President & Managing Director
Lenders Compliance Group
In my view, there are ten core competencies to implementing a Compliance Management System, often referred to by its acronym CMS. The Consumer Financial Protection Bureau requires it, state regulators are now asking for it, and investors want assurance of its application.
I have written extensively about the CMS concept and its importance in mortgage risk management. For instance, see my article on Creating a Culture of Compliance, as well as other articles here. When I speak on the subject, it is often the case that some in the audience actually have no idea about what constitutes the CMS. They think it is no more than a compilation of policies and procedures. But the fact is that a viable CMS is composed of several integral features, each of which contributes to the cohesiveness of the whole compliance function.
Here’s a brief synopsis of the Ten Core Competencies that should inform a CMS:
1) Loan portfolio, secondary and capital market management processes, mortgage servicing.
2) Loan flow process, from point of sale to securitization or secondary market transaction.
3) Internal Audit and Control Plan, including calendrical reviews, reporting protocol, rank and file training in all departments, and testing.
4) Consumer disclosures, all loan types, federal and state.
5) Mortgage quality control, not only random sampling, but proactive audits that target criteria.
6) Record retention and maintenance, securing against unauthorized alteration or destruction.
7) Marketing and advertising, including use of third-party services.
8) Vendor, settlement agent, closing agent, and third-party vetting and approvals.
9) Safeguards for privacy protection of consumer records and information.
10) Reporting mandates to agencies, both federal and state, investors, and third-party relationships.
The compliance framework is built on the foregoing competencies. Destabilize one of them and it is possible that the others will crash like a tottering stack of cards!
Also, it should be noted that there is a growing expectation amongst regulators for a residential mortgage lender or originator to have a business continuity plan.
It is not necessary to consolidate all compliance policies and procedures into a single document. Nor does it require compliance managers to memorialize every action that must be taken in order to remain in compliance with federal and state banking law. In some cases, it may be enough for the compliance policies and procedures to allocate responsibility within the organization for the timely performance of many obligations, such as the filing or updating of required forms.
However, observed instances in which compliance policies and procedures were not followed, or in which the actual practices were not consistent with the description in the compliance manuals, will likely lead to an adverse banking examination finding. Observed practices will come under significant regulatory scrutiny, both in areas that specific regulations require to be reviewed and in areas that include policies and procedures but are not expressly required by regulation to be reviewed.
What good is a compliance management system if it is not continually reviewed and, where needed, updated? In our work with new clients, we have found the following issues happening often:
· Critical areas not identified, thus certain compliance policies and procedures were not adopted.
· Policies were adopted, but were not applicable to the businesses and operations.
· Critical control procedures were not performed, or not performed as described in the CMS.
· Annual Review of the compliance function was rarely, if ever, implemented.