Federal Deposit Insurance Corporation
Office of Inspector General

The FDIC's Actions to Address Consumer Protection Violations and Deficiencies

This is the accessible text file for FDIC OIG report number AUD-14-004 entitled 'The FDIC’s Actions to Address Consumer Protection Violations and Deficiencies'.

This text file was formatted by the FDIC OIG to be accessible to users with visual impairments.

We have maintained the structural and data integrity of the original printed product in this text file to the extent possible. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation’s comments, are provided but may not exactly duplicate the presentation or format of the printed version.

The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version.



Federal Deposit Insurance Corporation

Office of Inspector General

The FDIC’s Actions to Address Consumer Protection Violations and Deficiencies

Report No. AUD-14-004

March 2014

Executive Summary

Why We Did The Audit

FDIC-supervised financial institutions are responsible for developing and implementing compliance management systems to ensure compliance with federal consumer protection laws and regulations. The FDIC routinely examines these institutions for potential deficiencies in their compliance management systems and for potential violations of consumer protection laws and regulations. Compliance examinations and follow-up supervisory attention help to ensure that consumers obtain the benefits and protection afforded to them under the law. Given the importance of this area, we conducted this audit.

The objective of this performance audit was to determine whether the FDIC’s actions to address consumer protection violations and deficiencies comply with applicable policies, procedures, and guidelines and the extent to which the actions are consistently handled by the Division of Depositor and Consumer Protection’s (DCP) Regional Offices. The FDIC Office of Inspector General engaged the independent professional services firm of KPMG LLP to provide assistance on the audit.

Background

Within the FDIC, DCP has primary responsibility for examining institutions for compliance with fair lending, privacy, and various other consumer protection laws and regulations. Examiners document the results of their work in compliance examination reports, which are provided to the institution’s management and Board of Directors. Examiner recommendations and discussions with management generally result in the correction of identified violations and deficiencies. However, when such efforts are not successful, or when violations or deficiencies are significant, the FDIC may take stronger steps in the form of informal supervisory actions or formal enforcement actions against an institution or responsible individuals. Such actions can include the assessment of civil money penalties (CMP) or orders to pay restitution to consumers who were harmed because of violations. The FDIC typically performs follow-up examinations or onsite visits within 12 months of completing an examination that assigns a “4” or “5” compliance rating.

DCP has developed a formal consultation process that requires officials in the Regional Offices and the Washington Office to consult on significant, unusual, and emerging supervisory matters, including supervisory actions, violations of certain laws and regulations, and weak compliance ratings. The consultation process is intended to help ensure appropriate, consistent, and timely consideration of such matters.

Audit Results

We found that the FDIC’s actions to address the consumer protection violations and deficiencies that we reviewed generally aligned with applicable policies, procedures, and guidelines. In addition, compliance examination reports identified the specific laws and regulations that were violated, the nature and causes of the violations, the recommended corrective actions, and the responses of the institutions’ management. Further, follow-up examinations or visits were conducted timely, and CMPs that the FDIC issued were well supported and documented and included a legal opinion that addressed consideration of applicable laws, violations, mitigating factors, and monetary penalties.

While the above results are positive, the FDIC’s compliance information systems used to record, track, and monitor consumer compliance activities did not always contain pertinent information on the following compliance activities:

- the basis for decisions on whether and what type of supervisory action should be taken,

- restitutions to consumers, and

- consultations among DCP officials regarding proposed supervisory actions.

In some cases, this information was maintained outside of the FDIC’s compliance information systems in memoranda and other documents. Recording and tracking key supervisory information in a consistent and centralized manner helps to ensure its reliability, reduces the amount of time and effort needed to locate information and respond to inquiries, and mitigates the risk associated with staff turnover. Such an approach also provides increased assurance of consistency in the supervision of institutions.

DCP has established a number of internal controls to promote consistency among its Regional Offices in the handling of actions to address violations and deficiencies. Such controls include the Compliance Examination Manual, the Formal and Informal Action Procedures Manual, the National Review Examiner Manual, a consultation process, restitution tracking procedures, and the compliance examination report review process. In addition, the FDIC established the Case Review Committee and has issued guidance to examiners on consumer protection matters to help ensure a consistent supervisory approach. Further, the supervisory matters that we reviewed, including actions taken to address violations and deficiencies, generally appeared to be consistently handled by DCP’s Regional Offices. However, we did note differences among DCP’s regional consultation policies and procedures that the FDIC should consider as part of its initiative to update those procedures for consistency with recently-issued national consultation procedures.

Our report also includes an observation that DCP’s guidance to examiners on assigning compliance ratings allows more flexibility than the definitions provided in the Uniform Interagency Consumer Compliance Rating System (UICCRS). DCP officials informed us that there have been high-level discussions among Federal Financial Institutions Examination Council participants about the need to clarify the UICCRS ratings definitions. Finally, we identified two potential control improvements that we did not consider significant in the context of the audit objective. We communicated those potential control improvements separately to DCP management.

Recommendations and Corporation Comments

Our report contains four recommendations addressed to the Director, DCP, that are intended to improve DCP’s internal controls for addressing consumer protection violations and deficiencies identified during compliance examinations. The Director, DCP, provided a written response, dated March 17, 2014, to a draft of this report. In the response, the Director concurred with all four of the report’s recommendations and described planned corrective actions that address the recommendations. With respect to the report’s observation, the Director, DCP, plans to contact other agencies to determine whether there is mutual interest in updating the UICCRS definitions.

[End of Executive Summary section]

Contents

Background

Audit Results

Recording Supervisory Information in the FDIC’s Compliance Information Systems

Regional Consultation Policies and Procedures

Observation: Consumer Compliance Rating System

Corporation Comments and OIG Evaluation

Appendices

1. Objective, Scope, and Methodology
2. Glossary of Terms
3. Acronyms and Abbreviations
4. Corporation Comments
5. Summary of the Corporation’s Corrective Actions

Tables

1. Institutions Selected for Review
2. Institutions Actually Reviewed

[End of Contents section]

[Letterhead, FDIC logo, Federal Deposit Insurance Corporation, Office of Inspector General, Office of Audits and Evaluations, 3501 Fairfax Drive, Arlington, Virginia 22226]

DATE: March 28, 2014

MEMORANDUM TO: Mark E. Pearce, Director, Division of Depositor and Consumer Protection

FROM: Stephen M. Beard, /Signed/, Deputy Inspector General for Audits and Evaluations

SUBJECT: The FDIC’s Actions to Address Consumer Protection Violations and Deficiencies (Report No. AUD-14-004)

This report presents the results of our audit of the FDIC’s actions to address consumer protection violations and deficiencies identified during compliance examinations. FDIC-supervised financial institutions are responsible for developing and implementing compliance management systems to ensure compliance with federal consumer protection laws and regulations.1 The FDIC routinely examines these institutions for potential deficiencies in their compliance management systems and for potential violations of consumer protection laws and regulations. Although violations and deficiencies can often be addressed through examiner recommendations and discussions with the management of the institution, serious matters may result in monetary penalties and enforcement actions against the institution.

Footnote 1: Terms that are underlined when first used in this report are defined in Appendix 2, Glossary of Terms.

The audit objective was to determine whether the FDIC’s actions to address consumer protection violations and deficiencies comply with applicable policies, procedures, and guidelines and the extent to which the actions are consistently handled by the Division of Depositor and Consumer Protection’s (DCP) Regional Offices. To address our objective, we interviewed officials in DCP and the FDIC’s Legal Division about the Corporation’s processes for addressing consumer protection violations and deficiencies and for ensuring a consistent approach. We also reviewed supervisory information related to a nonstatistical sample2 of 93 FDIC-supervised financial institutions for which DCP had identified violations or deficiencies, issued a supervisory action, or referred a violation to another federal agency.3

Footnote 2: A non-statistical sample is judgmental and cannot be projected to the population. See Appendix 1 for details regarding our sampling methodology.

Footnote 3: For the purposes of this report, supervisory actions broadly include informal actions such as Bank Board Resolutions (BBR), Memoranda of Understanding (MOU), and voluntary restitutions, and formal enforcement actions such as Civil Money Penalties (CMP), cease-and-desist orders (C&D)/consent orders (CO), and restitution orders. Referrals to other agencies are not considered to be supervisory actions.

We conducted this performance audit in accordance with generally accepted government auditing standards. Appendix 1 of this report includes additional information about our objective, scope, and methodology; Appendix 2 contains a glossary of key terms; Appendix 3 contains a list of acronyms and abbreviations; Appendix 4 contains the Corporation’s comments on this report; and Appendix 5 contains a summary of the Corporation’s corrective actions.

Background

The FDIC has statutory responsibility for examining the financial institutions it supervises for compliance with fair lending, privacy, and various other consumer protection laws and regulations.4 Within the FDIC, DCP has primary responsibility for directing and managing compliance examinations, policy, research, and enforcement activities related to consumer protection and community affairs. DCP relies on compliance examinations as the primary means for determining whether financial institutions meet their responsibility for complying with consumer protection laws and regulations. DCP examines institutions every 12-36 months, depending on the institution’s size and compliance and Community Reinvestment Act (CRA) ratings assigned at the most recent examination. According to DCP’s Compliance Examination Manual, examiners perform the following steps during compliance examinations:

Footnote 4: Such laws include the Equal Credit Opportunity Act (ECOA), Fair Housing Act (FHAct), Home Mortgage Disclosure Act (HMDA), Real Estate Settlement Procedures Act (RESPA), and Truth in Lending Act (TILA). The FDIC and other federal agencies issue regulations for implementing consumer protection laws, as appropriate. The FDIC also coordinates with other regulatory agencies, such as the Consumer Financial Protection Bureau (CFPB), on relevant consumer protection matters.

- assess the quality of the institution’s compliance management system for implementing federal consumer protection statutes and regulations,

- review compliance with relevant laws and regulations, and

- initiate supervisory action when elements of an institution’s compliance management system are deficient or when significant violations of law are found.

At the conclusion of an examination, examiners discuss their findings and recommendations with the institution’s management and obtain a commitment for corrective action, if warranted. Examiners document the results of their work (including both strengths and weaknesses in the institution’s compliance management system) in compliance examination reports, which are provided to the institution’s management and Board of Directors. Under certain circumstances, the FDIC must refer violations identified by examiners to other federal agencies, such as the Department of Justice (DOJ), when there is reason to believe that a pattern or practice of discouraging or denying applications for credit exists in violation of ECOA’s general rule prohibiting discrimination. The FDIC must also notify the Department of Housing and Urban Development (HUD) of certain violations of the FHAct.

Except where DCP management determines it is unnecessary, a follow-up examination or onsite visit is conducted within 12 months of completing any examination that assigns a “4” or “5” compliance rating. The purpose of the follow-up is to assess the institution’s implementation of corrective actions. Additional follow-up is performed when initial corrective actions are determined to be insufficient. An institution’s progress in implementing informal or formal supervisory actions is typically assessed through quarterly progress reports from, and direct communication with, the management of the institution. In addition, the FDIC’s Legal Division supports DCP in its supervisory activities. For example, the Legal Division reviews and opines on proposed enforcement actions.

The FDIC follows the Uniform Interagency Consumer Compliance Rating System (UICCRS), approved by the Federal Financial Institutions Examination Council (FFIEC), when conducting compliance examinations. Under this system, financial institutions are assigned a consumer compliance rating based on an evaluation of the nature and extent of the institution’s compliance with consumer protection and civil rights laws and regulations and the adequacy of their operating systems designed to ensure compliance on a continuing basis. Ratings are based on a scale of 1 to 5, with 1 indicating a strong compliance position and 5 indicating an institution in need of the strongest supervisory attention. The majority of FDIC-supervised institutions have ratings that reflect satisfactory or strong consumer compliance programs. Only 234 institutions—less than 6 percent of all FDIC-supervised institutions—were rated “3,” “4,” or “5” for consumer compliance purposes as of December 31, 2013.

Supervisory Actions

Frequently, examiner recommendations and discussions with management result in the correction of identified violations and deficiencies. When such efforts are not successful, or when the violations or deficiencies are significant, the FDIC may take stronger steps in the form of supervisory actions against an institution or responsible individuals. Many factors must be considered in determining whether a supervisory action should be taken. According to the FDIC’s Formal and Informal Action Procedures Manual (FIAP Manual), such actions may be appropriate under the following circumstances.

- Informal actions are generally appropriate for institutions with a composite “3” rating for compliance. This rating indicates that the institution has weaknesses that, if left uncorrected, could cause the institution’s compliance position to deteriorate.

- Formal actions are generally appropriate for institutions with a composite “4” or “5” rating for compliance, such as when there is a high volume or severity of violations.

DCP has developed a formal consultation process that requires officials in the Regional Offices and the Washington Office to consult on significant, unusual, and emerging supervisory matters, including supervisory actions, violations of certain laws and regulations, and weak compliance ratings.5 The consultation process is intended to help ensure appropriate, consistent, and timely consideration of such matters. In addition, the FDIC’s Board of Directors has established a Case Review Committee (CRC) to review and approve or disapprove proposed orders or notices with respect to certain enforcement actions. As it relates to compliance matters, the CRC has authority over proposed actions to order restitution and assess CMPs—except CMPs related to Flood Insurance violations—and to review certain other compliance-related enforcement actions, such as those that may affect corporate policy or attract unusual attention or publicity.

Footnote 5: The process is defined in Regional Directors Memoranda (RD Memorandum), entitled Consultation Process for Compliance and CRA Examinations (Transmittal No. 2011-26, dated November 18, 2011) and Consultation Policies and Procedures for Consumer Compliance and Community Reinvestment Act Issues (Transmittal No. 2008-42, dated December 30, 2008). These transmittals were superseded by RD Memorandum, Consultation Process for Compliance and CRA Examinations (Transmittal No. 2013-013-DCP, dated December 13, 2013).

During 2013, the FDIC issued 161 supervisory actions, consisting of 80 informal and 81 formal actions, to address consumer protection matters. In addition to BBRs and MOUs, the informal actions included 10 voluntary restitutions made by institutions in the form of refunds to consumers who were harmed by the institutions’ failure to comply with various laws. Formal actions may also impose requirements for institutions to pay restitution. In 2013, the FDIC ordered 6 institutions to pay almost $47 million in restitution to over 387,000 consumers. These refunds related to unfair or deceptive acts or practices (UDAP) by institutions. The FDIC also issued 54 CMPs totaling over $10 million payable to the Department of the Treasury (Treasury) in 2013. The majority of these CMPs involved Flood Insurance, UDAP, or ECOA violations.

Information Systems

The FDIC’s System of Uniform Reporting of Compliance and CRA Examinations (SOURCE) and the Formal and Informal Action Tracking System (FIAT) are the primary information systems used by DCP to support compliance supervisory activities. SOURCE is DCP’s system of record for data and documents associated with examination activities. The system is used to support examination and review processes, reporting, management and policy decisions, and strategic planning. FIAT is a module within the FDIC’s Virtual Supervisory Information On the Net System (ViSION) and serves as the central source of information for informal and formal actions. SOURCE is relied upon at all levels of DCP and by external stakeholders, including the Treasury, CFPB, and state banking authorities. DCP also uses various other information systems, such as the Regional Automated Document Distribution and Imaging System (RADD) and the Regional Report Repository (R3), to support compliance supervisory activities. For purposes of this report, we collectively refer to SOURCE, FIAT, RADD, and R3 as the FDIC’s compliance information systems.

In the course of performing our work, we found that the FDIC’s compliance information systems were generally not well integrated, did not always support DCP’s workflow processes or activities that we reviewed, and sometimes lacked relevant data or contained redundant data. These weaknesses present a risk to the reliability of the information that the systems maintain and increase the amount of time needed to locate key information. The FDIC recognizes that its current portfolio of systems supporting consumer compliance and CRA activities does not efficiently or effectively support existing business processes. In 2013, the FDIC began a multi-year initiative to modernize SOURCE and certain other ancillary compliance-related systems. The FDIC also has plans to modernize ViSION. The FDIC should consider the findings in this report in formulating and implementing its information systems modernization efforts.

[End of section]

Audit Results

We found that the FDIC’s actions to address the consumer protection violations and deficiencies that we reviewed generally aligned with applicable policies, procedures, and guidelines. In addition, compliance examination reports identified the specific laws and regulations that were violated, the nature and causes of the violations, the recommended corrective actions, and the responses of the institutions’ management. Further, follow-up examinations or visits were conducted timely, and CMPs that the FDIC issued were well supported and documented and included a legal opinion that addressed consideration of applicable laws, violations, mitigating factors, and monetary penalties.

While the above results are positive, the FDIC’s compliance information systems used to record, track, and monitor consumer compliance activities did not always contain pertinent information on the following compliance activities:

- the basis for decisions on whether and what type of supervisory action should be taken,

- restitutions to consumers harmed by an institution’s failure to comply with consumer protection laws and regulations, and

- consultations among Field Office, Regional Office, and Washington Office officials regarding proposed supervisory actions.

In some cases, this information was maintained outside of the FDIC’s compliance information systems in memoranda and other documents. Recording and tracking key supervisory information in a consistent and centralized manner helps to ensure its reliability, reduces the amount of time and effort needed to locate information and respond to inquiries, and mitigates the risk associated with staff turnover. Such an approach also provides increased assurance of consistency in the supervision of institutions.

DCP has established a number of internal controls to promote consistency among its Regional Offices in the handling of actions to address violations and deficiencies. Such controls include the Compliance Examination Manual, the FIAP Manual, the National Review Examiner Manual (NRE Manual), a consultation process, restitution tracking procedures, and the compliance examination report review process. In addition, the FDIC established the CRC and has issued guidance to examiners on consumer protection matters to help ensure a consistent supervisory approach. Further, the supervisory matters that we reviewed, including actions taken to address violations and deficiencies, generally appeared to be consistently handled by DCP’s Regional Offices. However, we did note differences among DCP’s regional consultation policies and procedures that the FDIC should consider as part of its initiative to update those procedures for consistency with recently-issued national consultation procedures.

In addition, we identified two potential control improvements that we did not consider significant in the context of the audit objective. These improvements pertain to how DCP records and organizes information on the results of CRC proceedings and referrals of violations to other federal agencies. We communicated these issues separately to DCP management officials. Our report also includes an observation that DCP’s guidance to examiners on assigning compliance ratings allows more flexibility than the definitions provided in the UICCRS. DCP officials informed us that there have been high-level discussions among FFIEC participants about the need to clarify the UICCRS ratings definitions.

[End of section]

Recording Supervisory Information in the FDIC’s Compliance Information Systems

Although the FDIC’s compliance information systems contained information pertaining to key supervisory actions for the institutions we reviewed, we did note exceptions. As described below, the systems did not always contain pertinent information regarding decisions about supervisory actions, restitution payments to consumers, or consultations about proposed supervisory actions.

Basis for Decisions on Supervisory Actions

The Compliance Examination Manual states that SOURCE is the system of record for the compliance examination program. The system is used extensively by field supervisors, examiners, review examiners, and Washington Office policy staff for reporting and management decision-making. Among other functions, SOURCE captures examination summary information, tracks information through the consultation process, and facilitates the reporting of examination data for legislatively-mandated reporting. Additionally, FIAT serves as a central source of information for supervisory actions.

The FDIC’s compliance information systems did not contain information that adequately explained the basis for decisions on supervisory actions—such as actions that were taken or actions that were recommended by DCP or supported by Legal Division opinions but ultimately not taken—for 15 of the 93 institutions that we reviewed. Several examples follow.

- For five institutions, DCP and/or Legal Division staff recommended or considered a stronger supervisory action (e.g., restitution order, CMP, or C&D/CO) than was ultimately taken. However, the FDIC’s compliance information systems did not contain an explanation of why the stronger actions were not ultimately pursued or the basis for the actions that were taken.

- For three institutions, the FDIC’s compliance information systems did not indicate why supervisory actions related to Flood Insurance violations cited during examinations were not pursued. In one case, the institution’s failure to comply with Flood Insurance requirements resulted in consumer harm totaling $78,000.6 In the other two cases, the systems did not indicate why the cited violations did not represent a pattern or practice requiring the payment of CMPs.

- For two institutions with the same action in place for several years, the FDIC’s compliance information systems did not indicate why stronger action had not been pursued to address continued deficiencies in the institutions’ compliance management systems.

Footnote 6: Section 339.3(a) of the FDIC Rules and Regulations requires that the building, mobile home, or personal property securing a designated loan be covered by flood insurance for the term of the loan. Section 339.7 requires a financial institution or servicer to purchase insurance on the borrower’s behalf if the borrower fails to obtain flood insurance within 45 days after notification.

DCP Regional Office officials provided additional information pertaining to the matters described above. These officials acknowledged the importance of maintaining current, accurate, and complete information about supervisory actions in the FDIC’s compliance information systems. In addition, DCP officials in the Washington Office indicated that information in the FDIC’s compliance information systems pertaining to supervisory actions has historically focused on actions that have been taken and that additional emphasis on documenting actions considered or recommended, but not pursued, would be beneficial. Recording such information in DCP’s compliance information systems could provide greater assurance of consistency in the supervision of institutions and facilitate planning for subsequent examinations.

Restitution to Consumers

A DCP RD Memorandum, entitled Procedures for Handling the Payment, Documentation, and Tracking of Restitution to Customers (Transmittal No. 2012-001-DCP, dated March 12, 2012), states that when examiners identify a violation where restitution to consumers is appropriate, the Regional Office will track the amount of the restitution and the number of consumers impacted in FIAT.7 FIAT is designed to track two types of restitution: voluntary and ordered. According to DCP officials, voluntary restitution occurs when an institution agrees to pay restitution immediately upon notification of a violation and before the conclusion of the examination. Ordered restitution occurs when the FDIC pursues an enforcement action to compel an institution to pay restitution. When an institution discovers and corrects a violation and pays restitution in a timely manner outside of the examination process, no recordkeeping of the restitution is required by DCP policy.

Footnote 7: Prior to the issuance of the RD Memorandum, DCP tracked restitution using various manual and automated systems depending on the type of violation or corrective program involved. The use of disparate systems created difficulty in identifying and aggregating the amount of consumer harm addressed through examination and enforcement activities.

DCP generally recorded and tracked the amount of restitution and the number of consumers impacted in FIAT for the institutions we reviewed. However, we did note exceptions. Specifically, FIAT lacked required information for 5 of the 34 institutions in our sample that involved voluntary or ordered restitution payments subsequent to the issuance of DCP’s March 2012 RD Memorandum. Details regarding these exceptions follow.

- For two of the institutions, FIAT contained no information about required restitution for violations cited in the compliance examination reports. Supervisory documentation that we reviewed outside of FIAT indicated that one institution had ECOA violations involving restitution payments totaling $750 to 47 consumers and the other institution had a TILA violation involving one consumer, but we were not able to locate documentation indicating the amount of required restitution.

- For the three remaining institutions, FIAT contained information pertaining to the amount of restitution and the number of consumers impacted for some, but not all, of the violations identified during the examinations. Supervisory documentation that we reviewed outside of FIAT indicated that one institution had ECOA violations involving restitution payments totaling $4,269 to 21 consumers, one institution had a TILA violation involving a restitution payment of $420 to one consumer, and the other institution had a RESPA violation involving a restitution payment of $300 to one consumer.

DCP’s March 2012 RD Memorandum requires the Regional Offices to enter restitution payments in FIAT by the eighth day of the month following the month of payment. Incomplete information in FIAT regarding restitutions presents an increased risk that consumers impacted by violations of laws and regulations may not receive appropriate restitution and that reports to management and to the Congress may not be complete. Management emphasis on the importance of recording restitution information in FIAT as prescribed in the March 2012 RD Memorandum could help to mitigate the types of exceptions that we identified.

We also noted inconsistencies among regional DCP officials with respect to their understanding of when restitution should be categorized as voluntary or ordered. Some DCP officials indicated that they categorize restitutions as ordered if there is a statutory requirement for the institution to pay the restitution (such as for certain TILA violations) or if the FDIC has authority to impose restitution, such as with certain instances under Section 8(b) of the Federal Deposit Insurance Act (FDI Act). However, other DCP officials indicated that they categorize such restitutions as voluntary if the institution agrees to pay the restitution prior to DCP pursuing a formal order. This inconsistency can be attributed, in part, to the lack of a formal definition for voluntary and ordered restitution. Inconsistent treatment of restitution can affect the reliability of reporting as FIAT is designed to track voluntary and ordered restitution separately.

Consultations

According to the NRE Manual, the consultation process is intended to promote ongoing communication of examination issues between field staff and management and applicable Regional Office and Washington Office staff and management. Consultations help to ensure that examination processes and procedures are consistently applied on a regional and nationwide basis. In addition, DCP’s Washington Office has issued several RD Memoranda that provide guidance on the consultation process, and DCP’s Regional Offices have developed their own consultation policies and procedures that support the national consultation process. Both the NRE Manual and the regional consultation policies and procedures define the types of actions and issues that require a consultation, and both state that consultations must be recorded in SOURCE.

Of the 58 institutions that we reviewed that involved issues or actions requiring a consultation, we noted 10 instances in which SOURCE did not indicate whether a consultation had occurred. These issues and actions consisted of the following (see Footnote 8):

- Consent Orders – 3 instances.
- Restitutions – 3 instances.
- MOUs – 2 instances.
- BBRs – 1 instance.
- Potential or actual RESPA Section 8 violations – 1 instance.

Footnote 8: It should be noted that some examinations involved multiple issues and/or actions requiring consultation.

We also noted six instances in which a consultation regarding an MOU or BBR was incorporated into consultations about the institutions’ ratings or violations. Regional consultation procedures state that separate records should be created in SOURCE for each issue or action requiring a consultation.

The exceptions we noted may be attributed to oversights or a lack of awareness on the part of examiners regarding the requirements for recording consultations in SOURCE. In some cases, consultation discussions may have occurred and were documented outside of SOURCE. Recording consultations in SOURCE helps to ensure that relevant information is readily available to those who need it and increases management’s assurance of appropriate, timely, and consistent treatment of issues and actions requiring concurrence from Regional Offices and/or the Washington Office.

Recommendations

We recommend that the Director, DCP:

1. Emphasize to examination staff the importance of recording information in SOURCE regarding the basis for decisions on supervisory actions, including when supervisory actions are considered or recommended but ultimately not taken.

2. Review and update, as appropriate, current controls designed to ensure that relevant information about restitutions is recorded in FIAT and develop formal definitions for voluntary and ordered restitutions to ensure consistent tracking and reporting.

3. Reinforce to examiners DCP’s policy requirement to create records in SOURCE for matters requiring consultation.

[End of section]

Regional Consultation Policies and Procedures

DCP’s six Regional Offices have each established consultation policies and procedures to augment the division’s national consultation procedures contained in the NRE Manual and RD Memoranda. The regional policies and procedures identify specific matters that require consultation among examination teams in local Field Offices and personnel in the Regional Offices. We reviewed the regional consultation policies and procedures and identified the following variations:

- Restitution. The minimum dollar threshold amount of restitution requiring a consultation ranges from $2,500 to $15,000 among the Regional Offices. In some regions, consultations for restitution are only required for violations of certain laws or regulations and are not tied to dollar thresholds.

- Referrals. Regional consultation policies and procedures vary with regard to the apparent violation of specific laws that require a consultation.

- RESPA. Some regions require consultations for potential violations of Section 8 of RESPA, while others require consultations only for cited or unusual violations of the section (see Footnote 9).

- Ratings and Supervisory Actions. Only one region requires a consultation to upgrade a financial institution from a “3” rating or to terminate an informal supervisory action.

Footnote 9: Section 8 of RESPA prohibits anyone from giving or accepting a fee, kickback, or anything of value in exchange for referrals of settlement service business involving a federally-related mortgage loan. Violations of this section are subject to criminal and civil penalties.

The differences we noted warrant review to ensure that consumer compliance issues and supervisory actions are considered and applied in a consistent manner across regions. DCP Transmittal No. 2013-013-DCP, issued in December 2013, requires the Regional Directors to review and update their regional consultation procedures to ensure they are consistent with the current national consultation procedures. Accordingly, this is an opportune time for the Regional Offices to review and consider the variations noted above.

Recommendation

We recommend that the Director, DCP:

4. Review and update, as appropriate, Regional Office consultation policies and procedures to ensure consistency.

[End of section]

Observation: Consumer Compliance Rating System

The UICCRS was established in 1980 to provide a general framework for evaluating and integrating significant compliance factors in order to assign a consumer compliance rating to each federally-regulated commercial bank, savings and loan association, mutual savings bank, and credit union. The purpose of the rating system is to reflect in a comprehensive and uniform fashion the nature and extent of an institution’s compliance with consumer protection and civil rights statutes and regulations. According to the UICCRS, all relevant factors must be evaluated and weighed in assigning a consumer compliance rating. In general, these factors include the nature and extent of compliance with consumer protection and civil rights statutes and regulations, the commitment of management to compliance and its ability and willingness to take the necessary steps to assure compliance, and the adequacy of operating systems, including internal procedures, controls, and audit activities designed to ensure compliance on a routine and consistent basis. The assignment of ratings may also incorporate other factors that impact significantly on the overall effectiveness of an institution’s compliance efforts.

We observed that DCP’s policy and guidance to examiners on assigning compliance ratings allows more flexibility than the definitions provided in the UICCRS. Specifically, the UICCRS definition for a “2” rating states, in part:

There is no evidence of discriminatory acts or practices, reimbursable violations, or practices resulting in repeat violations.

The FDIC’s Compliance Examination Manual incorporates this same definition, but also states:

In assigning ratings under this system, it is important to recognize that all the attributes in each rating category will not necessarily apply to each institution. …examiners are expected to use reasoned judgment to reach sensible, supportable conclusions about an institution’s performance based on the totality of the examination findings.

DCP officials informed us that there are circumstances in which examiners may assign a “2” rating even when reimbursable and/or repeat violations exist. Indeed, we identified 14 instances in our review of selected financial institutions wherein reimbursable or repeat violations were cited in compliance examination reports and the institution was assigned a “2” rating. In those instances, it was the judgment of examiners that the restitution amounts and nature of the violations did not warrant lower ratings. We also noted that DCP updated its internal guidance in March 2012 to require the consistent use of the term “restitution,” rather than “reimbursement,” to describe payments to harmed consumers.

Unlike the FDIC guidance, the UICCRS does not provide for flexibility in its ratings definitions. However, the FDIC’s view regarding the application of examiner judgment in evaluating the overall risk of an institution seems reasonable, particularly in light of the UICCRS not being updated since 1980. In this regard, the UICCRS may not fully reflect current risk-based approaches to supervisory matters. DCP officials informed us that there have been high-level discussions among FFIEC participants about the need to clarify the UICCRS ratings definitions.

[End of section]

Corporation Comments and OIG Evaluation

The Director, DCP, provided a written response, dated March 17, 2014, to a draft of this report. The response is presented in its entirety in Appendix 4. In the response, the Director, DCP, concurred with all four of the report’s recommendations and described planned corrective actions that address the recommendations. A summary of the Corporation’s corrective actions is presented in Appendix 5. The planned corrective actions are responsive to the recommendations, and the recommendations are resolved.

The response notes that a draft of this report indicated that one of the FDIC’s Regional Offices—the Atlanta Regional Office—did not have regional consultation policies or procedures. The response indicates that based on DCP’s discussions with Atlanta Regional Office personnel, the region does have consultation procedures in its Standard Operating Procedures manual. Prior to finalizing our report, we obtained and reviewed these procedures and updated our report accordingly. The additional information did not affect our findings, conclusions, or recommendations.

In response to the report’s observation, the Director, DCP, agreed that the UICCRS could be improved by clarifying the ratings definitions. DCP plans to contact other agencies to determine whether there is mutual interest in updating the UICCRS definitions to address our observation and other matters.

[End of section]

Appendix 1

Objective, Scope, and Methodology

Objective

The performance audit objective was to determine whether the FDIC’s actions to address consumer protection violations and deficiencies comply with applicable policies, procedures, and guidelines and the extent to which the actions are consistently handled by DCP’s Regional Offices.

We conducted this audit from April 2013 through January 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. The conclusions and findings in this report are based on information provided by the FDIC and certain analyses that we performed through January 2014. We caution that projecting the results of our audit to future periods is subject to the risk that controls may become inadequate because of changes in conditions or because compliance with controls may deteriorate.

Scope and Methodology

To obtain a proper understanding of the FDIC’s controls for addressing consumer protection violations and deficiencies and ensuring a consistent approach, we:

- Identified and became familiar with key applicable consumer compliance policies, procedures, and guidelines. Such criteria included, but were not limited to:

  o consumer protection laws and regulations, including ECOA, FHAct, FTC Act, HMDA, Flood Insurance, RESPA, and TILA;
  o FDIC rules and regulations related to consumer protection;
  o the FFIEC’s UICCRS definitions;
  o interagency statements of policy on fair lending, CMPs, and administrative enforcement of TILA;
  o the Compliance Examination Manual, FIAP Manual, and NRE Manual;
  o DCP’s consultation and referral procedures;
  o RD Memoranda related to fair lending, UDAP, RESPA, HMDA, Flood Insurance, TILA, CMPs, and general compliance procedures; and
  o DCP’s Regional Office consultation policies and procedures.

- Identified and became familiar with key controls and processes, such as the role and responsibility of the CRC and DCP’s compliance examination report review process.

- Spoke with Washington Office and Regional Office officials in DCP and the Legal Division about the FDIC’s approach and processes for addressing consumer protection violations and deficiencies.

We assessed whether the FDIC’s actions to address consumer protection violations and deficiencies complied with applicable policies, procedures, and guidelines and the extent to which those actions were consistently handled by reviewing supervisory information for a non-statistical sample of 93 financial institutions. Non-statistical samples are judgmental and cannot be projected to the population of institutions. A description of our sampling methodology follows.

Our sample consisted of four strata. The first two strata focused on deficiencies and violations, respectively, and were drawn from a universe of 472 institutions that SOURCE identified as having been examined from October 1, 2012 to March 31, 2013. Within this universe, SOURCE identified 27 institutions with deficiencies in their compliance management systems and 413 institutions with violations of consumer protection laws or regulations. We selected 16 institutions with deficiencies and 32 institutions with violations for detailed analysis. We selected these institutions in such a manner as to obtain representation from all six of DCP’s Regional Offices and a mix of violation types (see Footnote 10).

Footnote 10: The violations that we selected included noncompliance with provisions of TILA, Flood Insurance, ECOA, RESPA, HMDA, and other consumer protection laws and regulations. DCP utilizes a three-tiered system to classify violations to reflect the level of risk of consumer harm resulting from the violation. We selected violations at all three levels.

The second two strata focused on enforcement actions and referrals, respectively, and were drawn from a universe of 570 supervisory actions (covering 546 institutions) and 29 referrals (covering 29 institutions) that FIAT or DCP indicated were issued or made from April 1, 2011 to March 31, 2013. We selected 78 supervisory actions (covering 71 institutions) and 11 referrals for detailed analysis. Our selections were made in such a manner as to obtain representation from all six of DCP’s Regional Offices and a mix of action types (see Footnote 11). Table 1 summarizes the institutions that we selected for review.

Footnote 11: Supervisory actions that we selected included BBRs, MOUs, C&Ds/COs, CMPs, and restitution orders.

Table 1: Institutions Selected for Review

Row 1: Sample Strata: Strata 1: Deficiencies Total Number of Institutions: 27 Number of Institutions Selected*: 16 Percentage of Total: 59%

Row 2: Sample Strata: Strata 2: Violations Total Number of Institutions: 413 Number of Institutions Selected*: 32 Percentage of Total: 8%

Row 3: Sample Strata: Strata 3: Supervisory Actions Total Number of Institutions: 546 Number of Institutions Selected*: 71 Percentage of Total: 13%

Row 4: Sample Strata: Strata 4: Referrals Total Number of Institutions: 29 Number of Institutions Selected*: 11 Percentage of Total: 38%

Source: FDIC Office of Inspector General (OIG) analysis of deficiencies and violations reflected in SOURCE, enforcement actions reflected in FIAT, and referral information provided by DCP.

* Some institutions were selected more than once for multiple violations or actions covered by our review.

[End of table]

Initially, we selected 126 unique financial institutions for review. After reviewing all of the institutions in Strata 1 and 2 and most of the institutions in Strata 3 and 4, it became evident to us that we had sufficient evidence to address our audit objective. Accordingly, we discontinued further analysis of institutions in Strata 3 and 4 as we determined that it would not be cost-beneficial to review the remaining institutions. Table 2 provides a breakdown of the 93 institutions that we reviewed.

Table 2: Institutions Actually Reviewed

Row 1: Strata: Deficiencies Number of Institutions Selected for Review*: 16 Number of Institutions Actually Reviewed**: 16 Percentage Reviewed: 100%

Row 2: Strata: Violations Number of Institutions Selected for Review*: 32 Number of Institutions Actually Reviewed**: 32 Percentage Reviewed: 100%

Row 3: Strata: Supervisory Actions - BBR Number of Institutions Selected for Review*: 18 Number of Institutions Actually Reviewed**: 6 Percentage Reviewed: 33%

Row 4: Strata: Supervisory Actions - MOU Number of Institutions Selected for Review*: 18 Number of Institutions Actually Reviewed**: 9 Percentage Reviewed: 50%

Row 5: Strata: Supervisory Actions - C&D/CO Number of Institutions Selected for Review*: 14 Number of Institutions Actually Reviewed**: 8 Percentage Reviewed: 57%

Row 6: Strata: Supervisory Actions - CMP Number of Institutions Selected for Review*: 18 Number of Institutions Actually Reviewed**: 15 Percentage Reviewed: 83%

Row 7: Strata: Supervisory Actions - Restitution Number of Institutions Selected for Review*: 10 Number of Institutions Actually Reviewed**: 5 Percentage Reviewed: 50%

Row 8: Strata: Referrals Number of Institutions Selected for Review*: 11 Number of Institutions Actually Reviewed**: 8 Percentage Reviewed: 73%

Row 9: Strata: Total Number of Institutions Selected for Review*: 137 Number of Institutions Actually Reviewed**: 99 Percentage Reviewed: 72%

Source: OIG analysis of institutions reviewed.

* Some institutions were selected more than once for multiple violations or supervisory actions.

** Ninety-three unique institutions were reviewed in total.

[End of table]

Our analysis of supervisory information for the institutions we reviewed was generally limited to information contained in SOURCE, FIAT, RADD, and R3. We also spoke with officials in DCP to follow up on certain issues that we noted during our analysis. Our work did not include a review of examination workpapers to determine whether examiners had identified all relevant deficiencies and violations or made all relevant referrals to other agencies.

We engaged KPMG LLP (KPMG) to perform a detailed analysis of the institutions we sampled. KPMG completed an analysis for all but 1 of the 93 institutions. The OIG performed the analysis for the remaining institution because KPMG notified us of a potential conflict of interest with that institution. The OIG retained overall responsibility for conducting the audit, and we provided oversight of KPMG’s work in our role as contract oversight manager and technical monitor. In this role, we performed certain quality control procedures to assure ourselves that KPMG’s work and results were consistent with professional standards and applicable OIG policies and procedures. The OIG’s quality control work was in addition to KPMG’s quality assurance work.

Internal Control, Reliance on Computer-processed Information, Performance Measurement, and Compliance with Laws and Regulations

As described in the Scope and Methodology section of this Appendix, we performed audit procedures to identify and obtain an understanding of the FDIC’s controls for addressing consumer protection violations and deficiencies and ensuring a consistent approach. We also assessed the implementation of those controls by performing a detailed analysis of a sample of institutions. Consistent with our audit objective, we did not assess the adequacy of DCP’s overall internal control or management control environment. Our report identifies certain internal control weaknesses warranting management’s attention.

We relied on data in SOURCE and FIAT to select a sample of institutions for detailed analysis (see Footnote 12). We determined that the data in these systems was sufficiently reliable for purposes of selecting a sample based on the nature of our planned testing, a comparison of information in various reports and documents generated by other information systems, and discussions with DCP management. Although DCP uses various systems to capture information related to consumer violations and deficiencies, we determined that information system controls were not significant to our objective. Accordingly, we did not assess the design or effectiveness of information system controls as part of this audit. However, for each of the sampled items, we did evaluate whether DCP information systems appropriately captured pertinent information about the supervisory actions taken or considered.

Footnote 12: The sample of referrals was selected from a separate list maintained by DCP.

The Government Performance and Results Act of 1993 (the Results Act), as amended, directs Executive Branch agencies to develop a customer-focused strategic plan, align agency programs and activities with concrete missions and goals, and prepare and report on annual performance plans. We identified one DCP Divisional Goal established in 2012 that was relevant to our audit objective. The goal states:

Take prompt and effective supervisory action to address problems identified during compliance examinations of FDIC-supervised institutions that receive a composite “3,” “4,” or “5” rating for compliance with consumer protection and fair lending laws, and to ensure that each institution is fulfilling the requirements of any corrective program that has been implemented and that the actions taken by the banks are effectively addressing the underlying concerns identified during the examination.

As mentioned previously in this report, we found that follow-up examinations or visits for the institutions in our sample were conducted in a timely manner.

Regarding compliance with laws and regulations, our report identifies weaknesses in internal controls that, if not addressed, could lead to incomplete tracking and reporting pertaining to consumer compliance activities. In addition, we assessed the risk of fraud and abuse related to our objective in the course of evaluating audit evidence.

[End of section]

Appendix 2

Glossary of Terms

Term: Bank Board Resolution (BBR) Definition: BBRs are informal commitments adopted by a financial institution’s Board of Directors (often at the request of the FDIC) directing the institution’s personnel to take corrective action regarding specific noted deficiencies. BBRs may also be used as a tool to strengthen and monitor an institution’s progress with regard to a particular component rating or activity.

Term: Cease-and-Desist Orders (C&D Orders or Consent Orders) Definition: Orders may be issued to stop violations of law, rule, or regulation or unsafe or unsound practices, as well as to require affirmative action to correct any conditions resulting from such violations or practices. Orders may be issued after notice and hearing, or after stipulation by the institution. By ordering an institution to cease and desist from violations or practices and/or to take affirmative actions, the FDIC may prevent the institution’s problems from reaching such serious proportions as to require more severe corrective measures. Section 8(b) of the FDI Act authorizes the FDIC to issue Orders.

Term: Civil Money Penalties (CMP) Definition: Section 8(i) of the FDI Act grants the FDIC authority to impose CMPs against insured depository institutions and institution-affiliated parties. CMPs may be assessed for violations of final and temporary orders, written agreements with the FDIC, and laws and regulations; unsafe and unsound practices; and breaches of fiduciary duty.

Term: Community Reinvestment Act (CRA) Definition: The Community Reinvestment Act encourages federally insured banks to meet the credit needs of their entire community. Part 345 of the FDIC Rules and Regulations states that each appropriate federal financial supervisory agency is required to assess an institution’s record of helping to meet the credit needs of the local communities in which the institution is chartered, consistent with the safe and sound operation of the institution, and to take this record into account in the agency’s evaluation of an application for a deposit facility by the institution.

Term: Equal Credit Opportunity Act (ECOA) Definition: ECOA prohibits certain discriminatory practices, including creditor practices that discriminate based on race, color, religion, national origin, sex, marital status, or age.

Term: Fair Housing Act (FHAct)—the Civil Rights Act of 1968, Title VIII Definition: FHAct prohibits discrimination based on race, color, religion, national origin, sex, family status, and handicap in residential real estate-related transactions. HUD’s regulations implementing FHAct are found at 24 CFR Part 100. The FDIC Rules and Regulations, Part 338, Fair Housing, is the FDIC’s implementing regulation for FHAct.

Term: Home Mortgage Disclosure Act (HMDA) Definition: HMDA was enacted to provide information to the public and federal regulators regarding how depository institutions are fulfilling their obligations towards community housing needs. The regulation requires an institution to report data to its supervisory agency about home purchase loans, home improvement loans, and refinancings that it originates or purchases, or for which it receives applications, and to disclose certain data to the public.

Term: Memorandum of Understanding (MOU) Definition: An MOU is an informal agreement between an institution and the FDIC, which is signed by both parties. A State Authority may also be a party to the agreement. MOUs are designed to address and correct identified weaknesses in an institution’s compliance position. The FDIC generally uses MOUs instead of BBRs, especially when there is reason to believe the deficiencies noted during an examination need a more structured program or specific terms to effect corrective action.

Term: Real Estate Settlement Procedures Act (RESPA) Definition: RESPA covers loans secured with a mortgage placed on a one-to-four family residential property. These include most home purchase loans, assumptions, refinancings, property improvement loans, and equity lines of credit. RESPA requires that borrowers receive disclosures at various times. Some disclosures spell out the costs associated with settlement, outline lender servicing and escrow account practices, and describe business relationships between settlement service providers.

Term: Referrals Definition: ECOA provides for referrals to DOJ or notifications to HUD of suspected instances of credit discrimination as well as certain other violations of ECOA or FHAct. The referral provisions of ECOA require that the federal financial institution regulatory agencies refer matters to DOJ whenever the agency has reason to believe that a creditor has engaged in a pattern or practice of discouraging or denying applications for credit in violation of ECOA’s general rule prohibiting discrimination. Further, whenever one of the agencies has reason to believe, as a result of receiving a consumer complaint, conducting a consumer compliance examination, or otherwise, that: (a) a violation of ECOA has occurred, and (b) has reason to believe that the alleged violation would also be a violation of the FHAct, and (c) does not refer the matter to DOJ, the agency must notify HUD of the alleged violation.

Term: Restitution Definition: Financial consumer protection laws and regulations are designed to protect consumers in financial transactions. Violations of such laws and regulations can result in harm to consumers where restitution is appropriate. Restitution can be voluntary or ordered. According to DCP officials, voluntary restitution occurs when an institution agrees to pay restitution immediately upon notification of a violation and before the conclusion of the examination. Ordered restitution occurs when the FDIC pursues an enforcement action to compel an institution to pay restitution. Section 8(b)(6)(A) of the FDI Act authorizes the FDIC to issue restitution orders.

Term: Truth in Lending Act Definition: Contained in Title I of the Consumer Credit Protection Act, the Truth in Lending Act requires meaningful disclosure of credit and leasing terms.

Term: Unfair or Deceptive Acts or Practices (UDAP) Definition: Section 5 of the Federal Trade Commission Act prohibits unfair or deceptive acts or practices in or affecting commerce. Such acts or practices are illegal; can cause significant financial injury to consumers; erode consumer confidence; and present significant credit and asset quality risk, undermining the financial soundness of banking organizations.

Term: Uniform Interagency Consumer Compliance Rating System (UICCRS) Definition: The UICCRS was approved by the Federal Financial Institutions Examination Council to reflect in a comprehensive and uniform fashion the nature and extent of an institution’s compliance with consumer protection and civil rights statutes and regulations. The rating system is based upon a scale of 1 through 5 in increasing order of supervisory concern. Thus, “1” represents the highest rating and consequently the lowest level of supervisory concern, while “5” represents the lowest, most critically deficient level of performance and, therefore, the highest degree of supervisory concern.

[End of section]

Appendix 3

Acronyms and Abbreviations

- BBR: Bank Board Resolution
- C&D Order: Cease and Desist Order
- CFPB: Consumer Financial Protection Bureau
- CMP: Civil Money Penalties
- CRA: Community Reinvestment Act
- CO: Consent Order
- CRC: Case Review Committee
- DCP: Division of Depositor and Consumer Protection
- DOJ: Department of Justice
- ECOA: Equal Credit Opportunity Act
- FDI Act: Federal Deposit Insurance Act
- FDIC: Federal Deposit Insurance Corporation
- FFIEC: Federal Financial Institutions Examination Council
- FHAct: Fair Housing Act
- FIAP Manual: Formal and Informal Action Procedures Manual
- FIAT: Formal and Informal Action Tracking System
- HMDA: Home Mortgage Disclosure Act
- HUD: Department of Housing and Urban Development
- KPMG: KPMG LLP
- MOU: Memorandum of Understanding
- NRE Manual: National Review Examiner Manual
- OIG: Office of Inspector General
- R3: Regional Report Repository
- RADD: Regional Automated Document Distribution and Imaging System
- RD: Regional Directors
- RESPA: Real Estate Settlement Procedures Act
- SOURCE: System of Uniform Reporting of Compliance and CRA Examinations
- TILA: Truth in Lending Act
- Treasury: Department of the Treasury
- UDAP: Unfair or Deceptive Acts or Practices
- UICCRS: Uniform Interagency Consumer Compliance Rating System
- ViSION: Virtual Supervisory Information On the Net

[End of section]

Appendix 4

Corporation Comments

[Letterhead, Federal Deposit Insurance Corporation, 550 17th Street NW, Washington, D.C. 20429-9990, Division of Depositor and Consumer Protection]

March 17, 2014

TO: Stephen M. Beard Deputy Inspector General for Audits and Evaluations

FROM: Mark Pearce /Signed/ Director

SUBJECT: Draft Audit Report Entitled: The FDIC's Actions to Address Consumer Protection Violations and Deficiencies (Assignment No. 2013-001)

The Division of Depositor and Consumer Protection (DCP) reviewed the above-titled audit, the first OIG audit related to DCP’s operation since FDIC created the Division in 2011. DCP concurs with the OIG findings that:

1. DCP’s actions to address consumer protection violations and deficiencies in FDIC-supervised institutions are generally aligned with applicable policies, procedures, and guidelines, and are generally handled consistently by DCP’s Regional Offices;
2. examination reports identified the specific violations, their nature and cause, and institutions’ responses;
3. examinations and visits are conducted in a timely manner; and
4. Civil Money Penalties, when issued, were well-supported including Legal opinions.

The audit report identifies four recommendations and one observation to enhance processes for addressing consumer protection violations and deficiencies identified during compliance examinations. DCP agrees with all of the recommendations in the audit report. The specific actions DCP will undertake to address each of the recommendations and the observation are described briefly below.

OIG Audit Recommendation 1: Emphasize to examination staff the importance of recording information in SOURCE regarding the basis for decisions on supervisory actions, including when supervisory actions are considered or recommended, but ultimately not taken.

DCP Response: Documentation of the consultation process is covered in the revised Consultation Policy and will be discussed at the Review Examiners Training Session in August 2014. While Review Examiners have primary responsibility for maintaining consultation records in SOURCE, DCP will distribute information about the expected documentation to all examination-related staff as an update to the National Review Examiner Manual which will be completed by September 30, 2014.

OIG Audit Recommendation 2: Review and update, as appropriate, current controls designed to ensure that relevant information about restitution is recorded in FIAT and develop formal definitions for voluntary and ordered restitution to ensure consistent tracking and reporting.

DCP Response: DCP will review current instructions on voluntary and ordered restitution and revise as needed. The revised definitions and usage of FIAT will be discussed at the Review Examiner Training Session in August 2014. In addition, the revisions will be distributed to all examination-related staff as an update to the National Review Examiner Manual which will be completed by September 30, 2014.

OIG Audit Recommendation 3: Reinforce to examiners DCP’s policy requirement to create records in SOURCE for matters requiring consultation.

DCP Response: Requirements for documenting consultations in SOURCE were updated in the recently released WO Consultation Policy and will be included in the Regional Consultation Policies discussed below. Again, the updated policies will be communicated to all examination-related staff through the Regional Consultation policies and the National Review Examiner Manual which will be completed by September 30, 2014.

OIG Audit Recommendation 4: Review and update, as appropriate, Regional Office consultation policies and procedures to ensure consistency.

DCP Response: A team including one Review Examiner from each region has been established to review all of the regional consultation policies and procedures. The team will develop recommendations to ensure that the policies are consistent regarding the types of issues that are included, time frames for processing, and protocols that are aligned with the WO policy. Any changes will also seek to preserve flexibility for unique regional organizational structures and areas of concern. The revised regional policies will be completed by June 30, 2014.

The OIG audit identified that the Atlanta Region did not have a formal regional consultation policy. Upon further discussion with the Atlanta Region, DCP identified that the Region’s consultation procedures are included in the region’s Standard Operating Procedures (SOP) manual, which is housed on an internal Sharepoint site and provided to each Field Office, Field Supervisor, and Review Examiner in the region.

OIG Audit Observation: DCP’s interpretation of the Uniform Interagency Consumer Compliance Rating System (UICCRS) allows more flexibility than the definitions provided in the UICCRS.

DCP Response: The OIG correctly notes that the FDIC’s Compliance Examination Manual provides for examiner judgment in assessing the appropriate compliance rating based on the factors and elements associated with each rating category. DCP agrees that the UICCRS could be improved to clarify this important point. Efforts were made on an interagency basis to update the ratings system in 2008; however, they were not completed. DCP will contact other agencies to determine if there is mutual interest in updating the UICCRS to address this point and other matters.

In conclusion, DCP appreciates the OIG team for its professionalism, regular communication, and analysis related to the subject audit. The findings, recommendations, and observations have provided constructive suggestions for enhancing DCP’s consumer protection program. In addition, your findings will be helpful as we begin work on the Division’s SOURCE Modernization Project which will, among other things, standardize documentation requirements and the ability to better integrate multiple systems to enhance tracking and reporting.

[End of section]

Appendix 5

Summary of the Corporation’s Corrective Actions

This table presents corrective actions taken or planned by the Corporation in response to the recommendations in the report and the status of the recommendations as of the date of report issuance.

Rec. No.: 1
Corrective Action (Taken or Planned): Documentation expectations in the revised national consultation policy will be discussed at the Review Examiners Training session in August 2014. In addition, DCP will distribute information regarding documentation expectations to all examination staff as an update to the NRE Manual.
Expected Completion Date: 9/30/2014
Monetary Benefits: N/A
Resolved (Yes or No) [a]: Yes
Open or Closed [b]: Open

Rec. No.: 2
Corrective Action (Taken or Planned): DCP will review current instructions on voluntary and ordered restitution and revise them as needed. In addition, the revised definitions and usage of FIAT will be discussed at the Review Examiner Training session in August 2014. Further, the revisions will be distributed to all examination staff as an update to the NRE Manual.
Expected Completion Date: 9/30/2014
Monetary Benefits: N/A
Resolved (Yes or No) [a]: Yes
Open or Closed [b]: Open

Rec. No.: 3
Corrective Action (Taken or Planned): Requirements for documenting consultations in SOURCE were updated in the revised national consultation policy and will be included in regional consultation policies as discussed in the corrective action for Recommendation 4. The updates will be communicated to all examination staff through planned updates to the regional consultation policies and the NRE Manual.
Expected Completion Date: 9/30/2014
Monetary Benefits: N/A
Resolved (Yes or No) [a]: Yes
Open or Closed [b]: Open

Rec. No.: 4
Corrective Action (Taken or Planned): A team including one Review Examiner from each region has been established to review all of the regional consultation policies and procedures. The team will develop recommendations to ensure that the policies are consistent regarding the types of issues that are included, time frames for processing, and protocols that are aligned with the national consultation policy.
Expected Completion Date: 6/30/2014
Monetary Benefits: N/A
Resolved (Yes or No) [a]: Yes
Open or Closed [b]: Open

[a] Resolved – (1) Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation. (2) Management does not concur with the recommendation, but alternative action meets the intent of the recommendation. (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

[b] Recommendations will be closed when (a) Corporate Management Control notifies the OIG that corrective actions are complete or (b) in the case of recommendations that the OIG determines to be particularly significant, when the OIG confirms that corrective actions have been completed and are responsive.

[End of table]

[End of section]

[End of report]
