In addition to spotlighting the critical importance of a CMS, the CPFB’s citing of CMS-related deficiencies begs the question of whether anyone is capable of meeting the CFPB’s expectations.
The CFPB has generated acute awareness of the term “compliance management system” (CMS) through its highly publicized consent orders. Since it began issuing orders in 2011, the CFPB has invariably cited “significant weaknesses” in the subject party’s CMS along with violations of specific federal consumer financial laws. In addition to spotlighting the critical importance of a CMS, the CPFB’s citing of CMS-related deficiencies against entities engaged in credit card lending, mortgage lending, auto lending, payday lending, check cashing services, payment processing, collections and other financial activities begs the question of whether anyone is capable of meeting the CFPB’s expectations.
This article explores the concept of a CMS, which predates the creation of the CFPB under the Dodd-Frank Act in 2010, and reviews CMS-related guidance issued by a number of sources, including the CFPB. Aside from its consent orders, the CFPB’s primary guidance on CMS expectations is found in its Supervision and Examination Manual (CFPB Manual), which was issued in October 2012. The CFPB Manual’s CMS discussion reflects a strong influence from earlier safety and soundness guidance issued by the federal banking agencies and, in some cases, is nearly identical. Understanding the principles behind the CFPB’s thinking provides a deeper awareness of what an appropriate CMS entails and why having an effective CMS is essential to preventing and mitigating violations of law.
The Comptroller’s Handbook for Compliance Management System was issued by the OCC in 1996 — 14 years before the CFPB was established. It refers to a CMS as “the method by which the bank manages the entire consumer compliance process.” Meanwhile, guidance issued by the FDIC in 2006 refers to “a sound compliance management system that is integrated into the overall risk management strategy of the institution.” These descriptions extend beyond the role served by the compliance function, which is what most people think of when the subject of compliance come up. In fact, the CMS, of which the compliance function is a subset, is itself a component of an institution’s overarching risk management framework.
The Comptroller’s Handbook for Corporate and Risk Governance (OCC Risk Governance Handbook) discusses supervisory expectations for a financial institution’s risk management framework. Within this framework, the institution’s risk management system consists of a three-tiered, integrated structure for identifying, preventing and mitigating business and regulatory compliance risks. The CMS can be thought of as the portions of the risk management system that serve to manage regulatory compliance risks, including consumer-related risks. The following illustration from the OCC Risk Governance Handbook shows the risk management framework in the form of a pyramid:
At the top of the above pyramid is risk culture. The OCC Risk Governance Handbook explains that the board of directors is responsible for establishing the organization’s core corporate values. In this regard, guidance issued by each of the three federal banking agencies (i.e., the OCC, the FDIC and the Fed) and the international Basel Committee on Banking Supervision stresses the critical importance of the “tone from the top.”
Basel guidance elaborates on the role of risk culture as follows:
Compliance starts at the top. It will be most effective in a corporate culture that emphasizes standards of honesty and integrity and in which the board of directors and senior management lead by example. It concerns everyone within the bank and should be viewed as an integral part of the bank’s business activities. A bank should hold itself to high standards when carrying on business, and at times strive to observe the spirit as well as the letter of the law . . . . Compliance should be part of the culture of an organization; it is not just the responsibility of specialist compliance staff.
Although the CFPB Manual does not mention the term “risk culture,” it does emphasize the need for the board and senior management to set “clear expectations about compliance, not only within the entity, but also to service providers.” To this end, the CFPB Manual lists board and management oversight as the first component of an effective CMS, which should encompass:
- board and management oversight
- compliance program
- response to consumer complaints
- compliance audit.
Under federal banking agency guidance, the board of directors is expected to help define the institution’s “risk appetite,” which, along with the term “risk appetite framework,” appears frequently in risk management guidance. Risk appetite refers to an institution’s tolerance for the financial and other adverse consequences flowing from failures to comply with business or regulatory requirements. The risk appetite framework is described in Basel guidance as the:
overall approach, including policies, processes, controls and systems, through which risk appetite is established, communicated and monitored. It includes a risk appetite statement, risk limits and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the risk appetite framework.
The same Basel guidance recommends adopting a formal statement of risk appetite that addresses “quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate.” Guidance issued by the federal banking agencies likewise recommends having a risk appetite statement.
Because the CFPB’s mandate is limited to interpreting and enforcing compliance with federal consumer protection requirements, and does not include safety and soundness, neither the CFPB Manual nor other guidance issued by the agency refers to a supervised entity’s risk appetite. Risk appetite is relevant to consumer compliance, however, because it explains why the responsibility for compliance must necessarily flow to all parts of the organization, including, in the CFPB’s words, “into the overall framework for product design, delivery and administration — this is the entire product and service lifecycle.” Namely, the economic risks presented by potential civil penalties, customer reimbursements, agency enforcement actions and lawsuits brought by federal agencies, state attorneys general or private individuals pose an ever-constant threat to a supervised entity’s continued viability.
Within a “three lines of defense” risk management system, the responsibility for day-to-day adherence to the institution’s operational policies and procedures lies with the organization’s front-line business units, i.e. the first line of defense. The second line of defense functions, in turn, are responsible for conducting monitoring and testing to validate the effectiveness of the first line of defense-managed controls in mitigating the applicable risks. In this regard, the focus of independent risk management broadly extends to all operations, while the focus of compliance targets those controls with a nexus to regulatory compliance. Finally, the third line of defense, which usually consists of internal audit, performs periodic independent testing to validate the respective effectiveness of the first and second lines of defense-managed controls, including the institution’s compliance program.
In all relevant guidance, regardless of issuer, the compliance function is expected to be independent from the first line of defense. Typically this independence is achieved by establishing a separate compliance unit, but the CFPB Manual acknowledges that “compliance will likely be managed differently by large banking organizations with complex compliance profiles and a wide range of consumer financial products and services at one end of the spectrum, than by entities that may be owned by a single individual.” With respect to smaller entities, the CFPB Manual notes that “a full-time compliance officer may not be needed” and suggests that independence may be achieved through segregating duties. Similarly, FDIC guidance provides that, “the formality of the compliance program is not as important as its effectiveness. This is especially true for small institutions where the program may not be in writing, but an effective monitoring system has been established that ensures overall compliance.”
With respect to specific expectations for compliance programs, the relevant guidance is again in accord. Subject to the above-noted exceptions, the CFPB Manual states a general expectation that every supervised financial entity will “establish a formal, written compliance program . . . [which] should be administered by a chief compliance officer.” When read together, the various bodies of guidance provide that an effective compliance program should include:
- up-to-date policies and procedures establishing clear expectations for compliance
- adequate staff and financial resources
- appropriate stature within the organization to be effective
- independence from front-line business management
- direct access to the board of directors
- processes for identifying, measuring and assessing compliance risks
- the provision of ongoing guidance and education to the business regarding applicable risks, including in the form of tracked and appropriately tailored compliance training
- access to relevant information from all relevant business units
- “at the table” compliance involvement in the development of new products and services
- monitoring, testing and appropriate reporting of results
- documented corrective action plans in response to identified material deficiencies or weaknesses in compliance-related controls.
In addition to the above, CFPB- and FDIC-issued guidance both stress the importance of managing consumer complaints, which the CFPB considers to be an essential component of an effective CMS.
Returning to the threshold question of whether any supervised entity is capable of meeting the CFPB’s expectations for CMS, the short answer is yes. In its Summer 2013 Supervisory Highlights, which included a section devoted to expectations for CMS, the CFPB noted that the “majority of banks examined by the CFPB have generally had an adequate CMS structure; however, several institutions lacked one or more of the components of an effective CMS.” In the case of nonbanks, on the other hand, the same discussion noted that some entities had no CMS structure, while others attempted to embed compliance within the business line, which the CFPB noted can lead to problems. Regarding the latter structure, although the CFPB claims that it “does not require entities to structure their CMS in any particular manner,” both the CFPB Manual and its consent orders evidence a marked preference for traditional compliance structures and practices.
Lastly, the reason why CMS-related deficiencies appear in nearly every CFPB consent order — including those levied against banks — may be explained by the following statement from the CFPB Manual: “A well planned, implemented, and maintained compliance program will prevent or reduce regulatory violations, protect consumers from non-compliance and associated harms, and help align business strategies with outcomes.”
If laws and regulations are violated and the violations cause consumers to incur harms of a sufficiently severe nature to warrant the issuance of a consent order, the CFPB will undoubtedly presume the supervised entity’s CMS failed. It will then be incumbent on the entity to explain (i) why isolated deficiencies in its CMS did not contribute to the violations in question and (ii) why its overall CMS is structured appropriately and is well-managed. Based on the CFPB consent orders to date, the first of these challenges may be prove impossible to achieve, but the second should be achievable if the entity’s CMS is grounded in established risk management principles.
The CFPB Manual states that “[e]ach CFPB examination will include review and testing of components of the supervised entity’s compliance management system.” Therefore, every supervised entity should pay careful attention to the structure, resources and effectiveness of its CMS at all times.
The CFPB’s CMS expectations closely mirror safety and soundness expectations for effective risk management adopted by the federal banking agencies. The latter reflect well-accepted international standards and discuss the role of a CMS within an institution’s broader organizational structure. Understanding the concepts that influenced the CFPB is an important step toward structuring a CMS that will satisfy that agency’s standards.
Banking agency-issued guidance discusses the economic drivers for an effective CMS, which is not addressed in CFPB guidance. If economic consequences of failures to comply are duly considered within an established “risk appetite framework,” the need for an effective CMS covering the entire life cycle of a consumer product or service will be obvious.
Based on the prevalence of CMS-related findings in CFPB consent orders, the CFPB likely assumes that any violations of laws were partly caused by some material failure in the supervised entity’s CMS. Demonstrating that any failures were isolated, versus pervasive in nature, is essential in avoiding civil penalties and other increased adverse consequences.