QUESTION
I am the Assistant General Counsel of our bank. Generally, we believe we have a dependable Compliance Management System. A couple of years ago, we had your firm do a CMS Tune-up, and we learned how to improve it even more. Your review was a productive experience, strengthening management’s sincere commitment to maintaining high standards.
Recently, we went through Change Management procedures that involved changes in our Compliance Management System. We plan to have you back soon to do another CMS Tune-up to ensure everything is intact.
In the meantime, we could use some additional insight. In particular, in outlining our risk assessment objectives, we would like to know which factors to consider. We are not looking to know how to evaluate the compliance program so much as to understand better the top level areas to be reviewed in a risk assessment of the Compliance Management System.
So, our question is, what are some of the essential categories in the risk assessment of a Compliance Management System?
ANSWER
Regulatory compliance management of consumer laws involves implementing policies and procedures designed to ensure the financial institution understands and follows the laws in a manner that avoids, among other things, fines, lawsuits, and reputational issues. The Dodd-Frank Wall Street Reform and Consumer Protection Act established the Consumer Financial Protection Bureau (CFPB), which centralizes the monitoring and enforcement of consumer protection laws.
The CFPB issues regulations that institutions use to implement the laws that Congress passes. The risk institutions face is that these regulations will not be followed as intended. The consequences can include administrative actions by the institution’s primary regulator, fines, lawsuits, and various other forms of risk. Therefore, it is essential to have a strong Consumer Compliance Management Program, usually called a Compliance Management Program (CMP) or Compliance Management System (CMS). The primary purpose of the CMS architecture is to oversee the institution’s compliance with applicable laws and regulations.
The tool we pioneered, the CMS Tune-up, is a mini-audit that provides a comprehensive review that highlights a financial institution’s regulatory strengths and weaknesses with respect to its CMS mandate. It is cost-effective and is completed in sixty days. The report and risk rating are results that help facilitate decisions throughout the company’s compliance infrastructure. If you’ve encountered substantive issues of Change Management, you should contact us to do a follow-on CMS Tune-up.
Risk assessments of your company’s Compliance Management System should be conducted periodically to evaluate whether your institution’s CMS efforts adequately protect the institution from failures arising from compliance defects and risks. I will provide certain categories that you should include in your risk assessment protocol. Given the scope of risk assessment development, my comments here can only be brief, cursory, and suggestive.
Objectives
It would be best to have a clear idea of the risk assessment objectives. In my view, the following four objectives are mandatory:
1) Determine the quality of the institution’s CMS, including the degree to which management has taken a proactive approach to compliance and whether management can demonstrate its ability to assure compliance with federal consumer laws and regulations;
2) Assess whether the CMS is effective at facilitating compliance;
3) Identify potential deficiencies in the CMS and areas of most significant risk and concern; and
4) Determine where transaction testing is necessary.
When you develop the risk assessment, keep in mind that the evaluation is meant to serve as guidance for the categories to be addressed during the risk team’s dialogue with department and function personnel. I suggest that you organize by elements of the CMS, and that these elements be considered in conjunction with each of the company’s operational areas, so as to reach a conclusion about the overall strength of each element and the applicable overall risk assessment score.
Risk Rating
Also, it is critical to determine the requirements for a risk rating. To develop a consumer compliance risk rating, review the overall compliance program using the methods that I outline briefly below. The compliance rating should reflect:
· Quantity of compliance risk;
· Adequacy of the bank’s risk management practices in light of the quantity of compliance risk;
· Degree of reliance that can be placed on the company’s risk management system, inclusive of the compliance review and audit functions; and
· Degree of supervisory concern posed by the company’s CMS.
Acts, Statutes, Regulations
It is fundamental to the risk assessment process to identify applicable statutes and regulations. Specifically, determine whether the CMS adequately addresses (through oversight, policies and procedures, training, monitoring, and complaint response) all areas related to the following federal consumer laws, regulations, rules, and policy statements. Note that this list is not meant to be comprehensive, and any relevant list should be updated, as needed, so that it is all-inclusive as of the risk assessment date.
A list of core statutes and regulations in a risk assessment should include: