A Compliance Management System Example

This is a guest post by one of our Cohort members, Theresa Zuber.  Theresa is the VP/Compliance Officer at a $450 million community bank and shares her years of experience in banking by providing us with an example of things to consider in building and designing a compliance management system.

Between policy reviews, risk analysis, board reporting, annual training, complaint tracking and documentation for examiners, it can be difficult to keep track of all the individual tasks and responsibilities found within a Compliance Management System (CMS).  In fact, keeping a CMS going can sometimes feel more like a juggling act than banking. Therefore, we have the following Compliance Management System example to give you the framework you need to take control of your Compliance duties and ensure nothing slips through the cracks.  

Of course, it is important to keep in mind that each bank will differ and a Compliance Management System will need to be designed on a risk-based approach, so use this example as a guide and not an all-inclusive list.  

So, let’s start with the framework: 

The Framework of a Compliance Management System

While each regulator outlines the framework of a Compliance Management System a bit differently, there are a few core elements that should be included in your CMS.

First and foremost, each financial institution should have someone responsible for compliance, and this is typically done by designating a compliance officer to manage the CMS.  A Compliance Officer must be appointed by the Board of Directors and should have: 

  • Appropriate experience and stature within the organization to be effective 

  • Direct access to the board of directors 

  • Attendance & input during new product/services development 

  • Ongoing training 

  • Adequate financial resources/staff support based on size of financial institution 

Elements of a Compliance Management System 

Once someone has been identified as being responsible for the Compliance Management System, it is important to make sure that all of the components of a CMS are working properly.   In short, the components of a CMS should include the following:

  • A process for identifying compliance risk in all areas 

  • Monitoring/testing of procedures/requirements and reporting of such 

  • Documenting and reporting to the board any corrective action, material issues or weaknesses 

  • Insuring policies/procedures are current, include any compliance requirements and are reviewed at the board level as required. 

  • Training for staff based on job responsibilities on an ongoing basis. 

  • A process for consumer complaint management 

If you need detailed information about Compliance Management Systems, take a look at this article that explains: What is a Compliance Management System? https://www.compliancecohort.com/what-is-compliance-management-system 

Reviewing Your Compliance Management System

If you are the Compliance Officer at your institution, hopefully you’ve got the first section check marked already.  If not, it’s time to sit down with your Bank President and have an honest discussion about the areas in which you feel are lacking.  Are they forgetting to include you in new product development until they are ready to roll it out to the customer? Compliance concerns and risk are in every facet of banking.  If you don’t hear about it until the last minute, who has done the due diligence review on the Vendor? Are disclosures required? Often they aren’t intentionally excluding the Compliance Officer but just don’t think about it!  A gentle reminder may be in order. 

What about adequate financial resources and staff support?  Compliance requirements have increased exponentially in the last several years.  It’s easy for leadership to be unaware of all that is required; after all, they are consumed with their own responsibilities.  If you are struggling to get it all done, consider documenting your work day for a month. This can be a great resource when requesting additional support. 

Compliance Management Examples

Here are some tips to help you keep all those compliance balls in the air as you strive to become your bank’s Compliance Super Hero! 

Examples for Organizing Your CMS

First – list the regulations that apply to your organization.  For instance, BSA will apply to all banks but Reg C (HMDA) may not.  A list of the regulations that may apply to you can be found here.  

You may have already risk-rated these regulations in order to determine the frequency of monitoring. If not, look at your exposures and risk-rate each regulation.  BSA will be higher risk than Reg GG (Unlawful Internet Gambling) for example, so perhaps you will decide to monitor different areas of BSA quarterly and review CTRs daily or weekly, but just review Reg GG annually.  

Next, list the items that you want to review/do on an annual basis.  Here are some examples:

  • Reg O training for the board;

  • analysis of BSA/OFAC/CIP/Patriot Act;

  • CRA file update, vendor management;

  • taking risk assessments to the board;

  • Information Security/GLBA annual report; and

  • verification of signage in all facilities.

Based on the regulations you must adhere to and the risk-rating assigned, you will next determine what areas you will monitor throughout the year and how often.  Perhaps fair lending/UDAAP and beneficial owner forms (a newer BSA rule) need reviewed monthly, but homeownership counseling requirements in Reg X can be reviewed annually.  Social media activity should be monitored more often than just the FDIC Membership requirements – unless you have a new person handling advertising and then, extra reviews may be warranted.   Consider what policies does your institution have?  Do they specifically state they must be reviewed by the board annually?  Go through each policy noting the requirements for review. Then schedule these policies throughout the year for review by the appropriate employee (Loan Policy reviewed by VP of Lending, ACH policy reviewed by head of accounting, etc.) 

Create Monthly “To Do” Lists for Your CMS 

Now that you have many of your main responsibilities listed, begin to divide these up into monthly “To Do” lists.  What items will need to go to the board next month? List those out so that you are prepared. What policies are coming up?  A month or so ahead, email the latest copy to the person responsible for reviewing it with the date it is due. Divide your monitoring, risk assessments, reports throughout the year keeping in mind that quarter end months will be busier than other months.  Perhaps you want to do the risk assessment at the same time you submit the policy and do the monitoring. Perhaps you’d rather split it throughout the year; whatever works for you – as long as you document everything. Remember that in Compliance “If it’s not written down, it didn’t happen.” 

Don’t forget training – for the employees, the directors and for yourself.  Schedule time to stay up to date on the latest Compliance happenings through great resources like (shameless plug….) the Compliance Cohort. (Find even more training options in our store here.)  Annual training for staff is great, but be sure to reinforce various topics with additional mini-trainings throughout the year – and document, document, document.  Having staff read through policies that directly affect them is a free training tool. This can be spread throughout the year as policies are updated and reviewed by the board. 

Create a Functioning Compliance Procedure Manual 

If you don’t have a Compliance Procedure Manual, I highly recommend creating one.  First, in case you get hit by a bus… ah, win the lottery, then someone will be able to pick up where you left off. Second, it is a great way to keep yourself on track.  There are too many details to  remember and a procedure manual can assist you in staying organized and out of hot water with your board and regulators. Perhaps add a table of contents with hyperlinks for ease of use and update as changes occur. 

Also, be sure to revisit your procedures and “to do” lists annually to make sure everything is being covered and to add any new requirements.  These steps will help show examiners that your bank’s Compliance Management System is being well maintained. We all know that a happy examiner means a happy Compliance Officer.  

Realistic Expectations for Compliance Management

A Compliance Officer has an immense amount of responsibility. Being organized and keeping yourself (and others) on track will help set you up for a successful career.

About The (Guest) Author

Theresa Zuber is a Vice President/Compliance Officer for a community bank with 8 branches and assets around $450 million. Theresa’s been with her bank for 33 years, though she now specializes in compliance.

FFIEC Announces 2018 HMDA Data

6 Tips for Leading an Annual Day of Compliance Training

6 Tips for Leading an Annual Day of Compliance Training