By: William J. Showalter, CRCM, CRP, Senior Consultant
We have been told repeatedly over the years that we need to manage compliance, just like all aspects of our business. This maxim is particularly true in today’s escalating compliance environment. So many new and changed rules have been added to the mix over the past decade that we could easily be overwhelmed if we did not proactively manage the compliance process.
Over the years, supervisory agencies have shared general outlines of compliance management systems with the financial institutions they regulate. They have been quick to point out that there is no one “right” way to manage compliance, but that there are certain basic needs that must be met by any such program.
Compliance Management Systems
The Consumer Financial Protection Bureau (CFPB) and other agencies view compliance management as vital to the prevention of violations of federal consumer financial laws and the resulting harm to consumers. In its Supervisory Highlights publication, the CFPB spelled out its expectations for an effective compliance management system (CMS) – which mirror those from other supervisory agencies.
The CFPB states that it expects every entity it supervises (large financial institutions and nonbank financial firms) to have an effective CMS adapted to its business strategy and operations. According to the CFPB, a CMS is how a supervised entity:
- Establishes its compliance responsibilities
- Communicates those responsibilities to employees
- Ensures that responsibilities for meeting legal requirements and internal policies are incorporated into business processes
- Reviews operations to ensure responsibilities are carried out and legal requirements are met
- Takes corrective action, and
- Updates tools, systems, and materials, as necessary
No agency requires financial institutions to structure their CMS in any particular manner. They recognize the differences inherent in an industry comprised of banking organizations of different sizes, differing compliance profiles, and a wide range of consumer financial products and services. In addition, some financial firms outsource functions with consumer compliance-related responsibilities to service providers, requiring adaptations in their CMS structure.
However compliance is managed, financial entities are expected by all the federal supervisory agencies to structure their CMS in a manner sufficient to comply with federal consumer financial laws and appropriately address associated risks of harm to consumers.
The CFPB has found that the majority of banks it has examined have generally had adequate CMS structures. However, several institutions have lacked one or more of the components of an effective CMS, which creates an increased risk of noncompliance with federal consumer financial laws.
The most common weakness identified during CFPB reviews of banks’ CMS is a deficient system of periodic monitoring and independent compliance audits. The CFPB has noted that an effective CMS implements an effective internal compliance review program as an integral part of an overall risk management strategy. Such a program has two components: periodic monitoring reviews and an independent compliance audit. These two types of controls are not interchangeable; they must be complementary.
The periodic monitoring reviews are more frequent and less intensive than the audits, focusing on areas that carry the most risk – where mistakes should not be allowed to go uncorrected too long. Monitoring is an ongoing process, conducted by either the individual business lines or the compliance officer/department on a relatively frequent basis, and allows the bank to self-check its processes and ensure day-to-day compliance with federal consumer financial laws.
The independent compliance audit is a review of all operations impacted by consumer laws. An audit is performed on a less frequent basis, usually annually, to ensure that compliance is ongoing, that the CMS as a whole is operating properly, and that the board is aware of consumer compliance issues noted as part of these independent reviews. Audits are best performed by an independent party – usually either an internal auditor or an outside consultant.
The CFPB notes that an entity lacking periodic monitoring increases its risk that violations and weaknesses will go undetected for long periods of time, potentially leading to multiple regulatory violations and increased consumer harm. Additionally, these entities increase the risk that:
- Insufficiencies in the periodic monitoring process may not be identified
- The board is not made aware of regulatory violations or program weaknesses, or
- Practices or conduct by employees within the business lines or compliance department that are unfair, deceptive, abusive, discriminatory, or otherwise unlawful could go undetected
Although the CFPB states that it does not require any specific CMS structure, it notes that supervisory experience has found that an effective CMS commonly has four interdependent control components, elements that have been advocated by all regulatory agencies over the years:
- Board of directors and management oversight. An effective board of directors communicates clear expectations and adopts clear policy statements about consumer compliance for both the bank itself and its service providers. The board should establish a compliance function, allocating sufficient resources and qualified staffing to that function, commensurate with the entity’s size, organizational complexity, and risk profile. The board should ensure that the compliance function has the authority and accountability necessary to implement the compliance management program, with clear and visible support from senior management, as well. Management should ensure a strong compliance function and provide recurring reports of compliance risks, issues, and resolutions to the board or to a committee of the board.
- Compliance program. The CFPB and other federal financial institutions supervisors expect supervised entities to establish a formal, written compliance program, generally administered by a chief compliance officer. A compliance program includes the following elements: policies and procedures, training, monitoring, and corrective action.
The agencies assert that a well-planned, implemented, and maintained compliance program will prevent or reduce regulatory violations, protect consumers from noncompliance and associated harms, decrease the costs and risks of litigation affecting revenues and operational focus, and help align business strategies with outcomes.
- Consumer complaint management program. Financial service providers are expected to be responsive to complaints and inquiries received from consumers. In addition, financial institutions should monitor and analyze complaints to understand and correct weaknesses in their programs that could lead to consumer risks and violations of law.
Key elements of a consumer complaint management program include establishment of channels through which to receive consumer complaints and inquiries (e.g., telephone numbers or email addresses dedicated to receiving consumer complaints or inquiries); proper and timely resolution of all complaints; recordation, categorization, and analysis of complaints and inquiries; and reviews for possible violations of federal consumer financial laws.
The agencies expect financial firms to organize, retain, and analyze complaint data to identify trends, isolate areas of risk, and identify program weaknesses in their lines of business and overall CMS.
- Independent compliance audit. A compliance audit program provides a board of directors or its designated committees with a determination of whether policies and standards are being implemented to provide for the level of compliance and consumer protection established by the board. As noted above, these audits should be conducted by a party independent of both the compliance program and the business functions. The audit results should be reported directly to the board or a board committee.
The agencies expect that the audit schedule and scope will be appropriate for the entity’s size, its consumer financial product offerings, and structure for offering these products. The compliance audit program should address compliance with all applicable federal consumer financial laws, and identify any significant gaps in policies and standards.
When all of these four control components are strong and well-coordinated, the CFPB states that a supervised entity should be successful at managing its compliance responsibilities and risks.
To learn more about Young & Associates, Inc. and how we can assist your organization in developing a strong Compliance Management System, visit our website, or contact Dave Reno, Director – Lending and Business Development.
About Young & Associates, Inc.
Young & Associates, Inc. has provided consulting, training, and practical products for community financial institutions for over 43 years. We strive to provide the most up-to-date solutions for our clients’ needs, while remaining true to our founding principles and goals – to ease the management of your organization, reduce the regulatory burden, improve your bottom line, and increase shareholder value.