Background and Purpose of Audit The FDIC is responsible for evaluating financial institution compliance with consumer protection laws and regulations. To evaluate compliance, the FDIC conducts examinations of institutions’ compliance practices. In June 2003, the FDIC’s Division of Supervision and Consumer Protection (DSC) revised its program for examining institutional compliance with consumer protection laws and regulations. Under the new program, DSC compliance examinations combine a risk-based examination process with an in-depth evaluation of an institution’s compliance management system, resulting in a top-down, risk-focused approach to examinations. The overall audit objective was to determine whether DSC’s risk-focused compliance examination program results in examinations that are adequately planned and effective in assessing financial institution compliance with consumer protection laws and regulations.

Results of Audit We found that DSC examiners generally complied with the policies and procedures related to risk-scoping compliance examinations and that the Risk Profile and Scoping Memorandums prepared by examiners provided an adequate basis for planned examination coverage. The examiners reviewed bank policies, procedures, disclosures, and forms for compliance with consumer protection laws and regulations for each examination we reviewed and planned for transaction testing or spot checks in all compliance areas over the course of two consecutive examinations – a period of 2 to 6 years, depending on an institution’s size and ratings. Additionally, examiners conducted transaction testing or spot checks in those areas for which violations had been found at previous compliance examinations. However, we found that examination documentation did not always show the transaction testing or spot checks conducted during the on-site portion of the examinations, including testing to ensure the reliability of the institutions’ compliance review functions. Examiners also did not always document whether the examination reviewed all the compliance areas in the planned scope of review. As a result, DSC cannot assure that the extent of testing was appropriate except for those areas in which examiners had identified violations and included them in Reports of Examination. Recommendation and Management Response We recommended that DSC clarify and reinforce requirements that examiners adequately document the scope of the work performed, including transaction testing and spot checks of the reliability of the institutions’ compliance review functions, during the on-site portions of compliance examinations. FDIC management agreed with the recommendation and has taken corrective action. Consumer Protection Laws and Regulations Lending Specialty Truth in Lending Equal Credit Opportunity Act Flood Insurance Real Estate Settlement Procedures Act Fair Credit Reporting Credit Practices Rule Fair Housing Act Homeownership Counseling Homeowners Protection Act Home Mortgage Disclosure Act Preservation of Consumer Claims and Defenses Consumer Leasing Community Reinvestment Act Technical Requirements Advertising of Membership Branch Closings Right to Financial Privacy Privacy of Consumer Financial Information Non-Deposit Products Electronic Banking Fair Debt Collection Practices Interstate Banking & Branching Efficiency Act Children’s Online Privacy Protection Act Deposit         Electronic Funds Transfer         Truth in Savings         Expedited Funds Availability         Interest on Deposits Source: DSC Compliance Examination Manual. [ D ]

TABLE OF CONTENTS

This report presents the results of our audit of the Federal Deposit Insurance Corporation (FDIC) Division of Supervision and Consumer Protection’s (DSC) process for risk-focused compliance examinations of FDIC-supervised institutions. The overall audit objective was to determine whether DSC’s risk-focused compliance examination process results in examinations that are adequately planned and effective in assessing financial institution compliance with consumer protection laws and regulations. Specifically, we determined whether DSC examiners are adequately risk-scoping compliance examinations, conducting appropriate levels of transaction testing, and making sound risk-scoping decisions in relying on the work of the financial institutions’ internal or external compliance review functions. Appendix I of this report discusses our objective, scope, and methodology in detail.

BACKGROUND

The FDIC is responsible for evaluating FDIC-supervised financial institutions’ compliance with federal consumer protection laws and regulations, including institutional performance under the Community Reinvestment Act (CRA). To evaluate compliance, the FDIC conducts examinations of institutional practices regarding fair lending, privacy, and other consumer protection laws. During the compliance examination, examiners must ensure that institutions have adequately addressed all areas related to the rules and regulations listed in Table 1 on the following page.

Table 1: Consumer Protection Laws and Regulations

Lending	Specialty
Truth in Lending Equal Credit Opportunity Act Flood Insurance Real Estate Settlement Procedures Act Fair Credit Reporting Credit Practices Rule Fair Housing Act Homeownership Counseling Homeowners Protection Act Home Mortgage Disclosure Act Preservation of Consumer Claims and Defenses Consumer Leasing	Community Reinvestment Act Technical Requirements Advertising of Membership Branch Closings Right to Financial Privacy Privacy of Consumer Financial Information Non-Deposit Products Electronic Banking Fair Debt Collection Practices Interstate Banking & Branching Efficiency Act Children’s Online Privacy Protection Act
Deposit
Electronic Funds Transfer         Truth in Savings         Expedited Funds Availability         Interest on Deposits

Source: DSC Compliance Examination Manual.

[ D ]

Noncompliance with these laws and regulations by financial institutions can result in civil liability and negative publicity as well as the FDIC’s imposition of formal or informal supervisory corrective actions to correct the identified violations. Some consumer protection laws and regulations require financial institutions to provide consumers with information intended to help in making informed decisions about financial services and products. As part of the compliance examination process, the FDIC reviews the information and disclosures that are provided to consumers by FDIC-supervised institutions in accordance with consumer protection laws and regulations. Also, DSC considers an institution's compliance with fair lending, privacy, and other consumer protection laws and its performance under the CRA when reviewing an institution's application for entry into or expansion within the insured depository institution system. During the 2-year period from July 1, 2003 through June 30, 2005, DSC conducted 4,153 compliance and CRA examinations.

In June 2003, DSC revised its program for examining institutions for compliance with consumer protection laws and regulations. Under the Revised Compliance Examination Procedures (Transmittal No. 2003-021, dated June 6, 2003), DSC compliance examinations combined a risk-based examination process with an in-depth evaluation of an institution’s compliance management system (CMS),^{[ 1 ]} resulting in a top-down, risk-focused approach to examinations. The risk-focused approach is intended to make the examination process more effective and efficient and reduce the examination burden on banks. The risk-focused approach also helps examiners in determining the depth of review of each functional area and improves the consistency of analysis across regional and field offices. The risk-focused approach recognizes that the banking industry’s compliance responsibilities continue to grow and become more complex with changes in financial products and services. Moreover, the focus on an institution’s compliance program places emphasis on the institution’s responsibility to ensure it complies with consumer protection laws.

Effective June 30, 2004, DSC made additional modifications to the examination procedures as they relate to the contents of the Report of Examination and the risk-focused planning documents – the Risk Profile and Scope Memorandum (RPSM) and the Compliance Information and Document Request (CIDR). Appendix II provides a detailed description of these modifications.

Compliance examinations are conducted every 12 to 36 months, depending on an institution’s size and the compliance and CRA ratings assigned at the most recent examination.^{[ 2 ]} Each compliance regulation and law is not reviewed at every compliance examination. If no transaction testing in a particular regulatory area has been conducted in the previous examination, a spot check should be conducted at the current examination, even if there are no risk indicators.^{[ 3 ]} For reporting purposes, the risk-focused examination approach combines the results of the CRA evaluation and the compliance examination into one report when CRA performance is evaluated at alternate examinations. The single report focuses on an institution’s CMS and includes only significant violations. (Appendix III provides the significant violations found during the compliance examinations for the banks in our sample.) Examiners identify other violations separately to bank management, and they are tracked by the FDIC.

RESULTS OF AUDIT

We found that DSC examiners generally complied with the policies and procedures related to risk-scoping compliance examinations and that the RPSMs prepared by examiners provided an adequate basis for planned examination coverage. The examiners reviewed bank policies, procedures, disclosures, and forms for compliance with consumer protection laws and regulations for each examination we reviewed and planned for transaction testing or spot checks in all compliance areas over the course of two consecutive examinations – a period of 2 to 6 years, depending on an institution’s size and ratings.

However, we found that examination documentation did not always show the transaction testing or spot checks conducted during the on-site portion of the examinations, including testing to ensure the reliability of the institutions’ compliance review functions. Also, examiners did not always document whether the examination had reviewed all the compliance areas in the planned scope of review. As a result, DSC cannot assure that the extent of testing was appropriate except for those areas in which examiners had identified violations and included them in Reports of Examination. Table 2 on the next page shows the components of a risk-focused compliance examination and our related audit results.

DOCUMENTATION OF ON-SITE TESTING PERFORMED DURING COMPLIANCE EXAMINATIONS

Examiners did not adequately document the scope of the work performed during the on-site portion of the compliance examinations. Specifically, for the examinations we reviewed, examination workpapers did not always contain sufficient information to identify examiner transaction testing or spot checks conducted during the on-site portion of examinations or whether the examination reviewed all areas in the planned scope of review. Documentation is lacking because examiners did not comply with DSC policy that requires they document their work. As a result, DSC cannot assure that the extent of testing was appropriate for assessing institutional compliance with regulations except for those areas in which examiners had identified violations and included them in Reports of Examination.

Documenting Compliance Examination Findings and Transaction Testing

DSC’s June 2003 DSC’s June 2003 Revised Compliance Examination (Transmittal No. 2003-021, dated June 6, 2003) section entitled, Documenting Examination Findings, states that examination documentation should demonstrate a clear trail of decisions and supporting logic within a specified area. Documentation should provide a written record of the examiner’s decisions and analysis and provide support for facts or opinions in the Report of Examination. A well-constructed examination documentation file provides sufficient information to reconstruct the examiner’s decision process for each step of the examination. The information should provide support for the examiner’s decision to include or exclude a regulation or area of review from the scope of the examination and for significant findings. Additionally, examiners should conduct on-site transaction testing for the operational areas included in the scope of the review.^{[ 4 ]} The number of transactions and the particular regulatory requirements to be reviewed should be carefully tailored to weaknesses identified in the CMS as it relates to specific operational areas. In addition, the revised procedures instruct examiners to prepare an examiner summary workpaper for each regulation or area reviewed. This summary, in conjunction with the RPSM, should allow subsequent examiners to clearly identify the scope of work performed and the basis for the examiner’s conclusion.

DSC’s Compliance Examination Manual, Appendix H, entitled, Sampling Guidelines for Compliance and CRA, instructs examiners to use judgment in determining the number of loans to be reviewed, depending upon specific circumstances. In addition, not all loan types or characteristics must be sampled at each examination; however, “emphasis should be placed on those types of loans that evidenced concerns in the past and those that could result in reimbursable violations.” The policy also states that (1) statistical sampling is the preferred method and should be used to the greatest extent possible; (2) the examiner should clearly document in the workpapers the sampling method utilized, loan universe and sample size(s), and sampling results; and (3) examiners should select independent loan samples for the compliance, CRA, and fair lending portions of the examination.

In June 2004, DSC issued Updated Compliance Examination Procedures, Transmittal No. 2004 032, effective June 30, 2004. According to the June 2004 procedures, the RPSM will be used solely for pre-examination planning. Examiners should no longer update the RPSM to reflect changes in the examination scope or to duplicate findings contained in the Report of Examination. However, examination workpapers need to reflect any material changes in scope and the support for those changes. Material increases or reductions in the examination scope must also be noted in examination workpapers.

Documenting Reviews of Institutions’ Compliance Review Functions

The Updated Compliance Examination Procedures require examiners to conduct documentation reviews and to interview management regarding the assessment of a bank’s compliance review functions. The procedures provide a list of questions for the interview and a list of documents that should be reviewed. Based on the interviews and materials reviewed, examiners are to develop and document a preliminary assessment of the institution’s performance related to compliance reviews and determine whether the institution’s compliance review function is generally strong, adequate, or weak and the assumptions on which the assessment is based. This determination is initially made off-site by an examiner and is based on the examiner’s assessment of the scope and frequency of the institution’s compliance reviews, the adequacy of written compliance reports, board of director and senior management responses to those reports, and the institution’s follow-up procedures to verify that the corrective actions were lasting and effective. In addition, the section of the Compliance Examination Manual entitled, Transaction Sampling and Testing, states that depending on the importance of a component, the examiner may find it appropriate to spot check a few transactions to show support for a favorable conclusion by the compliance review function. If no transaction testing in a particular regulatory area has been done in the previous examination, then spot checks should be done at the current examination, even if there are no risk indicators. If testing is not considered necessary to support conclusions about an element of the CMS or with respect to a particular operational area, examiners should retain appropriate documentation in the workpapers and include comments in the RPSM and/or the compliance examination report to support this conclusion.

Examiner Documentation of On-site Transaction Testing and Spot Checks

Our review of compliance examination workpapers showed that for 20 of the 36 examinations we reviewed, examiners had not documented the extent of transaction testing or spot checks they performed during the on-site portion of the examination. Some of the Reports of Examination contained comments related to the transaction testing and spot checks conducted. However, the comments related only to areas of violations identified during the examination and did not address the entire scope of the examination. As a result, we could not determine whether all areas included in the planned examination scope had been reviewed or to what extent examiners tested or spot checked transactions unless examiners had identified violations in compliance areas in the Report of Examination.

As a result of the lack of documentation to support on-site transaction testing and spot checks conducted during compliance examinations, DSC cannot assure that the extent of testing was appropriate except for those areas in which examiners identified violations and included them in Reports of Examination. In addition, the lack of examination documentation can affect subsequent examinations in that it will be more difficult for examiners to decide the appropriate scope of those examinations. DSC management plans to reassess the revised compliance examination procedures in relation to using the RPSM solely for pre-examination planning.

RECOMMENDATION

We recommend that the Director, DSC, clarify and reinforce requirements that examiners adequately document the scope of the work performed, including transaction testing and spot checks of the reliability of the institutions’ compliance review functions, during the on-site portion of compliance examinations.

CORPORATION COMMENTS AND OIG EVALUATION

On September 16, 2005, the Acting Director, DSC, provided a written response to the draft report. The response is presented in Appendix IV of this report. We did not include the attachments to DSC’s response in Appendix IV, which were excerpts from Regional Director Memorandum No. 2005-035, DSC’s June 2003 Revised Compliance Examination, dated August 18, 2005. DSC concurred with the recommendation, stating that guidance had been issued related to:

• documenting changes in the scope of an examination,
• documenting spot checks of regulations,
• providing cross checks to additional information available in Examiner Summaries, and
• providing descriptions of examination procedures used to conduct the examination.

This guidance was distributed to all DSC staff on August 31, 2005.

OIG Evaluation: We determined that the agreed-to corrective action has been completed and is effective. This recommendation is resolved, dispositioned, and closed.

Appendix V contains a summary of management’s response to the recommendation and the status of the recommendation as of the date of this report.

Objective

The overall objective of this audit was to determine whether DSC’s risk-focused compliance examination process results in examinations that are adequately planned and effective in assessing financial institution compliance with consumer protection laws and regulations. Specifically, we determined whether DSC examiners are adequately risk-scoping compliance examinations and conducting appropriate levels of transaction testing and making sound risk-scoping decisions when relying on the work of the financial institutions’ internal or external compliance review functions. We performed our audit from October 2004 through August 2005 in accordance with generally accepted government auditing standards.

Scope and Methodology

The scope of the audit was limited to a review of banks examined under the revised DSC risk-focused compliance examination policies and procedures in the Revised Compliance Examination Procedure, dated June 30, 2004. To accomplish our objective, we reviewed the most current and the prior compliance examination reports and corresponding examination workpaper files, policies, and procedures related to the compliance review function, prior OIG audit reports and DSC Internal Review reports, laws and regulations, and management tracking reports for each examination. We also interviewed DSC management officials and staff at FDIC headquarters and three regional offices.

The judgmental sample included 36 FDIC-supervised banks for which compliance examinations had been conducted from August 2003 through November 2004 at 3 FDIC regional offices. Our sample included 14 “1” rated banks, 14 “2” rated banks and 8 “3” rated banks.^{[ 5 ]} The asset sizes of the banks ranged from $8.5 million to $1.2 billion. The compliance examinations in our sample resulted in 11 banks whose compliance ratings were downgraded, 7 banks whose ratings were upgraded, and 18 banks whose ratings remained the same. Of the 36 banks, 8 had corrective supervisory actions imposed on them as a result of the compliance examinations: 2 banks were issued Memorandums of Understanding, and 6 banks were encouraged to adopt Bank Board Resolutions. ^{[ 6 ]} The eight banks had a compliance examination rating of “3.”

Pertinent Laws and Regulations

Compliance examinations are the primary means the FDIC uses to determine whether a financial institution is meeting its responsibilities to comply with the requirements of federal consumer laws and regulations. DSC has established policies and procedures for risk-focused compliance examinations in the FDIC Compliance Examination Manual. For the banks in our sample, the procedures generally were followed, although examination workpapers did not always contain sufficient information to identify examiner transaction testing or spot checks conducted during the on-site portion of examinations or whether the examination reviewed all areas in the planned scope of review. Our review did not find any instances of FDIC noncompliance with pertinent laws and regulations.

Reliance on Computer-based Data, Government Performance and Results Act, Fraud and Illegal Acts, and Internal Control

Validity and Reliability of Data from Computer-based Systems

We used computer-based data for background information and in generating a universe of examinations from which to select our sample. We reviewed examination records that supported data from the DSC System of Uniform Reporting of Compliance and CRA Examinations (SOURCE)^{[ 7 ]} and the Scheduling, Hours, and Reporting Package (SHARP)^{[ 8 ]} reporting systems to determine the accuracy of data used during the audit. The SOURCE system is used to: (a) generate examination schedules that support workload projections by incorporating quarterly planning and benchmark hours, (b) capture examination summary information, (c) store examination documents for divisional sharing and historical reference, and (d) support legislatively mandated reporting. The SHARP system is an hours-based tracking system that provides uniformity in collecting examination hours information. Based on our review, we found that the SHARP system does not provide detailed information on work conducted by examiners. Also, the SHARP system does not have time codes for all of the regulations reviewed during compliance examinations. According to our discussions with DSC staff, SHARP is not used to track or monitor examination coverage of regulations – the system is more useful for field office management.

Performance Measures

In fulfilling its primary supervisory responsibilities, the FDIC pursues two strategic goals: FDIC-supervised institutions are safe and sound and consumers’ rights are protected, and FDIC-supervised institutions invest in their communities.^{[ 9 ]}

Two strategic objectives support the consumer rights strategic goals. The first strategic objective is that consumers have access to easily understood information about their rights and the disclosures due them under consumer protection and fair lending laws. The FDIC’s annual performance goals related to this objective are:

• Provide effective outreach and technical assistance on topics related to the CRA, fair lending, and community development.
• Meet the statutory mandate to investigate and respond to consumer complaints about FDIC-supervised financial institutions.

The second strategic objective is that FDIC-supervised institutions comply with consumer protection, CRA, and fair lending laws. The FDIC’s annual performance goals related to this objective are:

• Conduct CRA and compliance examinations in accordance with the FDIC’s examination frequency policy.
• Take prompt and effective supervisory action to monitor and address problems identified during compliance examinations of FDIC-supervised institutions that receive a “4” or “5” rating for compliance with consumer protection and fair lending laws.

None of the strategic goals, strategic objectives, or performance goals related directly to the objectives of our audit.

Fraud and Illegal Acts

Our audit program did include steps for providing reasonable assurance of detecting fraud or illegal acts. We did not identify any illegal acts or abuse or potential areas susceptible to illegal acts or abuse.

Internal Controls Reviewed

During the audit, we gained an understanding of relevant control activities related to compliance examinations by examining DSC policies and procedures as presented in the DSC’s Compliance Examination Manual and Regional Directors Memoranda. We identified DSC’s internal controls related to the risk-focused examination process for compliance examinations. Specifically, we reviewed the systems used for measuring, monitoring, and reporting program performance; compliance with laws, regulations, policies, and procedures; and the reliability of computer-based data. We also reviewed the results of DSC Internal Control Reviews related to compliance examinations. We identified documentation weaknesses related to the on-site portion of compliance examinations as discussed in the finding section of this report.

Summary of Prior Audit Coverage

On March 26, 2002, the OIG issued Audit Report 02-009, Division of Compliance and Consumer Affairs’ Risk-Scoping Process for Fair Lending Examinations, on the fair lending examination risk-scoping process as conducted by the Division of Compliance and Consumer Affairs.^{[ 10 ]} The objective of the audit was to assess: (1) the adequacy of the Federal Financial Institutions Examination Council (FFIEC) Interagency Fair Lending Examination Procedures for the FDIC’s pre-examination planning for fair lending examinations of small banks, (2) the FDIC’s implementation of the FFIEC interagency procedures as they relate to identifying fair lending risks during the off-site pre-examination planning phase of the fair lending reviews, and (3) the related DCA internal controls. The 2002 audit focused on the FDIC’s application of the FFIEC Interagency Fair Lending Procedures and did not directly relate to the scope of our audit.

Effective June 30, 2003, DSC implemented revised procedures to enhance the FDIC's compliance examination process by focusing increased attention on an institution’s compliance management system. As noted in the DSC Memorandum entitled, Revised Compliance Examination Procedures, Transmittal No. 2003-021, dated June 6, 2003, the revised procedures combined the risk-based examination process with an in-depth evaluation of an institution’s CMS. Examiners were required to evaluate how well an institution’s compliance responsibilities are administered and managed, consistent with the level and complexity of its operations. The purpose of this approach was to allow examiners to devote more attention to those institutions requiring additional supervisory attention to help improve weak compliance functions and reduce the risks of future noncompliance. The new procedures did not change existing fair lending examination procedures or CRA performance evaluations. According to the revised procedures, all financial institutions would benefit from a comprehensive assessment of compliance management systems. The examiner’s identification of root causes of compliance management deficiencies and regulatory violations would serve as a blueprint for helping institution management improve its operations. Moreover, the revised compliance examination procedures would elevate the importance of comprehensive compliance risk management by institutions of all sizes.

Effective June 30, 2004, DSC updated the compliance examination procedures. As noted in the DSC Memorandum entitled, Updated Compliance Examination Procedures, Transmittal No. 2004-032, dated June 30, 2004, modifications to the examination procedures were centered in three distinct components of the compliance examination program: Report of Examination comments, the RPSM, and the CIDR.

• The Report of Examination changes included guidance to: (a) reduce examination scope comments, (b) consolidate examiner recommendations and management’s commitment to corrective action, (c) consolidate the summary assessment of compliance management, and (d) omit the Supervisory Comments page in most instances.
• The RPSM requirements were changed to ensure that the RPSM would be used solely for pre-examination planning. Upon completion of the RPSM, the Examiner-in Charge is required to submit it to the Field Supervisor for review and approval. Once the RPSM is approved by the Field Supervisor, examiners no longer need to update the RPSM to reflect changes in examination scope or to duplicate findings contained in the Report of Examination.
• To better tailor the CIDR to the unique circumstances of each institution, the following approaches were made available for examiners when requesting information from banks. For compliance examinations of large, complex banking organizations, examiners should use the existing CIDR. For compliance examinations of smaller, less complex institutions, examiners should use the “Interview Sheet” and a revised Compliance Information and Documentation Request (CIDR II) to simplify the information-gathering process by removing tables and separating information requests from document requests.

Significant violations found during the compliance examinations for the 36 banks in our sample are identified below. Significant violations are defined as deficiencies that may adversely impact the financial institution. We found that 75.6 percent of the total significant violations related to seven regulations: Truth in Lending, Equal Credit Opportunity, Real Estate Settlement Procedures Act, Truth in Savings, Home Mortgage Disclosure Act, Flood Insurance, and Expedited Funds Availability. The scope of this audit did not include a detailed review of the significant violations; however, we plan to include an audit of supervisory actions taken for compliance-related violations in our Fiscal Year 2006 Assignment Plan.

[ D ]

[ D ]

This table presents the management response on the recommendation in our report and the status of the recommendation as of the date of report issuance.

	Corrective Action for Recommendation: Taken or Planned/Status		Completion Date		Monetary Benefits		Resolved: [ a ] Yes or No		Dispositioned: [ b ] Yes or No		Open or Closed [ c ]
	DSC concurred with the recommendation. DSC clarified and reinforced requirements that examiners adequately document the scope of the work performed, including transaction testing and spot checks of the reliability of the institutions’ compliance review functions, during the on-site portion of compliance examinations. This clarification was provided in a written memorandum entitled, Revised Compliance Examination Procedures, which was issued to all DSC personnel.		August 31, 2005		None		Yes		Yes		Closed

^b Dispositioned – The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the recommendation.

^c Once the OIG dispositions the recommendation, it can then be closed.