The Consumer Financial Protection Bureau (CFPB) reiterated the importance of robust compliance management systems (CMS) for CFPB-supervised institutions.
A well-developed compliance management system, or CMS, lessens risks to consumers and reduces the potential for violations of Federal consumer financial law. Because of the importance of a robust CMS, every CFPB examination contains some level of CMS review. As the CFPB has described in its Supervision and Examination Manual, CMS is how an entity:
The CFPB does not require a particular CMS structure. However, supervisory experience has found that an effective CMS commonly has four interdependent control components:
When all of these control components are strong and well-coordinated, a supervised entity is likely to be more successful at managing its compliance responsibilities and risks.
The leadership of a supervised entity, up to and including the board of directors, is expected to establish clear lines of accountability and provide oversight of its CMS, including the establishment of a comprehensive program commensurate with its size, consumer risk profile, and product offerings.
A strong compliance program consists of adequate policies and procedures, training, and monitoring and corrective action. Policies and procedures should include guidance to the company’s personnel regarding how to carry out their responsibilities in compliance with applicable Federal consumer financial laws. These policies and procedures should be consistent with one another, and they should be written, followed, and board- or leadership-approved. Additionally, institutions need to implement training programs robust enough to provide effective and comprehensive instruction to personnel. With appropriate breadth and depth, training is expected to address all applicable Federal consumer financial laws, and a company’s leadership is expected to ensure that its staff is trained regarding how to perform their jobs in a compliant manner. Appropriate training programs typically include formal training schedules, attendance records, and written reference materials. Additionally, training programs should be responsive to new or changing regulatory requirements, new products and services, and product changes. Monitoring should, in an organized and risk-focused way, identify procedural or training weaknesses in an effort to provide for a high level of compliance by promptly identifying and correcting weaknesses.
Supervision expects entities to respond to their customers’ complaints, not only to address potential consumer harm in a single instance, but to identify major issues and trends that may evidence broader concerns, including risk to consumers, gaps in compliance management, and potential violations of Federal consumer financial law.
Compliance audit programs should include an audit plan that takes consumer compliance risks into consideration. Moreover, compliance audits should include a process by which the institution reports its findings to appropriate leadership and managers, responds to exceptions, implements corrective action, and monitors the results of corrective action. Importantly, these audit programs should be independent of both the compliance program, including the monitoring function, and those business functions that include customer sales or service.
Finally, the CFPB recognizes the importance of third-party service providers to the operations of many supervised entities. However, as the CFPB explained in Bulletin 2012-03, it expects entities to select these service providers carefully, include compliance expectations in contracts, and monitor service providers’ work and complaints about their work. If a third-party service provider fails to perform properly, a supervised entity is expected to require remediation and to take measures that may include, in appropriate circumstances, termination of the service provider’s contract. The fact that a supervised entity enters into a business relationship with a service provider does not absolve the supervised entity of responsibility for complying with Federal consumer financial law and, depending on the circumstances, it may be held legally responsible for violations by the third party.