We have known for some time that CFPB examinations are coming, and late last year the CFPB released their Supervision and Examination Manual…all 924 pages of it! There is much to comment on in there, but I want to focus on two things that will impact financial institutions right away.
The first is the actual approach the CFPB will take towards examining your institution, and anyone familiar with the risk management process (or who regularly reads this blog) will instantly recognize it. Before they begin the examination process, they will conduct a risk assessment of your institution. Of course the concept is nothing new; regulators have been expecting FIs to conduct risk assessments for years, and for everything they do, so I guess it’s good to see them finally practice what they preach. However, this is the first time the concept has been applied to the pre-examination process, and since the depth and breadth of the examination will depend on the result of their assessment, you should definitely be proactive about this. If their pre-exam assessment determines that your overall inherent risk is low or moderate and likely to remain steady or decrease in the future, and your controls are strong or adequate, the focus and intensity of the exam is likely to be relatively mild. On the other hand, if inherent risk is high and/or increasing, and controls are judged as weak, I think you can expect a more vigorous examination experience.
So how can you prepare? In the past, one common approach to new regulations has been to make at least a token effort to comply, then see what the examiner had to say. Because past regulatory changes have been notoriously non-prescriptive (and as such, open to interpretation), you would wait for the examiner to take a look at what you’d done, and let them suggest changes. In other words, you would accept examination findings rather than risk misinterpreting examiner expectations. This has been a common, and frankly rational, approach to compliance. However, this approach may not be optimal with CFPB examinations, because a token compliance effort may actually result in a higher risk rating.
This brings me to the second big take-away from the examination manual, and the only way to avoid a sub-optimal risk assessment: the implementation of a “Compliance Management System”, or CMS. According to the CFPB:
“A critical component of a well-run financial institution is a robust and effective compliance management system (CMS), designed to ensure that the financial institution’s policies and practices are in full compliance with the requirements of Federal consumer financial law. Consequently, one of the most important responsibilities of the CFPB supervisory program is assessing the quality of the compliance management systems employed by the financial institutions. …Without such a system, serious and systemic violations of Federal consumer financial law are likely to occur.”
The system should be designed to address the following elements:
- Internal controls and oversight
- Internal monitoring
- Consumer complaint response
- Independent testing and audit
- Third-party service provider oversight
- Product development and business acquisition, and
- Marketing practices
At first glance this appears to be a whole new set of potentially burdensome requirements for financial institutions. The “CMS” term is new; no other regulatory agency specifically requires this. And they make it clear that having the system in place is not just a best practice, it is a “critical component” of a well-run institution (strongly implying that if you don’t have one in place, you aren’t well-run). Furthermore, if you don’t have a CMS in place you are likely to incur “serious and systemic violations” of law.
So a CMS is both a requirement in and of itself, and a good way to avoid a sub-optimal CFPB pre-examination risk assessment. The question at this point is not whether you should do it (you should), or when you should do it (ASAP, prior to your first CFPB examination), but rather how you can implement one with minimal internal resource impact.
I mentioned earlier that it may appear at first glance to be an entirely new system, but in my next post I’ll discuss how you can implement a comprehensive CMS that meets regulatory expectations and doesn’t impose an unreasonable burden by utilizing the risk assessment and reporting structure you probably already have in place within your institution.
(Spoiler alert: The fundamentals of a CMS are nothing we haven’t seen before…understanding the difference between policies, procedures, and practices…utilizing a management committee with a standard agenda…implementing a control self-assessment process…documenting the management reporting process…sound familiar?)