As consumer finance attorneys, we spend the majority of our time explaining compliance obligations to our clients. Equally important, especially to the Consumer Financial Protection Bureau (“CFPB”), is our work to ensure day-to-day compliance with those obligations. To that end, we create compliance management systems (“CMS”) for our clients.
Developing and implementing a robust CMS for a client is an ongoing process that clients should undertake well before a CFPB examiner shows up. As a compliance lawyer drafting individual policies and procedures in a CMS, you should tailor each policy to your client’s business, products and services, as well as to the CMS as a whole. In this article, we address some considerations, issues, and landmines you might encounter in developing and implementing a CMS for your client. We begin by defining a CMS and explaining the goals of a CMS; then, we suggest strategies to tailor a CMS to your client’s industry and individual business operations. Lastly, we address some challenges that arise when tailoring a CMS and offer suggestions.
What is a “compliance management system”? A CMS is how a company establishes its compliance responsibilities, communicates those responsibilities to employees, and ensures that the company monitors and audits its efforts to meet its compliance obligations. The CMS should focus on the risks of non-compliance faced by a particular company and its products and services. A CMS should be comprehensive, addressing all compliance obligations for the entire lifecycle of the product and service handled by the client. A CMS may encompass legal obligations other than consumer finance laws and regulations, or those other legal compliance issues may be addressed elsewhere.
A CMS is a “system” because it is more than just a collection of individual policies and procedures addressing consumer credit law obligations. In addition to individual policies and procedures (often collectively referred to as the “compliance program”—think of an assortment of individual policies and procedures), the CMS should contemplate a holistic strategy for compliance. A CMS should have provisions on board and management oversight, a complaint management system, and an audit program. A CMS must include procedures for how a company’s compliance obligations are incorporated into business processes. A CMS should also include training procedures on compliance obligations, how compliance obligations are monitored, what corrective action is undertaken when compliance issues are uncovered, and how the CMS is updated. The individual policies and procedures should, in a sense, speak the same language of compliance and speak to one another. Policy and procedure documents should be organized in similar ways, should use the same language when discussing similar and related compliance obligations, and should integrate the methods of compliance into business processes in similar ways so that compliance functions minimally impact the provision of a company’s products and services.
As an example, the CFPB expects companies to have a separate compliance function instead of embedding compliance within each business line.[1] This gives the compliance function independence. Compliance efforts at a company need to be coordinated across the business lines to ensure consistency, timely response to compliance failures, and comprehensive monitoring. This oversight should be multi-layered. In addition to oversight by the board and senior management, a company might consider embedding monitoring functions in specific policies and procedures to which the monitoring procedures are tailored as well as developing an independent audit function across the various procedures. Monitoring and independent audits are extremely important to the CFPB, and a CMS that simply states policies and procedures without providing a mechanism to ensure that those policies and procedures are followed could be viewed by the CFPB as deficient.
Before you begin the process of drafting a CMS, you should step back and make sure you understand the consumer finance industry in which the company works, as well as how your client’s business operates, because the CFPB expects its supervised entities to have a CMS adapted to their business strategy and operations. The goal of this exercise is not only to get a sense of how to draft specific policies and procedures, but also to know what sorts of policies and procedures are needed in your client’s CMS.
As part of any review of your client’s industry, ask yourself what policies and procedures other industry participants are including in their CMSs. If possible, you should obtain copies of other CMSs to review the policies and procedures other industry participants have included. If the CFPB has obtained a consent order against an industry participant, then consider the CMS deficiencies that the CFPB discussed, if any. You should also review the CFPB’s Supervision and Examination Manual and apply the CFPB’s instructions regarding a CMS to your client’s business.[2] Pay special attention to the Examination Objectives published for each CMS section and to areas of focus described in other CFPB notices and publications. For example, the CFPB has regularly placed emphasis on auditing—the CFPB expects that a CMS will include independent consumer compliance audits.
An effective CMS must reflect your client’s individual business in every respect. This includes providing specific policies and procedures that account for your client’s products and services, target customers, organizational structure, and regulatory requirements. Because this is not a “one size fits all” proposition, it is important that you manage client expectations about the time and amount of communication required to effectively draft a comprehensive and robust CMS.
In particular, you should focus on your client’s current practices, identify lapses in compliance, and develop a solution that your client can implement. At each stage of the drafting process, your client should review the proposed policy and procedures and obtain feedback from management and the teams that will need to implement that portion of the CMS.
One drafting strategy is to request that one of your client’s employees take notes about every stage of a task that she is involved in, and then use those notes to construct procedures. This process offers a real-world perspective about how employees implement compliance objectives and may identify weaknesses to address in the new CMS.
The CFPB has consistently stated that the size and complexity of a regulated entity will determine the complexity of a CMS and the CFPB’s supervisory expectations.[3] Despite these assurances, the CFPB has provided no detail regarding how a smaller entity may limit the scope and complexity of its CMS. The CFPB has indicated that its supervisory expectations are not uniform but are “principles-based” in recognition of the differing size and complexity of organizations.[4] However, the CFPB has also stated that it will apply consistent standards using the same procedures to examine different supervised entities—to the extent possible. Therefore, absent a clear articulation of how a small supervised entity may limit the scope and complexity of a CMS, a compliance attorney limits the scope of the CMS at her peril.
With smaller organizations, which may have already over-worked employees and a small legal budget, a compliance attorney may need to prioritize the completion of many different CMS sections. When deciding whether to complete a portion of a CMS immediately or postpone its creation until the client is larger or has a bigger compliance staff (and presumably a larger legal budget), do a risk analysis with your client for any proposed omission. When thinking about the prioritization of CMS sections, you and your client should consider the risks of non-compliance, including potential examinations and lawsuits for statutory violations or for unfair and deceptive acts and practices.
We close with three recommendations. First: although you will have to draft individual policies one by one, and because you may issue-spot and improve your approach to drafting a CMS later in the process, you should revisit the entire suite of policies and procedures at the end of the process to ensure all of the separate parts of the CMS work well together. Second: federal law only requires companies to have written policies in a few areas (for example, a red flags policy), but a more effective CMS encompasses all compliance obligations, including state law obligations, which may include record retention rules, mini-Fair Debt Collection Practices Acts, or identity theft rules. And third: developing a CMS is an ongoing process because the CFPB expects a CMS to be updated, not only for changes in the law, but also for changes in the company’s business processes. Therefore, an effective CMS must specify how the company will update the CMS and who will do it.