QUESTION
We have retained your firm for several of your Compliance Tune-ups. It has been amazing to find out the strengths and weaknesses of our departments and the implementation of regulatory compliance. We began with the CMS Tune-up almost two years ago, which told us how strong our Compliance Management System was in real time. Your risk ratings gave us a way to gauge our risk.
As the Compliance Officer and General Counsel, I've come to appreciate that certain elements reflect a strong Compliance Management System. We are now planning another CMS Tune-up to see how effectively we have improved overall since the last CMS Tune-up.
I understand the features of the Compliance Management System. What I would like to zero in on is the core elements themselves, the ones that are the foundation on which the CMS edifice sits.
What are the core elements of a strong Compliance Management System?
ANSWER
When we developed and pioneered the CMS Tune-up® seven years ago, our goal was to provide a way for financial institutions to respond to the CFPB's position regarding the Compliance Management System (CMS). The Bureau found that there were
"… one or more situations in which an effective CMS was lacking across the financial institution's entire consumer financial portfolio, or in which the financial institution failed to adopt and follow comprehensive internal policies and procedures."
So, our goal was to identify the strengths and weaknesses of a financial institution's Compliance Management System. We wanted to provide a cost-effective tool to evaluate five areas of interest to determine if a company:
1. Establishes its compliance responsibilities;
2. Communicates those responsibilities to employees;
3. Ensures that responsibilities for meeting legal and regulatory requirements, and internal policies, are incorporated into business processes;
4. Reviews operations to ensure responsibilities are effectuated, with legal requirements met; and
5. Takes corrective action and updates tools, systems, and materials as necessary.
In the CMS Tune-up®, we assess how well the institution has put in place the four interdependent control components of an effective CMS:
1. Board and management oversight;
2. Compliance program;
3. Response to consumer complaints; and
4. Compliance audit.
When all four control components are strong and well-coordinated, a financial institution should successfully manage its compliance responsibilities and risks. Bringing these analyses together yields an overall risk rating of the Compliance Management System.
In fact, the Federal Financial Institutions Examination Council (FFIEC) set out a compliance risk rating system as far back as 2016.[i] FFIEC called it the CC Rating System.
Our firm believes that providing risk ratings offers a financial institution the means to measure its compliance with rules; laws; regulations; guidelines; Best Practices; policy and procedure requirements; federal, state, and investor expectations. Each review in the Compliance Tune-up® series provides an independent risk rating defined and fully disclosed in our reports.
Our risk rating system consists of five levels of risk, based on an institution's size, complexity, and risk profile. Risk Rating 1 is the strongest; Risk Rating 5 is the weakest. Generally, depending on the category subject to review, a 1-rating is strong, a 2-rating is satisfactory, a 3-rating is deficient, a 4-rating is seriously deficient, and a 5-rating is critically deficient. We support our risk ratings by providing the appropriate citations and review analyses. Our reports contain recommendations and remediation guidance.
Now, you have put your finger on the importance of identifying the "core elements" on which the risk ratings, and the evaluation of the CMS's strengths and weaknesses, rest. In my view, three fundamental elements secure the edifice of the Compliance Management System.
The three elements of risk rating in evaluating a CMS are:
1. Change Management;
2. Comprehending, identifying, and managing risk; and
3. Corrective action and self-identification.
Let's call this the Three "C" Approach to CMS Risk Rating.
Change Management
The first "C" stands for change management. The financial institution that receives our 1-rating is committed to a strong CMS that anticipates and responds promptly to changes in applicable laws and regulations, market conditions, and products and services offered. Management prepares for such changes by defining and providing examples of what constitutes a change, including new and changed vendor relationships and regulatory updates. To get our top rating, the company must demonstrate strong change management through proactive measures in advance of upcoming changes; for instance, management requires the compliance department and impacted business lines to review and approve changes before they take effect to ensure compliance with applicable consumer protection laws and regulations.
Due diligence is an important activity in our risk rating. It should be conducted before product changes, should take into consideration the entire life cycle of a product or service, and should be followed by a post-implementation review to determine whether the actions taken have achieved the expected results. For example, as part of its due diligence on a new product, the institution should develop and follow approval processes for implementing the new product and require a post-implementation review.
Comprehending, Identifying, and Managing Risk
The second "C" stands for comprehending, identifying, and managing risk. We give our 1-rating to financial institutions that evince a solid comprehension of risks, effectively identify compliance risks, and actively manage those risks. Indeed, these institutions complete comprehensive risk assessments at established frequencies.
In our experience, we have found that risk identification and evaluation processes generally become increasingly formal and extensive as an institution's size, complexity, and risk profile increase. For instance, an annual risk assessment may be appropriate for a small, non-complex institution. Completing a risk assessment at a large, complex institution may be an ongoing, collaborative effort among senior management, the compliance department, and the internal and external audit functions.
Furthermore, institutions with a strong CMS maintain comprehensive risk assessments, including business lines, relevant rules and regulations, and a breakdown of associated inherent risk, risk controls, and residual risk.
Corrective Action and Self-Identification
The third "C" stands for corrective action and self-identification. In our view, a financial institution merits the 1-rating when it proactively identifies issues and promptly responds to compliance risk management deficiencies and violations. Such responsiveness invariably reflects a strong CMS.
We have conducted a CMS Tune-up® that found the institution completed a root cause analysis of deficiencies and violations to ensure that remediation is timely, appropriate, and comprehensive. This is what proactive management does! An institution that completes a root cause analysis of a self-identified violation may find that written policies and procedures do not include sufficient information to ensure that staff complies with relevant regulatory requirements. Thus, the root cause analysis helps to inform appropriate and comprehensive remediation.
Self-identification and self-assessment are reflections of proactive management. We often find that these institutions may also contact their primary regulator to determine whether their remediation efforts are sufficient. Consequently, we assign a 1-rating to institutions that proactively identify issues and promptly respond to deficiencies and violations, including remediation.
Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director

[i] Uniform Interagency Consumer Compliance Rating System, Final Guidance, Federal Financial Institutions Examination Council, November 14, 2016, Federal Register, Vol. 81, No. 219, Notices.