The Consumer Financial Protection Bureau (“CFPB” or the “Bureau”) has released a “Supervisory Highlights” report for Fall 2012. The report not only highlights specific supervisory action the Bureau has taken but also provides very instructive guidance. The most important part of the report outlines the CFPB’s views regarding:

  • Compliance Management Systems; 
  • The use of affiliate and third-party service providers or vendors (“service providers”); and 
  • Fair Lending compliance programs


The Supervisory Highlights report states that “[a] critical component of a well-run financial institution is a robust and effective compliance management system” and “one of the most important responsibilities of the CFPB supervisory program is assessing the quality of the compliance management systems employed by the financial institutions under the CFPB’s jurisdiction.” An effective Compliance Management System must address:

  1. Internal controls and oversight; 
  2. Training; 
  3. Internal monitoring; 
  4. Consumer complaint response; 
  5. Independent testing and audit; 
  6. Third-party service provider oversight; 
  7. Recordkeeping; 
  8. Product development and business acquisition; and 
  9. Marketing practices

An effective CMS must also be applied to a financial institution’s “entire product and service lifecycle.” The CFPB has discovered multiple situations where an effective Compliance Management System was lacking across the entire consumer financial portfolio. Financial institutions must have the “ability to address risks presented by [all] its lines of business.” This requires adopting and following “comprehensive” internal policies and procedures. The CFPB Supervisory Highlights report stresses the importance of expanding compliance staff who are competent, experienced, well-trained and knowledgeable, and of enhancing “regulatory knowledge and expertise.”

It is not enough that a financial institution simply adopt comprehensive policies and procedures – they must also be:

  1. Clearly communicated to employees; 
  2. Fully implemented; and 
  3. Regularly followed.

Management must actively participate in ensuring compliance. The CFPB indicates that it will evaluate “both the understanding and application” of compliance programs by managers and employees, and it has noted its discovery of several situations where appropriate compliance policies were articulated but not followed. The necessity of an effective Compliance Management System must be “fully appreciated by management [and] employees.”

In other words, the Compliance Management System must be an important part of the job of not only management but every level of employee involved in consumer products and services. In addition, compliance departments must be: (i) given access to the information resources and (ii) provided sufficient personnel to allow them to carry out their compliance duties.

Service Providers

While recognizing the use of service providers “is often an appropriate business decision,” the report stresses that oversight of these service providers is “a key component of an effective [Compliance Management System]” and the CFPB expects supervised entities retaining service providers or operating through service providers “to have an effective process for managing the risks of those relationships to ensure compliance.” The report also makes special note of the fact that delegating tasks to service providers “does not absolve [a] financial institution for responsibility” for compliance and “does not give it a license to ‘turn a blind eye’ to violations of Federal consumer financial laws and regulations.”

The report notes the CFPB has found instances where service provider oversight was inadequate because a financial institution did not “establish a comprehensive service provider management program” or because it “failed to effectively manage service providers . . . to ensure compliance.” As an example, the report cites the failure of a financial institution and a service provider to “adequately coordinate their correspondence with consumers” to prevent confusion.

Fair Lending Compliance Program

All financial institutions “should establish fair lending policies, procedures and internal controls” to ensure compliance with the Equal Credit Opportunity Act. The report lists a number of common features of well-developed fair lending compliance programs, including:

  1. An up-to-date fair lending policy statement; 
  2. Regular fair lending training; 
  3. Ongoing compliance monitoring; 
  4. Review of lending policies for potential fair lending violations; 
  5. Regular assessment of the marketing of loan products; and 
  6. Meaningful management oversight.


Overall, the following takeaways can be drawn from the Fall 2012 Supervisory Highlights report:

  1. An effective Compliance Management System must be comprehensive and cover all products and services; 
  2. Comprehensive policies and procedures must not only be adopted, but be fully implemented and regularly followed; 
  3. Management must understand policies and procedures and actively participate in ensuring compliance; 
  4. Compliance departments must have sufficient resources and personnel and financial institutions must ensure that compliance departments have sufficient regulatory knowledge and expertise; 
  5. Financial institutions using service providers retain responsibility for ensuring compliance at the service provider level and must ensure effective oversight of such service providers; and 
  6. The effective development, implementation and review of fair lending policies and procedures is essential.
