Pub. 2 2021 Issue 2

11 ISSUE 2 | 2021 William J. Showalter, CRCM, CRP is a Senior Consultant with Young & Associates, Inc. (www.younginc. com), with over 35 years’ experience in compliance consulting, advising, and assisting financial institutions on consumer compliance and compliance management issues. He has authored or co-authored numerous compliance publications and articles and developed and conducted compliance training programs for individual banks and their trade associations. Bill can be reached at (330) 678-0524 or wshowalter@younginc.com. consumer laws. An audit is performed on a less frequent basis, usually annually, to ensure that compliance is ongoing, that the CMS as a whole is operating properly, and that the board is aware of consumer compliance issues noted as part of these independent reviews. Audits are best performed by an independent party – usually either an internal auditor or an outside consultant. The CFPB notes that an entity lacking periodic monitoring increases its risk that violations and weaknesses will go undetected for long periods, potentially leading to multiple regulatory violations and increased consumer harm. Additionally, these entities increase the risk that: • Insufficiencies in the periodic monitoring process may not be identified • The board is not made aware of regulatory violations or program weaknesses or • Practices or conduct by employees within the business lines or compliance department that are unfair, deceptive, abusive, discriminatory, or otherwise unlawful could go undetected CMS Elements Although the CFPB states that it does not require any specific CMS structure, it notes that supervisory experience has found that an effective CMS commonly has four interdependent control components, elements that have been advocated by all regulatory agencies over the years: • Board of directors and management oversight. An effective board of directors communicates clear expectations and adopts clear policy statements about consumer compliance for both the bank itself and its service providers. The board should establish a compliance function, allocating sufficient resources and qualified staffing to that function, commensurate with the entity’s size, organizational complexity, and risk profile. The board should ensure that the compliance function has the authority and accountability necessary to implement the compliance management program, with clear and visible support from senior management. Management should ensure a strong compliance function and provide recurring reports of compliance risks, issues, and resolutions to the board or the board’s committee. • Compliance program. The CFPB and other federal financial institutions supervisors expect supervised entities to establish a formal, written compliance program, generally administered by a chief compliance officer. A compliance program includes the following elements: policies and procedures, training, monitoring, and corrective action. The agencies assert that a well- planned, implemented, and maintained compliance program would prevent or reduce regulatory violations, protect consumers from noncompliance and associated harms, decrease the costs and risks of litigation affecting revenues and operational focus, and help align business strategies with outcomes. • Consumer complaint management program. Financial service providers are expected to be responsive to complaints and inquiries received from consumers. In addition, financial institutions should monitor and analyze complaints to understand and correct weaknesses in their programs that could lead to consumer risks and violations of law. Key elements of a consumer complaint management program include: the establishment of channels through which to receive consumer complaints and inquiries (e.g., telephone numbers or email addresses dedicated to receiving consumer complaints or inquiries); proper and timely resolution of all complaints; recordation, categorization, and analysis of complaints and inquiries; and reviews for possible violations of federal consumer financial laws. The agencies expect financial firms to organize, retain, and analyze complaint data to identify trends, isolate areas of risk, and identify program weaknesses in their lines of business and overall CMS. • Independent compliance audit. A compliance audit program provides a board of directors or its designated committees with a determination of whether policies and standards are being implemented to provide for the level of compliance and consumer protection established by the board. As noted above, these audits should be conducted by a party independent of both the compliance program and the business functions. The audit results should be reported directly to the board or a board committee. The agencies expect that the audit schedule and scope will be appropriate for the entity’s size, its consumer financial product offerings, and structure for offering these products. The compliance audit program should address compliance with all applicable federal consumer financial laws and identify any significant gaps in policies and standards. When all of these four control components are strong and well- coordinated, the CFPB states that a supervised entity should be successful at managing its compliance responsibilities and risks.  No agency requires financial institutions to structure their CMS in any particular manner