While the Consumer Financial Protection Bureau continues to expand into various business lines and increase the number of industries they supervise and hold enforcement power over, the FDIC, FED, and various state regulators have all incorporated the CFPB’s hyper focus on consumer risk into their supervision duties. As such, regulatory focus continues to remain concentrated on entities’ compliance management systems (CMS).
Each regulator independently states what the elements of a proper CMS are. For example, the FDIC’s can be found within their compliance examinations manual, and the CFPB’s can be found in Part II (A) of their Supervision and Examination Manual. If you are drafting a CMS for the first time, you should read them all, as well as the corresponding issued guidance. There are common themes, and regulators are looking for a CMS to accomplish the following goals:
- Establishes compliance responsibilities;
- Communicates those responsibilities to employees;
- Ensures that responsibilities for meeting legal requirements and internal policies are incorporated into business processes;
- Reviews operations to ensure responsibilities are carried out and legal requirements are met;
- Takes corrective action and updates tools, systems, and materials as necessary.
There is no one correct way to accomplish these goals, and therefore no defined correct format for a CMS; this leads to confusion and second-guessing from a lot of clients. That said, there are three basic components that should be present in your CMS no matter who your primary regulator is. These components are: (1) Board and Management Oversight; (2) Compliance Program; and (3) Consumer Complaint Response.
1. Board and Management Oversight
Focus, now more than ever, is on an entity’s “culture of compliance.” Routinely, regulators ask, “Do you have a culture of compliance?” or “How are you maintaining that culture?” The most effective way to create a “culture of compliance” is by demonstrating that one exists in your company from the top down, starting with the Board and senior management. This is accomplished by laying out the following goals within your CMS for the Board to adopt and follow:
- Demonstrating clear and unequivocal expectations about compliance, not only within the institution, but also to third-party providers;
- Adopting clear policy statements;
- Appointing a compliance officer with authority and accountability;
- Allocating resources to compliance functions commensurate with the level and complexity of the institution’s operations;
- Anticipating and evaluating changes in the institution’s operating environment and implementing responses across impacted lines of business;
- Identifying compliance risk in the institution’s products, services and other activities, and responding to deficiencies and violations;
- Conducting periodic compliance audits; and
- Providing for recurrent reports by the compliance officer to the Board.
Leadership on compliance by the Board and management sets the tone in an organization.
2. Compliance Program
A compliance program is composed of three elements: (A) policies and procedures; (B) training; and (C) monitoring and/or audit.
A) Policies and Procedures
Policies and procedures should be drafted in a way that a new employee could start a job within a particular department, understand his or her job functions and the basics of handling their responsibilities, while at the same time staying within the department’s governance. It is important to note that when drafting your policies and procedures, they must be written with as much detail and direction as possible so that they are followed each and every time. Therefore, it is important to be careful that the written policies and procedures are not too burdensome.
B) Training
Training must be provided on a regular schedule and include directors, management and staff, as well as any third-party service providers. Said training must (i) be updated with current, complete, and accurate information on products and services and business operations of the institution; (ii) include the current state of consumer protection laws and regulations; (iii) be up to date with all internal policies and procedures; and (iv) cover any emerging issues in the public domain.
C) Monitoring and Audit Functions
Monitoring can be handled within the line of business and should function as your first check that your policies and procedures are being followed. Its purpose is to identify any weak points in order for remediation efforts to begin. When deficiencies are identified, it is important that you document how your monitoring procedure identified the opportunity to improve and the steps that were taken to strengthen the CMS as a whole. Here, examiners will be looking to make sure (i) monitoring is scheduled and completed and leads to timely corrective actions where appropriate; (ii) the supervised entity is determining that transactions and other consumer contacts are handled according to the entity’s policies and procedures; (iii) monitoring and testing consider the results of risk assessments or other guides for prioritizing reviews; (iv) the monitoring addresses deficiencies identified in internal or external audits and the Board’s or management’s directives on resolving the deficiencies; and (v) findings are escalated to management and to the board of directors, if appropriate.
3. Consumer Complaint Response
Complaints at times can signal to an industry participant that there is a compliance weakness in a particular function or department and therefore, you should be aware of the complaints received and act to ensure a timely resolution. It is important to determine the cause of the complaint and if the cause is affecting a larger population of consumers, it will be necessary to remediate the larger problem, not just rectify the individual complaint. Examiners will be looking to see if:
- Consumer complaints and inquiries, regardless of where submitted, are appropriately recorded and categorized.
- Complaints and inquiries, whether regarding the entity or its service providers, are addressed and resolved promptly.
- Complaints that raise legal issues involving potential consumer harm from unfair treatment or discrimination, or other regulatory compliance issues, are appropriately escalated.
- Complaint data and individual cases drive adjustments to business practices as appropriate.
- Consumer complaints result in retrospective corrective action to correct the effects of the supervised entity’s actions when appropriate.
- Weaknesses in the compliance management system exist, based on the nature or number of substantive complaints from consumers.
If you are a depository, non-bank lender, mortgage servicer, third-party payment processor, debt collector, money transmitter, auto finance company or any other participant in the consumer lending industry, a proper complaint CMS is needed.
Craig Nazzaro, an attorney with Baker Donelson in Atlanta, advises lenders and servicers on all regulatory and compliance issues that impact the consumer lending industry, and defends them against charges of liability and any regulatory violations. He can be reached at email@example.com.