Each standard includes a summary of the expected control, process, or program, along with criteria for rating the quality of a company’s application of the standard along a five point scale: Level 5 (Rudimentary), Level 4 (Documented), Level 3 (Integrated), Level 2 (Strategic), and Level 1 (Optimized). For each company being certified, assessors are expected to utilize the rating criteria, along with other industry insights and experience to assign an appropriate certification level for each standard. The CFES expects to periodically update the criteria over time in future releases as needed to capture emerging best practices.

Importantly, these ratings are not meant to be purely linear or prescriptive. A nonbank may have different ratings across different compliance and risk areas based on their business model, risk profile, and stage of growth. This approach ensures the framework provides a meaningful framework for guiding nonbanks to pursue stronger risk and compliance programs while avoiding setting unrealistic expectations for all industry participants. However, as a general rubric, nonbanks early on their journey should strive to consistently achieve ratings of 3-4 while established companies should achieve ratings of 1-3.