05 Feb 2013

Implementing the CFPB-required Compliance Management System (Part 2)

CFPB compliance examinations have only just started and the agency has already identified deficiencies in some institutions:

“The CFPB has found one or more situations in which an effective CMS was lacking across the financial institution’s entire consumer financial portfolio, or in which the financial institution failed to adopt and follow comprehensive internal policies and procedures, resulting in a significant breakdown in compliance and numerous violations of Federal consumer financial law.”

By the way, if you were under the impression that the CFPB would only examine institutions above $10B in assets, Section 1026 of the Dodd-Frank Act provides that the agency does have regulatory authority for institutions under $10B as well.  They will likely coordinate the consumer compliance examination through your current primary federal examiner, or they may “spot-check” smaller institutions on their own.  Either way, you’ll have to meet their guidelines.  “…the CFPB expects every regulated entity under its supervision and enforcement authority to have an effective compliance management system…”.

So the agency clearly considers the Compliance Management System (CMS) a key component, and it is already an area of focus for regulators.  In fact, if you read a bit further in the guidance, they state that if a formal CMS is not in place, “…the financial institution has no ability to address risks presented by its lines of business.”

What is interesting about this statement is that although the focus of the CFPB is consumer compliance, they don’t seem to limit the applicability of a CMS to only consumer-oriented lines of business.  This leads me to believe that they view a CMS not just as a CFPB requirement, but as a general compliance best practice.  Furthermore, any attempt to implement a CMS using a “compliance-response” approach (i.e. one that addresses the letter, but not necessarily the spirit, of the regulation) will likely be inadequate.  In a typical CMS examination, the CFPB will evaluate both the understanding and the application of the financial institution’s compliance efforts.  The “compliance-response” approach will not work.  Indeed, as the earlier quote indicates, the CFPB has already found several institutions that had the correct policies and procedures in place, but they were not being followed.  In other words, while it is important to have the right policies in place, compliance will be determined by how well management understands the policies, and how well the policies are actually being followed.  Simply put…

Compliance = Policies + Procedures + Actual Practices

So how do you implement an effective and compliant CMS?  And more importantly, how do you do it in a cost-effective way?  While the exact elements of your CMS will vary according to the scope and complexity of your consumer financial products and services, there will be 6 broad areas of focus for the examiners:

  1. Board of Directors and Management Oversight
  2. Policies and Procedures
  3. Training
  4. Monitoring and Corrective Action
  5. Consumer Complaint Response
  6. Compliance Audit

With the possible exception of #5, you already have a formal process in place to address all of these elements for information security; it’s called your information security program.  Consider this…

  1. You have an IT strategic plan, which integrates with your overall strategic plan, and establishes the business case for technology.  It assigns overall responsibility to the Board for managing the plan, and requires periodic progress updates back to the Board.  Day-to-day management has been assigned to an IT Steering Committee.
  2. You have a set of policies and procedures, and you update them at least annually.
  3. You train your employees on information security best practices at least annually.
  4. You have periodic meetings of the IT Steering Committee, structured as a control self-assessment, where control adequacy and effectiveness are evaluated.
  5. You conduct periodic independent audits of the process.

So whether you realize it or not, you already have a “compliance management system” in place!  Simply take what you are already doing for information security, add a complaint response capability, and apply it to consumer compliance.  The CFPB Supervision and Examination Manual lists the specific procedures that examiners will use starting on page 36.  Just as Appendix A of the FFIEC Handbooks guided your information security program, you should use this to define the specifics of your CFPB compliance program.*

One final thought…the CFPB has adopted the same 5-point rating system used by the FFIEC to “grade” your adherence to the guidance, wherein a rating of 1 or 2 represents a strong compliance position, and any rating worse than a 2 is considered sub-optimal.  This is how the CFPB defines an institution rated “1” (bulletized for easier reading); use it as your guide:

  • Management is capable of and staff is sufficient for effectuating compliance.
  • An effective compliance program, including an efficient system of internal procedures and controls, has been established.
  • Changes in consumer statutes and regulations are promptly reflected in the institution’s policies, procedures, and compliance training.
  • The institution provides adequate training for its employees.
  • If any violations are noted they relate to relatively minor deficiencies in forms or practices that are easily corrected.
  • There is no evidence of discriminatory acts or practices, reimbursable violations, or practices resulting in repeat violations.
  • Violations and deficiencies are promptly corrected by management. As a result, the institution gives no cause for supervisory concern.

*I’ve converted the examination procedures section into an easy-to-follow checklist.  For Safe Systems customers, your account manager has a copy and will walk through it with you.

15 Jan 2013

CFPB Examinations To Require “Compliance Management Systems” (Part 1)

We have known for some time that CFPB examinations are coming, and late last year the CFPB released their Supervision and Examination Manual…all 924 pages of it!  There is much to comment on in there, but I want to focus on 2 things that will impact financial institutions right away.

The first is the actual approach the CFPB will take towards examining your institution, and anyone familiar with the risk management process (or who regularly reads this blog) will instantly recognize it.  Before they begin the examination process, they will conduct a risk assessment of your institution.  Of course the concept is nothing new; regulators have been expecting FIs to conduct risk assessments for years, and for everything they do, so I guess it’s good to see them finally practice what they preach.  However, this is the first time the concept has been applied to the pre-examination process, and since the depth and breadth of the examination will depend on the result of their assessment, you should definitely be proactive about this.  If their pre-exam assessment determines that your overall inherent risk is low or moderate and likely to remain steady or decrease in the future, and your controls are strong or adequate, the focus and intensity of the exam is likely to be relatively mild.  On the other hand, if inherent risk is high and/or increasing, and controls are judged as weak, I think you can expect a more vigorous examination experience.

So how can you prepare?  In the past, one common approach to new regulations has been to make at least a token effort to comply, then see what the examiner had to say.  Because past regulatory changes have been notoriously non-prescriptive (and as such, open to interpretation), you wait for the examiner to take a look at what you’ve done, and let them suggest changes.  In other words, you would accept examination findings rather than risk misinterpreting examiner expectations.  This has been a common, and frankly rational, approach to compliance.  However, this approach may not be optimal with CFPB examinations, because a token compliance effort may actually result in a higher risk rating.

This brings me to the second big take-away from the examination manual, and the only way to avoid a sub-optimal risk assessment: the implementation of a “Compliance Management System”, or CMS.  According to the CFPB:

“A critical component of a well-run financial institution is a robust and effective compliance management system (CMS), designed to ensure that the financial institution’s policies and practices are in full compliance with the requirements of Federal consumer financial law.  Consequently, one of the most important responsibilities of the CFPB supervisory program is assessing the quality of the compliance management systems employed by the financial institutions.  …Without such a system, serious and systemic violations of Federal consumer financial law are likely to occur.”

The system should be designed to address the following elements:

  • Internal controls and oversight
  • Training
  • Internal monitoring
  • Consumer complaint response
  • Independent testing and audit
  • Third-party service provider oversight
  • Record-keeping
  • Product development and business acquisition, and
  • Marketing practices

At first glance this appears to be a whole new set of potentially burdensome requirements for financial institutions.  The “CMS” term is new; no other regulatory agency specifically requires this.  And they make it clear that having the system in place is not just a best practice, it is a “critical component” of a well-run institution (strongly implying that if you don’t have one in place, you aren’t well-run).  Furthermore, if you don’t have a CMS in place you are likely to incur “serious and systemic violations” of law.

So a CMS is both a requirement in and of itself, and a good way to avoid a sub-optimal CFPB pre-examination risk assessment. The question at this point is not whether you should do it (you should), or when you should do it (ASAP, prior to your first CFPB examination), but rather how can you implement one with minimal internal resource impact?

I mentioned earlier that it may appear at first glance to be an entirely new system, but in my next post I’ll discuss how you can implement a comprehensive CMS that meets regulatory expectations and doesn’t impose an unreasonable burden by utilizing the risk assessment and reporting structure you probably already have in place within your institution.

(Spoiler alert:  The fundamentals of a CMS are nothing we haven’t seen before…understanding the difference between policies, procedures, and practices…utilizing a management committee with a standard agenda…implementing a control self-assessment process…documenting the management reporting process…sound familiar?)