I. INTRODUCTION
The Consumer Financial Protection Bureau (CFPB) Supervision and Examination Manual provides a thorough risk assessment template that should be useful to banks of all sizes. The document takes banks through the steps of evaluating inherent “risks to consumers” of a particular business line or of the business entity as a whole, as well as the “quality of controls implemented by the entity to manage and mitigate those risks.”
“Risk to Consumers” for the purpose of the CFPB risk assessment is the potential for consumers to suffer economic loss or other legally cognizable injury as a result of a violation of Federal consumer financial law.
Inherent risk includes factors that increase the potential for unfair, deceptive or abusive acts or practices, for discrimination, or for violations of other Federal consumer financial laws. It also includes factors that increase the compliance management challenges of a business and thereby increase the risk of such violations. The quality of risk controls includes factors related to both managing and mitigating specific inherent risks as well as the strength of an entity’s overall system of compliance management.
The questions and considerations in the template may be used to conduct risk assessments of individual lines of business, supervised entities as a whole, and groups of affiliated entities when feasible and applicable. Assessments of individual lines of business and large complex entities may be considered together to reach conclusions about the entity as a whole.
The CFPB’s Risk Assessment template provides prompts to help uncover bank products and practices that may potentially be deemed unfair, deceptive, or abusive, an area in which all regulators are placing increased emphasis.
The risk assessment is not a determination of whether a violation of law exists.
II. USING THE RISK ASSESSMENT TEMPLATE
The template provides a series of factors that bear on inherent risk and relevant risk controls. Examiners conducting the assessment will rate each relevant factor (low, moderate, or high inherent risk; strong, adequate, or weak risk controls and mitigation), and comment briefly on the basis for each rating and issues to consider during the examination. The factor ratings, taken as a whole, result in the Risk Summary, which is a conclusion about whether the overall risk to consumers is low, moderate or high. The Risk Summary also includes a judgment about the expected change in the overall risk (decreasing, increasing, or stable/unchanged), and when that direction last changed. The Risk Summary, and the basis for it, will be included with the Examination Report.
The factor ratings and comments will be used to inform the Examination Scope. For example, if the nature and structure of certain products point to high inherent risk and the quality of risk controls is only adequate, then the examination scope will likely include a review of those products and the related compliance controls. The magnitude and severity of potential consumer harm arising from particular risks will be considered when setting priorities for review.
There may be other institution or industry-specific risk factors beyond those included in the template that should be considered when assessing risk to consumers. Examiners will use their knowledge and judgment to identify risks that are unique to a particular entity or its specialized business focus.
III. RISK ASSESSMENT TEMPLATE
The CFPB risk assessment template can be found by going to http://files.consumerfinance.gov/f/supervision-manual/PartIIICFPBsupervisionmanual.pdf. In the second paragraph, click on “third part” and you will find the template for Risk Assessment (pages 4-24 of 45).