Division of Supervision and Consumer Protection’s Supervisory Actions Taken for Compliance Violations
September 2006
Report No. 06-024
AUDIT REPORT
Background and Purpose of Evaluation
The FDIC has supervisory responsibilities for ensuring that the financial institutions it supervises comply with fair lending, privacy, and various other consumer protection laws and regulations. The FDIC uses its compliance examination process to ascertain the effectiveness of an institution’s program for complying with consumer protection laws and regulations. The compliance examination and follow-up supervisory attention to violations and other deficiencies help to ensure that consumers and businesses obtain the benefits and protection afforded them by law.
The objective of our audit was to determine whether the FDIC’s Division of Supervision and Consumer Protection (DSC) adequately addresses the violations and deficiencies reported in compliance examinations to ensure that FDIC-supervised institutions take appropriate corrective action.
Results of Audit
DSC identified and reported 9,534 significant compliance violations during 2005. Of the 1,945 financial institutions examined in 2005, 1,607 (83 percent) had been cited with compliance violations deemed significant by the FDIC. Also, 837 (43 percent) of the 1,945 financial institutions examined had repeat, significant violations, of which 708 (85 percent) institutions were rated “1” or “2.”
According to DSC officials, of the institutions examined in 2005, 96 percent were rated “1” or “2,” indicating a strong or generally strong compliance position, while 4 percent were rated “3,” “4” or “5,” indicating various levels of concern. DSC officials stated that the FDIC’s supervisory approach is to increase the level of attention as an institution’s compliance position worsens, and during 2005, DSC downgraded 297 institutions’ compliance ratings, issued 72 informal and 36 formal enforcement actions for compliance, and made 43 compliance referrals to the Department of Justice or other authorities.
However, DSC had not adequately ensured that the financial institutions in our sample had taken appropriate corrective actions for repeat, significant violations that had been cited during examinations. In many cases, consistent with the flexibility allowed by DSC guidance for “1” or “2” rated institutions, DSC waited until the next examination to follow up on repeat, significant compliance violations that had been identified in multiple examinations before taking supervisory action. Specifically, we found that:
- of the 51 reports of examination (ROE) we reviewed for 14 sampled institutions, DSC had cited 431 significant violations related to 8 consumer protection laws and regulations;
- 47 of the 51 ROEs reviewed identified significant compliance violations;
- 5 of the 47 ROEs resulted in informal supervisory actions and prompted follow-up activities, and 1 visitation for a new FDIC-supervised institution also prompted follow-up activities, but DSC did not follow up on the remaining 41 ROEs until the next examination;
- 11 of the 14 sampled institutions had repeat, significant violations; and
- all 14 sampled institutions had deficiencies and weaknesses noted in their compliance management system (CMS) in at least 1 ROE. Also, DSC had identified serious deficiencies and weaknesses in some of the institutions’ CMSs that remained uncorrected for extended periods.
As a result of repeat, significant violations, consumers and businesses of the affected institutions may not obtain the benefits and protection afforded them by consumer protection laws and regulations. We also identified certain other matters for DSC’s attention relating to (1) performance goals associated with supervisory actions taken for compliance violations and (2) consideration of an institution’s training program in compliance ratings.
Recommendations and Management Response
The report makes three recommendations for DSC to strengthen its monitoring and follow-up processes by revising guidance on follow-up, considering supervisory action when an institution’s corrective action is not timely or when significant violations recur, and revising its performance goal. DSC’s management will reevaluate applicable guidance; analyze the prevalence and scope of repeatedly cited, significant violations over the next year; and make enhancements or clarifications as necessary. Management’s planned actions are responsive to the recommendations.
TABLE OF CONTENTS
BACKGROUND
RESULTS OF AUDIT
FOLLOW-UP FOR COMPLIANCE VIOLATIONS
DSC Compliance Examination Guidance
Follow-up on Identified Violations
Repeat, Significant Violations
Supervisory Actions
Compliance Management System
Examples of Repeat, Significant Violations; CMS Deficiencies; and Supervisory Actions
Conclusion
Recommendations
OTHER MATTERS
DSC’s 2005 Performance Goals
Recommendation
Ratings Consideration of Institution Compliance Training
CORPORATION COMMENTS AND OIG EVALUATION
APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX II: CONSUMER COMPLIANCE RATING SYSTEM
APPENDIX III: SIGNIFICANT AND CONSECUTIVE SIGNIFICANT VIOLATIONS CITED FROM JANUARY 1, 2005 TO DECEMBER 31, 2005
APPENDIX IV: CONSUMER PROTECTION LAWS
APPENDIX IV: CORPORATION COMMENTS
APPENDIX IV: MANAGEMENT RESPONSE TO RECOMMENDATIONS
TABLES
Table 1: Total Significant Violations for the Sampled Institutions
Table 2: Supervisory Actions Taken for Significant Violations
DATE: September 29, 2006
MEMORANDUM TO: Sandra L. Thompson, Acting Director, Division of Supervision and Consumer Protection
FROM: Russell A. Rau [Electronically produced version; original signed by Russell A. Rau], Assistant Inspector General for Audits
SUBJECT: Division of Supervision and Consumer Protection’s Supervisory Actions Taken for Compliance Violations (Report No. 06-024)
This report presents the results of our audit of the FDIC Division of Supervision and Consumer Protection’s (DSC) supervisory actions taken for compliance violations of consumer protection laws and regulations. The overall audit objective was to determine whether DSC adequately addresses the violations and program deficiencies reported in compliance examinations to ensure that FDIC-supervised institutions take appropriate corrective action. Over 20 consumer protection laws and related regulations are addressed by FDIC compliance examinations. For purposes of this audit, we focused on compliance violations related to eight specific areas.[ 1 ] Appendix I of this report discusses our objective, scope, and methodology in detail.
BACKGROUND
The FDIC has supervisory responsibilities for ensuring that the financial institutions it supervises comply with fair lending, privacy, and various other consumer protection laws and regulations. The compliance examination is the primary means by which the FDIC determines the extent to which a financial institution is complying with these requirements. The FDIC also conducts visitations and investigations. Visitations are used to review the compliance posture of newly chartered institutions coming under FDIC supervision or to follow up on an institution’s progress on corrective actions. Investigations are used to follow up on a particular consumer’s inquiries or complaints.
The compliance examination and follow-up supervisory attention accorded to violations and other program deficiencies[ 2 ] help to ensure that consumers and businesses obtain the benefits and protections afforded them by law. In addition, violations of some of the laws and regulations give rise to possible civil liability for damages and, in TILA cases, administrative adjustments for understated finance charges or annual percentage rates (APR) on loans. For example, TILA requires institutions to reimburse customers when disclosure errors are identified involving an inaccurate APR or finance charge and that error has resulted in “gross negligence” or a “clear and consistent pattern or practice of violations.” These violations, in certain cases, can also result in civil money penalties. Effective examinations and supervision should help to identify violations and preclude or minimize their recurrence, thereby reducing the potential for penalties or reimbursements.
The presence of violations and the absence of an effective compliance management system (CMS)[ 3 ] to manage a financial institution’s compliance responsibilities also reflect adversely on the institution’s senior bank management and board of directors and may carry over into other areas of management responsibility. Additionally, DSC considers compliance with fair lending, privacy, and other consumer protection requirements when reviewing an application for entry into or expansion within the insured depository institution system.
DSC examiners follow the revised Compliance Examination Procedures (Transmittal No. 2005-035, dated August 18, 2005) in examining institutions for compliance with consumer protection laws and regulations. The FDIC’s compliance examinations blend risk-focused and process-oriented approaches. Risk focusing involves using information gathered about a financial institution to direct FDIC examiner resources to those operational areas that present the greatest compliance risks. The compliance examination procedures state that “a financial institution must develop and maintain a sound CMS that is integrated into the overall management strategy of the institution.” Concentrating on the institution’s internal control infrastructure and methods, or the “process,” used to ensure compliance with federal consumer protection laws and regulations acknowledges that the ultimate responsibility for compliance rests with the institution and encourages examination efficiency.
Compliance examinations are conducted every 12-36 months, depending on an institution’s size and the compliance and Community Reinvestment Act (CRA) ratings assigned at the most recent examination. The FDIC follows the Uniform Interagency Consumer Compliance Rating System approved by the Federal Financial Institutions Examination Council (FFIEC) in 1980. Appendix II discusses the rating system and describes how consumer compliance ratings are defined and distinguished.
RESULTS OF AUDIT
DSC identified and reported 9,534 significant[ 4 ] compliance violations during 2005.[ 5 ] Of the 1,945 financial institutions examined in 2005, 1,607 (83 percent) institutions had been cited with compliance violations deemed significant by the FDIC. Also, 837 (43 percent) of the 1,945 financial institutions examined had repeat,[ 6 ] significant violations, of which 708 (85 percent) institutions were rated “1” or “2.”
According to DSC officials, of the institutions examined in 2005, 96 percent were rated “1” or “2,” indicating a strong or generally strong compliance position, while 4 percent were rated “3,” “4” or “5,” indicating various levels of concern. DSC officials stated that the FDIC’s supervisory approach is to increase the level of attention as an institution’s compliance position worsens, and during 2005, DSC downgraded 297 institutions’ compliance ratings, issued 72 informal and 36 formal enforcement actions for compliance, and made 43 compliance referrals to the Department of Justice or other authorities.
However, DSC had not adequately ensured that the financial institutions in our sample had taken appropriate corrective actions for repeat, significant violations that had been cited during examinations. In many cases, consistent with the flexibility allowed by DSC guidance for “1” or “2” rated institutions, DSC waited until the next examination to follow up on repeat, significant compliance violations that had been identified in multiple examinations before taking supervisory action. Specifically, we found that:
- of the 51 reports of examination (ROE) we reviewed for 14 sampled institutions, DSC cited 431 significant violations related to 8 consumer protection laws and regulations;
- 47 of the 51 ROEs reviewed identified significant compliance violations;
- 5 of the 47 ROEs resulted in informal supervisory actions[ 7 ] and prompted follow-up activities, and 1 visitation for a new FDIC-supervised institution also prompted follow-up activities, but DSC did not follow up on the remaining 41 reports until the next examination;
- 11 of the 14 sampled institutions had repeat, significant violations; and
- all 14 sampled institutions had deficiencies and weaknesses noted in their CMS in at least 1 ROE. Also, DSC had identified serious deficiencies and weaknesses in some of the institutions’ CMSs that remained uncorrected for extended periods.
As a result of these repeat, significant violations, consumers and businesses of the affected institutions may not obtain the benefits afforded them by consumer protection laws and regulations.
We also identified certain other matters that warrant management attention relating to (1) performance goals associated with supervisory actions taken for compliance violations and (2) consideration of an institution’s training program in compliance ratings.
FOLLOW-UP FOR COMPLIANCE VIOLATIONS
DSC often identified and reported significant compliance violations and program deficiencies in multiple examinations over a period of years before taking supervisory action to address repeat violations. DSC’s guidance does not require follow-up between examinations or enforcement actions for institutions that repeatedly violate consumer protection laws and regulations in a manner cited as significant by FDIC examiners. Instead, DSC’s guidance gives staff the flexibility to wait until the next examination to follow up on significant violations, unless the institution is rated a “4” or “5.” As a result, consumers and businesses of the affected institutions may not obtain the benefits and protection afforded them by these laws and regulations.
DSC Compliance Examination Guidance
DSC’s revised Compliance Examination Procedures state that compliance examinations are the primary means the FDIC uses to determine whether a financial institution is meeting its responsibility to comply with the requirements and proscriptions of federal consumer protection laws and regulations.
The Compliance Examination Procedures do not require follow-up between examinations on significant compliance violations. Significant violations include those violations that meet any of the following criteria:
- recurrent and outstanding for an extended period of time;
- affect, or could affect, a large number of transactions or consumers in a way that has, or could have, severe consequences for the consumers or the financial institution;
- continuation of a violation cited at the previous examination and is repeated in exactly the same manner at the current examination; or
- willful act or omission to defeat the purpose of, or circumvent, law or regulation.
The Compliance Examination Procedures state that recommendations by the examiner-in-charge (EIC) for corrective actions that address the specific deficiencies noted in the narrative of the ROE should be appropriate in light of the size and complexity of the institution’s operations. The recommendations should enable the institution to resolve current CMS deficiencies and regulatory violations and to minimize future violations by making improvement to its CMS. Ultimately, the board of directors and management of the institution are responsible for determining the actions they will take to address the examination findings. The EIC should consider identifying by name those individuals who commit to specific corrective actions, in order to assist in follow-up at future examinations.
Follow-up on Identified Violations
For 41 (80 percent) of the 51 ROEs in our sample, DSC did not follow up until the next examination, usually 2 or 3 years later, to determine whether the institution had corrected its significant violations. Of the remaining 10 ROEs, 5 ROEs resulted in informal supervisory action, such as bank board resolutions (BBR)[ 8 ] and memoranda of understanding (MOU)[ 9 ] requiring banks to provide DSC with memoranda or progress reports documenting corrective actions; 2 ROEs were visitations;[ 10 ] and 3 ROEs contained no significant violations.
As shown in Table 1 below, of the 431 significant violations we reviewed, 111 (26 percent) were TILA violations and 103 (24 percent) were RESPA violations. Both of these statutes are intended to provide consumers with certain rights dealing with credit and real estate transactions. TILA requires that institutions disclose their terms and cost to consumers who receive credit. The statute also gives consumers the right to rescind certain credit transactions that involve a lien on a consumer’s principal dwelling, regulates certain credit card practices, and provides a means for fair and timely resolution of credit billing disputes. RESPA requires that institutions provide consumers with pertinent and timely disclosures regarding real estate settlement costs. Further, RESPA is intended to protect consumers against certain abusive practices, such as kickbacks, and places limitations on the use of escrow accounts.
Table 1: Total Significant Violations for the Sampled Institutions
| Consumer Protection Laws | Chicago Regional Office (4 Institutions) | Kansas City Regional Office (6 Institutions) | Boston Area Office (4 Institutions) | Total |
|---|---|---|---|---|
| EFTA | 6 | 12 | 13 | 31 |
| ECOA/FHA | 14 | 34 | 13 | 61 |
| Flood Insurance | 9 | 21 | 14 | 44 |
| HMDA | 7 | 17 | 9 | 33 |
| Privacy | 0 | 2 | 1 | 3 |
| RESPA | 24 | 41 | 38 | 103 |
| TILA | 37 | 68 | 6 | 111 |
| TISA | 7 | 25 | 13 | 45 |
| Total | 104 | 220 | 107 | 431 |
Source: OIG analysis of ROEs for the 14 sampled institutions.
Repeat, Significant Violations
Of the 14 institutions we selected for review, 11 (79 percent) had repeat, significant violations. Seven institutions violated the same consumer protection laws and regulations during three or more consecutive examination cycles. No informal actions were taken for 6 of the 11 institutions. The remaining five institutions were subject to informal supervisory actions. Further, three of the five institutions were again cited with repeat, significant violations when the informal actions were terminated by DSC management.[ 11 ] Consequently, the supervisory actions were not always effective in ensuring that these institutions were in compliance with consumer protection laws and regulations.
According to DSC, examiners consider the circumstances in determining whether a violation is a repeat violation and indicative of a weakness in procedures or a failure to take appropriate corrective action. Often, a violation code can be used in ROEs many times, but its use could be indicative of a number of distinct issues, problems, or causes. DSC violation codes were developed broadly, and DSC stated that a repeat violation at one examination can result from a different set of circumstances than had been in place at the prior examination. Repeat violations may also arise when regulatory requirements are changed or amended. For example, the bank may have corrected the previous issue, but a regulatory change could result in a new infraction of the same code.
However, the FDIC’s Compliance Examination Procedures specifically state that violations are significant if they had appeared in the Significant Violations section of the ROE for the previous examination and are repeated in exactly the same manner at the current examination. Isolated repeat violations are not categorized as significant in the examination reports. Further, for our analysis of the repeat, significant violations involving 11 institutions, we relied on the examiners’ description of the significant violations as “repeat violations” in the Significant Violations sections of the ROEs.
Supervisory Actions
Supervisory actions taken by DSC did not always ensure that institutions had corrected repeat, significant violations. Of the 14 institutions we reviewed, 5 institutions were subject to informal supervisory actions once their rating had changed from a “2” to a “3.” Table 2 below provides a summary of the actions.
Table 2: Supervisory Actions Taken for Significant Violations
| Institution | Type of Action | Year of Action | Follow-up Visitation by DSC | Year of Subsequent Examination | Repeat, Significant Violations Cited, and Action Terminated at Subsequent Examination |
|---|---|---|---|---|---|
| Institution A | MOU | 2003 | No | 2005 | Yes |
| Institution B | BBR | 2004 | No | 2005 | Yes |
| Institution C | BBR (a) | 2005 | NA (b) | NA | NA |
| Institution D | MOU | 2003 | Yes | 2005 | Yes |
| Institution E | BBR (a) | 2005 | NA | NA | NA |

(a) These supervisory actions were still in effect as of the date of our review.
(b) NA designates not applicable.
As shown in Table 2, repeat, significant violations still had not been corrected at three of the five institutions subject to informal supervisory actions when these actions had been terminated. Further, DSC concluded that the institutions had adequately complied with the provisions of the actions, even though the examinations of the institutions continued to identify repeat violations. Pages 8-10 of this report discuss, in detail, examples of the institutions in our sample that had been subject to informal supervisory actions and cited with repeat violations at the subsequent examination when the actions were terminated.
DSC’s revised Formal and Informal Action Procedures (FIAP) Manual, dated December 9, 2005, states that the FDIC generally initiates formal or informal corrective action against institutions with a composite safety and soundness or compliance rating of “3,” “4,” or “5,” unless specific circumstances warrant otherwise. Informal action is generally appropriate for institutions that receive a composite rating of “3” for safety and soundness or compliance. This rating indicates that the institution has weaknesses that, if left uncorrected, could cause the institution’s condition to deteriorate. Formal action[ 12 ] is generally initiated against an institution with a composite rating of “4” or “5” for safety and soundness or compliance if there is evidence of unsafe or unsound practices and/or conditions or concerns over a high volume or severity of violations at the institution. In more serious situations, however, formal action could be considered even for institutions that receive composite ratings of “1” or “2” for safety and soundness or compliance examinations to address specific actions or inactions by the institution. The FIAP manual also states that informal actions are particularly appropriate when the FDIC has communicated with bank management regarding deficiencies and has determined that the institution’s managers and board of directors are committed to, and capable of, taking corrective action with some direction but without initiation of a formal corrective action. However, informal actions are voluntary and not legally enforceable. As shown in Table 2 on the previous page, imposing informal actions does not necessarily result in the correction of repeat significant violations.
Compliance Management System
DSC did not adequately ensure that the financial institutions in our sample corrected compliance program deficiencies. All 14 institutions we reviewed had deficiencies and weaknesses noted in at least 1 ROE. In addition, as discussed in the next section of our report, DSC identified serious deficiencies and weaknesses in some of these financial institutions’ CMSs that remained uncorrected for extended periods.
To determine whether an institution has an effective CMS, DSC evaluates three interdependent elements, including (1) board management and oversight; (2) the institution’s compliance program, including training and monitoring; and (3) a compliance audit.[ 13 ] According to the Compliance Examination Procedures, when all elements are strong and working together, an institution will be successful at managing its compliance responsibilities and risks now and in the future. Noncompliance with consumer protection laws and regulations can result in monetary penalties, litigation, and formal enforcement actions. The responsibility for ensuring that an institution is in compliance appropriately rests with the institution’s board of directors and management.
Although the Compliance Examination Procedures do not cite a regulation requiring FDIC-supervised institutions to have a CMS, the FDIC expects every FDIC-supervised institution to have an effective CMS adapted to its unique business strategy. In June 2003, the FDIC issued guidance related to the Compliance Examination Procedures, informing institutions that the Corporation had revised its approach to examining institutions for compliance with consumer protection laws and regulations.[ 14 ] The new approach combined a risk-based examination process with an in-depth evaluation of an institution’s CMS.
Examples of Repeat, Significant Violations; CMS Deficiencies; and Supervisory Actions
The following examples illustrate repeat, significant compliance violations; CMS program deficiencies; and cases in which DSC supervisory actions were not always effective in ensuring that institutions took timely and complete corrective action.
- From 1997 to 2005, DSC cited 47 significant violations for Institution A, in our sample, that included 13 (28 percent) repeat violations. During examinations conducted in 1998, 2001, and 2003, Institution A was repeatedly cited for RESPA, TILA, HMDA, and TISA violations. As a result, DSC downgraded the institution’s compliance rating from a “2” to a “3,” and imposed an MOU in 2003, about 5 years after the initial citations. During the subsequent 2005 examination, the institution was cited for the fourth consecutive time for the same RESPA violation that had been cited in the 1998, 2001, and 2003 examinations and was cited for the third consecutive time for the same TILA and HMDA violations that had been identified in the 2001 and 2003 examinations. However, DSC concluded in its 2005 ROE that the MOU had proven to be an effective tool for correcting the deficiencies identified at previous examinations. As a result of the improvements, DSC recommended that the MOU be terminated. In addition, DSC reported continued program deficiencies, which included training, during two consecutive examinations.
- From 1997 to 2005, DSC cited 77 significant violations for Institution B, in our sample, that included 17 (22 percent) repeat violations. During examinations conducted in 1999, 2001, and 2003, Institution B was repeatedly cited for flood insurance, RESPA and HMDA violations.[ 15 ] As a result of the 2003 examination, DSC downgraded the bank’s compliance rating from a “2” to a “3.” The bank adopted a BBR in 2004, about 5 years after the initial citations, requiring that bank management correct all violations listed in the compliance report and initiate appropriate procedures to prevent their recurrence. In its March 2005 ROE, DSC states that Institution B had adequately addressed the requirements of the BBR, even though DSC cited the bank for the fourth consecutive time for the same HMDA violation that had been cited in the 1999, 2001, and 2003 examinations. Further, DSC reported program deficiencies in five consecutive examinations, citing weaknesses in the CMS program that included a lack of comprehensive review procedures, training, and the bank’s audit function.
- From 1997 to 2005, DSC cited 44 significant violations for Institution F, in our sample, that included 5 (11 percent) repeat violations. During examinations conducted in 1998, 2000, and 2003, Institution F was repeatedly cited for RESPA violations. In the 1998 examination, when the initial citation was made, the bank promised future compliance. However, the same violation was cited at the subsequent 2000 examination and again in the 2003 ROE. During the 2005 examination, Institution F was also cited for repeat TISA and ECOA significant violations. Program deficiencies were also noted during two consecutive examinations. DSC recommended that the institution adopt a written CMS program and internal review procedures to prevent the recurrence of the violations.
- From 1997 to 2005, DSC cited 44 significant violations for Institution C, in our sample, that included 7 (16 percent) repeat violations. During examinations conducted in 1997, 2003,[ 16 ] and 2005, Institution C was repeatedly cited for TILA violations. In the 1997 ROE, when the initial citation was made, bank personnel promised future compliance. However, the same violation was subsequently cited for the third time in the 2005 ROE when DSC downgraded the bank’s compliance rating from a “2” to a “3” and the bank adopted a BBR. In addition, DSC described the institution’s CMS as lacking a compliance program and internal monitoring procedures and having inadequate training and review procedures identified by three consecutive examinations.
- From 1997 to 2005, DSC cited 58 significant violations for Institution D, in our sample, that included 6 (10 percent) repeat violations. During examinations conducted in 1997, 1999, and 2002, Institution D was repeatedly cited for RESPA and other significant violations. The total number of significant violations more than doubled between the 1999 and 2002 examinations and were categorized by DSC as “more serious.” As a result, DSC downgraded the compliance rating for Institution D from a “2” in 1999 to a “3” in 2002. The 2002 ROE stated that the prior ROE informed the bank’s board and management that the number of violations had doubled and repeat violations had occurred because the written compliance policy had not been implemented and effective program tools such as monitoring, audit, and training had not been established or implemented. An MOU was imposed on the institution in 2003, and DSC conducted a visitation during 2004 to assess the bank’s compliance with the MOU. In response, the bank corrected a majority of the violations cited during the 2002 examination, but some violations had not been corrected. For example, during the 2005 examination, the institution was cited for the third consecutive time for the same flood insurance violation that had been cited in the 1999 and 2002 examinations.
Conclusion
The FDIC’s Deputy to the Chairman and Chief Operating Officer has said publicly that the FDIC’s supervision and enforcement of consumer laws and regulations are part of ensuring public confidence in the banking system. Without effective enforcement, consumers and businesses may not obtain the benefits and protection afforded them by such laws and regulations. Consumer protection laws are intended to deter financial institutions from committing such acts as:
- discrimination based on race, color, religion, national origin, sex, marital status, and age in any aspect of a credit transaction, including residential real-estate-related transactions, such as making loans to buy, build, repair, or improve a dwelling;
- failure to provide borrowers with pertinent and timely disclosures regarding the nature and costs of the real estate settlement process; and
- inaccurate and unfair credit billing, credit card, and leasing transactions.
In addition, violations of consumer laws and regulations can give rise to civil liability for damages and, in TILA cases, administrative adjustments for understated finance charges or annual percentage rates.
Recommendations
We recommend that the Director, DSC, strengthen guidance related to the monitoring and follow-up processes for compliance violations by revising:
- The Compliance Examination Procedures to require follow-up between examinations on repeat, significant compliance violations and program deficiencies.
- The FIAP manual to require consideration of supervisory actions when any institution’s corrective action on repeat, significant violations is not timely or when repeat, significant violations are a recurring examination finding.
OTHER MATTERS
DSC’s 2005 Performance Goals
DSC does not have a performance goal[17] associated with the supervision of institutions rated “1,” “2,” and “3” that are cited with repeat, significant compliance violations. Instead, one of DSC’s 2005 annual performance goals was to take prompt and effective supervisory action to monitor and address problems identified during compliance examinations of FDIC-supervised institutions that receive a “4” or “5” rating for compliance with consumer protection and fair lending laws. However, of the 837 institutions with repeat significant violations in 2005, 708 (85 percent) institutions were rated “1” and “2” and 126 (15 percent) institutions were rated “3.” Only three institutions were rated “4,” and none were rated “5.”
Examiners are instructed to document, for each violation and CMS program deficiency, corrective actions taken by management during the examination and commitments for future corrective action. DSC does not require a response from bank management on corrective actions unless the institution is rated a “3,” “4,” or “5.” According to DSC, a “1” or “2” rating indicates that the institution has a CMS that is sufficient for correcting violations and deficiencies in the normal course of business. However, examinations of institutions rated “1” or “2” are identifying numerous instances of repeat, significant violations. As a result, the FDIC’s performance goals did not address the majority of repeat, significant violations.
Recommendation
We recommend that the Director, DSC, revise:
- DSC’s performance goals to focus more broadly on institutions with repeat, significant violations.
Ratings Consideration of Institution Compliance Training
As summarized in Appendix II of this report, each financial institution is assigned a consumer compliance rating predicated upon an evaluation of the nature and extent of its present compliance with consumer protection and civil rights statutes and regulations and the adequacy of its operating systems designed to ensure compliance on a continuing basis.
The FDIC’s compliance ratings standards specifically state, “An institution that is assigned a rating of ‘2’ is in generally strong compliance. Management is capable of administering an effective compliance program. Compliance training is satisfactory, and there is no evidence of practices resulting in repeat violations.”
While we are not questioning the assigned rating or the relative weighting given to the training component of the compliance program, we are nonetheless concerned about the apparent inconsistency between the ROEs and the ratings’ definitions. Specifically, we observed that the narratives for 29 (81 percent) of the 36 ROEs for institutions in our sample assigned a “2” rating appeared inconsistent with the definition of a “2” rating. All 29 of the ROEs identified the lack of training as the cause or a contributing factor for the significant violations identified in the ROEs. However, compliance ratings standards state that training has to be satisfactory for a “2” rating. In addition, 11 of the 14 institutions in our sample that were rated a “2” had repeat significant violations as identified by DSC. The examples below illustrate that the ROE narratives for these 29 institutions were not consistent with the definition of a “2” rating.
- Institution G’s 2005 ROE summary states, “The bank’s training program is generally adequate; however, several of the violations noted in this report are attributed to a lack of training. The lack of appropriate monitoring procedures and training has resulted in 15 violations including reimbursable violations of [TILA], repeat violations of Equal Credit Opportunity and Consumer Protection in the Sales of Insurance, and violations of Home Mortgage Disclosure and Flood Insurance, among others.”
- Institution H’s 1998 ROE summary states, “The compliance program deficiencies include weak monitoring, poor audit coverage and response time, as well as inefficient training.” DSC cited seven significant violations, including RESPA, Flood Insurance, EFTA, and HMDA violations.
- During its 1997 examination, Institution D was cited for 18 significant violations that were attributed to management oversight and being unaware or misunderstanding the specific compliance requirements. In 1999, DSC cited Institution D for 19 violations, including a repeat RESPA violation. DSC reported that “The bank has a written, Board-approved compliance policy that calls for the development of compliance procedures, staff training, and periodic testing. However, the policy has not been implemented to any significant degree.” DSC further reported that “bank management should take immediate steps to reinforce the bank’s compliance efforts through some form of systematic training and the establishment of internal monitoring procedures.” In 2003, over 3 years later, DSC imposed an MOU on the bank, recommending that training be improved. DSC conducted a visitation in 2004 and reported that the institution had made good progress in improving its training system. The institution’s rating was upgraded to satisfactory in 2005, even though four significant violations were cited, and one was a repeat violation cited in the previous two examinations.
We are not making any recommendations on this observation. DSC officials told us that an FFIEC task force is reviewing the definitions of the compliance ratings for institutions. We encourage DSC to share our observation with the task force for its consideration when revising the compliance rating definitions.
CORPORATION COMMENTS AND OIG EVALUATION
On September 29, 2006, the Acting Director, DSC, provided a written response to a draft of this report. The DSC response is presented in its entirety in Appendix V. Overall, DSC agreed to take corrective actions that are responsive to the recommendations. Appendix VI contains a summary of management’s response to the recommendations. The recommendations are resolved but will remain open until we have determined that the agreed-to actions have been completed and are effective.
In response to recommendations 1 and 3, DSC stated that it intends to analyze the prevalence and scope of repeatedly cited, significant violations to determine whether any changes in DSC policies and/or performance goals are necessary. DSC will complete this analysis and implement appropriate actions by September 30, 2007.
In response to recommendation 2, DSC stated that current FDIC guidance already permits DSC to consider taking supervisory action against highly rated banks. Further, DSC stated that the FIAP manual presents a clear statement of DSC policy as follows:
In more serious situations, however, formal action could be considered even for institutions that receive composite ratings of “1” or “2” for safety and soundness or compliance examinations to address specific actions or inactions by the institution.
Nonetheless, DSC agreed to reevaluate current FDIC and FFIEC guidance to determine whether enhancements or clarifications are needed. DSC will complete this process by September 30, 2007. With regard to this recommendation, we encourage the FDIC to consider the full range of supervisory actions available to address repeat, significant compliance violations, not just formal actions as addressed in the FIAP manual.
In addition to specifically addressing the recommendations in our report, DSC’s response included general comments regarding our findings. The response also discussed DSC’s commitment to consumer protection and its response to significant violations discovered during compliance examinations.
In discussing its commitment to consumer protection, DSC stated that, during the 8-year period covered by our audit, DSC issued 1,075 formal and informal enforcement actions to ensure that institutions under FDIC supervision complied with consumer protection laws and regulations. DSC also stated that, over the same period, it required banks to refund over $10 million to 220,567 consumers as a result of TILA violations and to make over $5 million in reimbursement to consumers harmed by unfair and deceptive practices prohibited by the Federal Trade Commission Act.
With respect to violations discovered during compliance examinations, DSC pointed out that, although our report focused on repeat, significant violations cited in examination reports, all but five of these reports were assigned either a “1” or a “2” compliance rating to the banks involved. DSC further stated that it believes that institutions with a “1” or “2” compliance rating have “strong” or “generally strong” compliance programs and are capable of addressing problems. At the next examination, consistent with FDIC examination procedures, DSC follows up on institution efforts to correct violations. In addition, DSC believes that some violations represent less risk to consumers, which DSC takes into consideration as part of the evaluation process to determine the need for follow up.
While we take no exception to these comments, our view is that repeat, significant violations should be considered more serious for purposes of supervisory action and follow-up on corrective action by institutions. As noted in our report, our review of the 14 institutions in our sample found that 11 (79 percent) institutions had repeat, significant violations. As shown in our examples, the institutions repeatedly violated the same laws and regulations for several years before DSC took any supervisory action.
With respect to our report’s observation on ratings, DSC stated that the FDIC strives diligently to present examination findings in a consistent manner and validates the processes by secondary review and a strong internal control program. DSC also stated that each rating is based on a qualitative analysis of the factors comprising that rating, with some factors given more weight than others, depending on the situation. Finally, in its response to our report, DSC states that we say the ratings observation is outside the scope of our audit. In our report, we did not question the assigned rating or the relative weighting given to the training or other components of the compliance program or the process that resulted in those ratings. While these matters are within the scope of the audit, our intent was only to express concern about the possible inconsistency between the assigned ratings and the ratings’ definitions. We acknowledge that the FFIEC has a task force reviewing the ratings definitions and hope that this information is useful in that regard.