Recently, we were cited by our regulator for not having an adequate Compliance Management Program document that was consistent with our “size, complexity, and risk profile.”
As Erma Bombeck, the inimitable American humorist, once said, “When your mother asks, ‘Do you want a piece of advice?’ it is a mere formality. It doesn’t matter if you answer yes or no. You’re going to get it anyway.” So, I am going to put on my Mother Hen hat and tell you straight-out: if your company does not have a Compliance Management Program that represents its “size, complexity, and risk profile,” a world of hurt is coming your way! Getting policies from “manual mills,” as I call these policy purveyors, is an ineffective and dangerous way to manage your policies and procedures. And, getting a Compliance Management Program from a manual mill is particularly inappropriate because this outline is the foundational basis of all compliance-related areas of interest.
We realized this years ago when we began our Compliance Tune-up® audit series. The very first Compliance Tune-up® was the CMS Tune-up®, a targeted audit that evaluates the Compliance Management System or Program. Our review is affordable, collaborative, and quick. It reports a company’s strengths and weaknesses with respect to the compliance management program - plus, it provides a risk rating. If I were in your position, I would be getting the CMS Tune-up® done as soon as possible. Then, I would use the results to ensure that the CMS is responsive to the reported findings.
Regulatory compliance management of consumer laws involves implementing policies and procedures that are designed to ensure the institution understands and follows applicable laws in a manner that avoids fines, lawsuits, and reputational issues. The Dodd-Frank Wall Street Reform and Consumer Protection Act established the Consumer Financial Protection Bureau (CFPB) that centralized the monitoring and enforcement of consumer protection laws. The CFPB issues regulations that institutions use to implement the laws that Congress passes. The risk that institutions face is that these regulations will not be followed as intended. The ramifications that could result include actions by the institution’s primary regulator, as well as potential fines, lawsuits, and reputation risk.
Thus, it is essential to have a robust Compliance Management Program in place to oversee the institution’s compliance with applicable laws and regulations. I will provide some high-level guidelines for you to consider. Keep in mind that drafting and implementing a review process is only the beginning. You should also implement a risk assessment program that addresses the need to periodically review and evaluate the adequacy of the institution’s CMS efforts to protect the institution.
The following brief outline offers a cursory highlight of the areas of interest that should be included in the Compliance Management Program. It provides some insight into how such a program is evaluated generally, while also providing some understanding of risk assessment imperatives. It would be best if you used the CMS Tune-up® to get a focused review of your overall compliance program. Since I do not know if you have completed a recent internal audit, I am going to outline some features of a risk assessment; then discuss a compliance management system policy document; then mention two caveats. Finally, I will briefly discuss risk ratings and how these apply in the context of a Compliance Management Program.
Risk Assessment Objectives
A periodic risk assessment should determine the quality of the institution’s Compliance Management Program, including the degree to which management has taken a proactive approach to compliance and whether management can demonstrate its ability to assure compliance with federal consumer laws and regulations. Moreover, it should assess whether the Compliance Management Program is effective at facilitating compliance; identify potential deficiencies in the Compliance Management Program and areas of most significant risk and concern; and, determine where transaction testing is necessary.
Identify Applicable Statutes and Regulations
Determine if the Compliance Management Program adequately addresses (viz., through oversight, policies and procedures, training, monitoring, and complaint response) all areas related to the following federal consumer laws, regulations, rules, and policy statements. Depending on the institutional structure and charter, this would include the areas of lending, deposits, and many other items, such as HMDA or CRA requirements, advertisements, banking format, privacy, leasing, debt collection, interstate banking, branch activation and closings, online protections, telemarketing, CAN-SPAM, marketing, and much more.
Evaluate Management Oversight
Review the Board and committee minutes. Review of these documents should give you an indication of conditions, such as the extent of Board governance and oversight in assuring compliance with consumer protection and fair lending laws and regulations; director and senior management training; policy and procedures rationalization; negative comments on rejected loan applications during loan committee or any other meeting; consideration of new loan or deposit products and strategies for their implementation; new software or software vendors; consideration of third parties for compliance audits; branch openings and closings rationalizations; and whether the Board maintains a reporting structure that documents discussions of recommendations for policy changes, adoption of revisions, and corrective actions and testing.
Evaluate the Compliance Management Program
To evaluate the Compliance Management Program, you should review the following, at a minimum:
Policies and Procedures Review
Policies and procedures, whether written or unwritten, should cover all of the department and function areas of the financial institution. An entity may have other policies or procedures related to compliance, but not specific to compliance, and those policies need to be reviewed as well, depending on the institution’s activities and risk profile.
Training
Review your institution’s training records and have sufficient discussions with management to address a host of review topics, such as, among other things, whether every employee receives appropriate training given his or her compliance responsibilities; how often training is conducted and whether that frequency is acceptable; whether the training program is continuously updated to incorporate accurate, complete information on new products and services, regulatory changes, and emerging issues; and whether the effectiveness of the training is evaluated by management through delayed testing, before-and-after work product reviews, or other means.
Monitoring
Conduct documentation reviews and have discussions with management to address specific review topics, such as, among other things, what monitoring programs are in place for loan transactions and deposit transactions; whether every transaction is subject to monitoring and, if not, what the level of transactional review is; whether the level of monitoring is adequate; whether monitoring includes a review of the performance of third-party service providers; whether appropriate personnel conduct the monitoring (i.e., someone with daily involvement in the monitored area who has received adequate training); and how errors are identified and documented during the monitoring process. Importantly, determine whether the institution’s monitoring efforts encompass all applicable regulations.
Consumer Complaint Response
Conduct documentation reviews and discuss with management, among other things, whether your institution has implemented policies and procedures to handle consumer complaints; if policies and procedures are in place, whether they comply with all regulatory requirements regarding complaints (maximum time limits for a response, and documentation requirements); if your company has received consumer complaints, whether all complaints have been resolved satisfactorily; whether you have cross-referenced the complaints to all other areas of the Compliance Management Program; and whether the type or quantity of complaints suggests any other areas in need of in-depth review.