What Is A Compliance Management System And Why Your Financial Institution Needs One
EXECUTIVE SUMMARY: The definition of a CMS includes three key elements: board and management oversight; a compliance program; and violations of law and consumer harm. This blog post breaks down each of these elements and offers advice for streamlining existing compliance functions to create a more effective and efficient CMS.
- What Regulators Are Saying About CMSs
- Where CMS Expectations Begin: Understanding The Consumer Compliance Rating System
- Board And Management Oversight
- A Compliance Program
- Violations Of Law And Consumer Harm (If Applicable)
- One CMS Does Not Fit It All
- Interpreting regulations and keeping up with changes
- Cross-departmental collaboration
- Maintaining organized records needed to produce reports for examiners and board meetings
- Keeping track of policy changes and approvalsFour Ways To Streamline Your CMS
- Consequences Of Poor Compliance Management
- About Ncontracts
Compliance management is no joke. From the day-to-day work of making sure everyone is following policies and procedures to training staff to tracking, understanding, and implementing new regulations and predicting the impact of proposed rules, it’s a Herculean exercise in organization and education.
That’s why federal regulators require financial institutions to have a compliance management system (CMS). While each agency has its own definition of a CMS, it all boils down to one simple concept: how a financial institution manages consumer compliance risk.
- Learning about compliance requirements
- Training business units
- Ensuring processes are compliant
- Reviewing operations to ensure requirements are carried out
- Correcting and preventing consumer harm
Each of these day-to-day activities help shape the compliance program of a financial institution.
As you’ll learn, a CMS is a regulatory expectation, but it’s also a valuable tool that helps an institution manage risk (including operational, strategic, compliance and reputation risk), promote self-corrective action, and prevent severe consumer harm and penalties.
What Regulators Are Saying About CMSs
FDIC: “...the FDIC expects the Board of Directors and management of each institution to have a system in place to effectively manage its compliance risk, consistent with the size and complexity of its products, services, and markets.”
NCUA: “…Field staff’s supervisory evaluation will typically focus primarily on evaluating the sufficiency of a credit union’s overall approach to managing compliance risk– also referred to as a compliance management system.”
CFPB: “…an institution must develop and maintain a sound compliance management system (CMS) that is integrated into the overall framework...”
OCC: “…examiners should consider the effectiveness of the bank’s CMS for compliance with all applicable consumer protection- related laws and regulations…”
THE FED: “To a large degree, the success of an institution’s CMS is founded on the actions taken by its Board and management.”
FFIEC: “While compliance management programs vary based on the size, complexity, and risk profile of supervised institutions, all institutions should maintain an effective CMS.”
Where CMS Expectations Begin: Understanding The Consumer Compliance Rating System
The Federal Financial Institutions Examination Council (FFIEC) developed the Consumer Compliance Rating System (CC Rating System) as a framework for evaluating how a financial institution is managing consumer compliance risk, supporting compliance and preventing consumer harm.
The FFIEC recommended that agencies implement the November 2016 update to the CC Rating System for compliance examinations on or after March 31, 2017. Ratings are on a scale of 1 (the best) to 5 (the worst).
The CC Rating System is based on four principles:
Risk-based. An institution’s CMS will depend on its size, complexity, and risk profile. No two institutions will have the exact same CMS.
Transparent. The ratings system is meant to be transparent, with clear distinctions between rating categories to support consistent application.
Actionable. Examiners are asked to identify areas of strength and weakness and provide the rating that conveys whether examiners view an FI’s CMS as effective.
Incentivizes compliance. Ratings give credit for self-identification and prompt correction of consumer compliance weaknesses/issues. They also reflect the potential impact of consumer harm identified in examinations.
From a financial institution’s perspective, the most important part of the CC Rating System is how it defines a compliance management system, since its framework informs the CMS requirements of all primary federal banking regulators.
The primary functional regulators agree that there are three essential categories in an effective CMS:
- Board and management oversight of change management
- A compliance program
- Violations of law and consumer harm
The first two items encompass an institution’s CMS. The third one helps measures its effectiveness.
Board And Management Oversight
The board and management are responsible for overseeing all elements of compliance, including change management, risk management and corrective action.
Knowledge of and commitment to the CMS. Both the board and management must demonstrate knowledge of and commitment to the institution’s CMS. This is demonstrated with clear communication, the allocation of appropriate capital and human resources, and a staff that is well trained and accountable for compliance. Management’s oversight and due diligence of third-party vendors to ensure their commitment to consumer compliance is a must.
Effective change management process. When laws, regulations, and market conditions change, management needs to have a process in place to promptly evaluate the impact of the change and respond accordingly. Similarly, if a financial institution considers introducing a new product or service or changing an existing one, it should consider the product’s life cycle and review whether the product or service has performed as expected.
Risk management. An FI should have systems in place to identify and manage both existing and emerging risks. It should have a strong culture of compliance with risk management that minimizes the potential for serious compliance violations. Comprehensive self-assessments are an important element of risk management.
Self-identification and corrective actions. Management should be able to proactively identify compliance deficiencies, including violations of law or regulation, and then take prompt corrective action.
It all comes down to a culture of compliance. Both the board and management should demonstrate they are committed to introducing and overseeing effective compliance policies, procedures, risk assessments, due diligence, training, and accountability. They should promote an environment where staff are encouraged to report compliance issues, knowing the board and management will be receptive and welcoming of the feedback. Staff should not fear reprisal.
The board should stay abreast of consumer compliance-related information and have the information it needs for oversight. It should also provide a credible challenge to management. The board isn’t there to rubber stamp executive decisions. It’s there to probe for information from management, consultants, and experts to make well-informed decisions. Directors shouldn’t immediately accept information presented at face value. They need to dig deeper and ask pointed questions to uncover potential concerns and address red flags.
Related: Nboardportal - Features & Benefits
A Compliance Program
A compliance program plays three roles. It prevents problems with policies, procedures and training. It uncovers potential issues with monitoring, testing and independent audits. It also corrects issues with complaints, errors and violations of rules and laws.
A compliance program should include:
- Policies and procedures. These should be strong, comprehensive and provide standards both internally and for third-party relationship management to manage compliance risk. This includes change management, ensuring there are programs in place to ensure applicable regulatory changes and identified and integrated into policies and procedures to ensure all business lines remain compliant.
- Training. From the board and management to staff, compliance training should be comprehensive, timely and tailored to staff job duties. Training should be updated along with new consumer protection laws or regulations or when new products are introduced.
- Monitoring and audit programs. A financial institution should have comprehensive, timely, and successful systems for identifying and measuring compliance risk. Adjustments should be made when weaknesses are identified.
- Complaint resolution. Examiners want to see prompt and thorough complaint responses and for management to assess complaints for consumer harm.
Violations Of Law And Consumer Harm (If Applicable)
It’s easy to have compliance issues if there isn’t a strong compliance program and board and management oversight. In theory, any product or service could pose consumer harm—including those offered by third-parties on behalf of the financial institution.
Violations are assessed on the pervasiveness of the violation, root cause, severity of the consumer harm and duration. The greater the weakness in the CMS or consumer impact and the longer or more severe the violation (or consumer harm), and the number of overall violations.
When implementing a complaint management program, consider:
- Is my FI tracking complaints from the right source(s)?
- How does my FI define a complaint?
- How is my FI managing complaints?
- Is my FI paying attention to third-party complaints?
- Is my FI identifying areas of improvement and areas of high risk?
"When compliance officers more efficiently manage the day-to-day details of compliance management, it frees them to focus on more strategic initiatives while being exam-ready."
Related: Ncomply Overview
One CMS Does Not Fit All
Regulatory agencies have been emphasizing the importance of a strong and effective CMS, yet they’ve given financial institutions a lot of flexibility in building one.
That leaves a great deal of room for customization— and this is where a compliance officer’s institutional insights are extremely valuable. No two financial institutions are identical, and their CMSs shouldn’t be either. A CMS should be developed keeping in mind the institution’s size, products and services, structure, risk tolerance and other unique factors.
This is especially true in an environment where many smaller financial institutions have specialized to compete more effectively. An institution may focus on certain niches of commercial lending, have left the mortgage market or operates in a tech-heavy environment.
Compliance officers at such institutions become experts in these niches, learning to sort through information on new regulations to pick out what applies to their institution—and then developing policies and procedures that build on an institution’s strengths and address its weaknesses.
Four Ways To Streamline Your CMS
The challenge is finding more efficient ways to manage these well-thought-out policies. Many institutions already have a strong CMS in place. They simply need to find ways to enhance their existing systems to keep pace with the rate of change.
When compliance officers more efficiently manage the day-to-day details of compliance management, it frees them to focus on more strategic initiatives while being exam-ready.
While there are many ways to design a strong CMS, compliance officers and their staff should prioritize four key elements to streamline the process:
- Interpreting regulations and keeping up with changes
- Cross-departmental collaboration
- Maintaining organized records needed to produce reports for examiners and board meetings
- Keeping track of policy changes and approvals
1. Interpreting Regulations And Keeping Up With Changes
A compliance officer could spend all day, every day tracking and reading changes to regulations and still never get to them all—let alone interpret and implement them.
An efficient CMS has a method to actively monitor and quickly review regulatory changes, determine which rules specifically impact the institution, share these changes with affected business units, and develop step-by-step plans for writing, updating and modifying policies and procedures.
2. Cross-Departmental Collaboration
Compliance activities aren’t restricted to the compliance department. Everyone at the FI, from lending to IT to marketing and the frontline, has a role to play in keeping the financial institution compliant. The question is how an institution can effectively build and reinforce a culture of compliance.
"A good CMS should have tools and systems for ensuring the different departments and areas are leveraging each other’s work, rather than duplicating efforts."
It starts at the top with the buy-in of the board and management, and continues with unified execution. Consider vendor management activities. This area of compliance touches cybersecurity, business continuity planning, and enterprise risk management.
A good CMS should have tools and systems for ensuring the different departments and areas are leveraging each other’s work, rather than duplicating efforts. It should make it easy to see regulatory overlap, assign responsibility for specific areas, and ensure that everyone works with the same data and work product.
In addition, an institution’s CMS should make it easy to demonstrate to management and examiners the collaborative efforts undertaken by all units to achieve and maintain compliance. For example, a good CMS needs to account for the fact that employees throughout the institution must engage in compliance training and ensure employees are not only aware of policies and procedures but are following them.
3. Maintaining Organized Records
Everyone who manages compliance knows the cardinal rule of documentation: If you didn’t document it, it didn’t happen.
Financial institutions need a standardized and centralized system to efficiently manage and document the compliance process, including task management. Compliance officers need to demonstrate to the board and examiners that they know what’s being done, when it’s being done and who is responsible for doing it.
Smart compliance officers know financial institutions are filled with people, and people make mistakes. No matter how strong an institution’s policies and procedures, there will be times when things don’t go according to plan. The key is to find and address these mistakes before significant consumer harm occurs or regulators find these errors blindsiding the compliance department.
This can be an enormous task—even for the most diligent compliance officers. A strong audit trail involves many employees and departments, meaning there are many moving pieces to track. Hours are spent tracking down individuals and following up to ensure their parts are completed. It’s a constant effort to track and document. And the stakes are high. If something falls through the cracks and an examiner finds an error, it can cast a shadow over the institution’s entire CMS—not to mention fines and other fiduciary repercussions.
Good documentation demonstrates that an institution is following policies and procedures, testing for weaknesses and actively taking steps to remediate any problems. But good documentation is incomplete without an easy to navigate document repository that produces records when examiners want to see them.
"Poor compliance management can have huge consequences for a financial institution including enforcement actions, fines, and bad publicity."
4. Keeping Track Of Policy Changes And Approvals
It’s not enough to update policies and procedures. An institution also needs to demonstrate that the board and management were involved in developing those policies and have signed off on them. It ties back to board and management oversight. A strong CMS will be able to track and document this process as well as ensure no policy or procedure is neglected and left to collect dust.
It is essential to keep track of different versions of a policy and ensure the most recent policy is being utilized across the financial institution. Without this organization, employees may rely on the wrong process and increase the risk of providing noncompliant products and services.
Embracing these four key elements can help compliance officers more efficiently manage the day-to-day details of compliance management, freeing them to focus on more strategic initiatives while being exam-ready.
Consequences Of Poor Compliance Management
Poor compliance management can have huge consequences for a financial institution including enforcement actions, fines, and bad publicity.
In 2018 a bank in the northeast was fined $641,000 for failing to update its compliance program when regulations changed. The oversight caused it to use a non-compliant disclosure form.
A 2019 enforcement action against a midwestern bank resulted in a $200,000 fine when it failed to implement a compliance management system “commensurate with the level of complexity of the Bank’s operations.” The bank was unable to provide documentation and reports needed for their current business practices.
In 2016, a credit union in the Washington, D.C., metro area was ordered to pay a $5.5 million civil money penalty over federal law violations pertaining to its debt collection practices in addition to providing $23 million in restitution to affected members. According to the enforcement action, “compliance controls and employee training regarding debt collection communication were inadequate.”
Smart institutions recognize that failure to follow applicable laws and regulations poses a substantial financial and reputational risk. They have strong internal controls to ensure policies, procedures and systems are reliable, effective and compliant. They ensure that individuals are accountable for their actions.
Banks and credit unions need to carefully review internal controls to ensure they are effectively mitigating risks throughout the institution—and catching mistakes before regulators do.
The threat of regulatory action for institutions that fall short is anything but empty.
As financial institutions work to build and improve their compliance management systems, the shortcomings of spreadsheets and manual processes for managing compliance are becoming increasingly apparent.
But with so much variability in CMS programs, how does an institution find CMS software that will best support it needs?
The answer is to look for a solution with these seven key features:
1. Tailored to your financial institution. Regulators aren’t always thrilled with out-of-the-box solutions, especially when it comes to a CMS. Federal regulatory guidance says that a CMS should be tailored to fit the size, complexity, and level of risk of the FI. It should also take into account the unique products, services and profile of your institution.
Out-of-the box solutions don’t always provide this kind of flexibility. They expect FIs to bend to meet the needs of their system, instead of working to meet the FIs needs.
Avoid this problem by making sure you understand the special compliance challenges your FI faces before meeting with CMS vendors. Make sure the vendor’s system is capable of meeting your needs now—and in the future. It will need to be adaptable to changes in strategic direction that impact compliance, whether it’s new products and services, new markets, or an acquisition.
If it’s a choice between the software provider’s way or the highway, take the highway and find someone else.
2. Easy to use. It should go without saying that a CMS product should simplify your day-to-day. If the software is hard to understand and manage, you are less likely to use it—and the rest of the FI’s staff will feel the same way.
Instead of using your new software, people will be tempted to revert to manual processes like Excel spreadsheets, re-introducing the problems you were seeking to avoid.
Take the time to dig into the usability of any CMS you are considering to determine how intuitive and organized it is. Does it make sense to you? If it doesn’t, you won’t want to use it.
3. Updated frequently. There were 365 proposed and final rules issued by federal regulators in just the first six months of 2019. The CMS you select needs to help you keep up with them.
Changes to regulation and guidance should be communicated to the users as quickly as possible to allow for planning and collaboration. Ask how often updates will be made, how quickly you can expect the CMS software to alert you to changes, and what form those updates will take.
4. Tracks both proposed & final rules. Some CMS products believe the only rules you need to worry about are those that have been finalized. Don’t fall into this trap. Knowing about potential changes to regulation can help your FI’s strategic planning.
For example, if management is considering introducing a new product or service, but there is a potential regulatory change on the horizon that could impact how you would offer that product or service, it’s important to be aware and communicate it to management.
In addition, some FIs want the ability to provide comments on proposed regulations. If CMS software is only communicating final rules, you’ll miss half the story.
5. Capturing compliance activity & demonstrating compliance efforts. Compliance isn’t a black box activity. Regulators expect you to show your work.
A CMS should make it easy to demonstrate to examiners and auditors what you are doing to stay compliant. From who did what and when to why you made the decision that you did, a CMS should make it easy to document compliance-related activities.
Look at the type of tracking and logging a CMS offers to determine if it’s seems complete enough to satisfy your examiners and auditors.
6. Simplifies communication. Compliance is the responsibility of every single employee and board member of the financial institution. A CMS needs to make it easy to communicate compliance requirements across business units and manage the policy review process.
The policy review process generally requires the collaboration of the policy owner, policy review committee, senior management and board. Having a system that allows all individuals that need to be involved will cut down on the need to send and track countless emails.
Investigate the mechanisms a potential CMS uses for communicating compliance information with staff, management and the board.
7. Facilitates organization. Compliance management is a never-ending parade of policies, procedures and documents. Compliance officers need the ability to retrieve important documents quickly for examinations, audits and internal processes. There is nothing more frustrating than spending hours looking for a document or having to reproduce it because is not in its right place.
A CMS solution should make it easy to store and find the most current and up-to-date version of these documents so they are accessible and available when you need them.
Whether it’s an internal solution or one offered by a third-party provider, make sure any CMS software implemented includes these seven features. It’s the best way to demonstrate that an institution has a fully developed CMS with board and management oversight, a compliance program, and awareness of violations.