Compliance Management Systems Twelve Steps To A Successful Compliance Management Plan Raplexity Resources, LLC mjmasid@raplexityresources.com
Subtitle: How do you eat an elephant?
What is a Compliance Management System anyway? It’s How an Entity
Establishes its compliance responsibilities; Communicates those responsibilities to employees; Ensures that responsibilities for meeting legal requirements and internal policies are incorporated into business processes; Reviews operations to ensure responsibilities are carried out and legal requirements are met; Takes corrective action, and Updates tools, systems, and materials, as necessary.
CMS deficiencies in nonbanks are generally related to the supervised entity’s lacking a CMS structure altogether [CFPB Supervisory Highlights, Summer 2013, p. 6]
Step One Clear written statement that compliance management and oversight is the responsibility of the Board and Management.
Board and Leadership Responsibility The leadership of a supervised entity up to and including the Board should: Establish a Compliance Function and allocate sufficient resources to that function “commensurate with the entity’s size, organizational complexity, and risk profile” [CFPB Supervisory Highlights, Spring 2013, p.8] Establish clear lines of accountability Establish CMP Provide oversight of CMP
Step Two Identification of those persons, committees or teams responsible for oversight and governance of the CMP.
Step Three Establishment of a reporting structure to make certain that adequate information is provided in a timely manner to those responsible for governance and oversight.
Adapt CMS to your business strategy and operations The CFPB does not require entities to structure their CMS in any particular manner: Large banking organizations with complex compliance profiles and a wide range of consumer financial products and services will likely manage compliance differently than entities that may be owned by a single individual or feature a narrow range of financial products and services. Other entities may outsource functions with consumer compliance-related responsibilities to service providers. (CFPB Supervisory Highlights, Summer 2013, p. 5)
Step Four Emphasis on accountability for compliance at all levels of the organization, including employees with day to day business functions as well as the legal and senior management level staff.
Step Five Assign responsibility to persons or departments to draft and adopt policies and procedures, and updates resulting from new or amended laws or regulations.
Policies and procedures Address every consumer financial product or service offered by the entity. Formal, written documents detailing consumer compliance responsibilities and instruct employees on the appropriate methods for executing these responsibilities. Designed to prevent violations and to detect and prevent associated risk of harm to consumers Maintained and modified regularly to remain current and referenced by employees in day-to-day activities
Step Six Create a centralized process to monitor consumer complaints, identify trends, determine appropriate remedial actions and report back to the Board and/or management.
Key elements to customer complaint management Establishment of channels to receive consumer complaints and inquiries; e.g. telephone numbers or email addresses dedicated to receiving consumer complaints or inquiries. Proper and timely resolution of all complaints; Recordation, categorization, and analysis of complaints and inquiries; Reviews for possible violations of Federal consumer financial laws.
CFPB observations when consumer complaint tracking is not centralized Not conducive to trend analysis of findings across the entity as a whole. Inability to to identify systemic issues or to determine the root cause of regulatory violations or internal control weaknesses. Failure to address an issue across the entity as a whole.
Consumer Complaint Management Be responsive to consumer complaints and inquiries Monitor and analyze complaints to understand and correct weaknesses that could lead to consumer risks and violations of law Organize, retain, and analyze complaint data to: identify trends isolate areas of risk identify areas of weakness
Step Seven Establish expectations for compliance by service providers/third party vendors with obligations applicable to the service provider or its products or services.
(CFPB Supervisory Highlights, Spring 2014, p. 7) The fact that a supervised entity enters into a business relationship with a service provider does not absolve the supervised entity of responsibility for complying with Federal consumer financial law and, depending on the circumstances, it may be held legally responsible for violations by the third party. (CFPB Supervisory Highlights, Spring 2014, p. 7)
Third party service providers Select service providers carefully Include compliance expectations in contracts Monitor service providers’ work and complaints about their work If they fail to provide services properly, require remediation and take appropriate measures including possible termination of contract.
Step Eight Establish a training plan for all staff and management based on their roles and the nature and risks to consumers. Such training must be consistent with and designed to reinforce internal policies and procedures. Keep track of training.
Training Leadership should ensure regular training of employees on their consumer compliance responsibilities. Current, complete, effective, and commensurate with the entity’s size and risk profile. Federal consumer financial laws regulatory requirements and entity’s own consumer compliance-related policies and procedures. Reinforces and helps implement written policies and procedures. Board members need sufficient information, including training, to understand the entity’s consumer compliance responsibilities and the commensurate resource requirements.
Training Programs Include formal training schedules Attendance records Written reference materials Responsive to new or changing regulatory requirements, new products and services, and product changes.
Step Nine Identify resources for, and schedule frequent monitoring of, activities for compliance with policies and procedures.
What is expected for Monitoring? An effective CMS implements both periodic monitoring reviews and an independent compliance audit. Periodic monitoring reviews may be conducted by either individual business lines or the compliance department on a frequent basis, monthly or quarterly, to self-check processes and ensure day-to-day compliance with Federal consumer financial laws.
Insufficiency in monitoring increases risks Violations and weaknesses may go undetected for long periods of time potentially leading to multiple regulatory violations and increased consumer harm. Insufficiencies in the periodic monitoring process may not be identified Board is not made aware of regulatory violations or program weaknesses Practices or conduct by employees within the business lines or compliance department that are unfair, deceptive, abusive, discriminatory, or otherwise unlawful could go undetected
Step Ten Require annual audit by a person or team independent from the compliance function and business units. This audit addresses compliance with the CMS, internal policies and procedures, state and federal consumer finance laws and regulations with coverage appropriate for the size of the organization.
Independent compliance audits Usually done annually This audit is independent from the compliance function and from the business unit Compliance with Federal consumer financial law is ongoing CMS as a whole is operating properly The Board is made aware of consumer compliance issues
Audit schedule and scope is expected to be appropriate for the entity’s size, its consumer financial product offerings, and structure for offering these products. The compliance audit program should address compliance with all applicable Federal consumer financial laws, and also identify any significant gaps in policies and standards. (CFPB Supervisory Highlights, Summer 2013, p.11)
Reports should be timely made to the Board or executive management. Step Eleven Reports should be timely made to the Board or executive management.
Independent compliance audit Provides Board/Board Committee with determination whether implemented policies and standards are implemented to Board’s established level of compliance and consumer protection Audit results are reported directly to Board or Board committee.
Results leading to appropriate corrective action are documented. Step Twelve Results leading to appropriate corrective action are documented.
Corrective action Areas of weakness identified in Monitoring and Audit are addressed through implementation of corrective actions Management follow up on corrective actions Ensure violation of law or program deficiencies are resolved Findings escalated to management and Board, where appropriate
Let’s look at CHFA’s approach Assigned legal and compliance staff to the tasks Conducted internal research and interview business units Prepared a Gap Analysis Sought out training opportunities – especially those provided by the CFPB Reported Findings to Executive Leadership
CHFA’s Implementation Created Comprehensive Management Plan for Board level approval Refined and updated existing policies and procedures to incorporate CFPB guidance Overhauled complaint tracking and response system Updated Seller’s Guide; Mortgage Purchase Agreements with Participating Lenders and Vendor Contract forms and procedures Educated CHFA business units, Participating Lenders and third-party vendors about CFPB requirements and CHFA’s expectations Established a training curriculum for all CHFA staff and management
Getting started Gap Analysis Assess your human capital Survey what you already have What can you re-use or repurpose Assess your human capital Who can take charge - person or committee Assess your resources
Where to start Assign specific persons to take responsibility for implementation Take stock of what you already have in place Where are the Gaps? Prepare Formal Action for approval by the Board or other Executive Leadership Consider your organization’s culture and how to best incorporate the necessary changes
Resources Supervisory Highlights CFPB has provided guidance through its Supervision and Examination Manual http://files.consumerfinance.gov/f/201210_cfpb_supervision-and-examination-manual-v2.pdf Supervisory Highlights http://www.consumerfinance.gov/policy-compliance/guidance/supervisory-highlights/ Published Bulletins, e.g. CFPB Bulletin 2012-03 Date: April 13, 2012 Subject: Service Providers http://files.consumerfinance.gov/f/201204_cfpb_bulletin_service-providers.pdf Published Consent Orders – e.g. ADMINISTRATIVE PROCEEDING File No. 2014-CFPB- In the Matter of: CONSENT ORDER U.S. Bank National Association https://s3.amazonaws.com/files.consumerfinance.gov/f/201409_cfpb_consent-order_us- bank.pdf