There is a generally subscribed to notion that “my bank or mortgage company” will not be held accountable for compliance and will not be the subject of close regulatory scrutiny given its business model, size, history, etc. A common conclusion is that the Consumer Financial Protection Bureau (CFPB) is simply focusing on the “big fish,” looking for large trophies to show off, and that smaller lenders, community banks and even credit unions have an implied “pass” to skate by without giving much thought to compliance management or corporate governance.

Fingerprints are unique to each individual. Likewise, every company is unique. Thus, the notion that onerous examination, and the need to plan and develop a mature compliance strategy, differs from one financial institution to another is akin to the myth of fingerprints. Paul Simon sang about this myth: the false notion that every person, with his or her unique qualities, is different from one another — when, in fact, we are all the same. This is evident through the CFPB’s actions during its relatively short history.

We have all read about large enforcement actions for egregious failures in various aspects of compliance management. The CFPB has covered nearly every area of concern: advertising and sales practices, originator compensation, fair lending and kickbacks, to name a few. These actions have hit large and small institutions alike.

What is not closely tracked, and is only available by anecdotal discussion, is that the CFPB has examined hundreds of banks and nonbank lenders. In doing so, the bureau has closely reviewed every detail of a company’s operations. Typically, examiners issue private guidance and specific expectations for the future based on their findings. And, usually, the results are not pretty. This is all the more evident when considering that the CFPB will return in three to six months to assess whether a company has corrected its failures.

It is notable that the CFPB has not financially crippled every institution in which it has found problems. However, the bureau is continuously learning, and examiners are becoming very familiar with common weak points and vulnerabilities. By now, they have seen it all, again and again.

The results of these private reports are sometimes a harsh wake up call. More and more, the lessons to be learned are the same. Bank and nonbank lenders are repeatedly being held culpable for failing to maintain a mature compliance management system and provide proper governance and oversight. These institutions, because of a failure to plan, then open themselves up to repeated CFPB visits, very significant costs of correction and continued oversight by “big brother.”

If you are a student of the CFPB’s examination manual, one would assume that the bureau views compliance as “one size fits all.” The same goes for examination guidelines from the OCC, FDIC and state regulators. While one size does not fit all, there is a commonality among all financial institutions — the need to plan and execute a comprehensive system of checks and balances.

This is not accomplished by simply publishing policies that are bought off the shelf or by reacting, after the fact, to changes and new guidance (as we have seen in the past month on the subject of MSAs). It is accomplished by being proactive and dedicating thought and resources to discover and fix problems before they become systemic in nature.

It is expected that every institution will have a system in place that provides effective oversight and control over every element of its business. The need for that system to be a central pillar in every organization — to display the maturity desired by the CFPB — is the same for every regulated institution.

Yes, every lender may have its own set of fingerprints. However, the need for every lender to maintain effective management and control is the same across the board. Every financial institution is in the same boat, whether or not you think the CFPB will examine you and whether or not you feel your organization is subject to the bureau’s oversight. (Yes, they can and will regulate any company coming between a consumer and its money.)

As more and more companies are receiving “private” write-ups for failing to maintain a “mature” compliance management system, we expect to see large fines and published penalties on this very subject in the near future. They are definitely in the works.

What is the correct action plan? The first step is honest evaluation and gap analysis of where your company may be falling short. This is often best accomplished by an outsider with a fresh set of eyes. Companies must also tighten their governance structure and document their efforts. When the CFPB comes knocking, you must have something to report. When we are asked by clients to evaluate these issues, we often see an absence of structure and a lack of planning and accountability.

Large and small banks, credit unions and nonbank lenders continually fall into the same traps. They are not unique. However, the art of implementing effective tools to fit each company’s particular gaps is where companies may differ, and where a trained outsider can assist.

What are you doing to address this issue? Are you prepared to handle the scrutiny that may be headed your way?