In late 2012, the CFPB published version 2 of its 924-page Supervision and Examination Manual that examiners use in determining whether companies are violating federal consumer financial laws.  The most important takeaway is that we now know the questions that the CFPB will ask when they examine a company. And, the first question will be whether the company has a Compliance Management System (“CMS”).

The purpose of this post is to review the requirements for a finance company to adopt a CMS.    

What is a CMS?

A CMS is exactly what it sounds like—it is a system for ensuring compliance with federal consumer financial laws with the objective of addressing risks of harm to consumers.   The CFPB has directed supervised companies to implement and maintain a CMS that is incorporated into all aspects of a company’s business, including product design, delivery and administration.

In various publications, the CFPB describes an ideal CMS with words like “robust”, “sound”, “comprehensive” and “effective”.  The CFPB also stresses that the CMS must be appropriate to the size, nature and scope of the Company’s business.  In the words of the CFPB, “[T]he CFPB expects every regulated entity under its supervision and enforcement authority to have an effective compliance management system adapted to its business strategy and operations.”

A company’s CMS should achieve a number of goals, including establishing compliance responsibilities, communicating responsibilities to necessary employees, ensuring that compliance responsibilities and policies are incorporated into business practices, reviewing existing policies and procedures to ensure compliance, and taking corrective action when necessary.

Who needs to adopt a CMS?

All consumer finance companies should adopt a formal and complete CMS.  In 2013, the CFPB released a bulletingiving guidance regarding “responsible conduct” that will be considered in enforcement actions.  Specifically, in order to avoid an enforcement action by the CFPB, or mitigate any potential penalties, a company should engage in: self-policing, self-reporting, remediation and cooperation.  Adopting a CMS is the ideal way to exercise “responsible conduct.”

According to the CFPB, “[A] robust CMS appropriate for the size and complexity of a party’s business will not always prevent violations, but it will often facilitate early detection of potential violations, which can limit the size and scope of consumer harm.”

Why is this especially important for finance companies?

We expect that the CFPB will concentrate on companies that have not been historically subject to federal regulatory oversight.  A recent CFPB publication explained, “The CFPB has found, through supervisory work, that nonbanks are more likely to lack a robust CMS, as their consumer compliance-related activities have not been subject to examinations at the federal level for compliance with Federal consumer financial laws prior to the Bureau’s existence.”

Given the lack of federal oversight until recently, many finance companies have compliance deficiencies.

What are the key components of a CMS?

The CFPB has consistently identified four common key components of a successful CMS:

  1. Board and Management Oversight. A company’s board of directors or senior management is ultimately responsible for the development and administration of the CMS. To effectively implement the CMS, the company should appoint one or more compliance supervisors who have the clear responsibility of facilitating the CMS and acting as a liaison to the board of directors or senior management.  Additionally, companies must exercise oversight over third-party service providers to ensure that such service providers are complying with federal consumer financial laws.
  2. Comprehensive Compliance Program. This is the most important and central component of the CMS. Each supervised entity must adopt a formal, written compliance program designed to prevent or reduce regulatory violations, protect consumers from non-compliance and associated harms, and help align business strategies with these outcomes.  The Compliance Program must include at least three necessary elements: (1) policies and procedures; (2) training; and (3) monitoring and corrective action.
  3. Response to Consumer Complaints. The Supervision and Examination Manual stresses the necessity of appropriately dealing with and learning from consumer complaints.
  4. Compliance Audit. Companies must review existing policies, procedures and practices to determine whether any changes are necessary to be in compliance with federal consumer financial laws.