Friday, April 27, 2012

A New Risk Measurement?

While the Federal Reserve, the FDIC, and the Office of the Comptroller all expect a financial institution to have in place a risk management program, commensurate with the size and complexity of the institution, to identify, measure, monitor, and control risk, the categories of risk to be included in a risk management program vary across agencies. All three agencies include credit risk, liquidity risk, price/market risk, transactional/operational risk, and compliance/legal risk. The Fed and the OCC include reputation risk, and the OCC also incorporates interest rate risk, strategic risk, and foreign exchange risk. In spite of the differences in categories of risk, the primary objective of the program is consistent across the agencies: to measure the institution’s potential risk of loss associated with its activities, given the level of mitigating factors implemented by the institution.

Enter the Consumer Financial Protection Bureau. The CFPB was established as a regulator of financial institutions to supervise banks, credit unions, and other financial companies and to enforce Federal consumer financial laws. However, its mission is to make markets for consumer financial products and services work for Americans, a somewhat different focus from the other regulatory agencies. The difference is further highlighted in the Risk Assessment process set forth in the CFPB Supervision and Examination Manual published in September 2011. This risk assessment evaluates the “risk to consumers,” defined as “the potential for consumers to suffer economic loss or other legally-cognizable injury as a result of a violation of Federal consumer financial law.”

The two risk assessments use the same methodology: both evaluate the inherent risk and analyze the effectiveness of the controls to arrive at a residual risk level or, in the case of the CFPB, an overall consumer risk level. But if one approach is focused on the risk to the financial institution and the other on the risk to the consumer, are the results comparable? In a case where an institution has a high level of residual compliance risk associated with a specific product, is there an equally high level of consumer risk?

Let’s look at a few examples. If an institution makes a significant number of real estate loans in a special flood hazard area, has a history of flood violations, and has weak controls, the residual risk to the institution is high. If a consumer obtains a real estate loan in a special flood hazard area and the institution fails to require flood insurance, the risk that the consumer may suffer a loss if the area floods is also high. In spite of the difference in focus, the residual risks appear comparable – when an institution is facing a high level of compliance risk, there is also a high level of consumer risk.

In our next example, consider an institution with a history of violations relating to transaction limitations for savings accounts under Regulation D. Given the prior violations and assuming weak controls, the residual risk to the institution is high. However, under the CFPB’s definition of consumer risk, does this violation have “the potential for consumers to suffer economic loss or other legally-cognizable injury as a result of a violation of Federal consumer financial law”? Because the institution’s failure to enforce these limitations allows the consumer to continue to maintain the account and continue to exceed the transaction limitations, there is no harm to the consumer.

Clearly, these two risk assessment approaches do not always yield comparable results. How, then, is the institution to identify, measure, monitor, and control consumer risk? Although the CFPB does not require institutions to implement its risk assessment methodology, it appears that institutions will need to add consumer risk and the CFPB’s methodology to their current risk management programs.

Another interesting difference in the CFPB’s risk assessment is the manner in which an institution’s inherent risk to consumers is mitigated or amplified by the strength or weakness of the controls. The CFPB provides a Risk Matrix similar to those developed to represent the traditional method, with inherent risk categorized as high, moderate, or low, and the quality of risk controls defined as strong, adequate, or weak.

However, under this new methodology, a high level of inherent risk cannot be mitigated to less than a moderate risk level, even with strong controls. A low risk area increases to moderate risk if the risk controls are weak. And, across every inherent risk level, implementing adequate controls will not reduce the residual risk below the inherent risk level.

To illustrate, let’s apply a typical point rating system to this risk assessment analysis. Using a one-to-three scale:

• High/Weak = 3 points
• Moderate/Adequate = 2 points
• Low/Strong = 1 point

Based on the total point structure, the overall risk categories are defined as:

• High Risk = 7 to 9 points
• Moderate Risk = 4 to 6 points
• Low Risk = 1 to 3 points

The resulting risk matrix, using the traditional risk assessment methodology, is:


Whereas, under the CFPB’s new risk assessment methodology, the “amplified by” approach produces a very different matrix:


As you can see from this illustration, implementing strong controls will result in a decreased residual risk; however, adequate controls will never reduce the residual risk level below the inherent level. How long before an examiner tells you that adequate controls are no longer good enough?
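The two scoring approaches described above can be compared cell by cell. The following is an added example, not part of the original post or the CFPB manual. It assumes the traditional total is inherent points multiplied by control points (implied by the 1-to-9 range), and it models the CFPB approach as a one-level shift (strong controls lower the level, weak controls raise it, adequate controls leave it unchanged); the moderate row under that model is an assumption, since the post states only the high, low, and adequate cases.

```python
# Added illustration: scoring rules are assumptions drawn from the post's text.
LEVELS = ["Low", "Moderate", "High"]        # inherent risk: 1, 2, 3 points
CONTROLS = ["Strong", "Adequate", "Weak"]   # control quality: 1, 2, 3 points


def band(points):
    """Map a total score to the post's overall risk categories."""
    if points >= 7:
        return "High"
    if points >= 4:
        return "Moderate"
    return "Low"


def traditional(inherent, control):
    """Assumed traditional method: multiply the two ratings, then band."""
    score = (LEVELS.index(inherent) + 1) * (CONTROLS.index(control) + 1)
    return band(score)


def cfpb(inherent, control):
    """Assumed CFPB model: controls shift the inherent level by one step."""
    shift = CONTROLS.index(control) - 1      # Strong -1, Adequate 0, Weak +1
    idx = min(max(LEVELS.index(inherent) + shift, 0), len(LEVELS) - 1)
    return LEVELS[idx]


def divergent_cells():
    """Return (inherent, control, traditional, cfpb) where the methods differ."""
    cells = []
    for inherent in reversed(LEVELS):
        for control in CONTROLS:
            t, c = traditional(inherent, control), cfpb(inherent, control)
            if t != c:
                cells.append((inherent, control, t, c))
    return cells


if __name__ == "__main__":
    print(f"{'Inherent':<10}{'Controls':<10}{'Traditional':<13}CFPB")
    for inherent in reversed(LEVELS):
        for control in CONTROLS:
            print(f"{inherent:<10}{control:<10}"
                  f"{traditional(inherent, control):<13}{cfpb(inherent, control)}")
```

Under these assumptions the methods disagree in four of the nine cells, and in each of them the CFPB result is one level higher than the traditional result.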

Will your Risk Management Program withstand this new focus?
