
Examiners Want to Know: Does Your CMS Ensure Consumer Protection & Compliance?

Apr 13, 2020

Regulators aren’t messing around when it comes to consumer protection and compliance. That’s the message the FDIC sent in an enforcement action against a Wisconsin community bank that demonstrated weaknesses in its consumer protection and compliance program.

While the enforcement action (EA) doesn’t go into the details of what went wrong, it makes clear that the bank has to improve the following areas of its compliance management system (CMS).

  • Board oversight and commitment
  • Dedication of adequate resources
  • Due diligence and oversight of third parties
  • Anticipation and response to changes in laws/regulations, market conditions, and products and services offered
  • Due diligence reviews of the product life cycle
  • Identification of compliance risks
  • Management of identified risks (including self-assessments)
  • Response and remediation of deficiencies in compliance risk management
  • Ongoing compliance training for all staff
  • Compliance monitoring and reviews

It also needs to add:

    • A compliance coordinator authorized to cross departmental lines, correct deficiencies, and report directly to the board.
    • A compliance committee that meets at least monthly, reports to the board and has at least one senior manager and one independent director.
    • Ongoing training and sufficient time and resources for the compliance coordinator and committee.


CFPB Bulletin on Minimizing Consumer Harm

The FDIC isn’t alone in focusing on consumer protection and compliance. In March the Consumer Financial Protection Bureau (CFPB) updated a 2013 bulletin on “responsible conduct” that can minimize harm to consumers.

The bulletin emphasizes the importance of compliance culture and notes that the bureau “will favorably consider” responsible conduct when dealing with violations of consumer protection law. Factors the CFPB will consider include:

      • Self-assessments. Efforts to prevent and detect violations of consumer financial law early.
      • Self-reporting. Prompt self-reporting demonstrates a commitment to compliance.
      • Responding quickly when violations are discovered, including root-cause analysis, to reduce the likelihood of future violations.
      • Going above and beyond the required response for cooperating with the CFPB.

Preventing Consumer Harm with Your CMS

Preventing consumer harm is among the top goals of financial regulators. That goal is best accomplished with a streamlined CMS.

The primary functional regulators agree that there are three essential categories in an effective CMS:

      1. Board and management oversight of change management
      2. A compliance program
      3. Violations of law and consumer harm.

The first two items encompass an institution’s CMS. The third one helps measure its effectiveness.

It’s easy to have compliance issues if there isn’t a strong compliance program and board and management oversight. In theory, any product or service could pose consumer harm—including those offered by third parties on behalf of the financial institution.

Violations are assessed on the pervasiveness of the violation, root cause, severity of the consumer harm and duration. The greater the weakness in the CMS or consumer impact and the longer or more severe the violation (or consumer harm), and the number of overall violations.

Smart institutions recognize that failure to follow applicable laws and regulations poses a substantial financial and reputational risk. They have strong internal controls to ensure policies, procedures, and systems are reliable, effective and compliant. They ensure that individuals are accountable for their actions.

Banks and credit unions need to carefully review internal controls to ensure they are effectively mitigating risks throughout the institution—and catching mistakes before regulators do.

The threat of regulatory action for institutions that fall short is anything but empty.

