FFIEC GUIDANCE ON THE UNIFORM INTERAGENCY CONSUMER COMPLIANCE
RATING SYSTEM
Uniform Interagency Consumer Compliance Rating System
The Federal Financial Institutions Examination Council (FFIEC) member agencies
(Agencies) promote compliance with federal consumer protection laws and regulations through
supervisory and outreach programs.[1] The Agencies engage in consumer compliance supervision
to assess whether a financial institution is meeting its responsibility to comply with these
requirements.
This Uniform Interagency Consumer Compliance Rating System (CC Rating System)
provides a general framework for assessing risks during the supervisory process using certain
compliance factors and assigning an overall consumer compliance rating to each federally
regulated financial institution.[2] The primary purpose of the CC Rating System is to ensure that
regulated financial institutions are evaluated in a comprehensive and consistent manner, and that
supervisory resources are appropriately focused on areas exhibiting risk of consumer harm and
on institutions that warrant elevated supervisory attention.
The CC Rating System is composed of guidance and definitions. The guidance provides
examiners with direction on how to use the definitions when assigning a consumer compliance
rating to an institution. The definitions consist of qualitative descriptions for each rating
category and include compliance management system (CMS) elements reflecting risk control
processes designed to manage consumer compliance risk and considerations regarding violations
of laws, consumer harm, and the size, complexity, and risk profile of an institution. The
consumer compliance rating reflects the effectiveness of an institution’s CMS to ensure
compliance with consumer protection laws and regulations and reduce the risk of harm to
consumers.
[1] The FFIEC members are the Board of Governors of the Federal Reserve System, the Consumer Financial
Protection Bureau (CFPB), the Federal Deposit Insurance Corporation, the National Credit Union Administration,
the Office of the Comptroller of the Currency, and the State Liaison Committee.
[2] The Federal Financial Institutions Examination Council Act of 1978 (12 U.S.C. 3302(3)) defines financial
institution. Additionally, as a member of the FFIEC, the CFPB will also use the CC Rating System to assign a
consumer compliance rating, as appropriate for nonbanks, for which it has jurisdiction regarding the enforcement of
Federal consumer financial laws as defined under the Dodd-Frank Wall Street Reform and Consumer Protection Act
(Dodd-Frank Act) (12 U.S.C. 5481 et seq.).
Principles of the Interagency CC Rating System
The Agencies developed the following principles to serve as a foundation for the CC
Rating System.
Risk-based. Recognize and communicate clearly that CMS vary based on the size,
complexity, and risk profile of supervised institutions.
Transparent. Provide clear distinctions between rating categories to support consistent
application by the Agencies across supervised institutions. Reflect the scope of the
review that formed the basis of the overall rating.
Actionable. Identify areas of strength and direct appropriate attention to specific areas of
weakness, reflecting a risk-based supervisory approach. Convey examiners’ assessment
of the effectiveness of an institution’s CMS, including its ability to prevent consumer
harm and ensure compliance with consumer protection laws and regulations.
Incent Compliance. Incent the institution to establish an effective consumer compliance
system across the institution and to identify and address issues promptly, including
self-identification and correction of consumer compliance weaknesses. Reflect the potential
impact of any consumer harm identified in examination findings.
Five-Level Rating Scale
The CC Rating System is based upon a numeric scale of 1 through 5 in increasing order
of supervisory concern. Thus, 1 represents the highest rating and consequently the lowest degree
of supervisory concern, while 5 represents the lowest rating and the most critically deficient level
of performance, and therefore, the highest degree of supervisory concern.[3] Ratings of 1 or 2
represent satisfactory or better performance. Ratings of 3, 4, or 5 indicate performance that is
less than satisfactory. Consistent with the previously described Principles, the rating system
incents a financial institution to establish an effective CMS across the institution, to self-identify
risks, and to take the necessary actions to reduce the risk of non-compliance and consumer harm.
The highest rating of 1 is assigned to a financial institution that maintains a strong
CMS and takes action to prevent violations of law and consumer harm.
A rating of 2 is assigned to a financial institution that maintains a CMS that is
satisfactory at managing consumer compliance risk in the institution’s products and
services and at substantially limiting violations of law and consumer harm.
A rating of 3 reflects a CMS deficient at managing consumer compliance risk in the
institution’s products and services and at limiting violations of law and consumer
harm.
A rating of 4 reflects a CMS seriously deficient at managing consumer compliance
risk in the institution’s products and services and/or at preventing violations of law
and consumer harm. “Seriously deficient” indicates fundamental and persistent
weaknesses in crucial CMS elements and severe inadequacies in core compliance
areas necessary to operate within the scope of statutory and regulatory consumer
protection requirements and to prevent consumer harm.
A rating of 5 reflects a CMS critically deficient at managing consumer compliance
risk in the institution’s products and services and/or at preventing violations of law
and consumer harm. “Critically deficient” indicates an absence of crucial CMS
elements and a demonstrated lack of willingness or capability to take the appropriate
steps necessary to operate within the scope of statutory and regulatory consumer
protection requirements and to prevent consumer harm.
[3] The Agencies do not consider an institution’s record of performance under the Community Reinvestment Act
(CRA) in conjunction with assessing an institution under the CC Rating System since institutions are evaluated
separately under the CRA.
CC Rating System Categories and Assessment Factors
CC Rating System – Categories
The CC Rating System is organized under three broad categories:
1. Board and Management Oversight,
2. Compliance Program, and
3. Violations of Law and Consumer Harm.
The Consumer Compliance Rating Definitions below list the assessment factors
considered within each category, along with narrative descriptions of performance.
The first two categories, Board and Management Oversight and Compliance Program,
are used to assess a financial institution’s CMS. As such, examiners should evaluate the
assessment factors within these two categories commensurate with the institution’s size,
complexity, and risk profile. All institutions, regardless of size, should maintain an effective
CMS. The sophistication and formality of the CMS typically will increase commensurate with
the size, complexity, and risk profile of the entity.
Additionally, compliance expectations contained within the narrative descriptions of
these two categories extend to third-party relationships into which the financial institution has
entered. There can be certain benefits to financial institutions engaging in relationships with
third parties, including gaining operational efficiencies or an ability to deliver additional
products and services, but such arrangements also may expose financial institutions to risks if not
managed effectively. The prudential agencies, the CFPB, and some states have issued guidance
describing expectations regarding oversight of third-party relationships. While an institution’s
management may make the business decision to outsource some or all of the operational aspects
of a product or service, the institution cannot outsource the responsibility for complying with
laws and regulations or managing the risks associated with third-party relationships.
As noted in the Consumer Compliance Rating Definitions, examiners should evaluate
activities conducted through third-party relationships as though the activities were performed by
the institution itself. Examiners should review a financial institution’s management of
third-party relationships and servicers as part of its overall compliance program.
The third category, Violations of Law and Consumer Harm, includes assessment factors
that evaluate the dimensions of any identified violation or consumer harm. Examiners should
weigh each of these four factors – root cause, severity, duration, and pervasiveness – in
evaluating relevant violations of law and any resulting consumer harm.
Board and Management Oversight – Assessment Factors
Under Board and Management Oversight, the examiner should assess the financial
institution’s board of directors and management, as appropriate for their respective roles and
responsibilities, based on the following assessment factors:
oversight of and commitment to the institution’s CMS;
effectiveness of the institution’s change management processes, including responding
timely and satisfactorily to any variety of change, internal or external, to the
institution;
comprehension, identification, and management of risks arising from the institution’s
products, services, or activities; and
self-identification of consumer compliance issues and corrective action undertaken as
such issues are identified.
Compliance Program Assessment Factors
Under Compliance Program, the examiner should assess other elements of an effective
CMS, based on the following assessment factors:
whether the institution’s policies and procedures are appropriate to the risk in the
products, services, and activities of the institution;
the degree to which compliance training is current and tailored to risk and staff
responsibilities;
the sufficiency of the monitoring and, if applicable, audit to encompass compliance
risks throughout the institution; and
the responsiveness and effectiveness of the consumer complaint resolution process.
Violations of Law and Consumer Harm – Assessment Factors
Under Violations of Law and Consumer Harm, the examiner should analyze the
following assessment factors:
the root cause, or causes, of any violations of law identified during the examination;
the severity of any consumer harm resulting from violations;
the duration of time over which the violations occurred; and
the pervasiveness of the violations.
As a result of a violation of law, consumer harm may occur. While many instances of
consumer harm can be quantified as a dollar amount associated with financial loss, such as
charging higher fees for a product than was initially disclosed, consumer harm may also result
from a denial of an opportunity. For example, a consumer could be harmed when a financial
institution denies the consumer credit or discourages an application in violation of the Equal
Credit Opportunity Act,[4] whether or not there is resulting financial harm.
This category of the Consumer Compliance Rating Definitions defines four factors by
which examiners can assess violations of law and consumer harm.
Root Cause. The Root Cause assessment factor analyzes the degree to which weaknesses
in the CMS gave rise to the violations. In many instances, the root cause of a violation is tied to
a weakness in one or more elements of the CMS. Violations that result from critical deficiencies
in the CMS evidence a critical absence of management oversight and are of the highest
supervisory concern.
[4] 15 U.S.C. 1691 et seq.
Severity. The Severity assessment factor of the Consumer Compliance Rating
Definitions weighs the type of consumer harm, if any, that resulted from violations of law. More
severe harm results in a higher level of supervisory concern under this factor. For example,
some consumer protection violations may cause significant financial harm to a consumer, while
other violations may cause negligible harm, based on the specific facts involved.
Duration. The Duration assessment factor considers the length of time over which the
violations occurred. Violations that persist over an extended period of time will raise greater
supervisory concerns than violations that occur for only a brief period of time. When violations
are brought to the attention of an institution’s management and management allows those
violations to remain unaddressed, such violations are of the highest supervisory concern.
Pervasiveness. The Pervasiveness assessment factor evaluates the extent of the
violation(s) and resulting consumer harm, if any. Violations that affect a large number of
consumers will raise greater supervisory concern than violations that impact a limited number of
consumers. If violations become so pervasive that they are considered to be widespread or
present in multiple products or services, the institution’s performance under this factor is of the
highest supervisory concern.
Self-Identification of Violations of Law and Consumer Harm
Strong compliance programs are proactive. They promote consumer protection by
preventing, self-identifying, and addressing compliance issues in a proactive manner.
Accordingly, the CC Rating System provides incentives for such practices through the
definitions associated with a 1 rating.
The Agencies believe that self-identification and prompt correction of violations of law
reflect strengths in an institution’s CMS. A robust CMS appropriate for the size, complexity and
risk profile of an institution’s business often will prevent violations or will facilitate early
detection of potential violations. This early detection can limit the size and scope of consumer
harm. Moreover, self-identification and prompt correction of serious violations represents
concrete evidence of an institution’s commitment to responsibly address underlying risks. In
addition, appropriate corrective action, including both correction of programmatic weaknesses
and full redress for injured parties, limits consumer harm and prevents violations from recurring
in the future. Thus, the CC Rating System recognizes institutions that consistently adopt these
strategies as reflected in the Consumer Compliance Rating Definitions.
Evaluating Performance Using the CC Rating Definitions
The consumer compliance rating is derived through an evaluation of the financial
institution’s performance under each of the assessment factors described above. The consumer
compliance rating reflects the effectiveness of an institution’s CMS to identify and manage
compliance risk in the institution’s products and services and to prevent violations of law and
consumer harm, as evidenced by the financial institution’s performance under each of the
assessment factors.
The consumer compliance rating reflects a comprehensive evaluation of the financial
institution’s performance under the CC Rating System by considering the categories and
assessment factors in the context of the size, complexity, and risk profile of an institution. It is
not based on a numeric average or any other quantitative calculation. Specific numeric ratings
will not be assigned to any of the 12 assessment factors. Thus, an institution need not achieve a
satisfactory assessment in all categories in order to be assigned an overall satisfactory rating.
Conversely, an institution may be assigned a less than satisfactory rating even if some of its
assessments were satisfactory.
The relative importance of each category or assessment factor may differ based on the
size, complexity, and risk profile of an individual institution. Accordingly, one or more category
or assessment factor may be more or less relevant at one financial institution as compared to
another institution. While the expectations for compliance with consumer protection laws and
regulations are the same across institutions of varying sizes, the methods for accomplishing an
effective CMS may differ across institutions.
The evaluation of an institution’s performance within the Violations of Law and
Consumer Harm category of the CC Rating Definitions considers each of the four assessment
factors: Root Cause, Severity, Duration, and Pervasiveness. At the levels of 4 and 5 in this
category, the distinctions in the definitions are focused on the root cause assessment factor rather
than Severity, Duration, and Pervasiveness. This approach is consistent with the other categories
where the difference between a 4 and a 5 is driven by the institution’s capacity and willingness to
maintain a sound consumer compliance system.
In arriving at the final rating, the examiner must balance potentially differing conclusions
about the effectiveness of the financial institution’s CMS over the individual products, services,
and activities of the organization. Depending on the relative materiality of a product line to the
institution, an observed weakness in the management of that product line may or may not impact
the conclusion about the institution’s overall performance in the associated assessment factor(s).
For example, serious weaknesses in the policies and procedures or audit program of the
mortgage department at a mortgage lender would be of greater supervisory concern than those
same gaps at an institution that makes very few mortgage loans and strictly as an
accommodation. Greater weight should apply to the financial institution’s management of
material products with significant potential consumer compliance risk.
An institution may receive a less than satisfactory rating even when no violations were
identified, based on deficiencies or weaknesses identified in the institution’s CMS. For example,
examiners may identify weaknesses in elements of the CMS in a new loan product. Because the
presence of those weaknesses left unaddressed could result in future violations of law and
consumer harm, the CMS deficiencies could impact the overall consumer compliance rating,
even if no violations were identified.
Similarly, an institution may receive a 1 or 2 rating even when violations were present, if
the CMS is commensurate with the risk profile and complexity of the institution. For example,
when violations involve limited impact on consumers, were self-identified, and resolved
promptly, the evaluation may result in a 1 or 2 rating. After evaluating the institution’s
performance in the two CMS categories, Board and Management Oversight and Compliance
Program, and the dimensions of the violations in the third category, the examiner may conclude
that the overall strength of the CMS and the nature of observed violations viewed together do not
present significant supervisory concerns.
Assignment of Ratings by Supervisor(s)
The prudential regulators will continue to assign and update, as appropriate, consumer
compliance ratings for institutions they supervise, including those with total assets of more than
$10 billion.[5] As a member of the FFIEC, the CFPB will also use the CC Rating System to assign
a consumer compliance rating, as appropriate, for institutions with total assets of more than $10
billion, as well as for nonbanks for which it has jurisdiction regarding the enforcement of
Federal consumer financial laws as defined under the Dodd-Frank Act.[6] The prudential
regulators will take into consideration any material supervisory information provided by the
CFPB, as that information relates to covered supervisory activities or covered examinations.[7]
Similarly, the CFPB will take into consideration any material supervisory information provided
by prudential regulators in appropriate supervisory situations.
State regulators maintain supervisory authority to conduct examinations of state-chartered
depository institutions and licensed entities. As such, states may assign consumer
compliance ratings to evaluate compliance with both state and federal laws and regulations.
States will collaborate and consider material supervisory information from other state and federal
regulatory agencies during the course of examinations.
[5] Section 1025 of the Dodd-Frank Act (12 U.S.C. 5515) applies to federally insured institutions with more than $10
billion in total assets. This section granted the CFPB exclusive authority to examine insured depository institutions
and their affiliates for compliance with Federal consumer financial laws. The prudential regulators retained authority
for examining insured depository institutions with more than $10 billion in total assets for compliance with certain
other laws related to consumer financial protection, including the Fair Housing Act, the Servicemembers Civil
Relief Act, and section 5 of the Federal Trade Commission Act.
[6] 12 U.S.C. 5481 et seq. A financial institution with assets over $10 billion may receive a consumer compliance
rating by both its primary prudential regulator and the CFPB. The rating is based on each agency’s review of the
institution’s CMS and compliance with the federal consumer protection laws falling under each agency’s
jurisdiction.
[7] The prudential regulators and the CFPB signed a Memorandum of Understanding on Supervisory Coordination
dated May 16, 2012 (MOU) intended to facilitate the coordination of supervisory activities involving financial
institutions with more than $10 billion in assets as required under the Dodd-Frank Act.
Consumer Compliance Rating Definitions

Board and Management Oversight
Board and management oversight factors should be evaluated commensurate with the institution’s size, complexity, and risk profile. Compliance expectations below extend to third-party relationships.

Assessment factor: Oversight and Commitment
Rating 1: Board and management demonstrate strong commitment and oversight to the financial institution’s compliance management system. Substantial compliance resources are provided, including systems, capital, and human resources commensurate with the financial institution’s size, complexity, and risk profile. Staff is knowledgeable, empowered and held accountable for compliance with consumer laws and regulations. Management conducts comprehensive and ongoing due diligence and oversight of third parties consistent with agency expectations to ensure that the financial institution complies with consumer protection laws, and exercises strong oversight of third parties’ policies, procedures, internal controls, and training to ensure consistent oversight of compliance responsibilities.
Rating 2: Board and management provide satisfactory oversight of the financial institution’s compliance management system. Compliance resources are adequate and staff is generally able to ensure the financial institution is in compliance with consumer laws and regulations. Management conducts adequate and ongoing due diligence and oversight of third parties to ensure that the financial institution complies with consumer protection laws, and adequately oversees third parties’ policies, procedures, internal controls, and training to ensure appropriate oversight of compliance responsibilities.
Rating 3: Board and management oversight of the financial institution’s compliance management system is deficient. Compliance resources and staff are inadequate to ensure the financial institution is in compliance with consumer laws and regulations. Management does not adequately conduct due diligence and oversight of third parties to ensure that the financial institution complies with consumer protection laws, nor does it adequately oversee third parties’ policies, procedures, internal controls, and training to ensure appropriate oversight of compliance responsibilities.
Rating 4: Board and management oversight, resources, and attention to the compliance management system are seriously deficient. Compliance resources and staff are seriously deficient and are ineffective at ensuring the financial institution’s compliance with consumer laws and regulations. Management oversight and due diligence over third-party performance, as well as management’s ability to adequately identify, measure, monitor, or manage compliance risks, is seriously deficient.
Rating 5: management oversight, resources, and attention to the compliance management system are critically deficient. Compliance resources are critically deficient in supporting the financial institution’s compliance with consumer laws and regulations, and management and staff are unwilling or incapable of operating within the scope of consumer protection laws and regulations. Management oversight and due diligence of third-party performance is critically deficient.

Assessment factor: Change Management
Rating 1: Management anticipates and responds promptly to changes in applicable laws and regulations, market conditions and products and services offered by evaluating the change and implementing responses across impacted lines of business. Management conducts due diligence in advance of product changes, considers the entire life cycle of a product or service in implementing change, and reviews the change after implementation to determine that actions taken have achieved planned results.
Rating 2: Management responds timely and adequately to changes in applicable laws and regulations, market conditions, products and services offered by evaluating the change and implementing responses across impacted lines of business. Management evaluates product changes before and after implementing the change.
Rating 3: Management does not respond adequately and/or timely in adjusting to changes in applicable laws and regulations, market conditions, and products and services offered.
Rating 4: Management’s response to changes in applicable laws and regulations, market conditions, or products and services offered is seriously deficient.
Rating 5: to monitor and respond to changes in market conditions, or products and services offered.

Assessment factor: Comprehension, Identification and Management of Risk
Rating 1: Management has a solid comprehension of and effectively identifies compliance risks, including emerging risks, in the financial institution’s products, services, and other activities. Management actively engages in managing those risks, including through comprehensive self-assessments.
Rating 2: Management comprehends and adequately identifies compliance risks, including emerging risks, in the financial institution’s products, services, and other activities. Management adequately manages those risks, including through self-assessments.
Rating 3: Management has an inadequate comprehension of and ability to identify compliance risks, including emerging risks, in the financial institution’s products, services, and other activities.
Rating 4: Management exhibits a seriously deficient comprehension of and ability to identify compliance risks, including emerging risks, in the financial institution.
Rating 5: not comprehend nor identify compliance risks, including emerging risks, in the financial institution.

Assessment factor: Corrective Action and Self-Identification
Rating 1: Management proactively identifies issues and promptly responds to compliance risk management deficiencies and any violations of laws or regulations, including remediation.
Rating 2: Management adequately responds to and corrects deficiencies and/or violations, including adequate remediation, in the normal course of business.
Rating 3: Management does not adequately respond to compliance deficiencies and violations including those related to remediation.
Rating 4: Management response to deficiencies, violations and examination findings is seriously deficient.
Rating 5: incapable, unwilling and/or fails to respond to deficiencies, violations or examination findings.

Compliance Program
Compliance Program factors should be evaluated commensurate with the institution’s size, complexity, and risk profile. Compliance expectations below extend to third-party relationships.

Assessment factor: Policies and Procedures
Rating 1: Compliance policies and procedures and third-party relationship management programs are strong, comprehensive and provide standards to effectively manage compliance risk in the products, services and activities of the financial institution.
Rating 2: Compliance policies and procedures and third-party relationship management programs are adequate to manage the compliance risk in the products, services and activities of the financial institution.
Rating 3: Compliance policies and procedures and third-party relationship management programs are inadequate at managing the compliance risk in the products, services and activities of the financial institution.
Rating 4: Compliance policies and procedures and third-party relationship management programs are seriously deficient at managing compliance risk in the products, services and activities of the financial institution.
Rating 5: policies and procedures and third-party programs are critically absent.

Assessment factor: Training
Rating 1: Compliance training is comprehensive, timely, and specifically tailored to the particular responsibilities of the staff receiving it, including those responsible for product development, marketing and customer service. The compliance training program is updated proactively in advance of the introduction of new products or new consumer protection laws and regulations to ensure that all staff are aware of compliance responsibilities before rolled out.
Rating 2: Compliance training outlining staff responsibilities is adequate and provided timely to appropriate staff. The compliance training program is updated to encompass new products and to comply with changes to consumer protection laws and regulations.
Rating 3: Compliance training is not adequately comprehensive, timely, updated, or appropriately tailored to the particular responsibilities of the staff.
Rating 4: Compliance training is seriously deficient in its comprehensiveness, timeliness, or relevance to staff with compliance responsibilities, or has numerous major inaccuracies.
Rating 5: training is critically absent.

Assessment factor: Monitoring and/or Audit
Rating 1: Compliance monitoring practices, management information systems, reporting, compliance audit, and internal control systems are comprehensive, timely, and successful at identifying and measuring material compliance risk management throughout the financial institution. Programs are monitored proactively to identify procedural or training weaknesses to preclude regulatory violations. Program modifications are made expeditiously to minimize compliance risk.
Rating 2: Compliance monitoring practices, management information systems, reporting, compliance audit, and internal control systems adequately address compliance risks throughout the financial institution.
Rating 3: Compliance monitoring practices, management information systems, reporting, compliance audit, and internal control systems do not adequately address risks involving products, services or other activities including, timing and scope.
Rating 4: Compliance monitoring practices, management information systems, reporting, compliance audit, and internal controls are seriously deficient in addressing risks involving products, services or other activities.
Rating 5: monitoring practices, management information systems, reporting, compliance audit, or internal controls are critically absent.

Assessment factor: Consumer Complaint Response
Rating 1: Processes and procedures for addressing consumer complaints are strong. Consumer complaint investigations and responses are prompt and thorough. Management monitors consumer complaints to identify risks of potential consumer harm, program deficiencies, and customer service issues and takes appropriate action.
Rating 2: Processes and procedures for addressing consumer complaints are adequate. Consumer complaint investigations and responses are generally prompt and thorough. Management adequately monitors consumer complaints and responds to issues identified.
Rating 3: Processes and procedures for addressing consumer complaints are inadequate. Consumer complaint investigations and responses are not thorough or timely. Management does not adequately monitor consumer complaints.
Rating 4: Processes and procedures for addressing consumer complaints and consumer complaint investigations are seriously deficient. Management monitoring of consumer complaints is seriously deficient.
Rating 5: procedures for addressing consumer complaints are critically absent. Meaningful investigations and responses are absent. Management exhibits a disregard for complaints or preventing consumer harm.

Violations of Law and Consumer Harm

Assessment factor: Root Cause
Rating 1: The violations are the result of minor weaknesses, if any, in the compliance risk management system.
Rating 2: Violations are the result of modest weaknesses in the compliance risk management system.
Rating 3: Violations are the result of material weaknesses in the compliance risk management system.
Rating 4: Violations are the result of serious deficiencies in the compliance risk management system.
Rating 5: result of critical deficiencies in the compliance risk management

Assessment factor: Severity
Rating 1: The type of consumer harm, if any, resulting from the violations would have a minimal impact on consumers.
Rating 2: The type of consumer harm resulting from the violations would have a limited impact on consumers.
Rating 3: The type of consumer harm resulting from the violations would have a considerable impact on consumers.
Ratings 4 and 5: The type of consumer harm resulting from the violations would have a serious impact on consumers.

Assessment factor: Duration
Rating 1: The violations and resulting consumer harm, if any, occurred over a brief period of time.
Rating 2: The violations and resulting consumer harm, if any, occurred over a limited period of time.
Rating 3: The violations and resulting consumer harm, if any, occurred over an extended period of time.
Ratings 4 and 5: The violations and resulting consumer harm, if any, have been long-standing or repeated.

Assessment factor: Pervasiveness
Rating 1: The violations and resulting consumer harm, if any, are isolated in number.
Rating 2: The violations and resulting consumer harm, if any, are limited in number.
Rating 3: The violations and resulting consumer harm, if any, are numerous.
Ratings 4 and 5: The violations and resulting consumer harm, if any, are widespread or in multiple products or services.