The requirements of a compliance management system (CMS) seem relatively simple. The primary functional regulators agree that there are three crucial elements of a good CMS:
- Board and management oversight of change management, risk management and corrective actions
- A formal compliance program with policies, procedures, training, monitoring and complaint responses
- An audit function
While regulatory agencies have been emphasizing the importance of a strong and effective CMS, they’ve given financial institutions a lot of flexibility in building one.
That leaves a great deal of room for customization—and this is where a compliance officer’s institutional insights are extremely valuable. No two financial institutions are identical and their CMSs shouldn’t be either. A CMS should be developed keeping in mind the institution’s size, products and services, structure, risk tolerance and other unique factors.
This is especially true in an environment where many smaller financial institutions have specialized to compete more effectively. An institution may focus on certain niches of commercial lending, have left the mortgage market, or operate in a tech-heavy environment.
Compliance officers at such institutions become experts in these niches, learning to sort through information on new regulations to pick out what applies to their institution—and then developing policies and procedures that build on an institution’s strengths and address its weaknesses.
The challenge is finding more efficient ways to manage these well-thought-out policies as the regulatory burden increases. Many institutions already have a strong CMS in place. They simply need to find ways to enhance their existing systems to keep pace with the rate of change.
While there are many ways to design a strong CMS, compliance officers and their staff should follow these four ways to streamline a CMS:
- Interpreting regulations and keeping up with changes
- Cross-departmental collaboration
- Maintaining organized records needed to produce reports for examiners and board meetings
- Keeping track of policy changes and approvals
Interpreting Regulations and Keeping up with Changes
A compliance officer could spend all day, every day tracking and reading changes to regulations and still never get to them all—let alone interpret and implement them.
An efficient CMS has a method to actively monitor and quickly review regulatory change, determine which rules specifically impact the institution, share these changes with other business units involved, and develop step-by-step plans for writing, updating and modifying policies and procedures.
Cross-Departmental Collaboration
Compliance activities aren’t restricted to the compliance department. Everyone at the bank, from lending and IT to marketing and the frontline, has a role to play in keeping the financial institution compliant. The question is how an institution can effectively build and reinforce a culture of compliance.
It starts at the top with the buy-in of the board and management, and continues with unified execution. Consider vendor management activities. This area of compliance touches cybersecurity, business continuity planning, and enterprise risk management.
A good CMS should have tools and systems for ensuring the different departments and areas are leveraging each other’s work, rather than duplicating efforts. It should make it easy to see regulatory overlap, assign responsibility for specific areas, and ensure that everyone works with the same data and work product.
In addition, an institution’s CMS should make it easy to demonstrate to management and examiners the collaborative efforts undertaken by all units to achieve and maintain compliance. For example, a good CMS needs to account for the fact that employees throughout the institution must engage in compliance training, and it needs to ensure employees are not only aware of policies and procedures but are following them.
Maintaining Organized Records
Everyone who manages compliance knows the cardinal rule of documentation: if you didn’t document it, it didn’t happen.
Financial institutions need a standardized and centralized system to efficiently manage and document the compliance process, including task management. Compliance officers need to demonstrate to the board and examiners that they know what’s being done, when it’s being done and who is responsible for doing it.
Smart compliance officers know financial institutions are filled with people, and people make mistakes. No matter how strong an institution’s policies and procedures, there will be times when things don’t go according to plan. The key is to find and address these mistakes before significant consumer harm occurs or regulators find the errors first, blindsiding the compliance department.
This can be an enormous task—even for the most diligent compliance officers. A strong audit trail involves many employees and departments, meaning there are many moving pieces to track. Hours are spent tracking down individuals and following up to ensure their parts are completed. It’s a constant effort to track and document. And the stakes are high. If something falls through the cracks and an examiner finds an error, it can cast a shadow over the institution’s entire CMS—not to mention fines and other fiduciary repercussions.
Good documentation demonstrates that an institution is following policies and procedures, testing for weaknesses and actively taking steps to remediate any problems. But good documentation is incomplete without an easy-to-navigate document repository that produces records when examiners want to see them.
Keeping Track of Policy Changes and Approvals
It’s not enough to update policies and procedures. An institution also needs to demonstrate that the board and management were involved in developing those policies and procedures and have signed off on them. It ties back to board and management oversight. A strong CMS will be able to track and document this process as well as ensure no policy is neglected and left to collect dust.
It is essential to keep track of different versions of a policy and ensure the most recent policy is being utilized across the financial institution. Without this organization, employees may rely on the wrong process and increase the risk of providing noncompliant products and services.
Embracing these four ways to streamline a CMS can help compliance officers more efficiently manage the day-to-day details of compliance management, freeing them to focus on more strategic initiatives while being exam-ready.