Pub. 2 2021 Issue 2

www.cbak.com 10 In Touch

Managing Compliance

BY WILLIAM J. SHOWALTER, CRCM, CRP SENIOR CONSULTANT; YOUNG & ASSOCIATES, INC.; KENT, OHIO

We have been told repeatedly over the years that we need to manage compliance, just like all aspects of our business. This maxim is particularly true in today’s escalating compliance environment. There are so many new and changed rules that have been added to the mix over the past few years that we could easily be overwhelmed if we did not proactively manage the compliance process.

Over the years, supervisory agencies have shared general outlines of compliance management systems with the financial institutions they regulate. They have been quick to point out that there is no one “right” way to manage compliance but that there are certain basic needs that any such program must meet.

Compliance Management Systems

The Consumer Financial Protection Bureau (CFPB) and other agencies view compliance management as vital to preventing violations of federal consumer financial laws and the resulting harm to consumers. In its Supervisory Highlights publication, the CFPB spelled out its expectations for an effective compliance management system (CMS) – which mirror those from other supervisory agencies.

The CFPB states that it expects every entity it supervises (large financial institutions and nonbank financial firms) to have an effective CMS adapted to its business strategy and operations. According to the CFPB, a CMS is how a supervised entity:

• Establishes its compliance responsibilities
• Communicates those responsibilities to employees
• Ensures that responsibilities for meeting legal requirements and internal policies are incorporated into business processes
• Reviews operations to ensure responsibilities are carried out, and legal requirements are met
• Takes corrective action, and
• Updates tools, systems, and materials as necessary

No agency requires financial institutions to structure their CMS in any particular manner. They recognize the differences inherent in an industry comprised of banking organizations of different sizes, differing compliance profiles, and a wide range of consumer financial products and services. In addition, some financial firms outsource functions with consumer compliance-related responsibilities to service providers, requiring adaptations in their CMS structure.

However compliance is managed, all the federal supervisory agencies expect entities to structure their CMS in a manner sufficient to comply with federal consumer financial laws and appropriately address associated risks of harm to consumers.

CFPB Findings

The CFPB has found that the majority of banks it has examined have generally had adequate CMS structures. However, several institutions have lacked one or more components of an effective CMS, which creates an increased risk of noncompliance with federal consumer financial laws.

The most common weakness identified during CFPB reviews of banks’ CMS is a deficient system of periodic monitoring and independent compliance audits. The CFPB has noted that an effective CMS implements an effective internal compliance review program as an integral part of an overall risk management strategy. Such a program has two components — both periodic monitoring reviews and an independent compliance audit. These two types of controls are not interchangeable. They must be complementary.

The periodic monitoring reviews are more frequent and less intensive than the audits, focusing on areas that carry the most risk – where mistakes should not be allowed to go uncorrected too long. Monitoring is an ongoing process conducted by either the individual business lines or the compliance officer/department on a relatively frequent basis, allowing the bank to self-check its processes and ensure day-to-day compliance with federal consumer financial laws.

The independent compliance audit is a review of all operations impacted by
