What Does the NCUA Look for in a CMS?
The NCUA defines a compliance management system as a credit union’s overall approach to managing compliance risk. What does that mean for you?
Compliance risk is the potential of violating any of the laws and regulations that govern credit union operations, including those related to federal consumer financial protection enforced by the NCUA. From the Bank Secrecy Act to the SAFE Act, it seeks to determine how well a credit union is managing the risk of compliance violations.
The NCUA’s CMS approach is based on the principles of the FFIEC’s Consumer Compliance Rating System, which are included in NCUA’s list of Compliance Risk Indicators, last updated in 2017. This document helps examiners evaluate compliance risk as part the Risk-Focused Examination program.
A CMS Should Be Proactive
The NCUA is looking for a CMS that is proactive. It should be designed to promote self-identification and self-correction of deficiencies and be commensurate with a credit union’s size, complexity, and risk profile This extends to oversight of third-party relationships and their compliance with applicable laws and regulations.
Examiners will rely on the Compliance Risk Indicators Framework to evaluate three broad categories:
- Board and management oversight
- The compliance program
- Violations of law and consumer harm (if applicable)
Board and Management Oversight
Knowledge of and commitment to the CMS. Both the board and management must demonstrate knowledge of and commitment to the CMS. Examiners assess this by looking for communication, the allocation of appropriate capital and human resources, and a staff that is well trained and accountable for compliance. Management due diligence and oversight of third-party vendors’ commitment to consumer compliance is a must.
Effective change management process. When laws, regulations, and market conditions change, management needs to have a process in place to promptly evaluate the impact of the change and respond accordingly. Similarly, if a credit union considers introducing a new product or service or changing an existing one, it should consider the product's life cycle and review whether the product or service has performed as expected.
Risk management. A credit union should have systems in place to identify and manage both existing and emerging risks. It should have a strong culture of compliance with risk management that minimizes the potential for serious compliance violations. Comprehensive self-assessments are an important element of risk management.
Self-identification and corrective actions. Management should be able to proactively identify compliance deficiencies, including violations of law or regulation, and then take prompt corrective action.
The Compliance Program
The effectiveness of a compliance program is assessed by the following elements.
Policies and procedures. These should be strong, comprehensive and provide standards both internally and for third-party relationship management to manage compliance risk.
Training. From the board and management to staff, compliance training should be comprehensive, timely and tailored to staff job duties. Training should be updated along with new consumer protection laws or regulations or when new products are introduced.
Monitoring and audit programs. A credit union should have comprehensive, timely, and successful systems for identifying and measuring compliance risk. Adjustments should be made when weaknesses are identified.
Complaint resolution. Examiners want to see prompt and thorough complaint responses and for management to assess complaints for consumer harm.
Violations of Law and Consumer Harm (if applicable)
Violations are assessed by on the pervasiveness of the violation, root cause, severity or any consumer harm and duration. The greater the weakness in the CMS or consumer impact and the longer or more severe the violation (or consumer harm), and the number of overall violations.
To learn more about compliance management and how to construct a CMS, check out the Ncontracts webinar, What Is A CMS And Why You Should Have One.