What is a Compliance Management System?

What is a compliance management system?  I have been asked this question many times, and I have come to learn that the best way to answer it is not only to explain the components of a compliance management system, but also to explain what a compliance management system does.

Overview of a Compliance Management System

In its simplest form, a compliance management system is how a financial institution manages the compliance risks associated with doing business.

According to the Consumer Financial Protection Bureau (CFPB), a compliance management system is how an institution:

  • Establishes its compliance responsibilities;

  • Communicates those responsibilities to employees;

  • Ensures that responsibilities for meeting legal requirements and internal policies and procedures are incorporated into business processes;

  • Reviews operations to ensure responsibilities are carried out and legal requirements are met; and

  • Takes corrective action and updates tools, systems, and materials as necessary.

Who is Responsible for a Compliance Management System?

As with most governance matters at a financial institution, the Board of Directors is ultimately responsible for the compliance program.  That said, one of the requirements of a compliance program, which is an element of a compliance management system, is to designate an individual responsible for managing the compliance program.  This individual is often designated the “Compliance Officer” and should have the authority and resources needed to ensure an effective compliance program in the organization.

How Formal is a Compliance Management System?

A compliance management system may vary greatly from one organization to the next, as it should be designed based on the size and complexity of the organization.  For example, a small financial institution (such as a one-branch community bank with only 10 employees and around $50 million in assets) may have a fairly informal program, while a much larger regional community bank will have a much more formalized system.

This scaling is usually effective because the examiners who regulate financial institutions also vary their expectations based on the size and complexity of the organization.

What Are the Components of a Compliance Management System?

A compliance management system is built from two main elements, each with several subcomponents.  According to the CFPB, a compliance management system will have the following two elements:

  1. Board and Management Oversight

  2. Compliance Program

Board and Management Oversight

As mentioned previously, the board of directors is ultimately responsible for the compliance program of the organization.  Therefore, a financial institution’s regulators (OCC, FDIC, Federal Reserve, CFPB, NCUA, or State Department of Financial Institutions) will expect the board and senior management to have effective oversight of the compliance program.

Specifically, the regulators will evaluate the following:

  • Oversight of and commitment to the institution’s compliance management system

  • Effectiveness of the institution’s change management process, including responding in a timely and satisfactory manner to any variety of change, internal or external, to the institution

  • Comprehension, identification, and management of risks arising from the institution’s products, services, or activities

  • Self-identification of consumer compliance issues and corrective action undertaken as such issues are identified

Compliance Program

According to the CFPB, the second element of a compliance management system is the compliance program.  A financial institution should establish a formal, written compliance program, often administered by a chief compliance officer.  This program will generally include and address the following components:

  • Policies and procedures

  • Training

  • Monitoring and/or audit

  • Consumer complaints response

Policies and Procedures

The first component of a compliance program is for a financial institution to establish formal policies and procedures that are designed to mitigate the risk of violations of compliance rules and regulations.  According to the CFPB, examiners will seek to determine whether the policies and procedures:

  1. Are designed to effectively manage compliance risk in the products, services and activities of the institution.

  2. Are consistent with board-approved compliance policies.

  3. Address compliance with applicable Federal consumer financial laws in a manner designed to minimize violations and to detect and minimize associated risks of harm to consumers.

  4. Cover the full life-cycle of all products and/or services offered.

  5. Are maintained and modified to remain current and complete, and to serve as a reference for employees in their day-to-day activities.

Training

The second component of a compliance program is training.  The board of directors must ensure that each employee has appropriate training in order to complete their duties in a compliant manner.  This means that all employees should receive some level of compliance training, including the board of directors.  Management and staff should receive training that reinforces and helps implement the financial institution’s written policies and procedures.

According to the CFPB, examiners will seek to determine whether:

  1. Compliance training is comprehensive, timely, and specifically tailored to the particular responsibilities of the staff receiving it, including those responsible for product development, marketing and customer service.

  2. The compliance training program is updated proactively in advance of the rollout of new or changed products or the effective date of new or changed consumer protection laws and regulations to ensure that all staff is aware of compliance responsibilities.

  3. Training is consistent with policies and procedures and designed to reinforce those policies and procedures.

  4. Compliance professionals have access to training that is necessary to administer a compliance program that is tailored to the supervised entity’s risk profile, business strategy, and operations.

Monitoring and/or Audit

The next component of a compliance program is monitoring and/or audit.  While the two functions vary slightly in implementation, they share one main objective: to self-identify and correct compliance deficiencies.

Monitoring is typically a more frequent activity than audit and is often less formal.  In addition, monitoring may or may not be completed by an individual who is independent of the function being reviewed, as independence matters less here than identifying and correcting deficiencies.

On the other hand, the audit function is typically more formal than the monitoring function and is completed on a less frequent basis, such as once a year.  A compliance audit is an independent evaluation of the area being reviewed, meaning that an individual independent of that area must complete the audit.  As audits are more formal, their results are usually delivered in formal reports and presented to the Board or an appropriate committee of the Board.

As is the case with the larger compliance management system, the monitoring and/or audit function must be based on the size and complexity of the organization.  According to the CFPB, an examiner’s review of compliance monitoring and/or audit should determine whether:

  1. Compliance monitoring practices, management information systems, reporting, compliance audit, and internal control systems are comprehensive, timely, and successful at identifying and measuring material compliance risk management throughout a specific product line and/or the institution.

  2. Programs are monitored proactively to identify procedural or training weaknesses to mitigate regulatory violations. Program modifications are made timely to minimize compliance risk.

  3. The institution is determining that transactions and other consumer contacts are handled according to the entity’s policies and procedures.

  4. Monitoring considers the results of risk assessments or other guides for prioritizing reviews.

  5. Findings as a result of monitoring reviews are escalated to management and to the board, as appropriate.

  6. The audit program is sufficiently independent and reports to the board or a committee of the board.

  7. The audit program addresses compliance with all applicable Federal consumer financial laws.

  8. The schedule and coverage of audit activities are appropriate for the institution’s size, complexity, and risk profile; its consumer financial product offerings; and the manner in which it conducts its consumer financial products business.

  9. All appropriate compliance and business unit managers receive copies of audit reports in a timely manner.

Consumer Complaint Response

The final component of a compliance program is a financial institution’s response to consumer complaints.  Each bank or credit union must ensure that it is appropriately responding to and handling complaints and inquiries, and it is important that each financial institution make an intentional, good-faith effort to resolve every consumer complaint.

According to the CFPB, examiners will assess whether:

  1. Processes and procedures for addressing consumer complaints are appropriate.

  2. Consumer complaint investigations and responses are reasonable.

  3. Consumer complaints and inquiries, regardless of the channel through which they are submitted, are appropriately recorded and categorized.

  4. Consumer complaints and inquiries, whether regarding the entity or its service providers, are addressed and resolved promptly.

  5. Consumer complaints that raise legal issues involving potential consumer harm from unfair treatment or discrimination, unauthorized product enrollment, account openings or upgrades (including the addition of ancillary products), improper sales practices, imminent foreclosures, or other regulatory compliance issues, are appropriately categorized and escalated.

  6. Management monitors consumer complaints to identify risks of potential consumer harm and CMS deficiencies, and takes appropriate prospective and retrospective corrective action.

  7. Consumer complaints result in retrospective corrective action to correct the effects of the supervised entity’s actions when appropriate.

  8. The nature or number of substantive complaints from consumers indicates that potential weaknesses in the CMS exist.

More Information On What Is a Compliance Management System

As the information above shows, a compliance management system is the process by which a financial institution manages the risk associated with violations of consumer laws and regulations.  A compliance management system will vary from one financial institution to another, as it must be based on the institution’s unique size and complexity.

For more information to help you further understand compliance management, take a look at some of these articles: