In a press release dated 11/27/2018, the Federal Financial Institutions Examination Council (FFIEC) provided a more formal idea of what a “risk-based exam” looks like and the factors that will help define the scope of the exam. The details came in the second update of its Exam Modernization Project, released late last month.
After reviewing the risk-based exam principles and processes at the Fed, FDIC, OCC, NCUA and the State Liaison Committee, the FFIEC noted key principles including:
- Recognizing there are financial institutions, or areas within institutions, that present low risk, and in those cases, minimum examination procedures are generally sufficient to assess the institution’s condition and risks.
- Allocating more examination resources to higher risk areas and fewer resources to lower risk areas.
- Considering the financial institution’s ability to identify and control risks when risk-focusing examinations.
- Following up between examinations on institutions’ actions taken to address areas in need of improvement.
To help make sure examiners shape exams around risk-based examination principles, the agencies said examiner guidance will be reinforced or clarified.
Examiners will be instructed to:
- Consider the unique risk profile, complexity, and business model of the institution when developing an examination plan.
- Analyze existing information such as Call Report data, publicly available information, and confidential supervisory information to help identify areas of higher and lower risk when planning examinations.
- Monitor financial institutions between examinations.
- Tailor the document request list based on the financial institution’s business model, complexity, risk profile and planned scope of review.
- Apply examination procedures in a way that reduces the level of review of low-risk institutions or low-risk areas.
- Discuss financial conditions, risk profiles, new or expanded business lines, and pertinent new supervisory or regulatory information with institution management prior to finalizing the scope of review.
What Does This Mean for Your Exams?
A risk-focused supervision process is one where more attention and resources are used to address areas of heightened risk. Areas that pose less risk will receive less attention.
Examiners will study your institution not only to look at areas that the agencies view as inherently risky (BSA, information security, etc.) but also the areas that are particularly risky for your institution based on its business model and complexity. This may include departments, products, services, etc.
You need to know what these areas are and make sure you can demonstrate that the risks in these areas have been identified, measured, monitored, and mitigated. Examiners will not be amused if they have to point them out for you.
What may have been overlooked in “higher risk” areas in previous examinations due to a limited scope may receive a more granular review in future reviews, as less time is dedicated to less risky areas. While an examiner may not have had an issue with how something was done in the past, even if it wasn’t exactly compliant or no work was shown, that is less likely to be the case in the future.
Get ahead of the examiners with a thorough and ongoing risk assessment program. Examiners are literally “considering the financial institution’s ability to identify and control risks.” A strong risk assessment program addresses all parts of the risk assessment lifecycle to ensure your institution recognizes its greatest risks and is allocating resources in a way that ensures these threats are properly mitigated. Make sure you have a transparent program that demonstrates you understand where and why risk exists.
Be sure to have a systematic way to address and track findings. Examiners will be following up on shortfalls. If you can’t demonstrate efforts to make improvements, or if a finding gets lost in the shuffle, it will have a negative impact on your institution.