President & Managing Director
Nary a week goes by that I do not talk to somebody about the concept of a Compliance Management System, or "CMS" for short. Now made famous by the CFPB's examination protocol, the CMS has become the sine qua non for federal and state examination readiness.
I have written extensively on the Compliance Management System. Perhaps these two articles would be of interest to you:
Policy, Procedures, and Examinations - Part I: Mortgage Brokers
Policy, Procedures, and Examinations - Part II: Mortgage Bankers
Some companies want to retain us to put in place a CMS, not realizing that, in most cases, they already have one! There are law firms and compliance firms that have no problem in charging terrifically and immoderately for something that is largely hiding in plain sight. Tabulated binders, sophisticated templates, and all manner of bells and whistles are sold to credulous companies seeking the Holy Grail to the CMS requirements.
Of course, we work with clients on their CMS needs. But first I let them know that if they are maintaining certain basic compliance structures, they likely already have a CMS! Maybe it needs to be reviewed by a firm such as ours, but that review can be done by just going through the structure itself easily and at a modest fee.
I am going to give you a brief checklist of sorts. Consider it a way to get prepared for a banking examination, whether state or federal. The checklist tells you what an examiner is going to look at in determining if you have a CMS.
So what is hiding in plain sight? The structural components that I provide in the checklist. If you satisfy these components, you will be ready - and many of you already do satisfy these components - without having to go out and retain a firm to build for you what you have already built for yourselves!
Seek guidance, where possible.
Seek compliance support, where needed.
Fortify the weaknesses and ensure the strengths.
But first and foremost, take stock of the existing compliance structure. You may be surprised to learn that the CMS purveyors' fancy binders and due diligence tasks are already manifest in your Compliance Management System and the compliance elements are working just fine!
What you need to know is that compliance examinations start with a top-down, process-oriented, comprehensive review and analysis of an institution’s compliance management system.
Here's a checklist that a compliance examiner considers:
- the knowledge level and attitude of management and personnel;
- management’s responsiveness to emerging issues and past or self-identified compliance deficiencies;
- compliance organizational structure such as reporting relationships and recent experiences with staff turnover;
- management information systems;
- policies and procedures;
- training; and
- monitoring and audit programs.
Based on the results of this review, the examiner may conclude that weaknesses in the institution’s compliance management system may result in current or future noncompliance with federal consumer protection laws, regulations, or policy statements.
Then the examiner determines, based on this analysis, whether transaction testing is warranted to further study particular risk in an entire operational area or regulation, or only a limited aspect of an area or regulation.
But, generally, the more confidence an examiner has in an institution’s compliance management system, the less transaction testing an examiner may do.
Banking departments and federal agencies take the position that the management of a financial institution is responsible for complying with all federal consumer protection laws and regulations. Management really cannot slough off the responsibility to lower level personnel. While the formality and complexity of Compliance Management Systems will vary greatly among institutions, management is expected to have a system in place that effectively oversees compliance risk, consistent with the institution's size, complexity, risk profile, and product array.
If you gear your Compliance Management System to contain the foregoing checklist elements, and if you understand that examiners are going to manage the examination based on risk, you will get prepared and may even find that there will be a reduction of the on-site examination presence. This also means that an examiner might require elevated supervisory attention if the there are weaknesses that you could have strengthened all along but, for whatever reason, chose not to do so.
By focusing on Compliance Management Systems, examiners are able to identify the causes of deficiencies and suggest appropriate corrective actions designed to address the problems.
It is a heuristic that works for them.
It should be a heuristic that works for you!