Have you given your finance company's compliance management system a health check-up lately? Just as you review and continually improve other processes in your business, you should assess your compliance program on a regular basis to see where you can make improvements to strengthen your program. Your regulators expect you to have an effective program in place. Self-assessing your program and continually making changes and adjustments to improve your program can help keep your regulators and audit staff content, and avoid fines, enforcement actions, losses, complaints and litigation.

In this article, we review the components of a strong compliance program and provide you with an assessment tool to help you evaluate your program and determine where you can make improvements.

What is a compliance management system?

A compliance management system is how you identify and manage compliance risk to prevent violations of law and consumer harm. No compliance management system is the same but should be based on the size, complexity and risk profile of your business. Your program may start out simple and grow as you grow. The larger and more complex your company is, the more sophisticated and robust your system needs to be. Regardless of your size, the system must be incorporated into the day-to-day responsibilities of management and all employees. It should establish compliance responsibilities, communicate those responsibilities to employees, ensure legal requirements are incorporated into business processes, and provide for review of operations to ensure legal requirements and responsibilities are being met. The system should also help you self-identify issues and take corrective action, and it should include your third-party relationships such as your major vendors.

What are the major components of a compliance management system?

Strong systems have the following components: 1) board and management oversight of the system; and 2) a Compliance Program with policies and procedures, training, monitoring, auditing and a complaint response process. These compliance management system components are identified and discussed in the Consumer Financial Protection Bureau's Supervision and Examination Manual. For further information see https://files.consumerfinance.gov/f/documents/201708_cfpb_compliance-management-review_supervision-and-examination-manual.pdf via (consumerfinance.gov).

Let's take a closer look at each of these components.

1441248a.jpg

Board and Management Oversight

Your board of directors or other governing body, which we will refer to in this article as "the board," should provide oversight and show commitment to the compliance management system. In addition, the board should ensure effective change management processes are in place and that management sufficiently comprehends, identifies and manages compliance risks. Finally, the board should ensure there are processes in place to self-identify compliance issues and that corrective action is taken when issues are identified.

The board can provide oversight of and commitment to the compliance management system in multiple ways. Firstly, the board should ensure that compliance resources have been provided including for systems and staffing. Staff should be knowledgeable and empowered and held accountable for compliance with laws and regulations. The board should ensure management conducts due diligence and oversight of third parties being utilized in the business (i.e., vendors) to ensure compliance with laws including oversight of third-party policies, procedures, controls and training. The board should also demonstrate a culture of compliance and tone from the top to show they value compliance with laws and regulations.

Questions the board may ask themselves about their oversight and commitment to the compliance management system include:

  • Has oversight responsibility been delegated to a management group/committee and is the board providing meaningful oversight?
  • Do meeting minutes include coverage and review of compliance materials?
  • Has a formal compliance program/policy been adopted?
  • Has compliance staff been dedicated to or assigned compliance responsibility within the organization and do these individuals have independent access to the oversight body?
  • Is there a process to identify new regulatory requirements?
  • Is there a process for developing and implementing new products or services?
  • Does the board work with the auditors to set the scope of audits?
  • Does the board or management receive information on issues and corrective actions?
  • Does the board review policies and risk assessments?
  • Does the board set risk tolerances for the business and provide a compliance tone from the top?

In addition to providing oversight and commitment to the compliance management system, the board should ensure there are effective change management processes in place to enable timely and satisfactory responses to any variety of internal or external changes. Responding timely to changes in applicable laws, market conditions, and products and services, as well as conducting due diligence before and testing after product or other changes occur to ensure results were achieved as planned, are areas where change management processes are needed and risk occurs when these are not managed.

Furthermore, the board should ensure there are appropriate risk management processes in place to help comprehend, identify and manage risk arising from products, services and activities of the business. The board needs to understand whether management comprehends and identifies compliance and other emerging risks and what processes management has in place to measure risk such as by conducting risk self-assessments. Common types of risk self-assessments include enterprise-wise risk assessments and area-focused assessments. Focused assessments are often conducted in such areas as information security and vendor management, and for specific compliance regulations such as the Truth-In-Lending Act, Fair Credit Reporting Act or Equal Credit Opportunity Act to name a few. The board should not only ensure such assessments are being conducted but should receive reports of the results of these assessments from management to help it better understand the business risks.

In addition to the above, the board can show its oversight of and commitment to the compliance management system by ensuring processes are in place to self-identify compliance issues and to take corrective action as issues are identified. The board should ensure that management proactively identifies issues and responds to compliance deficiencies and any violations of law or regulations including remediation. Establishing ongoing monitoring or quality control programs help identify risk as well as through conducting internal and external audits. The board should receive information about monitoring and audit programs and results. Early detection can limit the size and scope of consumer harm. Self-identification and prompt correction of serious violations represent concrete evidence of an organization's commitment to responsibly addressing underlying risks. Corrective action, including both correction of programmatic weaknesses and full redress for injured parties, limits consumer harm and prevents violations from recurring in the future. The board should ensure it receives information about compliance issues and the corrective actions that are being taken including following those actions through to completion.

Compliance Program

The second component of a compliance management system is having a compliance program with effective policies and procedures to prevent compliance violations, appropriate staff compliance training, monitoring and auditing of compliance requirements, and an effective complaint response process.

As part of the compliance program, sufficient policies and procedures should be in place, appropriate for the risk in the products, services and activities of the business. Policies and procedures should be comprehensive, updated and provide standards or risk tolerances so compliance risks can be managed to those standards.

Policies are generally approved by the board and often include the following for a finance company:

  • Compliance Program Policy
  • Information Security/Privacy
  • Equal Credit Opportunity Act/Fair Lending
  • Fair Credit Reporting Act
  • Bank Secrecy Act/Anti Money Laundering/Office of Foreign Asset Control
  • Truth In Lending Act
  • Servicemember Civil Relief Act
  • Third Party (Vendor) Management
  • Collection Practices
  • Unfair, Deceptive, Abusive Act or Practices

While policies tend to provide broad direction to the business, procedures contain the operational details to carry out the policies but are not generally board approved. Management updates procedure documentation as processes, systems, staff or products change.

In addition to policies and procedures, an effective compliance program provides comprehensive, timely and up-to-date training for all levels of staff and management including the board. Training should be tailored to the responsibilities of the staff receiving it. It is important that training is updated prior to changes in products or new laws. In addition, compliance staff should have access to the training necessary to administer the compliance program.

Good training practices include:

  • Keeping records of your training, content, attendees;
  • Following up to ensure all staff receive the training; and
  • Developing a compliance training schedule to ensure content is covered regularly and ongoing.

Another important component of a compliance program is ensuring appropriate monitoring and auditing of business activities is conducted. The monitoring and auditing should be comprehensive to cover compliance risks throughout the business, timely, and at the appropriate frequency. Compliance monitoring generally is less formal and more frequent than an audit and may be carried out by the business unit or compliance department staff. A schedule of planned monitoring activities should be prepared and adhered to. Risk assessments should be utilized to identify where there is more risk and help direct where more monitoring may need to occur. In contrast, audits are generally more formal and less frequent and are performed by internal or external parties independent of the business function. An audit plan or schedule should be prepared based on risk and the audit committee or board should approve the plan. Audit results should be provided to the audit committee or board and audit issues tracked through corrective action to ensure appropriate action is taken and completed. Written reports and records should document findings of monitoring and audits and corrective actions taken. Reports of findings and corrective actions should be provided to management and the board.

Finally, an important component of a compliance program is the process of resolving consumer complaints. Effective complaint response processes help identify problems that need to be addressed and therefore help avoid further issues or litigation. Strong compliance programs track complaints to ensure timely and comprehensive investigation and resolution and retain records of the complaints, investigations and responses, as well as provide reporting to management and the board. Processes should be in place to identify and log complaints as well as investigate and respond to complaints promptly and thoroughly. The process should be documented in written procedures setting forth the type of complaints to be tracked, tracking method, responsibility and process for investigation and response, response timelines and record retention. There should be an escalation process for the most serious complaints to management, the board or legal counsel depending on the type and severity of the complaint. Complaint tracking and reports should be reported to management so management can monitor complaints to identify risks and take appropriate corrective action when root cause issues are identified.

Finance companies should continually strive to ensure that the board oversees and is committed to the compliance management system and the compliance program has sufficient and effective policies and procedures, training, monitoring, auditing and complaint response processes. For a healthy compliance management system, finance companies should continually evaluate the strength of its system and look for any gaps that may need to be improved.

Now that we have reviewed and provided examples of the components of a strong compliance management system, take the following compliance system health check-up assessment and see where you can make improvements to your system or identify gaps before they become problematic.

Compliance Management System Health Check-Up Download

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.