Thursday, August 27, 2020

Compliance Management Program: Challenges

QUESTION
Recently, we were cited by our regulator for not having an adequate Compliance Management Program document that was consistent with our “size, complexity, and risk profile.” 

We had bought a manual for a Compliance Management Program from a policy publisher and adapted it to our use. The person who purchased the policy is no longer with the company, so now we’re scrambling to put together a program that will satisfy the examiners. We don’t want to buy another off-the-shelf policy at this point. Lesson learned. 

We’ve started to compile information, but this situation is getting overwhelming, and we’re running out of time. 

Since you do reviews for the Compliance Management Program, can you give us a way to focus our research?

ANSWER
As Erma Bombeck, the inimitable American humorist, once said, “When your mother asks, ‘Do you want a piece of advice?’ it is a mere formality. It doesn’t matter if you answer yes or no. You’re going to get it anyway.” So, I am going to put on my Mother Hen hat and tell you straight-out: if your company does not have a Compliance Management Program that represents its “size, complexity, and risk profile,” a world of hurt is coming your way! Getting policies from “manual mills,” as I call these policy purveyors, is an ineffective and dangerous way to manage your policies and procedures. And, getting a Compliance Management Program from a manual mill is particularly inappropriate because this outline is the foundational basis of all compliance-related areas of interest.

We realized this years ago when we began our Compliance Tune-up® audit series. The very first Compliance Tune-up® was the CMS Tune-up®, a targeted audit that evaluates the Compliance Management System or Program. Our review is affordable, collaborative, and quick. It reports a company’s strengths and weaknesses with respect to the compliance management program - plus, it provides a risk rating. If I were in your position, I would be getting the CMS Tune-up® done as soon as possible. Then, I would use the results to ensure that the CMS is responsive to the reported findings. 

Regulatory compliance management of consumer laws involves implementing policies and procedures that are designed to ensure the institution understands and follows applicable laws in a manner that avoids fines, lawsuits, and reputational issues. The Dodd-Frank Wall Street Reform and Consumer Protection Act established the Consumer Financial Protection Bureau (CFPB) that centralized the monitoring and enforcement of consumer protection laws. The CFPB issues regulations that institutions use to implement the laws that Congress passes. The risk that institutions face is that these regulations will not be followed as intended. The ramifications that could result include actions by the institution’s primary regulator, as well as potential fines, lawsuits, and reputation risk.

Thus, it is essential to have a robust Compliance Management Program in place to oversee the institution’s compliance with applicable laws and regulations. I will provide some high-level guidelines for you to consider. Keep in mind that drafting and implementing a review process is only the beginning. You should also implement a risk assessment program that addresses the need to periodically review and evaluate the adequacy of the institution’s CMS efforts to protect the institution.

The following brief outline offers a cursory highlight of the areas of interest that should be included in the Compliance Management Program. It provides some insight into an evaluation generally, while also providing some understanding of risk assessment imperatives. It would be best if you used the CMS Tune-up® to get a focused review of your overall compliance program. Since I do not know if you have completed a recent internal audit, I am going to outline some features of a risk assessment; then discuss a compliance management system policy document; then mention two caveats. Finally, I will briefly discuss risk ratings and how these apply in the context of a Compliance Management Program.

Risk Assessment Objectives
A periodic risk assessment should determine the quality of the institution’s Compliance Management Program, including the degree to which management has taken a proactive approach to compliance and whether management can demonstrate its ability to assure compliance with federal consumer laws and regulations. Moreover, it should assess whether the Compliance Management Program is effective at facilitating compliance; identify potential deficiencies in the Compliance Management Program and areas of most significant risk and concern; and, determine where transaction testing is necessary.

Identify Applicable Statutes and Regulations
Determine if the Compliance Management Program adequately addresses (viz., through oversight, policies and procedures, training, monitoring, and complaint response) all areas related to the following federal consumer laws, regulations, rules, and policy statements. Depending on the institutional structure and charter, this would include the areas of lending, deposits, and many other items, such as HMDA or CRA requirements, advertisements, banking format, privacy, leasing, debt collection, interstate banking, branch activation and closings, online protections, telemarketing, CAN-SPAM, marketing, and much more.

Evaluate Management Oversight
Review the Board and committee minutes. Review of these documents should give you an indication of conditions, such as the extent of Board governance and oversight in assuring compliance with consumer protection and fair lending laws and regulations; director and senior management training; policy and procedures rationalization; negative comments on rejected loan applications during loan committee or any other meeting; consideration of new loan or deposit products and strategies for their implementation; new software or software vendors; consideration of third parties for compliance audits; branch openings and closings rationalizations; and whether the Board maintains a reporting structure that documents discussions of recommendations for policy changes, adoption of revisions, and corrective actions and testing.

Evaluate the Compliance Management Program
To evaluate the Compliance Management Program, you should review the following, at a minimum:

Policies and Procedures Review
Policies and procedures, whether written or unwritten, should cover all of the department and function areas of the financial institution. An entity may have other policies or procedures related to compliance, but not specific to compliance, and those policies need to be reviewed as well, depending on the institution’s activities and risk profile.

Training
Review your institution’s training records and have sufficient discussions with management to answer a host of review topics, such as, among other things, whether every employee receives appropriate training given his or her compliance responsibilities; how often training is conducted; the acceptable frequency of training activity; if the training program is continuously updated to incorporate accurate, complete information on new products and services, regulatory changes, emerging issues; and if the effectiveness of the training is evaluated by management through delayed testing, before-and-after work product reviews, or other means.

Monitoring
Conduct documentation reviews and have discussions with management to answer specific review topics, such as, among other things, what monitoring programs are in place for loan transactions and deposit transactions; whether every transaction is subject to monitoring, and, if not, what is the level of transactional review; if the level of monitoring is adequate; if monitoring includes a review of the performance by third-party service providers; what are the appropriate personnel conducting the monitoring (i.e., someone with daily involvement in the monitored area and who has received adequate training); how errors are identified and documented during the monitoring process. Importantly, determine whether the institution’s monitoring efforts encompass all applicable regulations.

Consumer Complaint Response
Conduct documentation reviews and discuss with management whether, among other things, your institution implements policies and procedures to handle consumer complaints; if policies and procedures are in place, do they comply with all regulatory requirements regarding complaints (maximum time limits for a response, and documentation requirements); if your company has received consumer complaints, have all complaints been resolved satisfactorily; whether you cross-referenced the complaints to all other areas of the Compliance Management Program; and if the type or quantity of complaints suggest any other areas in need of in-depth review.

Caveat #1: Conduct Transaction Sampling and Testing
After analyzing the Compliance Management Program elements in relation to operational risks, you should decide what transaction sampling and testing are necessary. The number of transactions and the particular regulatory requirements to be reviewed should be carefully tailored to the identified weaknesses as they relate to specific operational areas. In our experience, the severity of the Compliance Management Program’s weakness and operational risk dictates the intensity of transaction testing, that is, greater weakness and higher risk generally lead to the review of more transactions. If you find a moderate degree of risk, then sufficient testing should be done to support a conclusion.

Caveat #2: Identify Higher Risk Consumer Deposit and Lending Areas
Certain consumer compliance laws and regulations may be subject to higher risks. The risk assessment process should consider the unique risks for all relevant areas, which are numerous. Higher risk areas include, among other things, the Flood Disaster Protection Act; BSA/AML Programs; fair lending violation triggers; and complaints from regulators. Many high risks include changes, such as the change in compliance structure and the key personnel responsible for compliance; changes in products, services, customer base, or delivery channels that affect quantity of compliance risk, including those offered through affiliated and nonaffiliated third parties; significant changes in the volume of products and services offered that would affect consumer compliance; revisions to online protections; updates to regulations and banking laws; substantial changes in third-party relationships, contracts, and activities; changes in the training process; and changes in vendor programs, software, and applications used to support compliance.

Finally, a few words about risk ratings. Our risk ratings emulate the CAMELS rating system, but you can devise your own rating standards. To develop a consumer compliance risk rating, you would include a review of the overall compliance program using the methods I’ve discussed. The compliance risk rating should reflect at least the following standards:
  • Quantity of compliance risk;
  • Adequacy of the entity’s risk management practices in light of the quantity of compliance risk;
  • Degree of reliance on the entity’s risk management programs (viz., including the compliance review and audit functions); and,
  • Degree of supervisory concern posed by the institution’s consumer compliance program.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group