President & Managing Director
Lenders Compliance Group
In my view, there are ten core competencies to implementing a
Compliance Management System, often referred to by its acronym CMS. The
Consumer Financial Protection Bureau requires it, state regulators are now
asking for it, and investors want assurance of its application.
I have written extensively about the CMS concept and its importance in
mortgage risk management. For instance, see my article on Creating a Culture of Compliance. Also, other articles here. When I speak on the subject, it is often the case
that some in the audience actually have no idea about what constitutes the CMS.
They think it is no more than a compilation of policies and procedures. But,
the fact is that a viable CMS is composed of several integral features, each of
which contributes to the cohesiveness of the whole compliance function.
Here’s a brief synopsis of the Ten Core Competencies that should inform
a CMS:
1) Loan portfolio, secondary and capital market management processes, mortgage servicing.
2) Loan flow process, from point of sale to securitization or secondary market transaction.
3) Internal Audit and Control Plan, including calendrical reviews, reporting protocol, rank and file training in all departments, and testing.
4) Consumer disclosures, all loan types, federal and state.
5) Mortgage quality control, not only random sampling, but proactive audits that target criteria.
6) Record retention and maintenance, securing against unauthorized alteration or destruction.
7) Marketing and advertising, including use of third-party services.
8) Vendor, settlement agent, closing agent, and third-party vetting and approvals.
9) Safeguards for privacy protection of consumer records and information.
10) Reporting mandates to agencies, both federal and state, investors, and third-party relationships.
The compliance framework is built on the foregoing competencies.
Destabilize one of them and it is possible that the others will crash like a
tottering stack of cards!
Also, it should be noted that there is a growing expectation amongst
regulators for a residential mortgage lender or originator to have a business
continuity plan.
It is not necessary to consolidate all compliance policies and
procedures into a single document. Nor is it necessary for compliance managers to memorialize
every action that must be taken in order to remain in compliance with federal
and state banking law. In some cases, it may be enough for the compliance
policies and procedures to allocate responsibility within the organization for
the timely performance of many obligations, such as the filing or updating of
required forms.
However, observed instances in which compliance policies and procedures
were not followed, or in which the actual practices were not consistent with the
description in the compliance manuals, will likely lead to an adverse banking examination
finding. Observed practices in areas that are required to be reviewed in
accordance with specific regulations and in areas that include policies and
procedures, but are not expressly required to be reviewed by regulations, will
come under significant regulatory scrutiny.
What good is a compliance management system if it is not continually
reviewed and, where needed, updated? In our work with new clients, we have
found the following issues happening often:
· Critical areas not identified, thus certain compliance policies and procedures were not adopted.
· Policies were adopted, but were not applicable to the businesses and operations.
· Critical control procedures were not performed, or not performed as described in the CMS.
· Annual Review of the compliance function was rarely, if ever, implemented.