The FDIC expects a bank’s board of directors and management to have a compliance management system (CMS) adapted to its business strategy to effectively manage compliance risk. It should be consistent with the size and complexity of its products, services, and markets.
Compliance risk is the potential for violating any of the laws and regulations that govern credit union operations, including those related to federal consumer financial protection enforced by the FDIC. From the Bank Secrecy Act to the SAFE Act, the FDIC seeks to determine how well a bank is managing the risk of compliance violations.
A CMS addresses how a bank learns about consumer compliance responsibilities and ensures that they are understood by employees, incorporated into processes, followed carefully, and that corrective action is taken as needed.
The FDIC’s CMS approach is based on the principles of the FFIEC’s Consumer Compliance Rating System. The FDIC says a CMS comprises two interdependent elements:
- Board & management oversight
- Consumer compliance program
Board and Management Oversight
The FDIC believes the success or failure of a CMS begins with board and management action. The board and management need to:
- Appoint a compliance officer with independence and authority. The FDIC says designating a compliance officer should be the board’s first step when setting up a compliance program. This person can be part-time, full-time, shared with another institution or outsourced. A compliance committee is also an alternative.
This individual should understand applicable consumer laws and regulations and the bank’s operations. The compliance officer is responsible for developing compliance policies and procedures, training management and employees in consumer protection laws and regulations, reviewing policies and procedures for compliance, assessing emerging issues or potential liabilities, coordinating consumer complaint responses, reporting compliance activities and audit/review findings to the board, and ensuring that corrective actions are implemented in a timely fashion and findings do not recur. The compliance officer should be given training and the time and resources to do the job. Appointing a compliance officer does not negate the board and management’s compliance responsibility.
The compliance officer may be empowered to oversee compliance, but the board and management are still ultimately responsible for compliance.
- Demonstrate leadership. The board and management should talk about compliance in their meetings and leave no doubt to staff and third-party providers (vendors) that compliance is a high priority and part of daily operations. A culture of compliance is a must.
- Adopt policy statements. These communicate the bank’s approach and serve as guidelines for procedures.
- Dedicate resources to compliance. They should be appropriate for the complexity of the bank’s operations.
- Oversee third parties. The board and management are responsible for the compliance of third-party vendors and partners. There should be a compliance risk management process that typically includes risk assessment, due diligence, contract structuring and review, and sufficient oversight of third-party activities.
- Conduct periodic audits.
- Ensure the compliance officer provides regular reports.
To learn more about compliance management and how to construct a CMS, tune in to Ncontracts’ webinar, What Is A CMS And Why You Should Have One.
A Compliance Management Program
The FDIC wants to see a written, proactive and dynamic compliance management program. It should reflect the size, structure, business strategy, complexity, location and other characteristics of the bank. No two compliance management programs should be exactly the same.
The FDIC prioritizes effectiveness over formality as long as strong monitoring is in place. Larger banks and those going through a period of expansion or staff turnover need a more formal, written program.
That includes:
- Policies and procedures. These should be documented and regularly updated. They should include all the information staff needs to engage in an activity or transaction. The more complex the issue, the more specifics should be provided.
- Training. Training should be timely, specific and comprehensive and address the laws, regulations and internal policies and procedures staff needs to know to do their jobs. The compliance officer should set a training schedule for directors, management and staff (and sometimes third-party providers) with knowledge assessed periodically.
- Monitoring and/or audit. Monitoring proactively identifies weaknesses to avoid violations. Audits should independently test internal controls, operations and the compliance risk framework. They can be done internally or by an outside party. Even if a compliance program seems strong, monitoring and audit are necessary, scaled to the size, complexity and risk profile of the bank. The FDIC says an effective monitoring system reviews product disclosures, document storage procedures, marketing materials, compliance with usury and consumer protection laws, third-party provider operations, internal compliance communication systems, transaction-level reviews, and employee performance.
The board decides on the scope and frequency of audits based on institutional expertise, staffing, transaction volume, product complexity, consumer complaints, branch network, size, third-party usage, formality of the program, and how much the program has changed. Auditing can be ongoing or once a year and done in-house or outsourced. Auditing for consumer compliance should involve substantial transaction testing, with findings sent directly to the board or a board committee. Deficiencies and findings should be addressed, and follow-up should assure there are no recurrences.
- Consumer complaint response. Defined procedures should ensure customer complaints are identified and addressed promptly. Compliance officers should be aware of complaints and plans to address them.