LENDERS COMPLIANCE GROUP®

AARMR | ABA | ACAMS | ALTA | ARMCP | IAPP | IIA | MBA | MERSCORP | MISMO | NAMB

Showing posts with label External Audits.

Monday, June 16, 2025

Raided by ICE - Employees Detained

QUESTION 

Our company was raided by ICE last week. Two of our loan officers were taken away in handcuffs. They were not read any rights. They were just taken from their desks, put in cuffs, and walked out. Our HR Department notified their families. 

It was a shock to all of us. I am a loan officer and asked our lawyer for permission to write to you about it. We have no guidelines on what to do if ICE shows up, but we’re trying to figure out what to do if ICE shows up. We do not want any trouble, and there is a lot of fear. 

Our lawyer, compliance people, and HR manager are putting together some guidelines. But many of us here get your newsletter, and we would like you to provide a few guidelines to follow if ICE comes back. 

What should we do if ICE raids our company? 

Do our employees have any rights? 

SOLUTION 

ICE Tune-up® 

RESPONSE 

If ICE raids your company, remain calm and cooperate with the agents. You can still protect your legal rights and those of your employees. The first actions are to contact legal counsel immediately and to have a designated employee accompany the ICE agents during the raid. If you have not yet selected such an employee liaison, do so now. 

Document everything, including the names of the agents, the areas searched, and the items seized. But do not obstruct or interfere with the search, do not provide false information, and do not hide employees. 

I will offer some suggestions for immediate actions and a few things to consider. The following list is not meant to be comprehensive (and I am not providing legal advice). Facts and circumstances often dictate the response and appropriate legal actions. If you have questions, you can contact us. 

If you want to be prepared for an ICE visit, you should consider our ICE Tune-up®, a mini-audit that determines whether you are ready for such a visit. Our pioneering Compliance Tune-up is in considerable demand. If you need this audit soon, I urge you to contact us to schedule it. 

IMMEDIATE ACTIONS

·    Contact Counsel

Notify legal counsel about the raid immediately.

·    ICE Team

Designating an ICE Team is essential. Whoever has first contact with ICE agents should know to contact the company’s designated ICE Team members so they can start implementing the ICE raid protocols.

·    Document

Designate an employee to take detailed notes, including agent names, badge numbers, areas searched, and persons or items seized.

·    Stay with the Agents

Select an employee to accompany the ICE agents during the search to observe and document.

·    Verify Warrants

Request and review any warrants presented by the ICE agents. Many ICE raids are being conducted using administrative warrants. Determine whether the warrant is a judicial warrant (viz., signed by a judge) or an administrative one, and understand its scope.

o   Court Warrant – A federal or state court judge issues a judicial (or court) warrant. It gives ICE access to non-public spaces of the facility in accordance with the terms of the warrant. Even if ICE has a court warrant, review it to confirm that it shows the correct company name and address; is properly signed and dated by a judge; states the timeframe within which the search must be conducted and any restrictions on it; describes the premises to be searched; and lists the items or people to be seized (e.g., equipment, records, workers).

o   Administrative (or No Warrant) – If ICE has no warrant or only an administrative warrant (i.e., one signed by an ICE official rather than a judge, on Form I-200 or I-205), ICE is not thereby authorized to enter the non-public spaces of the facility.

But if ICE proceeds anyway, do not argue with or impede the agents. Instead, document your objections, which can be used later in a court challenge.

Thursday, January 9, 2025

What to Expect from a Fannie MORA audit?

QUESTION 

Last month, you answered a question about doing an internal audit in advance of Fannie’s MORA audit. We did not pay much attention to it because (A) we never had a MORA audit, and (B) we did not expect a MORA audit anytime soon. Then, all hell broke loose! 

Yesterday, we got a letter from Fannie Mae telling us that they will be scheduling a date for an on-site audit. They are requesting policies, procedures, and many other documents. There are due dates. This review makes a state banking exam look like child’s play. But I’m a QC manager, so I don’t have the whole picture of our risks. However, I do know one thing: we are not ready for this MORA audit. 

The CEO called a team meeting in the conference room. Our compliance manager is in charge, and everyone reports to her. I got your name at the meeting because she said we are going to use you to do a MORA Tune-up®. I just wish they had done this sooner. 

What I need – and I think they need it too – is some idea of what we can expect from the MORA exam. I hope you don’t wait to reply. The compliance manager and others in management read your articles. They pass them around to us all the time. Please tell us what to expect about the MORA process. 

What is the audit process of a Fannie MORA audit? 

SOLUTION 

MORA Tune-up® 

RESPONSE 

If you want a copy of this article, please contact us here. 

We realize your question is urgent. Accordingly, we are prioritizing a response. You only have a few weeks to get ready for the MORA audit, the purpose of which is for Fannie Mae to evaluate your company’s compliance with Fannie guidelines and to assess its operational risks. 

For those who don’t know, Mortgage Origination Risk Assessment (MORA) is a Fannie Mae review of a Fannie Seller/Servicer. It is intended to be a collaborative engagement led by the review team with the active participation of your organization.[i]

Getting our MORA Tune-up® engaged is one of several readiness activities you must undertake as soon as possible. Our firm pioneered the Compliance Tune-up, a review that provides a risk assessment and self-evaluation serving as the Second Line of Defense. I am grateful that your compliance manager chose Lenders Compliance Group. Nevertheless, to all our subscribers, please know that a few compliance and law firms offer to prepare you for the MORA review. Pick one you trust and get it done! 

There are seven phases in the MORA review process, and I will outline them for you. My outline will give you a high-level view. You should not delay! 

Here are the seven phases of a MORA review: 

Phase 1: Selecting the Organization 

Phase 2: Confirmation and Engagement 

Phase 3: Document Request and Receipt 

Phase 4: Process Evaluation 

Phase 5: Interviews 

Phase 6: Final Assessment 

Phase 7: Remediation 

I am going to provide a brief overview of each phase. However, numerous contingencies can affect the process and outcome. Take this review as a deep dive, one that will make your company stronger and its relationship with Fannie more durable. It is not too late to get started immediately. 

PHASE 1: SELECTING THE ORGANIZATION 

Fannie Mae selects organizations for a review using risk-based inclusion criteria and provides advance notice to the organization before scheduling the review. A member of the review team then compiles the organization’s pertinent contact information before the process moves to Phase 2. 

We are often asked if there is a way to predict whether and when the selection takes place. The short answer is No. The best answer is Soon. In other words, always be prepared.

PHASE 2: CONFIRMATION AND ENGAGEMENT 

There are two parts to this phase: the first involves confirmation, and the second involves scheduling. The two parts are interfaced. Your point person – in your case, the compliance manager – will meet with Fannie’s BAMS team, that is, its Business Account Management Solutions team, to discuss some basics. The MORA team is independent of the BAMS team. This is a sort of question-and-answer format in which the BAMS team gathers the following information:

Wednesday, December 11, 2024

Fannie’s MORA Review: Internal Audits

QUESTION 

Although approved by Fannie Mae, we have not set up an internal audit schedule. This issue came up in a recent discussion with our Fannie representative. They want us to be ready for the MORA audit, and the audit schedule is going to be required. We haven’t even done an internal audit yet. This got us thinking about what we don’t know for preparing for the MORA visit. 

We know your company is well-known for independent risk assessments and self-evaluations, which are called the Compliance Tune-up®. I spoke to one of your Directors this morning about several of them that could help us get prepared for the Fannie audit. We need to know which policies and procedures will be reviewed, and we need to know so much more. Our first MORA audit is coming soon. So, we’re somewhat intimidated. 

I am the compliance manager. I have never handled a MORA audit before. And I have never been involved in an internal audit. I need some guidance about what Fannie expects for internal audits and a “heads-up” for their requirements.


·       What are Fannie’s expectations for internal audits?

·       Can you please provide a “heads-up” for the internal audit requirements?

·       What have you found that shows your clients were not prepared for an internal audit? 

SOLUTION 

Compliance Tune-up® List

MORA Tune-up® – Fannie's Mortgage Origination Risk Assessment (MORA)

CMS Tune-up® – Compliance Management System

RESPONSE 

Anyone who has an interest in our Compliance Tune-up®, in general, or our MORA Tune-up®, in particular, can contact us here. The Compliance Tune-up® is an extensive series of mini-audits that targets departments, functions, and regulations. It is a self-identification and risk assessment review that serves as the second line of defense.[i] The review provides a report and risk rating. It shows the strengths and weaknesses of the area subject to review. 

Fannie Mae conducts regular reviews to evaluate seller/servicer compliance with its guidelines and assess operational risks. Reviews are conducted by a team that operates independently of the Business Account Management Solutions team. 

You will need to establish an independent internal audit function. During the MORA process, Fannie Mae examines the lender's internal audit plan and the latest independent internal audit. A financial institution may outsource its internal audit process; however, it remains responsible for the findings that show compliance (or lack thereof) with Fannie's requirements.

An internal audit is the central feature of the third line of defense. From Fannie’s perspective, management control is itself a function. Indeed, establishing a professional internal audit activity should be a governance requirement for all organizations. 

Management is supposed to rely on the internal audit to validate a financial institution’s governance, risk management, and control processes to help it achieve strategic, operational, financial, and compliance objectives. This compliance framework is meant to ensure a risk-based approach, and the internal audit function evaluates and improves the effectiveness and readiness of risk management, control, and governance processes. 

We believe the following outline provides the guardrails and requirements of an internal audit. It would be best if you considered them collectively so that you prepare adequately for the development of this function. In other words, don’t cut corners. Be sure you comply with all these criteria. 

Internal Audit Function: Guardrails and Requirements

·       Be sure that the internal audit manager is free from any responsibility over any business unit.

·       Be sure the internal audit is independent of all key functions of the loan origination and servicing processes.

·       Draft internal audit and management control procedures for evaluating and monitoring the overall quality of loan production.

·       Ensure that your organization chart shows that the internal audit function reports directly to senior management and, if applicable, the Board of Directors. (By the way, we know from experience that Fannie will permit exceptions where the size of the organization is insufficient to support the resources needed to separate these functions. In those situations, your audit plan must state the rationale for the lack of separation and describe the controls in place to mitigate the risks associated with it.)

·       Be especially careful that internal audit lines of reporting reflect the independence of the audit process at all levels, so that activities are conducted in an unbiased manner and without compromises that may result from internal influences or conflicts of interest.

·       Be especially careful that the internal audit function does not share any reporting lines with the functional areas that it reviews.

·       Create a reliable and scalable reporting procedure so that written findings set out the methodology behind each recommendation and give management actionable objectives, applying a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. 

Adverse Findings and Required Document Preparation 

There are a few other things I would like you to consider. I’ll get to them in a moment. You had asked about how some clients show that they are not ready for an internal audit. By this point, I think we’ve seen just about everything there is to see about internal audit findings and preparation. However, most challenges can be overcome if you have robust plans. 

We have an extensive database of common findings from independent internal audits and Compliance Tune-up®. I have picked seven of them that I think are virtually non-negotiable. 

Adverse Findings

1)    There is no comprehensive written plan to direct the internal audit process across all loan manufacturing and servicing business functions.

2)    There is no internal audit function.

3)    MBS Trust compliance is not included in the internal audit review plan and testing.

4)    The internal audit process has not been initiated.

5)    There is no internal audit function that is independent of the business functions subject to review.

6)    An internal audit schedule has not been established to specify the areas of review, and there is no timeframe for conducting them.

7)    The internal audit plan does not include all required components. 

Required Document Preparation 

Each financial institution differs and is unique in terms of size, products, services, complexity, risk profile, and business strategy. Keep that in mind as I outline the document preparation needed to be ready for a MORA review. You can tighten up preparation by using the appropriate Compliance Tune-up® tool, such as a MORA Tune-up® or a CMS Tune-up®. 

A Compliance Tune-up® report provides recommendations indicating what should be done now and in the future to ensure readiness, but you can’t undo mistakes of the past. Willingness to correct errors, however, is a sign of good management and governance. So, it would be best if you got ready immediately to prevent a lookback that discloses unmitigated adverse findings. 

·       Organization chart reflecting the internal audit department

·       Internal audit policies and procedures.

·       Current year’s testing schedule and internal audit plan.

·       Current year’s Compliance Tune-up® (Second Line of Defense).

·       Current year’s independent internal audit. (Third Line of Defense).

·       Ability to identify any significant findings for the past 12-month period.

·       Management and tracking reports for monitoring performance in operational areas. 

Words to the Wise Should Be Sufficient! 

I stated above that there are a few other things I want you to consider. I list them in no order of importance because they are all equally important. Let’s group these remarks in the category of “words to the wise should be sufficient!” 

·       An internal audit plan should be risk-based, updated annually, and include a review of all controls and key functions in each origination and servicing department. 

·       Applying a risk rating for each key process area of the originations and servicing platforms is critical to implementing a continuous internal audit schedule. 

·       A second line of defense review, such as the Compliance Tune-up®, should be initiated for specific departments, functions, and regulations in anticipation of performing the internal audit. (This ensures that the internal audit, the third line of defense, may present accurate and reliable findings.) 

·       A process should be in place to define the scope and frequency of audits to be performed based on the specific risk rating for all key functions. (This ensures that the functions that represent the highest risk are audited on at least an annual basis.) 

·       An internal audit schedule should be in place, reflect current activity, and be reviewed on a regular basis to incorporate any emerging risks in operational areas. 

·       Adverse internal or external audit findings pertaining to key functions or regulatory compliance should be reviewed by the audit committee for remediation. 

·       Establish a framework for interaction between the internal audit function, business units, and management to ensure open communication regarding risk and control management, including the adoption and implementation of self-assessment methodologies.

Jonathan Foxx, Ph.D., MBA

Chairman & Managing Director

Lenders Compliance Group



[i] Three Lines of Defense in Effective Risk Management and Control, Institute of Internal Auditors (IIA), January 2013. The Lines of Defense (LOD) model assigns and coordinates risk and control responsibilities across business functions.

Thursday, May 11, 2023

Third Line of Defense and Risk-Based Auditing

QUESTION 

Although we're a small bank in the Midwest, we still are required to have policies and procedures that are similar to banks much larger than ours. However, our regulator has sent a letter notifying us that our corporate governance is not adequately implementing the "third line of defense." The letter also cited our need for "risk-based auditing." 

We want to show that we are responding to the regulator by revising our corporate governance policy to acknowledge this third line of defense. And we want to include a reference to risk-based auditing. We hope you can provide some insight into how to revise our policy for these requirements. 

What is the third line of defense? 

What is risk-based auditing? 

ANSWER 

The term "corporate governance" is a general term that refers to the oversight of daily business activities. Specifically, the board of directors should be actively and attentively looking over the performance of senior executives to ensure daily operations are performed within the adopted policies and objectives of the institution. 

Ultimately, the board of directors is responsible for the organization's performance. When delegating authority to senior management team members for day-to-day activities and decisions, the board should also require feedback and monitoring reports to assess executive performance. For the directors, it becomes a matter of setting high standards and ensuring they are maintained. 

The process whereby governance directs auditing programs is essential to effective risk management and internal control systems. Effective internal and external audit programs are also a critical defense against fraud and provide vital information to the board of directors about the effectiveness of internal control, among other things. 

Here's a generalized three-step process involved in corporate governance: 

1.   The board of directors and senior management are responsible for establishing, maintaining, and operating effective audit programs. This responsibility must not be delegated. 

2.   Audit programs must be performed by independent, competent staff or external auditors who objectively evaluate the institution's control environment. 

3.   Examiners validate the adequacy of the institution's audit programs. 

Regulators and investors evaluate corporate governance relating to audits. They will assess and draw conclusions about the adequacy of the overall audit function as part of every supervisory cycle or periodic review (e.g., Fannie Mae's MORA[i] audit). An assessment includes some level of audit validation, including verification procedures as necessary. The conclusions can significantly influence the institution's scope of other supervisory activities and investor relationship parameters. Where regulators are involved, examiners may expand supervisory activities in applicable areas if they identify significant concerns about the quality or extent of audit programs or the control environment. 

Now, let's turn to the "three lines of defense." These three lines of defense form a model that explains governance and roles among an institution's business units, support functions, and audit functions from a risk management perspective. So, I will conjoin the term "line of defense" with the words "risk management activities" because they are conceptually and explicitly inherent. 

·     The first line of defense risk management activities occur at the frontline units[ii] where risks are created. 

·     The second line of defense risk management activities occur in an area or function separate from the frontline unit, sometimes referred to as "independent risk management."[iii] These oversee and assess the frontline units' risk management activities. 

·     The third line of defense risk management activities are usually called the "internal audit function." These risk management activities are primarily responsible for providing independent assurance and challenging the risk structure. The audit function assesses the effectiveness of the policies, processes, personnel, and control systems created in the first and second lines of defense. 

Risk-Based Auditing is an approach to auditing an institution. This methodology links internal or external auditing to the overall risk management framework. The audit risk assessment is a process by which an auditor identifies and evaluates the quantity of risk in each area and the quality of the controls over it. The board, its audit committee, and the auditors use the results of the risk assessments to focus on the areas of greatest risk and to set priorities for audit work. 

The audit function should not ignore areas that are rated low-risk. An effective risk-based audit program includes adequate audit coverage for the institution's auditable activities. The frequency and depth of each area's audit should vary according to the audit risk assessment. In risk-based auditing, the audit is meant to assure the board that risk management processes manage risks effectively relative to the institution's risk appetite. That risk appetite must be commensurate with the institution's size and complexity. 

Generally speaking, risk-based auditing seeks to report on at least the following risk management areas: 

·      objective, independent reviews and evaluations of bank activities, internal controls, and management information systems (MIS); 

·      adequate documentation of tests, findings, and any corrective actions; 

·      assistance in maintaining or improving the effectiveness of bank risk management processes, controls, and corporate governance; 

·      reasonable assurance about the accuracy and timeliness with which transactions are recorded and the accuracy and completeness of financial and regulatory reports; and 

·      validation and review of management actions to address material weaknesses. 

Well-planned, properly structured auditing programs are essential to effective risk management and adequate internal control systems. Effective internal and external audit programs are also a critical defense against fraud and provide vital information to the board of directors about the effectiveness of internal control systems. 

At a high level, the third line of defense exists to support internal auditors in their primary role: to independently and objectively review and evaluate the institution's activities with respect to maintaining or improving the efficiency and effectiveness of its risk management, internal controls, and corporate governance. 

The audit function does this by: 

·      Evaluating the reliability, adequacy, and effectiveness of accounting, operating, and administrative controls. 

·      Ensuring that internal controls result in prompt and accurate recording of transactions and proper safeguarding of assets. 

·      Determining that an institution complies with laws and regulations and adheres to established bank policies. 

·      Confirming that management is taking appropriate steps to address current and prior control deficiencies and audit report recommendations. 

Whether the auditor is internal or external, auditors should clearly understand the institution's strategic direction, objectives, products, services, and processes to conduct these risk management activities. The auditors can then communicate findings to the board of directors, its audit committee, and senior management. 

Additionally, auditors often have a role in merger, acquisition, and transition activities. This role may include helping the board and management evaluate safeguards and controls, including appropriate documentation and audit trails, during acquisition planning and implementation processes. Each of these roles, duties, and responsibilities is critical to the overall safety and soundness of the institution.


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] Lenders that sell loans to GSEs such as Fannie Mae are subject to a Mortgage Origination Risk Assessment (MORA) review, which includes assessing the adequacy and effectiveness of the company’s internal audit function.

[ii] 12 CFR 30, Appendix D, at 6, “Front Line Unit”

[iii] 12 CFR 30, Appendix D, at 7, “Independent Risk Management”

Thursday, April 6, 2023

Risk Ratings of the Compliance Management System

QUESTION 

We have retained your firm for several of your Compliance Tune-ups. It has been amazing to find out the strengths and weaknesses of our departments and the implementation of regulatory compliance. We began with the CMS Tune-up almost two years ago, which told us how strong our Compliance Management System was in real time. Your risk ratings gave us a way to gauge our risk. 

As the Compliance Officer and General Counsel, I've come to appreciate that certain elements reflect a strong Compliance Management System. We are now planning another CMS Tune-up to see how effectively we have improved overall since the last CMS Tune-up. 

I understand the features of the Compliance Management System. What I would like to zero in on is the core elements themselves, the ones that are the foundation on which the CMS edifice sits. 

What are the core elements of a strong Compliance Management System? 

ANSWER 

When we developed and pioneered the CMS Tune-up® seven years ago, our goal was to provide a way for financial institutions to respond to the CFPB's position regarding the Compliance Management System (CMS). The Bureau found that there were

"… one or more situations in which an effective CMS was lacking across the financial institution's entire consumer financial portfolio, or in which the financial institution failed to adopt and follow comprehensive internal policies and procedures." 

So, our goal was to identify the strengths and weaknesses of a financial institution's Compliance Management System. We wanted to provide a cost-effective tool to evaluate five areas of interest to determine if a company: 

1.   Establishes its compliance responsibilities;

2.   Communicates those responsibilities to employees;

3.   Ensures that responsibilities for meeting legal and regulatory requirements, and internal policies, are incorporated into business processes;

4.   Reviews operations to ensure responsibilities are effectuated, with legal requirements met; and

5.   Takes corrective action and updates tools, systems, and materials as necessary. 

In the CMS Tune-up®, we assess whether the CMS effectively implements these four interdependent control components: 

1.   Board and management oversight;

2.   Compliance program;

3.   Response to consumer complaints; and

4.   Compliance audit. 

When all four control components are strong and well-coordinated, a financial institution should successfully manage its compliance responsibilities and risks. Bringing the analytics together can be extrapolated into an overall risk rating of the Compliance Management System. 

In fact, the Federal Financial Institutions Examination Council (FFIEC) endeavored to provide a compliance risk rating system all the way back in 2016.[i] FFIEC called it the CC Rating System. 

Our firm believes that providing risk ratings offers a financial institution the means to measure its compliance with rules; laws; regulations; guidelines; Best Practices; policy and procedure requirements; federal, state, and investor expectations. Each review in the Compliance Tune-up® series provides an independent risk rating defined and fully disclosed in our reports. 

___________________________________________________



The Compliance Tune-up® is an exclusive review
provided by Lenders Compliance Group.
If you want information about the Compliance Tune-up® series, 
please contact us HERE.

___________________________________________________

Our risk rating system consists of five levels of risk, based on an institution's size, complexity, and risk profile. Risk Rating 1 is the strongest; Risk Rating 5 is the weakest. Generally, depending on the category subject to review, a 1-rating is strong, a 2-rating is satisfactory, a 3-rating is deficient, a 4-rating is seriously deficient, and a 5-rating is critically deficient. We support our risk ratings by providing the appropriate citations and review analyses. Our reports contain recommendations and remediation guidance. 

Now, you put your finger on the importance of identifying the "core elements" on which rest risk ratings and evaluation of the strengths and weaknesses of the CMS. In my view, three fundamental elements secure the edifice of the Compliance Management System. 

The three elements of risk rating in evaluating a CMS are: 

1.       Change Management;

2.       Comprehending, identifying, and managing risk; and

3.       Corrective action and self-identification. 

Let's call this the Three "C" Approach to CMS Risk Rating. 

Change Management 

The first "C" stands for change management. The financial institution that receives our 1-rating is committed to a strong CMS that anticipates and responds promptly to changes in applicable laws and regulations, market conditions, and products and services offered. Management prepares for such changes by defining and providing examples of what constitutes a change, including new and changed vendor relationships and regulatory updates. To get our top rating, the company must demonstrate strong change management through proactive measures in advance of upcoming changes; for instance, management requires the compliance department and impacted business lines to review and approve changes before they take effect to ensure compliance with applicable consumer protection laws and regulations. 

Due diligence is an important activity in our risk rating because it should be conducted before product changes, taking into consideration the entire life cycle of a product or service, and conducting a post-implementation review to determine whether the actions taken have achieved the expected results. For example, as a part of its due diligence on a new product, the institution should develop and follow approval processes associated with implementing the new product and require a post-implementation review. 

Comprehending, Identifying, and Managing Risk 

The second "C" stands for comprehending, identifying, and managing risk. We give our 1-rating to financial institutions that evince a solid comprehension of risks, effectively identify compliance risks, and actively manage those risks. Indeed, these institutions complete comprehensive risk assessments at established frequencies. 

In our experience, we have found that risk identification and evaluation processes generally become increasingly formal and extensive as an institution's size, complexity, and risk profile increase. For instance, an annual risk assessment may be appropriate for a small, non-complex institution. Completing a risk assessment at a large, complex institution may be an ongoing, collaborative effort among senior management, the compliance department, and the internal and external audit functions. 

Furthermore, institutions with a strong CMS maintain comprehensive risk assessments, including business lines, relevant rules and regulations, and a breakdown of associated inherent risk, risk controls, and residual risk. 

Corrective Action and Self-Identification 

The third "C" stands for corrective action and self-identification. In our view, a financial institution merits the 1-rating because it proactively identifies issues and promptly responds to compliance risk management deficiencies and violations. Such responsiveness invariably reflects a strong CMS. 

We have conducted a CMS Tune-up® that found the institution completed a root cause analysis of deficiencies and violations to ensure that remediation is timely, appropriate, and comprehensive. This is what proactive management does! An institution that completes a root cause analysis of a self-identified violation may find that written policies and procedures do not include sufficient information to ensure that staff complies with relevant regulatory requirements. Thus, the root cause analysis helps to inform appropriate and comprehensive remediation. 

Self-identification and self-assessment are reflections of proactive management. We often find that these institutions may also contact their primary regulator to determine whether their remediation efforts are sufficient. Consequently, we assign a 1-rating to institutions that proactively identify issues and promptly respond to deficiencies and violations, including remediation.

Jonathan Foxx, Ph.D., MBA

Chairman & Managing Director 
Lenders Compliance Group


[i] Uniform Interagency Consumer Compliance Rating System, Final Guidance, Federal Financial Institutions Examination Council, November 14, 2016, Federal Register, Vol. 81, No. 219, Notices