Compliance Management Systems
A Structure of Excellence
• Jim Bedsole’s Working Definition:
A compliance management system (CMS) is the process used by a financial institution to provide a comprehensive program designed to reasonably ensure compliance with consumer protection laws and related regulations and minimize and remediate violations and instances of consumer harm resulting from violations.
What is a Compliance Management System?
• Uniform Interagency Compliance Rating System (effective March 2017) defines the components in three main categories:
Board and Management Oversight
Compliance Program
Violations of Law and Consumer Harm
• Establishes risk‐based benchmarks
• Provides for consistency and transparency
• Actionable
• Incents strong compliance and self‐identification and correction
What is a Compliance Management System?
Board & Management Oversight
Risk Assessment
Policies/ Procedures/ Controls
Systems
Training
Monitoring
Complaint Management
Independent Testing
Corrective Actions
Compliance Culture
CMS in Practice
CMS Deficiencies – Complaint Management
• Failure to institute clear policies & procedures, lines of communication, and employee training
• Inconsistent investigation processes
• Failure to take corrective action (“sweep it under the rug”)
• Records of complaints and resolution not adequately retained or centralized
CMS Deficiencies – Complaint Management
How to avoid:
• Complaint management policy – define what a complaint is, including complaints resolved at point of contact
• Monitor complaints from all sources (verbal, written, regulatory, social media)
• Training & accountability
• Emphasize self‐identification of issues as a positive
• Automate where possible
• Easy‐to‐access complaint recording tools
• Centralized review of complaint trends and resolution
• Root cause analysis
• Open lines of communication at all levels, including Board and Management
CMS Deficiencies – Inappropriately Scaled CMS
• Training not tailored to staff roles and responsibilities
• Compliance culture not threaded through product development, marketing, customer service
• Monitoring and/or audit schedule and coverage not aligned with risk assessments and prior audits/exams
• Third party management, oversight, and due diligence not appropriately scaled to risk
CMS Deficiencies – Inappropriately Scaled CMS
How to avoid:
• Compliance committee structure – involve all parties who own compliance risk or indirectly address compliance risk
• Align technology for risk assessments, compliance monitoring, and auditing where possible
• Plan internal audits strategically and in alignment with the risk profile
CMS Deficiencies – Governance
• Policies don’t match procedures and processes
• Required policies are not reviewed, revised, updated, adopted, or maintained
• Policies are a “check‐the‐box” exercise with no real oversight or governance
• Policies and procedures are hard to retrieve, in various formats and locations
CMS Deficiencies – Governance
How to avoid:
• Centralize policy management – leverage technology
• Assign a policy owner for each policy
• Create and automate a policy review schedule
• Ensure regulatory change management includes policy review and revision where needed
• Standardize format
• Don’t use policy templates without appropriate tailoring to your institution
• Policy attestation by affected employees
CMS Deficiencies – Change Management
• Changes are not captured and evaluated for impact (cost, systems, policies & procedures, training, monitoring)
• Action plans are weak or non‐existent
• Responsible parties not assigned
• Progress due dates not tracked/reported
CMS Deficiencies – Change Management
How to avoid:
• Automate tracking
• Spend time analyzing change
• Leverage technology and third parties
• Solid action plans
• Due date tracking and reporting – accountability
• Post‐implementation evaluation – what can we do better next time?
Build It or Buy It?
What is Unique About Today’s Environment?
Achieving CMS Agility ‐ Three Lines Model
Governing body roles: Integrity, leadership, and transparency
First line roles: Provision of products/services to clients; managing risk
Second line roles: Expertise, support, monitoring, and challenge on risk‐related matters
Third line roles: Independent and objective assurance and advice on all matters related to the achievement of objectives
Three Lines Model diagram:
GOVERNING BODY (Board/Audit Committee/Compliance Committee) – accountability to stakeholders for organizational oversight
MANAGEMENT – actions (including managing risk) to achieve organizational objectives
INTERNAL AUDIT – independent assurance
EXTERNAL ASSURANCE PROVIDERS – external audit/regulators
KEY: accountability, reporting; delegation, direction, resources, oversight; alignment, communication, coordination, collaboration
Deployment and Implementation of RegTech
What Does Agility/Adaptability Look Like in a CMS?
Compliance as a Competitive Advantage
OODA Loop
Q&A Time
Regulator CMS Expectations
OCC: Comptroller’s Handbook, Consumer Compliance, Compliance Management Systems (June 2018)
FDIC: Consumer Compliance Examination Manual – Compliance Management Systems (June 2019)
FRB: Community Bank Risk‐Focused Consumer Compliance Supervision Program
CFPB: Examination Procedures – Compliance Management Review (August 2017)
Uniform Interagency Compliance Rating System
Contact Me