New for Compliance Teams: BSA/AML Self-Assessment Tool and Consumer Compliance Rating System

The CSBS and a group of state BSA/AML subject-matter experts developed the BSA/AML Self-Assessment Tool to be used at the discretion of a financial institution to help in the BSA/AML risk assessment process. It is flexible and intended to be adapted to each institution’s circumstances and risk profile. The tool is not a replacement for other aspects of an institution’s BSA/AML risk management program, but is an optional supplement to that program. The goal is for the Assessment Tool to help institutions more effectively assess and internally manage their BSA/AML risks and thus reduce some of the regulatory burden associated with BSA/AML risk management.

This assessment tool is available for use by any institution and is strictly voluntary. It is available at

If you have questions, comments, or feedback about the assessment tool, please email

What is the Consumer Compliance Rating System?

The Consumer Compliance Rating System (CCRS) is an interagency framework developed by FFIEC member agencies for evaluating an institution’s ability to manage consumer compliance risk and to prevent harm to consumers. NCUA integrates the current rating system into its existing CAMEL structure.

In November 2016, the FFIEC agencies finalized changes to the current 36-year-old rating system to bring it more in line with existing consumer compliance approaches and the examination focus toward risk. The revisions to FFIEC’s existing guidance have an effective date of March 31, 2017.

Essentially, the CCRS is a supervisory policy for evaluating a financial institution’s adherence to consumer compliance requirements. It emphasizes the importance of an institution’s compliance management system (CMS). Particularly the institution’s compliance risk management practices that are in place to manage consumer compliance risk, support compliance, and prevent consumer harm.

Why should credit unions care? Under the new system NCUA examiners will assess a credit union’s ability to effectively manage its compliance risk. A credit union is expected to proactively prevent, self-identify, and should self-correct compliance issues. A credit union’s ability to do so will be reflected in the “Management” component rating and the overall CAMEL rating used by NCUA.

What about credit unions with assets over $10 billion? The CFPB will also use the CCRS, as appropriate, to assign a consumer compliance rating. The interagency final guidance was clear that a credit union with over $10 billion in assets may receive a consumer compliance rating by both NCUA and the CFPB. The rating will be based on the CFPB’s review of the credit union’s CMS and compliance with the federal consumer financial protection laws falling under each regulator’s jurisdiction. NCUA will take into consideration any material supervisory information provided by the CFPB. Similarly, the CFPB will take into consideration any material supervisory information provided by NCUA in appropriate situations.

What about state-chartered credit unions? As state regulators maintain supervisory authority over state-chartered credit unions, state regulators may also assign consumer compliance ratings to evaluate compliance with both state and federal laws and regulations. If the credit union has over $10 billion in assets, then it may receive a consumer compliance rating from its state regulator and the CFPB.

What are the main components of the CCRS framework? Well, first there are four principles of the CCRS that serve as its foundation:

  • Risk-based. The CCRS is risk-based. The focus is more on the sufficiency of the CMS. An effective CMS varies and is based on the size, complexity, and risk profile of the credit union.
  • Transparent. The CCRS is transparent and provides clear distinctions between rating categories to support consistent application by regulators across supervised financial institutions. The rating should reflect the scope of the review that formed the basis of the overall rating.
  • Actionable. The CCRS identifies areas of strength and directs appropriate attention to specific areas of weakness. It conveys the examiner’s assessment of the effectiveness of the credit union’s CMS, including its ability to prevent consumer harm and ensure compliance with consumer protection laws and regulations.
  • Incent Compliance. The CCRS is a tool to encourage the credit union to establish an effective CMS across the institution, to self-identify risk, and to take the necessary actions to reduce the risk of non-compliance and consumer harm.

The CCRS focuses on three Board categories within a credit union:

  • Board and Management Oversight
  • Compliance Program
  • Violations of Law and Consumer Harm

Each category has assessment factors and performance expectations. The first two areas (Board/Management Oversight and Compliance Program) are used to assess the effectiveness of the credit union’s compliance management system to prevent consumer violations and harm. The first two categories also apply to third party relationships. Both the NCUA (LCU 07-CU-13) and CFPB (Bulletin 2012-03) have issued guidance detailing expectations of third-party relationships. The third area of review (Violations of Law/Consumer Harm) assesses and evaluates the root cause of the problem; the severity of the problem, the duration, and frequency/commonness of the problem and evaluates violations and harm that have occurred.

The final interagency guidance indicated that the revisions to the CCRS were not developed to set new or higher supervisory expectations. We anticipate that NCUA will release additional guidance about the revisions to the CCRS and its integration into the “M” component in CAMEL prior to the March 31, 2017 effective date.

The final guidance provided details and described standards and expectations for each of the three rating categories (link provided below). It should shed some light on performance expectations until the additional guidance is released. While there are numerical factors on a scale of 1 to 5, in increasing order of supervisory concern, supplementary information to the final guidance indicated that a specific numeric rating won’t be assigned for each assessment factor. Therefore, the relative importance of each category or assessment factor is not a one size fits all approach; accomplishing an effective CMS may differ based on the size, complexity, and risk profile of the individual institution.

The chart in the Federal Register can be viewed here (see page 79480).

Source: CUNA Compliance Blog

Compliance Question of the Week

When advertising a loan product, if I want to disclose the APR, what else am I required to disclose?

If your loan product is open end, when you disclose the APR you must also disclose any minimum, fixed, transaction, activity or similar charge that could be imposed, if the rate is variable you must disclose that fact, and any membership or participation fee that could be imposed.

If your loan product is closed end, disclosing the APR is not a trigger term so you do not have to disclose anything else but you do have to use the term “APR” or “annual percentage rate.” However, if the rate can increase after consummation, this must be stated.

For helpful advertising checklists, please visit the Association’s InfoSight page.

Related Links:

Legal Briefs

National Credit Union Administration (NCUA)

The NCUA issued a press release detailing the various resources available for consumers to learn about savings during America Saves Week and Military Saves Week.

The February issue of the NCUA Report is now available. The NCUA also announced that moving forward, the NCUA Report will be published quarterly as opposed to monthly.

The NCUA announced that the Q&A regarding the Corporate Resolution program costs and projected future Temporary Corporate Credit Union Stabilization Fund assessments have been updated.

The NCUA Board voted to extend the federal credit union rate cap of 18 percent through September 10, 2018.

The NCUA announced that it will be hosting a consumer compliance webinar on February 28 that will address the upcoming HMDA changes as well as the Equal Credit Opportunity Act. Credit unions that wish to watch the webinar can register here.

Federal Reserve Board (FRB)

The February issue of FedFlash is now available.

The FRB updated its report of Minority-Owned Depository Institutions.

The FRB released minutes from its February 10, 2017 Federal Advisory Council meeting.

The FRB released minutes from the January 31 – February 1, 2017 Federal Open Market Committee meeting.

The FRB announced its annual adjustment to the asset-size threshold that determined the dividend rate of certain member banks earn on their FRB stock. The updated total consolidated asset threshold is $10,122,000,000.

The FRB issued Supervision and Regulation Letter SR 17-3, explaining the initial examinations for compliance with minimum variation margin requirements for non-cleared swaps and non-cleared security based swaps.

Federal Housing Finance Agency (FHFA)

The FHFA announced that U.S. house prices rose 1.5% in the fourth quarter of 2016, according to its House Price Index. Oregon and Washington were in the top five states in annual appreciation.

Department of Defense (DoD)

The DoD announced that its MLA Multiple Record Requests system had issues that prevents 149 requests from processing. The DoD is asking institutions that submitted multiple record requests between February 9, 2017 and February 15, 2017 to submit their files again for processing.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of February 23, 2017. The last update prior to this was February 16, 2017.

Questions? Contact the Compliance Hotline: 1.800.546.4465,

Posted in Compliance News, Compliance News.