examinations are the primary means the FDIC uses to determine whether a financial institution is meeting its responsibilities to comply with the requirements of federal consumer laws and regulations. DSC has established policies and procedures for risk-focused compliance examinations in the FDIC Compliance Examination Manual. For the banks in our sample, the procedures generally were followed, although examination workpapers did not always contain sufficient information to identify examiner transaction testing or spot checks conducted during the on-site portion of examinations or whether the examination reviewed all areas in the planned scope of review. Our review did not find any instances of FDIC noncompliance with pertinent laws and regulations.

Reliance on Computer-based Data, Government Performance and Results Act, Fraud and Illegal Acts, and Internal Control

Validity and Reliability of Data from Computer-based Systems

We used computer-based data for background information and in generating a universe of examinations from which to select our sample. We reviewed examination records that supported data from the DSC System of Uniform Reporting of Compliance and CRA Examinations (SOURCE)[ 7 ] and the Scheduling, Hours, and Reporting Package (SHARP)[ 8 ] reporting systems to determine the accuracy of data used during the audit. The SOURCE system is used to: (a) generate examination schedules that support workload projections by incorporating quarterly planning and benchmark hours, (b) capture examination summary information, (c) store examination documents for divisional sharing and historical reference, and (d) support legislatively mandated reporting. The SHARP system is an hours-based tracking system that provides uniformity in collecting examination hours information. Based on our review, we found that the SHARP system does not provide detailed information on work conducted by examiners. Also, the SHARP system does not have time codes for all of the regulations reviewed during compliance examinations. According to our discussions with DSC staff, SHARP is not used to track or monitor examination coverage of regulations – the system is more useful for field office management.

Performance Measures

In fulfilling its primary supervisory responsibilities, the FDIC pursues two strategic goals: FDIC-supervised institutions are safe and sound and consumers' rights are protected, and FDIC-supervised institutions invest in their communities.[ 9 ]

Two strategic objectives support the consumer rights strategic goals. The first strategic objective is that consumers have access to easily understood information about their rights and the disclosures due them under consumer protection and fair lending laws. The FDIC's annual performance goals related to this objective are:

  • Provide effective outreach and technical assistance on topics related to the CRA, fair lending, and community development.
  • Meet the statutory mandate to investigate and respond to consumer complaints about FDIC-supervised financial institutions.

The second strategic objective is that FDIC-supervised institutions comply with consumer protection, CRA, and fair lending laws. The FDIC's annual performance goals related to this objective are:

  • Conduct CRA and compliance examinations in accordance with the FDIC's examination frequency policy.
  • Take prompt and effective supervisory action to monitor and address problems identified during compliance examinations of FDIC-supervised institutions that receive a "4" or "5" rating for compliance with consumer protection and fair lending laws.

None of the strategic goals, strategic objectives, or performance goals related directly to the objectives of our audit.

Fraud and Illegal Acts

Our audit program did include steps for providing reasonable assurance of detecting fraud or illegal acts. We did not identify any illegal acts or abuse or potential areas susceptible to illegal acts or abuse.

Internal Controls Reviewed

During the audit, we gained an understanding of relevant control activities related to compliance examinations by examining DSC policies and procedures as presented in the DSC's Compliance Examination Manual and Regional Directors Memoranda. We identified DSC's internal controls related to the risk-focused examination process for compliance examinations. Specifically, we reviewed the systems used for measuring, monitoring, and reporting program performance; compliance with laws, regulations, policies, and procedures; and the reliability of computer-based data. We also reviewed the results of DSC Internal Control Reviews related to compliance examinations. We identified documentation weaknesses related to the on-site portion of compliance examinations as discussed in the finding section of this report.

Summary of Prior Audit Coverage

On March 26, 2002, the OIG issued Audit Report 02-009, Division of Compliance and Consumer Affairs' Risk-Scoping Process for Fair Lending Examinations, on the fair lending examination risk-scoping process as conducted by the Division of Compliance and Consumer Affairs.[ 10 ] The objective of the audit was to assess: (1) the adequacy of the Federal Financial Institutions Examination Council (FFIEC) Interagency Fair Lending Examination Procedures for the FDIC's pre-examination planning for fair lending examinations of small banks, (2) the FDIC's implementation of the FFIEC interagency procedures as they relate to identifying fair lending risks during the off-site pre-examination planning phase of the fair lending reviews, and (3) the related DCA internal controls. The 2002 audit focused on the FDIC's application of the FFIEC Interagency Fair Lending Procedures and did not directly relate to the scope of our audit.



RISK-FOCUSED COMPLIANCE EXAMINATION GUIDELINES

APPENDIX II

Effective June 30, 2003, DSC implemented revised procedures to enhance the FDIC's compliance examination process by focusing increased attention on an institution's compliance management system. As noted in the DSC Memorandum entitled, Revised Compliance Examination Procedures, Transmittal No. 2003-021, dated June 6, 2003, the revised procedures combined the risk-based examination process with an in-depth evaluation of an institution's CMS. Examiners were required to evaluate how well an institution's compliance responsibilities are administered and managed, consistent with the level and complexity of its operations. The purpose of this approach was to allow examiners to devote more attention to those institutions requiring additional supervisory attention to help improve weak compliance functions and reduce the risks of future noncompliance. The new procedures did not change existing fair lending examination procedures or CRA performance evaluations. According to the revised procedures, all financial institutions would benefit from a comprehensive assessment of compliance management systems. The examiner's identification of root causes of compliance management deficiencies and regulatory violations would serve as a blueprint for helping institution management improve its operations. Moreover, the revised compliance examination procedures would elevate the importance of comprehensive compliance risk management by institutions of all sizes.

Effective June 30, 2004, DSC updated the compliance examination procedures. As noted in the DSC Memorandum entitled, Updated Compliance Examination Procedures, Transmittal No. 2004-032, dated June 30, 2004, modifications to the examination procedures were centered in three distinct components of the compliance examination program: Report of Examination comments, the RPSM, and the CIDR.

  • The Report of Examination changes included guidance to: (a) reduce examination scope comments, (b) consolidate examiner recommendations and management's commitment to corrective action, (c) consolidate the summary assessment of compliance management, and (d) omit the Supervisory Comments page in most instances.
  • The RPSM requirements were changed to ensure that the RPSM would be used solely for pre-examination planning. Upon completion of the RPSM, the Examiner-in-Charge is required to submit it to the Field Supervisor for review and approval. Once the RPSM is approved by the Field Supervisor, examiners no longer need to update the RPSM to reflect changes in examination scope or to duplicate findings contained in the Report of Examination.
  • To better tailor the CIDR to the unique circumstances of each institution, the following approaches were made available for examiners when requesting information from banks. For compliance examinations of large, complex banking organizations, examiners should use the existing CIDR. For compliance examinations of smaller, less complex institutions, examiners should use the "Interview Sheet" and a revised Compliance Information and Documentation Request (CIDR II) to simplify the information-gathering process by removing tables and separating information requests from document requests.


SIGNIFICANT VIOLATIONS CONTAINED IN THE REPORTS OF EXAMINATION FOR THE SAMPLE BANKS

APPENDIX III

Significant violations found during the compliance examinations for the 36 banks in our sample are identified below. Significant violations are defined as deficiencies that may adversely impact the financial institution. We found that 75.6 percent of the total significant violations related to seven regulations: Truth in Lending, Equal Credit Opportunity, Real Estate Settlement Procedures Act, Truth in Savings, Home Mortgage Disclosure Act, Flood Insurance, and Expedited Funds Availability. The scope of this audit did not include a detailed review of the significant violations; however, we plan to include an audit of supervisory actions taken for compliance-related violations in our Fiscal Year 2006 Assignment Plan.

Lending Regulation Violations                           # of Banks
Truth in Lending (TIL)                                  17
Equal Credit Opportunity Act (ECOA)                     17
Flood Insurance                                         11
Real Estate Settlement Procedures Act (RESPA)           17
Fair Credit Reporting                                   4
Credit Practices Rule                                   0
Fair Housing Act                                        2
Homeownership Counseling                                1
Homeowners Protection Act (HPA)                         1
Home Mortgage Disclosure Act (HMDA)                     13
Preservation of Consumer Claims and Defenses (PCCD)     0
Consumer Leasing                                        0

Deposit Regulation Violations                           # of Banks
Electronic Funds Transfer (EFT)                         7
Truth in Savings (TIS)                                  16
Expedited Funds Availability (EFA)                      11
Interest on Deposits                                    2

Specialty Regulation Violations                         # of Banks
Community Reinvestment Act Technical Requirements       4
Advertising of Membership                               1
Branch Closings                                         0
Right to Financial Privacy Act                          4
Privacy of Consumer Financial Information               2
Non-Deposit Products                                    5
Electronic Banking                                      0
Consumer Complaints                                     0
Fair Debt Collection Practices                          0
Interstate Banking & Branching Efficiency Act (IBBEA)   0
Children's Online Privacy Protection Act (COPPA)        0
 


CORPORATION COMMENTS

APPENDIX IV


Corporation Comments, page 1
Corporation Comments, page 2


MANAGEMENT RESPONSE TO RECOMMENDATIONS

APPENDIX V


This table presents the management response on the recommendation in our report and the status of the recommendation as of the date of report issuance.

Corrective Action for Recommendation (Taken or Planned/Status): DSC concurred with the recommendation. DSC clarified and reinforced requirements that examiners adequately document the scope of the work performed, including transaction testing and spot checks of the reliability of the institutions' compliance review functions, during the on-site portion of compliance examinations. This clarification was provided in a written memorandum entitled, Revised Compliance Examination Procedures, which was issued to all DSC personnel.
Completion Date: August 31, 2005
Monetary Benefits: None
Resolved [ a ] (Yes or No): Yes
Dispositioned [ b ] (Yes or No): Yes
Open or Closed [ c ]: Closed

a Resolved –
(1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.
(2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.
(3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

b Dispositioned – The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the recommendation.

c Once the OIG dispositions the recommendation, it can then be closed.

Last updated 10/24/2005