The Federal Reserve defines a compliance management system (CMS) as a credit union’s overall approach to managing compliance risk.
Compliance risk is the potential for violating any of the laws and regulations that govern bank operations, including those related to federal consumer financial protection. Across that spectrum of laws, from the Bank Secrecy Act to the SAFE Act, the Fed's CMS examination seeks to determine how well a bank is managing the risk of compliance violations.
The Fed's CMS approach is identical to the first two categories of the FFIEC's Consumer Compliance Rating System:
- Board & management oversight
- The compliance program
The Fed recognizes that different institutions will have different CMS implementations based upon the size, complexity, or individual risk profile of the institution.
Board & Management Oversight
Fed examiners are looking for four elements:
Oversight and commitment. The board and management must demonstrate knowledge of and commitment to the CMS. Examiners assess this by looking for communication, the allocation of appropriate capital and human resources, and a staff that is well trained and accountable for compliance. Management must also perform due diligence on third-party vendors and oversee their commitment to consumer compliance.
Change management. When laws, regulations, and market conditions change, management needs to have a process in place to promptly evaluate the impact of the change and respond accordingly. Similarly, if a credit union considers introducing a new product or service or changing an existing one, it should consider the product’s life cycle and review whether the product or service has performed as expected.
Comprehension, identification, and management of risk. A bank should have systems in place to identify and manage both existing and emerging risks. It should have a strong compliance culture and risk management practices that minimize the potential for serious compliance violations. Comprehensive self-assessments are an important element of risk management.
Corrective action and self-identification. Management should be able to proactively identify compliance deficiencies, including violations of law or regulation, and then take prompt corrective action.
The Compliance Program
The effectiveness of a compliance program is assessed by the following elements:
Policies and procedures. These should be strong and comprehensive, and should set standards for managing compliance risk both internally and in third-party relationships.
Training. From the board and management to staff, compliance training should be comprehensive, timely and tailored to staff job duties. Training should be updated when new consumer protection laws or regulations take effect or when new products are introduced.
Monitoring and/or audit. A bank should have comprehensive, timely, and effective systems for identifying and measuring compliance risk. Adjustments should be made when weaknesses are identified.
Consumer complaint response. Examiners want to see prompt and thorough complaint responses and for management to assess complaints for consumer harm.
Specific Examples of What the Fed Is Looking at in a CMS Exam
Examiners will review each assessment factor for strengths and weaknesses, weighing it against the size, complexity and risk profile of the bank. They will look at the control environment for each product, service, and activity and identify weaknesses.
For example, if an institution has introduced a new third-party lending relationship or product, examiners may place more attention on change management or risk management than if nothing had changed since the last exam. That’s because change and risk management are especially important in a dynamic environment.
To learn more about compliance management and how to construct a CMS, tune in to Ncontracts' webinar, "What Is A CMS And Why You Should Have One."