CFPB compliance examinations have only just started and the agency has already identified deficiencies in some institutions:
“The CFPB has found one or more situations in which an effective CMS was lacking across the financial institution’s entire consumer financial portfolio, or in which the financial institution failed to adopt and follow comprehensive internal policies and procedures, resulting in a significant breakdown in compliance and numerous violations of Federal consumer financial law.”
By the way, if you were under the impression that the CFPB would only examine institutions above $10B in assets, Section 1026 of the Dodd-Frank Act provides that the agency does have regulatory authority for institutions under $10B as well. They will likely coordinate the consumer compliance examination through your current primary federal examiner, or they may “spot-check” smaller institutions on their own. Either way, you’ll have to meet their guidelines. “…the CFPB expects every regulated entity under its supervision and enforcement authority to have an effective compliance management system…”.
So the agency clearly considers the Compliance Management System (CMS) a key component, and it is already an area of focus for regulators. In fact if you read a bit further in the guidance they state that if a formal CMS is not in place, “…the financial institution has no ability to address risks presented by its lines of business.”
What is interesting about this statement is that although the focus of the CFPB is consumer compliance, they don’t seem to limit the applicability of a CMS to only consumer-oriented lines of business. This leads me to believe that they believe that a CMS is not just a CFPB requirement, but they consider it a general compliance best-practice. Furthermore, any attempt to implement a CMS using a “compliance response” approach (i.e. one that address the letter, but not necessarily the spirit, of the regulation) will likely be inadequate. In a typical CMS examination, the CFPB will evaluate both the understanding and the application of the financial institution’s compliance efforts. The “compliance -response” approach will not work. Indeed as the earlier quote indicates, the CFPB has already found several institutions that had the correct policies and procedures in place, but they were not being followed. In other words, while it is important to have the right policies in place, compliance will be determined by how well management understands the policies, and how well the policies are actually being followed. Simply put…
Compliance = Policies + Procedures + Actual Practices
So how do you implement an effective and compliant CMS? And more importantly, how do you do it in a cost effective way? While the exact elements of your CMS will vary according to the scope and complexity of your consumer financial products and services, there will be 6 broad areas of focus for the examiners:
- Board of Directors and Management Oversight
- Policies and Procedures
- Monitoring and Corrective Action
- Consumer Complaint Response
- Compliance Audit
With the possible exception of #5, you already have a formal process in place to address all of these elements for information security, it’s called your information security program. Consider this…
- You have an IT strategic plan, which integrates with your overall strategic plan, and establishes the business case for technology. It assigns overall responsibility to the Board for managing the plan, and requires periodic progress updates back to the Board. Day-to-day management has been assigned to an IT Steering Committee.
- You have a set of policies and procedures, and you update them at least annually.
- You train your employees on information security best practices at least annually.
- You have periodic meetings of the IT Steering Committee, structured as a control self-assessment, where control adequacy and effectiveness is evaluated.
- You conduct periodic independent audits of the process.
So whether you realize it or not, you already have a “compliance management system” in place! Simply take what you are already doing for information security, add a complaint response capability, and apply it to consumer compliance. The CFPB Supervision and Examination Manual lists the specific procedures that examiners will use starting on page 36. Just as Appendix A of the FFIEC Handbooks guided your information security program, you should use this to define the specifics of your CFPB compliance program.*
One final thought…the CFPB has adopted the same 5 point rating system used by the FFIEC to “grade” your adherence to the guidance, wherein a rating of 1 or 2 represents a strong compliance position, and anything less than a 2 is considered sub-optimal. This is how the CFPB defines an institution rated “1” (bulletized for easier reading), use it as your guide:
- Management is capable of and staff is sufficient for effectuating compliance.
- An effective compliance program, including an efficient system of internal procedures and controls, has been established.
- Changes in consumer statutes and regulations are promptly reflected in the institution’s policies, procedures, and compliance training.
- The institution provides adequate training for its employees.
- If any violations are noted they relate to relatively minor deficiencies in forms or practices that are easily corrected.
- There is no evidence of discriminatory acts or practices, reimbursable violations, or practices resulting in repeat violations.
- Violations and deficiencies are promptly corrected by management. As a result, the institution gives no cause for supervisory concern.
*I’ve converted the examination procedures section into an easy-to-follow checklist. For Safe Systems customers, your account manager has a copy and will walk through it with you.