Compliance Management Systems A Structure of Excellence

Page 1: Compliance Management Systems

Compliance Management Systems

A Structure of Excellence

Page 2: Compliance Management Systems

• Jim Bedsole’s Working Definition:

A compliance management system (CMS) is the process used by a financial institution to provide a comprehensive program designed to reasonably ensure compliance with consumer protection laws and related regulations and minimize and remediate violations and instances of consumer harm resulting from violations.

What is a Compliance Management System?

Page 3: Compliance Management Systems

• Uniform Interagency Compliance Rating System (Effective Mar 2017)

  • Defines components – three main categories:

    • Board and Management Oversight

    • Compliance Program

    • Violations of Law and Consumer Harm

  • Establishes risk‐based benchmarks

  • Provides for consistency and transparency

  • Actionable

  • Incent strong compliance and self‐identification and correction

What is a Compliance Management System?

Page 4: Compliance Management Systems

Board & Management Oversight

Risk Assessment

Policies/ Procedures/ Controls

Systems

Training

Monitoring

Complaint Management

Independent Testing

Corrective Actions

Compliance Culture

What is a Compliance Management System?

Page 18: Compliance Management Systems

CMS in Practice

Page 19: Compliance Management Systems

• Failure to institute clear policies & procedures, lines of communication, and employee training

• Inconsistent investigation processes

• Failure to take corrective action (“sweep it under the rug”)

• Records of complaints and resolution not adequately retained or centralized

CMS Deficiencies – Complaint Management

Page 20: Compliance Management Systems

• Complaint management policy – define what is a complaint, including complaints resolved at point of contact

• Monitor complaints from all sources (verbal, written, regulatory, social media)

• Training & accountability

• Emphasize self‐identification of issues as a positive

• Automate where possible

• Easy to access complaint recording tools

• Centralized review of complaint trends and resolution

• Root cause analysis

• Open lines of communication at all levels including Board and Management

CMS Deficiencies – Complaint Management

How to avoid:

Page 21: Compliance Management Systems

• Training not tailored to staff roles and responsibilities

• Compliance culture not threaded through product development, marketing, customer service

• Monitoring and/or audit schedule and coverage not aligned with risk assessments and prior audits/exams

• Third party management, oversight, and due diligence not appropriately scaled to risk

CMS Deficiencies – Misappropriately Scaled CMS

Page 22: Compliance Management Systems

• Compliance committee structure – involve all parties who own compliance risk or indirectly address compliance risk

• Align technology for risk assessments, compliance monitoring, and auditing where possible

• Plan internal audits strategically and in alignment with risk profile

CMS Deficiencies – Misappropriately Scaled CMS

How to avoid:

Page 23: Compliance Management Systems

• Policies don’t match procedures and processes

• Required policies are not reviewed, revised, updated, adopted, or maintained

• Policies are a “check‐the‐box” exercise with no real oversight or governance

• Policies and procedures are hard to retrieve, in various formats and locations

CMS Deficiencies – Governance

Page 24: Compliance Management Systems

• Centralize policy management – leverage technology

• Assign policy owner for each policy

• Create and automate policy review schedule

• Ensure regulatory change management includes policy review and revision where needed

• Standardize format

• Don’t use policy templates without appropriate tailoring to your institution

• Policy attestation by affected employees

CMS Deficiencies – Governance

How to avoid:

Page 25: Compliance Management Systems

• Changes are not captured and evaluated for impact (cost, systems, policies & procedures, training, monitoring)

• Action plans are weak or non‐existent

• Responsible parties not assigned

• Progress due dates not tracked/reported

CMS Deficiencies – Change Management

Page 26: Compliance Management Systems

• Automate tracking

• Spend time analyzing change

• Leverage technology and third parties

• Solid action plans

• Due date tracking and reporting – accountability

• Post‐implementation evaluation – what can we do better next time?

CMS Deficiencies – Change Management

How to avoid:

Page 27: Compliance Management Systems

Build It or Buy It?

Page 28: Compliance Management Systems

What is Unique About Today’s Environment?

Page 29: Compliance Management Systems

Achieving CMS Agility ‐ Three Lines Model

GOVERNING BODY (Board/Audit Committee/Compliance Committee): Accountability to stakeholders for organizational oversight

Governing body roles: Integrity, leadership, and transparency

MANAGEMENT: Actions (including managing risk) to achieve organizational objectives

First line roles: Provision of products/services to clients; managing risk

Second line roles: Expertise, support, monitoring, and challenge on risk‐related matters

INTERNAL AUDIT: Independent assurance

Third line roles: Independent and objective assurance and advice on all matters related to the achievement of objectives

EXTERNAL ASSURANCE PROVIDERS: External Audit/Regulators

KEY: Accountability, reporting; Delegation, direction, resources, oversight; Alignment, communication, coordination, collaboration

Page 30: Compliance Management Systems

Deployment and Implementation of RegTech

Page 31: Compliance Management Systems

What Does Agility/Adaptability Look Like in a CMS?

Board & Management Oversight

Risk Assessment

Policies/ Procedures/ Controls

Systems

Training

Monitoring

Complaint Management

Independent Testing

Corrective Actions

Compliance Culture

Page 32: Compliance Management Systems

Compliance as a Competitive Advantage

Page 33: Compliance Management Systems

OODA Loop

Page 34: Compliance Management Systems

Q&A Time

Page 35: Compliance Management Systems

Regulator CMS Expectations

OCC: Comptroller’s Handbook, Consumer Compliance, Compliance Management Systems (June 2018)

FDIC: Consumer Compliance Examination Manual – Compliance Management Systems (June 2019)

FRB: Community Bank Risk‐Focused Consumer Compliance Supervision Program

CFPB: Examination Procedures – Compliance Management Review (August 2017)

Uniform Interagency Compliance Rating System

Page 36: Compliance Management Systems

Contact Me