Welcome to the Compliance Cohort. We are a group of compliance professionals working to make compliance easier. Our goal is to take complex compliance concepts and put them in simple terms that apply to the real world. We are glad you have found us and look forward to collaborating in the future.
If you haven't done so already, make sure you sign up for our free membership where you get access to many member-only videos, articles, and other resources.
What is a compliance management system? I have been asked this question many times, and I have come to learn that the best way to answer this question is not to not only explain all of the components of a compliance management system, but to also explain what a compliance management system does.
In its simplest form, a compliance management system is how a financial institution manages the compliance risks associated with doing business.
According to the Consumer Financial Protection Bureau (CFPB), a compliance management system is how an institution:
Establishes its compliance responsibilities;
Communicates those responsibilities to employees;
Ensures that responsibilities for meeting legal requirements and internal policies and procedures are incorporated into business processes;
Reviews operations to ensure responsibilities are carried out and legal requirements are met; and
Takes corrective action and updates tools, systems, and materials as necessary.
As is the case for all things in the financial industry, the Board of Directors is ultimately responsible for the compliance program of the financial institution. That said, one of the requirements of a compliance program, which is an element of a compliance management system, is to designate an individual responsible for managing the compliance program. This individual is often designated the “Compliance Officer” and should have appropriate authority and resources to ensure an effective compliance program in the organization.
A compliance management system may vary greatly from one organization to the next, as it should be designed based on the size and complexity of the organization. Basically, a small financial institution - like a one branch community bank with only 10 employees and around $50 million in assets - may have a fairly informal program, while a much larger regional community bank will have a much more formalized system.
This “scaling” of sorts is usually effective as the examiners who regulate financial institutions also vary their expectations based on the size and complexity of the organization.
A compliance management system should be designed to have two main elements, and several subcomponents. According to the CFPB, a compliance management system will have the following two elements:
Board and Management Oversight
Compliance Program
As mentioned previously, the board of directors is ultimately responsible for the compliance program of the organization. Therefore, a financial institution’s regulators (OCC, FDIC, Federal Reserve, CFPB, NCUA, or State Department of Financial Institutions) will expect the board and senior management to have effective oversight of the compliance program.
Specifically, the regulators will evaluate the following:
Oversight of and commitment to the institution’s compliance management system
Effectiveness of the institution’s change management process, including responding timely and satisfactory to any variety of change, internal or external, to the institution
Comprehension, identification, and management of risks arising from the institution’s products, services, or activities
Self-identification of consumer compliance issues and corrective action undertaken as such issues are identified
According to the CFPB, the second element of a compliance management system is a compliance program. Generally, a compliance program will include several components.
First, a compliance program should establish a formal, written Compliance Program that is often administered by a chief compliance officer. This program will generally include and address the following components:
Policies and procedures
Training
Monitoring and/or audit
Consumer complaints response
The first component of a compliance management system is for a financial institution to establish formal policies and procedures that are designed to mitigate the risk of violations of compliance rules and regulations. According to the CFPB, examiners will seek to determine whether the policies and procedures:
Are designed to effectively manage compliance risk in the products, services and activities of the institution.
Are consistent with board-approved compliance policies.
Address compliance with applicable Federal consumer financial laws in a manner designed to minimize violations and to detect and minimize associated risks of harm to consumers.
Cover the full life-cycle of all products and/or services offered.
Are maintained and modified to remain current and complete, and to serve as a reference for employees in their day-to-day activities.
The second element of a compliance program is training. The board of directors must ensure that each employee has appropriate training in order to effectively complete their duties in a compliance manner. This means that all employees should receive some level of compliance training, including the board of directors. Management and staff should receive training that reinforces and helps implement the financial institution’s written policies and procedures.
According to the CFPB, examiners will seek to determine whether:
Compliance training is comprehensive, timely, and specifically tailored to the particular responsibilities of the staff receiving it, including those responsible for product development, marketing and customer service.
The compliance training program is updated proactively in advance of the rollout of new or changed products or the effective date of new or changed consumer protection laws and regulations to ensure that all staff is aware of compliance responsibilities.
Training is consistent with policies and procedures and designed to reinforce those policies and procedures.
Compliance professionals have access to training that is necessary to administer a compliance program that is tailored to the supervised entity’s risk profile, business strategy, and operations.
The next element of a compliance program is monitoring and/or audit. While each of these functions vary slightly in implementation, they both have one main objective: to self identity and correct compliance deficiencies.
Monitoring is typically a more frequent activity than audit and is often less formal. In addition, monitoring may or may not be completed by an individual who is independent of the function being reviewed, as independence is not as important as identifying and correcting deficiencies.
On the other hand, the audit function is typically more formal than the monitoring function and is completed on a less frequent basis, such as once a year. A compliance audit is an independent evaluation of the area being reviewed, meaning that an independent individual must complete the audit. As audits are typically more formal, they will often be delivered in formal reports and presented to the Board or an appropriate committee of the Board.
As is the case with the larger compliance management system, the monitoring and/or audit function must be based on the size and complexity of the organization. According to the CFPB, an examiner’s review of compliance monitoring and/or audit should determine whether:
Compliance monitoring practices, management information systems, reporting, compliance audit, and internal control systems are comprehensive, timely, and successful at identifying and measuring material compliance risk management throughout a specific product line and/or the institution.
Programs are monitored proactively to identify procedural or training weaknesses to mitigate regulatory violations. Program modifications are made timely to minimize compliance risk.
The institution is determining that transactions and other consumer contacts are handled according to the entity’s policies and procedures.
Monitoring considers the results of risk assessments or other guides for prioritizing reviews.
Findings as a result of monitoring reviews are escalated to management and to the The audit program is sufficiently independent and reports to the board or a committee of the board.
The audit program addresses compliance with all applicable Federal consumer financial laws.
The schedule and coverage of audit activities is appropriate for the institution’s size, complexity, risk profile; consumer financial product offerings; and manner of conducting its consumer financial products business.
All appropriate compliance and business unit managers receive copies of audit reports in a timely manner.
The final component of a compliance program is a financial institution’s response to consumer complaints. Each bank or credit union must ensure that it is appropriately responding to and handling complaints and inquiries. It is important that each financial institution make an intentional good faith effort to resolve each consumer complaint.
According to the CFPB, examiners will assess whether:
Processes and procedures for addressing consumer complaints are appropriate.
Consumer complaint investigations and responses are reasonable.
Consumer complaints and inquiries, regardless of the channel through which they are submitted, are appropriately recorded and categorized.
Consumer complaints and inquiries, whether regarding the entity or its service providers, are addressed and resolved promptly.
Consumer complaints that raise legal issues involving potential consumer harm from unfair treatment or discrimination, unauthorized product enrollment, account openings or upgrades (including the addition of ancillary products), improper sales practices, imminent foreclosures, or other regulatory compliance issues, are appropriately categorized and escalated.
Management monitors consumer complaints to identify risks of potential consumer harm and CMS deficiencies, and takes appropriate prospective and retrospective corrective action.
Consumer complaints result in retrospective corrective action to correct the effects of the supervised entity’s actions when appropriate.
The nature or number of substantive complaints from consumers indicates that potential weaknesses in the CMS exist.
As you can see from the information provided above, a compliance management system is the process by which a financial institution manages the risk associated with violations of consumer laws and regulations. A compliance management system will vary from one financial institution to another, as it must be based on the institution’s unique size and complexity.
For more information to help you further understand compliance management, take a look at some of these articles:
In this Compliance Clip (video), Adam discusses the importance of a well designed Compliance Management System (CMS) and explains what the goal should be for a CMS. Maybe even more importantly, Adam explains what he considers a key element needed to be able to have an effective CMS. The video concludes with an explanation about how our premium memberships can assist financial institutions in implementing and managing their Compliance Management Systems.
In this Compliance Clip (video), Adam provides a quick executive summary of the CFPB’s recent proposal to amend Regulation B, which will require small business data collection and reporting - much like HMDA - for many financial institutions. As this rule will have a significant impact on financial institutions, it is important to understand the direction this proposal is headed in regards to who might be required to report and what this rule is going to require. This video is a MUST WATCH for all compliance officer, senior lenders, and those who may be required to implement this new rule. (NOTE: Feel free to share this video with those in your team who may need to have this information as this video is free to all.)
On 9/23/21, the Consumer Financial Protection Bureau (CFPB) released its first in-depth report analyzing complaint submission patterns by U.S. Census tract. The report, “Consumer complaints throughout the credit life cycle, by demographic characteristics,” finds that the complaints from wealthier communities and communities with higher percentages of white, non-Hispanic residents were more frequently about loan origination and performing servicing, while the complaints from communities of color and lower income communities were more frequently about credit reporting, identity theft, and delinquent servicing.
On 7/13/21, the joint agencies (Federal Reserve, FDIC, & OCC) announced a request for public comment on proposed guidance designed to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology-focused entities. Comments must be received within 60 days of the proposed guidance's publication in the Federal Register.
In February of 2021, the FFIEC released the second round of what appears to be an overhaul of the BSA/AML Exam Manual. The February 2021 revisions include updates to four sections including and introduction section to the section on assessing compliance with BSA regulatory requirements, and sections on customer identification programs, currency transaction reporting, and transactions of exempt persons.
On 2/2/2021, the NCUA announced that they will be hosting a webinar on Thursday, February 11, 2021, that will provide participants with an update on Chairman Todd M. Harper’s priorities, the agency’s supervisory activities, and recently issued guidance and regulations, among other topics. As some may recall, Chairman Harper was announced on 1/25/2021 as President Biden’s designated Chairman of the NCUA Board. Harper is also the NCUA director who, in October of 2020, requested comments regarding the NCUA’s approach to supervising institutions for regulatory compliance. In the announcement about the upcoming webinar, Mr. Harper is quoted as saying that he will share his “regulatory philosophy” with stakeholders during this webinar. Credit union compliance professionals may want to consider taking part in this webinar as it may shed some light on the direction of regulatory compliance supervision and enforcement from the NCUA going forward.
On 1/25/2021, the NCUA announced that President Biden had designated National Credit Union Administration Board Member Todd M. Harper as the twelfth Chairman of the NCUA Board. Harper succeeds Rodney Hood, who was designated Board Chairman in April 2019. Hood continues to serve as an NCUA Board Member. Harper was nominated to the NCUA Board on Feb. 6, 2019. Following Senate confirmation, he took office as an NCUA Board Member on April 8, 2019. As some might recall, it was Mr. Harper who, in October of 2020, requested comments regarding the NCUA’s approach to supervising institutions for regulatory compliance.
On 1/19/2021, the joint agencies (CFPB, Federal Reserve, FDIC, OCC, and NCUA) a final rule regarding the agencies use of supervisory guidance for its supervised institutions. The rule codifies the statement, with amendments, that the joint agencies issued in September 2018, which clarified the differences between regulations and supervisory guidance.
On 11/9/2020, the OCC published their fall 2020 edition of the publication, Semiannual Risk Perspective. In their release, the OCC explains that Banks remain in strong financial condition but profitability is stressed due to low interest rates and increasing levels of provisions for problem loans. As would be expected, the OCC identified credit, strategic, operational, and compliance risks as key themes for financial institutions.
On October 7, 2020, the Office of the Comptroller of the Currency (OCC) announced that they had assessed a $400 million civil money penalty (CMP) against Citibank due to deficiencies in enterprise-wide risk management, compliance risk management, data governance, and internal controls. In their release, the OCC explained that these measure were taken “based on the bank’s unsafe or unsound banking practices for its long-standing failure to establish effective risk management and data governance programs and internal controls.”
In this Compliance Clip (video), Adam answers a question about cashing checks made out to a business for an individual. In addition, Adam addresses situations where a check made out to a business may be deposited into an account of an individual.
On 7/16/2020, the CFPB issued an updated complaint bulletin on complaints from January through May of 2020 which mentioned “coronavirus” or coronavirus-related terms. Highlights of complaints about these consumer financial products and services that mention coronavirus key words:
In this Compliance Clip (video), Adam explains how regulatory change management should fit within a compliance management system (CMS) of a financial institution. Specifically, Adam provides 3 (or 4) main ways a financial institution can keep up with regulatory changes (and one of them involves…
On 7/1/2020, the Federal Financial Institutions Examination Council (FFIEC) issued a statement to highlight the risks that will result from the transition away from LIBOR, which is used by the financial industry as a reference rate for many products and instruments like loans, investments, and deposits. In their release, the regulators encouraged financial institutions to continue working toward a transition to alternative reference rates so that financial, legal, operational, and consumer protection risks can be mitigated. While the transition away from the LIBOR will affect some institutions more than others, the regulators state that the impact will affect almost all institutions and, therefore, it would be beneficial for all financial institutions to consider the risks associated with the LIBOR transition.
In this Compliance Clip (video), Adam provides an overview of what should be included in a financial institution’s compliance management system (CMS). In addition, Adam explains what a CMS should do within an organization and also provides more resources for those who are interested.
On 5/26/2020, the OCC issued Bulletin 2020-55 to clarify that national banks and federal savings associations may permit telephonic and electronic participation at all board of directors, shareholder, and, as applicable, member meetings.
On April 2016, the FFIEC announced the availability of two new computational tools: one for calculating APY and one for calculating APR. According to the FFIEC, the APR Computational Tool is designed to streamline the process by which examiners and financial institutions can verify finance charges and annual percentage rates included on consumer loan disclosures subject to the Truth in Lending Act and its implementing regulation, Regulation Z. The FFIEC explains that…
On March 6, 2020, the Federal Financial Institutions Examination Council updated guidance identifying actions that financial institutions should take to minimize the potential adverse effects of a pandemic. The guidance provides the FFIEC’s expectations that regulated institutions should periodically review related risk management plans, including continuity plans, to ensure their ability to continue to deliver their products and services in a wide range of scenarios and with minimal disruption.
On January 23, 2020, the Office of the Comptroller of the Currency (OCC) issued a notice of charges against five former senior executives of Wells Fargo Bank, N.A., Sioux Falls, South Dakota, and announced settlements with the bank’s former Chief Executive Officer (CEO) and other members of the bank’s operating committee - including the former chief auditor, a former risk officer, former general counsel, and a former executive audit director.
This notice of charges is of particular interest to compliance and audit professionals as risk managers, auditors, and general counsel don’t typically appear in these types of charges.
The notice of charges alleges these executives…
In this Compliance Clip (video), Adam discusses the role of a compliance management system. Specifically, Adam explains what a compliance management system should accomplish in an organization.
Adam uses this Compliance Clip (video) to review the annual compliance training requirements for directors - or lack thereof. That said, there are a few expectations regulators have had for director training, and Adam explains some of these topics and reminds viewers of a few annual reports that do need to go to the board.
The CFPB has released the summer 2019 Edition of Supervisory Highlights. In this issue, topics include UDAAPs, auto loans, Supervision, compliance, credit cards, credit reports and scores, debt collection, Fair Credit Reporting Act, mortgage origination. The full version of Supervisory Highlights can be found here.
As you might expect, we will be coving the portions of Supervisory Highlights that relate to compliance professionals in our next Quarterly Compliance Update. You can view the tentative curriculum for our Q3 2019 Quarterly Compliance Update here.
This is a guest post by one of our Cohort members, Theresa Zuber. Theresa is the VP/Compliance Officer at a $450 million community bank and shares her years of experience in banking by providing us with an example of things to consider in building and designing a compliance management system. ——
Between policy reviews, risk analysis, board reporting, annual training, complaint tracking and documentation for examiners, it can be difficult to keep track of all the individual tasks and responsibilities found within a Compliance Management System (CMS). In fact, keeping a CMS going can sometimes feel more like a juggling act than banking. Therefore, we have the following Compliance Management System example to give you the framework you need to take control of your Compliance duties and ensure nothing slips through the cracks.
In this Compliance Clip, Adam uses his years of presenting live compliance seminars to share with you six tips for making your annual day of training go well - especially if you are involved in the training or preparation. In addition to the six tips, be sure to pay attention for a few extra nuggets (like how important good food is in making a successful training day).
In this Compliance Clip (video), Adam provides three different ways to present compliance training to a financial institution’s board of directors. In addition to three different ways for providing board training, Adam gives a few tips that can be used when delivering board training.
In this Compliance Clip (video), Adam answers a question regarding whether Member FDIC must be included in a Radio ad. As you will see, the answer to this is quite complex and Adam breaks the answer down in simple, easy-to-understand, layman’s terms. This video clip includes a transcript.
As we work to build careers in regulatory compliance, we often look for opportunities to become more valuable to our organizations and to establish ourselves as experts. While experience and self-learned technical expertise is a must for any compliance professional, finding a way to be recognized as an industry leader can help to establish credibility with both examiners and peers. One way to do this is to obtain a professional regulatory compliance certification. This article explores 3 options for obtaining a regulatory compliance certification.
On June 12, 2019, the Federal Housing Finance Agency (FHFA), Fannie Mae, and Freddie Mac announced that the optional use period for the redesigned Uniform Residential Loan Application (URLA) form has been delayed again. It was planned that the redesigned URLA could be used starting on July 1, 2019 with required use by January 1, 2020. This announcement delays the optional use period for the new URLA, meaning that lenders should not yet begin using this form.
The Certified Regulatory Compliance Manager (CRCM) certification is one of the most respected and well recognized certifications for a banking compliance professional. This respect and recognition doesn’t come just because the CRCM is earned through the American Bankers Association (ABA) - or because many of the top compliance professionals and consultants have this certification. The CRCM certification is a valued credential because of the difficulty to obtain the designation, meaning that not just anyone can obtain their CRCM.
To explain, the difficulty of the CRCM certification results from four main things: experience qualifications, knowledge of content, taking the actual test, and maintaining the certification.
