Thursday, February 24, 2022

Risk Assessment of a Compliance Management System

QUESTION 

I am the Assistant General Counsel of our bank. Generally, we believe we have a dependable Compliance Management System. A couple of years ago, we had your firm do a CMS Tune-up, and we learned how to improve it even more. Your review was a productive experience, strengthening management’s sincere commitment to maintaining high standards. 

Recently, we went through Change Management procedures that involved changes in our Compliance Management System. We plan to have you back soon to do another CMS Tune-up to ensure everything is intact. 

In the meantime, we could use some additional insight. In particular, in outlining our risk assessment objectives, we would like to know which factors to consider. We are not looking to know how to evaluate the compliance program so much as to understand better the top level areas to be reviewed in a risk assessment of the Compliance Management System. 

So, our question is, what are some of the essential categories in the risk assessment of a Compliance Management System? 

ANSWER 

Regulatory compliance management of consumer laws involves implementing policies and procedures designed to ensure the financial institution understands and follows the laws in a manner that avoids, among other things, fines, lawsuits, and reputational issues. The Dodd-Frank Wall Street Reform and Consumer Protection Act established the Consumer Financial Protection Bureau (CFPB) that centralizes the monitoring and enforcement of consumer protection laws. 

The CFPB issues regulations that institutions use to implement the laws that Congress passes. The risk institutions face is that these regulations will not be followed as intended. The consequences can include administrative actions by the institution’s primary regulator, fines, lawsuits, and various other types of risk. Therefore, it is essential to have a strong Consumer Compliance Management Program, usually called a Compliance Management Program (CMP) or Compliance Management System (CMS). The primary purpose of the CMS architecture is to oversee the institution’s compliance with applicable laws and regulations. 

The tool we pioneered, the CMS Tune-up, is a mini-audit that provides a comprehensive review highlighting a financial institution’s regulatory strengths and weaknesses with respect to its CMS mandate. It is cost-effective and is completed in sixty days. The report and risk rating help facilitate decisions throughout the company’s compliance infrastructure. If you’ve encountered substantive issues of Change Management, you should contact us to do a follow-on CMS Tune-up. 

Risk assessments of your company’s Compliance Management System should be conducted periodically to evaluate whether your institution’s CMS is adequate to protect the institution from the failures associated with compliance defects and risks. I will provide certain categories that you should include in your risk assessment protocol. Given the scope of risk assessment development, my comments here can only be brief, cursory, and suggestive. 

Objectives 

It would be best to have a clear idea of the risk assessment objectives. In my view, the following four objectives are mandatory: 

1)     Determine the quality of the institution’s CMS, including the degree to which management has taken a proactive approach to compliance and whether management can demonstrate its ability to assure compliance with federal consumer laws and regulations;

2)     Assess whether the CMS is effective at facilitating compliance; 

3)     Identify potential deficiencies in the CMS and areas of most significant risk and concern; and 

4)     Determine where transaction testing is necessary. 

When you develop the risk assessment, keep in mind that the evaluation is meant to serve as guidance for the categories to be addressed during the risk team’s dialogue with department and function personnel. I suggest that you organize by elements of the CMS, and that these elements be considered in conjunction with each of the different operational areas of the company, so as to reach a conclusion about the overall strength of each element and the applicable risk assessment score. 

Risk Rating 

Also, it is critical to determine the requirements for a risk rating. To develop a consumer compliance risk rating, review the overall compliance program using the methods that I outline briefly below. The compliance rating should reflect: 

·       Quantity of compliance risk; 

·       Adequacy of the bank’s risk management practices in light of the quantity of compliance risk; 

·       Degree of reliance that can be placed on the company’s risk management system, inclusive of the compliance review and audit functions; and 

·       Degree of supervisory concern posed by the company’s CMS. 

Acts, Statutes, Regulations 

It is fundamental to the risk assessment process to identify applicable statutes and regulations. Specifically, determine if the CMS adequately addresses (through oversight, policies and procedures, training, monitoring, and complaint response) all areas related to the following federal consumer laws, regulations, rules, and policy statements. Take note, this list is not meant to be comprehensive; your own list should be updated, as needed, so that it is complete as of the risk assessment date. 

A list of core statutes and regulations in a risk assessment should include:

Lending 

·       Truth in Lending

·       Real Estate Settlement Procedures

·       Homeowners Protection

·       Credit Practices Rule

·       Equal Credit Opportunity

·       Fair Housing

·       Home Mortgage Disclosure

·       Fair Credit Reporting

·       Flood Insurance

·       Preservation of Consumers’ Claims and Defenses

·       Homeownership Counseling

·       SAFE Act

Deposits

·       Truth in Savings

·       Electronic Fund Transfers

·       Expedited Funds Availability

·       Interest on Deposits

Other

·       CRA Technical Requirements

·       Bank Secrecy and Anti-Money Laundering

·       Advertisement of Membership

·       Electronic Banking

·       Privacy of Consumer Financial Information

·       Right to Financial Privacy

·       Non-Deposit Products

·       Consumer Leasing

·       Fair Debt Collection Practices

·       Branch Closings

·       Interstate Banking

·       Children’s Online Privacy Protection

·       Unfair or Deceptive Acts or Practices

·       Telephone Consumer Protection

·       Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM)

·       Marketing and Advertising 

In time, you might want to build a matrix of compliance risk assessment statutes and regulations that identifies the consumer compliance laws and regulations to be included in the risk assessment of your CMS. 

Management oversight is a critical compliance component. Thus, the risk assessment should prioritize this category. 

Management Oversight 

Reviewing board and management oversight is a key element. There are several evaluative procedures and questions that are features of this part of a risk assessment. The procedural list is rather extensive. Here are but a few. 

·       Extent of board oversight/involvement in assuring compliance with consumer protection and fair lending laws and regulations; 

·       Training of directors and senior management regarding compliance and fair lending issues; 

·       Rationale for implementing new policies or procedures or modifying existing ones; and 

·       Whether the board or management documented a review of policy changes, an adoption of those revisions, and the corrective action and subsequent testing for identified defects. 

Interrogatories are an essential component of a risk assessment of a CMS. The list of questions is quite extensive. Here are a few questions that should be included. 

·       What is the business strategy, and what are the compliance implications (for instance, elevated risk due to rapidly growing niche lending)? 

·       Have the board and senior management fostered a favorable climate for compliance? 

·       Has management allocated the appropriate level of resources to compliance? 

·       Has management responded appropriately and promptly to consumer complaints? 

·       Has management responded appropriately to deficiencies noted and suggestions made at previous examinations and audits? 

·       How does management ensure that compliance is part of new product and service development, marketing, and advertising? 

·       How does management ensure that due diligence is performed before changing software or software vendors or third-party audit providers? 

·       Is the board aware that it is ultimately responsible for the institution’s CMS? 

When developing and documenting the assessment of the institution’s performance in this and any other area subject to review, rate management’s oversight with a finding of strong, adequate, or weak. Describe the basis for these findings, and be sure to define these ratings. 

Much of the foregoing is a preamble to the risk assessment categories that evaluate the CMS. I will provide a generic and somewhat compact outline of some categories. Consider the following elements. 

Compliance Management System (CMS) 

Whether written or unwritten, the policies and procedures should cover all of the areas listed below. A financial institution may have other policies and procedures related to compliance not listed here that should be included in the review, depending on the institution’s activities, size, complexity, and risk profile. 

·       Compliance Policy: This may be a single document or a compilation of various documents, each relating to specific areas of institution activity. 

·       Lending: Often, institutions will have separate policies for various lending types such as consumer, real estate, residential, commercial, agricultural, and so forth. They should all be reviewed in a risk assessment. 

·       Deposits: Institutions often have separate policies (e.g., Regulation DD, Regulation E, Regulation CC, and Part 329). 

·       Electronic Banking: The adequacy of e-banking policies should be assessed in light of the level of activity in which the institution is engaged. 

·       Privacy: Privacy policies and procedures usually vary widely, depending on the level of information sharing involved. Other policy areas, such as non-deposit products or branch closings, should be included where applicable. 

As was the case with Management Oversight, there are also important questions regarding the CMS. I will mention several from among a large number of such interrogatories. The institution’s policies and procedures must provide the appropriate level of guidance for all employees and include clearly defined goals and objectives. 

·       What areas of compliance do written policies or procedures cover? 

·       Which policies or procedures are unwritten? 

·       Is the use of unwritten policies/procedures adequate for the institution’s needs? 

·       Are there any practices that have become policy because of the frequency of their occurrence? If so, do these practices conflict with formal policies or procedures? 

·       Do the policies give effective guidance to institution employees? 

·       Are policies and procedures structured and implemented in such a way as to ensure fair and equitable treatment of all consumers? 

·       Are policies, procedures, and standardized forms periodically reviewed and updated in response to regulatory changes and changes in the institution's risk profile? How frequent are the reviews? 

·       Does the board or management review and approve all changes to policies and procedures? If not, is the level of approval appropriate given the institution’s risk profile? 

Training 

The institution’s training records should be reviewed as a critical element. Some significant questions to ask management and department personnel follow. 

·       Does every employee receive appropriate training given their compliance responsibilities? 

·       How often is training conducted? Is the frequency of training acceptable? 

·       Is the training program continuously updated to incorporate accurate, complete information on new products and services, regulatory changes, emerging issues, and so forth? 

·       Regardless of whether staff training is conducted primarily in-house or is outsourced, does management evaluate whether the institution’s training needs are being met? 

Monitoring 

Those of you who follow my columns know the emphasis I place on monitoring and testing. Obviously, the category of monitoring is an essential element of a CMS risk assessment. Determine whether the institution’s monitoring efforts encompass all applicable regulations. 

·       What monitoring programs are in place for loan transactions? Deposit transactions? Investment and insurance sales activities? 

·       Are the appropriate personnel conducting the monitoring (i.e., someone with daily involvement in the monitored area who has received adequate training)? 

·       How are errors that are identified during the monitoring process documented? How are the errors corrected? 

·       Is there appropriate follow-up when errors are identified (e.g., refresher training, disciplinary action)? 

Consumer Complaint Response 

Place high importance on the component of consumer complaints in the risk assessment. You should develop an evaluation based on at least the four questions below. 

·       Has the institution implemented policies and procedures to handle consumer complaints? 

·       If policies and procedures are in place, do they comply with all regulatory requirements regarding complaints (e.g., maximum time limits for response, documentation requirements, and so forth)? 

·       If the institution has received consumer complaints, have all complaints been resolved satisfactorily? 

·       Cross-referencing the complaints to all other areas of the CMS, does the type or quantity of complaints suggest any other areas needing in-depth review? 

Jonathan Foxx
Chairman & Managing Director
Lenders Compliance Group