What’s in Your Compliance Management System (CMS)?
By Evie Dehmey
On November 14, 2016, the FFIEC issued its “Uniform Interagency Consumer Compliance Rating System” guidance, which became effective on March 1, 2017. The guidance updates regulatory standards that had last been revised in 1980. Much has changed since then in technology, marketing, and general business practices, and risk assessment is certainly part of that change. The new standards emphasize compliance risk management practices aimed at consumer compliance, an institution’s Compliance Management System (CMS), and minimizing the risk of “Consumer Harm.”
The compliance rating is on a scale of 1 to 5, with “1” being the highest rating (lowest level of concern) and “5” the lowest (most critical concern). These ratings are not intended to set new supervisory expectations or add regulatory burden, but they will shift the focus of regulatory compliance exams from transaction-based testing to an evaluation of the institution’s overall CMS. Exams should be tailored to the size and complexity of your institution and to its specific risk profile (based on location, products and services, etc.). Two key aims of the new system are (1) to promote rating consistency among the banking agencies and (2) to incentivize institutions to promote consumer protection by self-identifying compliance issues.
Issues that were identified during the comment period include:
- Board and Management Oversight – Governance that achieves a “Satisfactory” or better rating demonstrates a commitment to compliance.
- Corrective Action and Self-Identification – Stronger emphasis on self-monitoring and Internal Audit to identify and correct issues.
- Training – The degree to which training is current and tailored to staff responsibilities.
- Third-Party Relationships – Institutions should not use these relationships to avoid compliance responsibility. As the preamble states, “While an institution’s management may make the business decision to outsource some or all of the operational aspects of a product or service, the institution cannot outsource the responsibility for complying with laws and regulations or managing the risks associated with third-party relationships.” Examiners will evaluate outsourced activities as though the institution had performed them itself.
- Violations of Law and Consumer Harm – Encourages institutions to prevent, identify, and correct deficiencies when they are discovered.
More details for the expected compliance standards are embedded in the guidance itself.
What’s important to know is that this guidance also provides a tool that Compliance Officers can use to make a preliminary assessment of their compliance programs. It gives insight into how exams are measured, so that one can identify strengths and weaknesses in one’s own program and begin to mitigate those risks. It looks at factors that should be part of every institution’s CMS: Commitment to CMS, Identification and Risk Management, Corrective Action, Policies & Procedures, Training, Monitoring and/or Audit, Consumer Complaint Program, and Severity and Pervasiveness of Regulatory Violations.
We recommend that every institution adopt this model for self-measurement of compliance, not only by adopting the risk matrix but also by backing it with documentation that supports your conclusions. Have a file – whether manual or electronic – ready and available for when your auditor or examiner comes calling. It will bode well for an institution’s grasp of risk management and its prevention of consumer harm.
For additional information contact firstname.lastname@example.org.