The Consumer Financial Protection Bureau has long required that an institution within the scope of the CFPB’s supervision or enforcement authority, including both depository institutions like banks and non-depository consumer financial services companies like auto finance companies, develop and maintain a written, sound, and robust compliance management system (CMS) that is integrated into the overall framework for a product’s design, delivery, and administration across the institution’s entire product and service lifecycle.
In the CFPB’s view, a sound and robust CMS is how an institution, among other things, establishes its federal law compliance responsibilities and maintains legal compliance.
Institutions are also expected to manage relationships with service providers to ensure that service providers effectively manage compliance with Federal consumer financial laws applicable to the product or service being provided. The CFPB has routinely requested those that it supervises/examines and even those that it enforces against to provide the Bureau with a copy of the entity’s CMS.
As a refresher, a CMS is how an institution: (i) establishes its compliance responsibilities; (ii) communicates those responsibilities to employees; (iii) ensures that responsibilities for meeting legal requirements and internal policies and procedures are incorporated into business processes; (iv) reviews operations to ensure responsibilities are carried out and legal requirements are met; and (v) takes corrective action and updates tools, systems, and materials as necessary.
The CFPB claims that an effective CMS commonly has two interdependent control components: (i) Board and Management Oversight; and (ii) a Compliance Program, which includes policies and procedures, training, monitoring and/or audit, and consumer complaint response. Mind you that this is a CFPB requirement to ensure an entity’s compliance with Federal consumer financial services laws and regulations.
I’ve heard from clients over the past year or so of a new and disturbing trend at the state level. The state regulators have been speaking with their counterparts at the Bureau and some have really beefed up their examination procedures. Prior to or during a state examination, some state regulators have been requesting the licensee provide them with a copy of their CMS or compliance management program and other policies and procedures. What used to be a relatively simple and straightforward state exam with a request for a few reports and a questionnaire about a licensee’s practices, has turned into a near-hundred item examination.
Plus, the state regulators are taking after their federal brethren and asking for a copy of the licensee’s policies, procedures, and/or manuals relating to various aspects of a licensee’s advertising; marketing; underwriting; originations; fair lending; servicing and collections; affiliates and related organizations; service providers; training policies and procedures, information technology and cybersecurity; written risk assessments; complaint management; monitoring; and internal and external audit reports. Sound familiar? It should; this sounds as though the state regulators are asking for a written, sound, and robust CMS from the licensee.
Some state regulators may simply request the licensee provide a copy of its CMS or compliance management program and just “check the box;” the licensee either has one or it doesn’t. However, some state regulators take their role and examinations very seriously and consider the failure to have a CMS as a major deficiency. If the licensee has to fess up and admit that it doesn’t have a written CMS or compliance management program in place, then some state regulators will request the licensee to describe in great detail the procedures and methods that it uses to ensure that its complying with the law.
If you don’t have a written, sound, and robust CMS that meets the requirements identified by the CFPB, you can’t hide from your duty any longer because state regulators could ask you to provide it as part of your state examination. So, you can either bite the bullet and pay the piper to have the CMS prepared now, or you can wait until you get that examination letter from either the CFPB or a state regulator demanding a copy of your CMS and policies and procedures and then have to quickly scramble to get everything in place before your examination.
Trust me; it’s going to cost you a whole lot more time, effort, and money to get the CMS rushed into place when you do get that examination letter or Civil Investigative Demand (if it is even possible to do so on such a typically short window), than if you had put the CMS and policies and procedures into place now while you’re not on that tight deadline. The examination and CID demands also typically ask for other reports and documents, so will you actually have enough time to prepare a CMS that’s integrated into the overall framework for a product’s design, delivery, and administration across your company’s entire product and service lifecycle AND get it approved by the Board of Directors before the examination date? Highly, highly doubtful.
Additionally, by rushing through things and slamming a CMS into place, you’re likely to miss something; possibly something particularly important. Finally, rushing your CMS and policies and procedures into place will be readily apparent to the federal and/or state regulator. They are not likely to go easy on your examination (or enforcement) if it looks like you’ve scrambled to put something in place before they examine your shop.
This appears to be a disturbing trend at the state level and we’re sure to see more state regulators demand a licensee provide a copy of its CMS. Take some time to speak with your friendly compliance lawyer about your CMS and policies and procedures before you get that examination letter (or CID) and have to pay the piper!
©Copyright 2024 Eric L. Johnson. All rights reserved. Single print publication rights Non-Prime Times.
