The Consumer Financial Protection Bureau (CFPB) recently added a new section to its Supervision and Examination Manual focusing on the use of information technology (IT) by entities within the scope of the CFPB's supervision and enforcement authority. The procedures set forth how examiners assess IT and IT controls as part of a compliance management system (CMS) review. The new procedures are referred to by the CFPB as the "Compliance Management Review – Information Technology (CMR-IT) examination procedures," or "CMS-IT" for short.
Why this matters: IT impacts compliance with federal consumer financial laws. The CFPB may evaluate the
- technology controls of an institution and its service providers; and
- an institution's IT as it relates to compliance with federal consumer financial laws.
As the CFPB repeats frequently in examination materials, "Weaknesses in a CMS can result in violations of Federal consumer financial law and associated harm to consumers. Therefore, the CFPB expects every institution under its supervision and enforcement authority to have a CMS adapted to its business strategy and operations."
What's new? The CMS-IT examination procedures are divided into five modules:
Module 1: Board Management Oversight – Examiners are instructed to:
- Review board meeting minutes and supporting materials during the period under review for coverage of IT and IT controls that may impact compliance with federal consumer financial law.
- Determine board's and management's oversight and review of the IT function (e.g., board meeting minutes, strategic plan, significant initiatives or changes).
- Assess the compliance and IT organizational structures.
- Determine the existence of a board-approved, comprehensive information security program.
- Determine whether the board or a subcommittee of the board reviews the IT risk management process, including risk identification, risk assessment, and risk mitigation. Furthermore, determine whether management has developed adequate policies, standards, and procedures to manage technology risk and whether they are current, documented, and appropriately communicated. Determine whether compliance with federal consumer financial laws is incorporated into the risk process and associated documentation.
- Determine whether the board and management oversee changes or anticipated changes in technology enterprise-wide (e.g., service provider relationships, software applications, and/or service offerings).
- Determine whether management has identified all information assets and systems, including cloud-based and virtualized systems as well as critical service providers that are related to consumer financial services and/or products.
- Determine whether the board and management evaluate whether written policies, control procedures, and standards are thorough, properly reflect the complexity of the IT environment, and incorporate compliance with federal consumer financial laws. Also, evaluate whether these policies, control procedures, and standards have been formally adopted, communicated, and enforced.
- Determine whether the board and management consider whether inherent risks related to IT have been evaluated, including the impact to consumers; controls have been clearly identified; and residual risks are at acceptable levels.
- Determine whether the entity's risk assessment program, including IT-related risk, has been formally approved by the board of directors.
- Determine whether a report of risk assessment findings, including IT-related risk, has been presented to the board of directors for review.
- Determine whether board and management evaluate the adequacy of short-term and long-term IT strategic planning and resource allocation.
- Determine whether board and management oversee the controls around the system development life cycle (SDLC), including the integration of compliance with federal consumer financial laws into the SDLC process, and whether that is appropriate for the size and complexity of the entity.
- Determine whether senior management oversees the IT change management process that aligns with the entity's IT risk appetite. Furthermore, determine whether management has developed adequate policies, standards, and procedures to address change management for applications or systems used to support compliance with federal consumer financial laws.
- Determine whether the board has established an ongoing, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the entity.
- Determine whether management implements and uses IT system reporting and whether it produces accurate and useful reports. Determine the effectiveness of the reports used by senior management or relevant management committees to supervise and monitor the IT functions.
- Draw preliminary conclusions regarding whether board and senior management oversight related to IT is strong, satisfactory, deficient, seriously deficient, or critically deficient. Furthermore, include how IT oversight impacts compliance with federal consumer financial laws.
Module 2: Compliance Program – Objectives include compliance policies and procedures that document and are sufficiently detailed to implement the board-approved policy documents. Exam guidance is provided for the review of policies and procedures, training, monitoring and/or audits, and consumer complaint response.
Module 3: Service Provider Oversight – Examiners are instructed to review the entity's use of service providers, including such topics as oversight and risk management practices; the use and provision of IT functions; formal service level agreements; policies and procedures related to application or system acquisition activities where the application or system is used to support compliance with federal consumer financial law; policies and procedures for corrective action and monitoring for changes or conversion of system provider information systems; and, for critical service providers with access to sensitive consumer information, the entity's assessment of the service provider written information security programs.
Module 4: Violations of Law and Consumer Harm – In the event that examiners identify violations of law, the module provides four factors to consider: the root cause; the severity of the consumer harm; duration of the violation; and pervasiveness of the violation to the extent it violates federal consumer financial law and resulting consumer harm, if any.
Module 5: Examiner Conclusions and Wrap-up – Examiners are given instruction to complete, regardless of the entity's risk, and provide a written summary with corrective action steps, discuss and record findings, and prepare a memo for the work papers and CFPB's official system of record that outlines planning and strategy considerations for the next examination and, if appropriate, interim follow-up.
The Supervision and Examination Manual provides internal guidance to CFPB supervisory staff only, and specific exams and outcomes will vary. But CFPB-supervised entities and service providers should consider that exams have scrutinized and may continue to scrutinize whether their compliance management system is up to date and adequately addresses IT resources and controls. The CFPB will scrutinize the use of IT resources and their contributions to compliance with federal consumer financial law.
* * * * * *