What Does the OCC Look for in a CMS?
The Office of the Comptroller of the Currency (OCC) defines a compliance management system (CMS) as “the method by which a bank manages consumer compliance risk, supports compliance with consumer protection-related laws and regulations, and prevents consumer harm.”
The Comptroller’s Handbook CC-CMS, published in June 2018, specifically addresses CMSs designed to manage consumer compliance risk.
Compliance risk is the potential for violating any of the laws and regulations that govern credit union operations, including those related to federal consumer financial protection enforced by the OCC. From the Bank Secrecy Act to the SAFE Act, it seeks to determine how well a bank is managing the risk of compliance violations.
“…Examiners should consider the effectiveness of the bank’s CMS for compliance with all applicable consumer protection- related laws and regulations…”
CMS & Risk
A CMS does more than control compliance risk. The OCC says a CMS also addresses operational risk (the risk of failed processes or symptoms disrupting the institution), strategic risk (risk resulting from poor business decisions), and reputation risk. It also notes this list isn’t absolute since risks are interrelated.
What Does a CMS Need?
The OCC wants every bank it regulates to “develop and maintain an effective CMS that is appropriate for the size, complexity, and risk profile of its operations.”
That includes 3 key components:
- Board & management oversight
- A compliance program
- Violation of law and consumer harm
Board & Management Oversight
The board and management need to understand the importance of compliance and the potential consequences for falling short of regulatory expectations. Four key areas to address include:
Oversight of and a commitment to the bank’s CMS. The OCC wants to see sufficient resources dedicated to compliance (including oversight of third-party vendors) and well-trained staff that’s accountable for compliance.
The board’s role is to create a culture of compliance, oversee management’s CMS implementation and hold management accountable. Board minutes should demonstrate review of compliance-related information.
Management’s role is overseeing the day-to-day functioning of the CMS, monitoring third-party risk management, change management, compliance risk management, and identification and correction of deficiencies. It can assign committees to oversee compliance and should establish clear compliance roles. This may include a compliance officer with the knowledge, authority, resources, and independence to effectively oversee compliance. Both bank staff and the compliance officer should be given opportunities for training.
The OCC pays special attention to third-party risk management, emphasizing that banks are responsible for ensuring vendors working on behalf of the bank are following all applicable laws, regulations, and policies. Citing OCC guidance on third-party risk management, the agency says it should include:
- Due diligence and monitoring for compliance
- Oversight of compliance-related policies, procedures, internal controls, and training
Effective change management processes. Banks should have processes to identify, evaluate, and implement changes to consumer-protection laws. It should also consider compliance when introducing new products or services or making changes to existing ones.
Comprehension, identification, and management of risks arising from the bank’s products, services, or activities. Risk should be continually identified, measured, monitored, and controlled.
Risk assessment. Banks should conduct risk assessments to mitigate existing and potential risks using quantitative and qualitative data. It should include all products, services, and business lines. Less complex institutions may have one regular risk assessment while more complex institutions may aggregate the results of multiple assessments for an enterprise-level view.
Risk assessments should determine:
- Inherent risk. The risk if there were no mitigating controls in place.
- Residual risk. The risk once controls are accounted for.
Issues should be self-identified by management and promptly addressed.
Self-identification of issues. Management should identify and promptly address issues. There should be processes for tracking, escalating, and resolving issues. Root causes should be identified and whether they link to a product, service, or business line and whether the issue is a one-off or systemic. The board should be kept informed of issues and should hold management accountable for corrections or if issues are systemic. The board should be apprised of material issues and resolution strategies, and hold management accountable for correcting issues and validating corrective actions.
Policies and procedures. Policies should support the bank’s risk tolerance, values and objectives. The scope and formality depend on the bank’s complexity.
Compliance training. All staff should receive timely and periodic compliance training appropriate for their jobs. Compliance, audit, the board, and management should receive more advanced and tailored training. Training should be documented.
Monitoring and audit. The OCC is looking for bank-wide monitoring inclusive of the bank’s products, services, and activities to help evaluate and report risks. It may be enough to simply monitor less complex or risky activities while more intensive undertaking may require an audit. A periodic independent audit is important.
- Monitoring. Should include quality control and assurance and is less formal and more frequent than an audit. Transaction testing is an important component.
- Audit. An audit should be conducted by a qualified and independent auditor who tests internal controls to identify weaknesses like violations of laws, regulations, or internal policies and procedures and uncover systemic issues. Compliance policies and procedures should be evaluated and management actions should be reviewed and validated.
Consumer complaint response. Banks should have a process for identifying, managing, and analyzing complaints. That includes the definition of a complaint, documentation, responsibility and accountability for complaint tracking and remediation, complaint analysis, and reporting to the board or management.
Violations of Law and Consumer Harm
Violations are often the sign of a weak CMS, although a CMS may have weaknesses even if no violations are found. The ability to promptly self-identify and correct violations is a sign a CMS is effective.