Tag: CFPB

05 Feb 2013

Implementing the CFPB-required Compliance Management System (Part 2)

CFPB compliance examinations have only just started and the agency has already identified deficiencies in some institutions:

“The CFPB has found one or more situations in which an effective CMS was lacking across the financial institution’s entire consumer financial portfolio, or in which the financial institution failed to adopt and follow comprehensive internal policies and procedures, resulting in a significant breakdown in compliance and numerous violations of Federal consumer financial law.”

By the way, if you were under the impression that the CFPB would only examine institutions above $10B in assets, Section 1026 of the Dodd-Frank Act provides that the agency does have regulatory authority for institutions under $10B as well.  They will likely coordinate the consumer compliance examination through your current primary federal examiner, or they may “spot-check” smaller institutions on their own.  Either way, you’ll have to meet their guidelines.  “…the CFPB expects every regulated entity under its supervision and enforcement authority to have an effective compliance management system…”.

So the agency clearly considers the Compliance Management System (CMS) a key component, and it is already an area of focus for regulators.  In fact, if you read a bit further in the guidance they state that if a formal CMS is not in place, “…the financial institution has no ability to address risks presented by its lines of business.”

What is interesting about this statement is that although the focus of the CFPB is consumer compliance, they don’t seem to limit the applicability of a CMS to only consumer-oriented lines of business.  This leads me to believe that they consider a CMS not just a CFPB requirement, but a general compliance best practice.  Furthermore, any attempt to implement a CMS using a “compliance response” approach (i.e. one that addresses the letter, but not necessarily the spirit, of the regulation) will likely be inadequate.  In a typical CMS examination, the CFPB will evaluate both the understanding and the application of the financial institution’s compliance efforts.  The “compliance-response” approach will not work.  Indeed, as the earlier quote indicates, the CFPB has already found several institutions that had the correct policies and procedures in place, but they were not being followed.  In other words, while it is important to have the right policies in place, compliance will be determined by how well management understands the policies, and how well the policies are actually being followed.  Simply put…

Compliance = Policies + Procedures + Actual Practices

So how do you implement an effective and compliant CMS?  And more importantly, how do you do it in a cost effective way?  While the exact elements of your CMS will vary according to the scope and complexity of your consumer financial products and services, there will be 6 broad areas of focus for the examiners:

  1. Board of Directors and Management Oversight
  2. Policies and Procedures
  3. Training
  4. Monitoring and Corrective Action
  5. Consumer Complaint Response
  6. Compliance Audit

With the possible exception of #5, you already have a formal process in place to address all of these elements for information security: it’s called your information security program.  Consider this…

  1. You have an IT strategic plan, which integrates with your overall strategic plan, and establishes the business case for technology.  It assigns overall responsibility to the Board for managing the plan, and requires periodic progress updates back to the Board.  Day-to-day management has been assigned to an IT Steering Committee.
  2. You have a set of policies and procedures, and you update them at least annually.
  3. You train your employees on information security best practices at least annually.
  4. You have periodic meetings of the IT Steering Committee, structured as a control self-assessment, where control adequacy and effectiveness is evaluated.
  5. You conduct periodic independent audits of the process.

So whether you realize it or not, you already have a “compliance management system” in place!  Simply take what you are already doing for information security, add a complaint response capability, and apply it to consumer compliance.  The CFPB Supervision and Examination Manual lists the specific procedures that examiners will use starting on page 36.  Just as Appendix A of the FFIEC Handbooks guided your information security program, you should use this to define the specifics of your CFPB compliance program.*

One final thought…the CFPB has adopted the same 5 point rating system used by the FFIEC to “grade” your adherence to the guidance, wherein a rating of 1 or 2 represents a strong compliance position, and anything worse than a 2 is considered sub-optimal.  This is how the CFPB defines an institution rated “1” (bulletized for easier reading); use it as your guide:

  • Management is capable of and staff is sufficient for effectuating compliance.
  • An effective compliance program, including an efficient system of internal procedures and controls, has been established.
  • Changes in consumer statutes and regulations are promptly reflected in the institution’s policies, procedures, and compliance training.
  • The institution provides adequate training for its employees.
  • If any violations are noted they relate to relatively minor deficiencies in forms or practices that are easily corrected.
  • There is no evidence of discriminatory acts or practices, reimbursable violations, or practices resulting in repeat violations.
  • Violations and deficiencies are promptly corrected by management. As a result, the institution gives no cause for supervisory concern.

*I’ve converted the examination procedures section into an easy-to-follow checklist.  For Safe Systems customers, your account manager has a copy and will walk through it with you.

15 Jan 2013

CFPB Examinations To Require “Compliance Management Systems” (Part 1)

We have known for some time that CFPB examinations are coming, and late last year the CFPB released their Supervision and Examination Manual…all 924 pages of it!  There is much to comment on in there, but I want to focus on 2 things that will impact financial institutions right away.

The first is the actual approach the CFPB will take towards examining your institution, and anyone familiar with the risk management process (or who regularly reads this blog) will instantly recognize it.  Before they begin the examination process, they will conduct a risk assessment of your institution.  Of course the concept is nothing new; regulators have been expecting FIs to conduct risk assessments for years, and for everything they do, so I guess it’s good to see them finally practice what they preach.  However, this is the first time the concept has been applied to the pre-examination process, and since the depth and breadth of the examination will depend on the result of their assessment, you should definitely be proactive about this.  If their pre-exam assessment determines that your overall inherent risk is low or moderate and likely to remain steady or decrease in the future, and your controls are strong or adequate, the focus and intensity of the exam is likely to be relatively mild.  On the other hand, if inherent risk is high and/or increasing, and controls are judged as weak, I think you can expect a more vigorous examination experience.

So how can you prepare?  In the past, one common approach to new regulations has been to make at least a token effort to comply, then see what the examiner had to say.  Because past regulatory changes have been notoriously non-prescriptive (and as such, open to interpretation), you wait for the examiner to take a look at what you’ve done, and let them suggest changes.  In other words, you would accept examination findings rather than risk misinterpreting examiner expectations.  This has been a common, and frankly rational, approach to compliance.  However this approach may not be optimal with CFPB examinations, because a token compliance effort may actually result in a higher risk rating.

This brings me to the second big take-away from the examination manual, and the only way to avoid a sub-optimal risk assessment: the implementation of a “Compliance Management System”, or CMS.  According to the CFPB:

“A critical component of a well-run financial institution is a robust and effective compliance management system (CMS), designed to ensure that the financial institution’s policies and practices are in full compliance with the requirements of Federal consumer financial law.  Consequently, one of the most important responsibilities of the CFPB supervisory program is assessing the quality of the compliance management systems employed by the financial institutions.  …Without such a system, serious and systemic violations of Federal consumer financial law are likely to occur.”

The system should be designed to address the following elements:

  • Internal controls and oversight
  • Training
  • Internal monitoring
  • Consumer complaint response
  • Independent testing and audit
  • Third-party service provider oversight
  • Record-keeping
  • Product development and business acquisition, and
  • Marketing practices

At first glance this appears to be a whole new set of potentially burdensome requirements for financial institutions.  The “CMS” term is new; no other regulatory agency specifically requires this.  And they make it clear that having the system in place is not just a best practice, it is a “critical component” of a well-run institution (strongly implying that if you don’t have one in place, you aren’t well-run).  Furthermore, if you don’t have a CMS in place you are likely to incur “serious and systemic violations” of law.

So a CMS is both a requirement in and of itself, and a good way to avoid a sub-optimal CFPB pre-examination risk assessment. The question at this point is not whether you should do it (you should), or when you should do it (ASAP, prior to your first CFPB examination), but rather how can you implement one with minimal internal resource impact?

I mentioned earlier that it may appear at first glance to be an entirely new system, but in my next post I’ll discuss how you can implement a comprehensive CMS that meets regulatory expectations and doesn’t impose an unreasonable burden by utilizing the risk assessment and reporting structure you probably already have in place within your institution.

(Spoiler alert:  The fundamentals of a CMS are nothing we haven’t seen before…understanding the difference between policies, procedures, and practices…utilizing a management committee with a standard agenda…implementing a control self-assessment process…documenting the management reporting process…sound familiar?)

11 Dec 2012

Technology Service Providers and the new SOC reports

What do all of the 2012 changes to the IT Examination Handbooks have in common?  They are all, directly or indirectly, related to vendor management.  I had previously identified vendor management as a leading candidate for increased regulatory scrutiny in 2012, and boy was it.  (Not all of my 2012 predictions fared as well, I’ll take a closer look at the rest of them in a future post.)

So there is definitely more regulatory focus on vendors, and it’s a pretty safe bet that this will continue into 2013.  It usually takes about 6-12 months before new guidance is fully digested into the examination process, so expect additional scrutiny of your vendor management process during your 2013 examination cycle.  Since guidance is notoriously non-prescriptive we don’t know exactly what to expect, but we can be certain that third-party reviews will be more important than ever.  Third-party audit reports, such as the SAS 70 in previous years, and now the new SOC reports (particularly the SOC 1 & SOC 2), provide the best assurance that your vendors are in fact treating your data with the same degree of care that regulators expect from you.  As the FFIEC stated in their recent release on Cloud Computing:

“A financial institution’s use of third parties to achieve its strategic plan does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws and regulations.”

Undoubtedly third-party audit reports will still be the best way for you to ensure that your vendors are compliant, but there seems to be considerable confusion about exactly which of the 3 new SOC reports are the “right” ones for you.  In fact, in a recent webinar we hosted with a leading accounting firm, one of the firm’s partners stated that “there are a few instances where you might receive a SOC 1 report where a SOC 2 might be more appropriate”.  And this is exactly what we are seeing, technology service providers are having a SOC 1 report prepared when what the financial institution really wants and needs is a SOC 2.

Why is it important for you to understand this?  Because the SOC 1 (also known as the SSAE 16) reporting standard specifically states that it is to be used only for assessing controls over financial reporting.  It is their auditor telling your auditor that the information they are feeding into your financial statements is reliable.  On the other hand, the SOC 2 reporting standard is a statement from their auditor directly to you, and addresses the following criteria:

  1. Security – The service provider’s system is protected against unauthorized access.
  2. Availability – The service provider’s system is available for operation as contractually committed or agreed.
  3. Processing Integrity – The provider’s system is accurate, complete, and trustworthy.
  4. Confidentiality – Information designated as confidential is protected as contractually committed or agreed.
  5. Privacy – Personal information (if collected by the provider) is used, retained, disclosed, and destroyed in accordance with the provider’s privacy policy.

If these sound familiar, they should.  The FFIEC Information Security Booklet lists the following security objectives that all financial institutions should strive to accomplish:

  1. Privacy &
  2. Security (elements of GLBA)
  3. Availability
  4. Integrity of data or systems
  5. Confidentiality of data or systems
  6. Accountability
  7. Assurance

As you can see, there is considerable overlap between what the FFIEC expects of you, and what the SOC 2 report tells you about your service provider.  So why are we seeing so many service providers prepare SOC 1 reports when the SOC 2 is called for?  I think there are two reasons; first, because they are functionally equivalent, the SOC 1 is an easier transition if they are coming from the SAS 70.  I can tell you from our transition experience that the SOC 2 reporting standard is not just different, it is substantially broader and deeper than the SAS 70.  So some vendors may simply be taking the path of least resistance.

But the primary reason is that if the vendor provides a service to you that directly impacts your financial statements (like the calculation of interest) they must produce a SOC 1.  But, if they additionally provide services unrelated to your financial statements, should they also produce a SOC 2?  In almost every case, the answer is “yes”, because for all of the above reasons, the SOC 1 simply will not address all of your concerns.

The next couple of years will be transitional ones for most technology service providers as they adjust to the new auditing standards, and for you as you begin to digest the new reports.  But will the examiners be willing to give you a transition period?  In other words, should you wait for your examiner to find fault with your vendor management program to start updating it?  I’m not sure that taking a wait-and-see attitude is prudent in this case.  The regulatory expectations are out there now, the reporting standards are out there, and the risk is real…you need to be pro-active in your response.

(NOTE:  This will be covered more completely in a future post, but the CFPB has also recently issued guidance on vendor management…and they are staffing up with new examiners.  Are there three scarier words to a financial institution than “entry-level examiners”?!)

28 Mar 2012

CFPB Examinations Are Coming – UPDATE 2

UPDATE 2 – June 2012:  Memorandum of Understanding issued on CFPB examinations

Examinations are coming, but hopefully they won’t impose too much of an additional burden on you.  At least that is the intent of an MOU recently signed between the CFPB and the other Federal regulators (Federal Reserve, NCUA, FDIC and OCC).  The MOU provides for information sharing among and between all agencies in order to minimize unnecessary duplication of examination efforts, and provides guidelines for “Simultaneous and Coordinated Examinations” between the agencies.  So expect additional visitors during future examinations, but if they truly expect to achieve the stated objective to “minimize unnecessary regulatory burden on Covered Institutions” they could start by doing away with CFPB examinations entirely.

UPDATE 1 – May 2012:  Ramping Up…

Coming soon to your financial institution –

Dear Board of Directors:

Pursuant to the authority of the Dodd-Frank Wall Street Reform and Consumer Protection Act, the Consumer Financial Protection Bureau (CFPB) performed a risk-focused examination of your institution.  The examination began on April 1, 2012.  The following report summarizes the findings of our examination.

Any matters of criticism, violations of laws or regulations, and other matters of concern identified within this Examination Report require the Board of Directors’ and management’s prompt attention and corrective action….

Although by law the CFPB will only examine large depository institutions (assets greater than $10B) individually, Section 1026 extends coverage to smaller institutions on a sampling basis.  This means all institutions can eventually expect a visit from CFPB examiners (either with or without your primary federal regulator) at some point in the future.  And it is my opinion that the influence of the CFPB will continue to expand to all financial institutions regardless of size.  Consider the following:

  1. The CFPB is now one of the agencies comprising the inter-agency council of the FFIEC (replacing the OTS).  This means that CFPB will have input into all FFIEC guidance going forward.
  2. The head of the CFPB sits on the FDIC Board of Directors.
  3. So far, 19 (Regs. B – P, V, X, Z & DD) out of the total of 39 Regulations have been turned over to CFPB for enforcement.  (I wonder if including Reg E will affect all electronic funds transfers, or only those initiated by non-business customers?  I find it hard to believe that there would be 2 sets of standards.)

So they are coming, but believe it or not there is good news.  Not only are they telling you what they are looking for ahead of time, they are giving you lots of helpful templates to fill out in preparation.  True, the templates are for their examiners, but there is no reason why you can’t use them too.  Particularly helpful is the Consumer Risk Assessment Template which CFPB examiners will use to determine inherent risk, which is then reduced by the appropriate controls to arrive at the overall risk (also called residual risk).  This table represents the summary of the consumer risk assessment process:

Notice that if the inherent risk is high, the residual risk can be no lower than moderate, regardless of the strength of the controls.  I think this is significant because of the potential implications for all risk assessments going forward.  Remember, CFPB now has a seat at the FFIEC (and FDIC) table.

But consider this…could we be looking at a fundamental change in how all risk assessments are conducted, and examined, in the future?  One single standardized risk assessment template for all risks?  Inherent risk levels are pre-defined, and control strength is pre-determined, making residual risk a purely objective calculation.  The complete lack of subjectivity means that all examiners evaluate all institutions against the exact same set of standards.  No exit meeting surprises, no unexpected CAMELS score downgrades, no spending hours and hours preparing for one area of compliance, only to have the examiners focus on something else.

So could the influence of the CFPB be a smoother, more predictable examination experience overall?  Or am I dreaming?