The Consumer Financial Protection Bureau (CFPB) has long required that institutions within its supervision or enforcement authority develop and maintain a written, sound and robust compliance management system, or CMS. Establishments include depository institutions such as banks and non-depository consumer financial services companies such as RV dealerships.
The CMS should be integrated into the overall framework for a product’s design, delivery and administration across the institution’s entire product and service life cycle.
In the CFPB’s view, a sound and robust CMS is how an institution establishes its federal law compliance responsibilities and maintains legal compliance. Institutions are expected to manage relationships with service providers to ensure those providers effectively manage compliance with federal consumer financial laws applicable to the product or service being provided. The CFPB has routinely requested those it supervises or examines—and even those against which it has enforcement authority—to provide the CFPB with a copy of the CMS.
As a refresher, a CMS is how an institution:
- Establishes its compliance responsibilities.
- Communicates those responsibilities to employees.
- Ensures that responsibilities for meeting legal requirements and internal policies and procedures are incorporated into business processes.
- Reviews operations to ensure that responsibilities are carried out and legal requirements are met.
- Takes corrective action and updates tools, systems and materials, as necessary.
The CFPB claims an effective CMS commonly has two interdependent control components. The first is board and management oversight. The second is a compliance program, which includes policies and procedures, training, monitoring and audit and consumer complaint response.
Mind you, this is a CFPB requirement to ensure compliance with federal consumer financial services laws and regulations.
I have heard from clients over the past year or so about a new and disturbing trend at the state level. State regulators have been speaking with their counterparts at the CFPB, and some state regulators have really beefed up their examination procedures.
Before or during a state examination, some state regulators have requested the company provide them with a copy of its CMS or compliance management program and other policies and procedures. What used to be a relatively simple and straightforward state exam, with a request for a few reports and a questionnaire about practices, has become an examination with nearly 100 items.
Plus, state regulators are taking after their federal colleagues to ask for much more. That includes:
- A copy of the company’s policies and procedures.
- Manuals relating to various aspects of advertising, marketing, underwriting, originations, fair lending, servicing and collections.
- Affiliates and related organizations.
- Service providers.
- Training policies and procedures.
- Information technology and cybersecurity.
- Written risk assessments.
- Complaint management.
- Internal and external audit reports.
Sound familiar? It should. This sounds as though the state regulators are asking for a written, sound and robust CMS.
Some state regulators may simply request the company provide a copy of its CMS or compliance management program and will just “check the box.” Either the company has one or does not. However, some state regulators take their roles and examinations very seriously. Some consider the failure to have a CMS as a major deficiency.
If the company has to fess up and admit it does not have a written CMS or compliance management program in place, some state regulators will request the company to describe in great detail the procedures and methods used to ensure the company complies with the law.
If you do not have a written, sound and robust CMS meeting the CFPB’s requirements, you cannot hide from your duty any longer. State regulators could ask you to provide it as part of your state examination. You can either bite the bullet and pay the piper to prepare the CMS now or wait. When you eventually get that examination letter from the CFPB or a state regulator demanding a copy of your CMS and policies and procedures, you then have to quickly scramble to get everything in place before your examination.
Trust me—it is going to cost a whole lot more time, effort and money to get the CMS rushed into place after receiving an examination letter or civil investigative demand (CID). Preparing a CMS may be impossible in such a short window.
The examination and CID demands typically ask for other reports and documents. Will you actually have enough time to prepare a CMS that is integrated into the overall framework for a product’s design, delivery and administration across your company’s entire product and service life cycle and get board approval before the examination date? The chances are highly, highly doubtful.
Additionally, by rushing through things and slamming a CMS in place, you are likely to miss something, possibly a particularly important item. Finally, hurrying to put your CMS and policies and procedures in place will be readily apparent to the federal and/or state regulators. A regulator is not likely to go easy on your examination or enforcement if you have scrambled to assemble a CMS before the examination.
Enhanced examination procedures appear to be a concerning state-level trend. We are sure to see more state regulators demand that a company provide a copy of its CMS.
Take some time to speak with your friendly compliance lawyer about your CMS and policies and procedures before you get that examination letter or CID.
Eric L. Johnson is a partner in the Oklahoma City office of Hudson Cook, LLP. He helps banks, credit unions, and RV and auto dealers with nationwide mortgage and auto finance programs; online vehicle sales; and electronic payment programs.
