Developing and Maintaining a Sound Compliance Management System


Compliance with consumer protection regulations and laws is essential to manage risks that may result in litigation, civil money penalties and formal enforcement actions. Financial institutions manage this risk by implementing a Compliance Management System (CMS) throughout the institution. A CMS is not new; regulators have required one for many years. Recently, however, it has moved to the forefront of regulatory examinations as they become more risk-focused. For this reason, it is critical for your institution to have a strong, effective CMS to manage compliance and reputation risk, and to mitigate the risk of non-compliance and consumer harm.

Components of a Sound CMS

Your institution’s CMS should be a formal, written program that includes these key required components:

  • Board and management oversight
  • A written compliance program
  • Compliance monitoring
  • Training
  • Policies and procedures
  • Complaints
  • Auditing the compliance program

Board and Management Oversight

Regulatory examiners are looking to assess your institution’s board of directors and management, as appropriate for their respective roles and responsibilities, based on the following assessment factors:

  • Oversight of and commitment to the institution’s CMS.
  • Effectiveness of the institution’s change-management processes, including responding in a timely and satisfactory manner to any kind of change, internal or external, affecting the institution.
  • Comprehension, identification and management of risks arising from the institution’s products, services or activities.
  • Self-identification of consumer compliance issues and corrective action undertaken, as such issues are identified.

Ultimately, your board of directors is responsible for developing and administering a CMS to ensure compliance with consumer protection laws and regulations. Oversight can be provided through a supervisory/governance committee (which should include a director) whose minutes are reported to the board, or by direct reporting on the CMS to the board. Periodic full or summary compliance reports should be provided to the board to keep it informed of activities related to all components of the CMS. The board also needs to be kept up to date on standards, regulatory findings and unresolved corrective actions.

Written Compliance Program

A well-planned, implemented and maintained compliance program is a sound business practice that will prevent or reduce regulatory violations while providing cost efficiencies. However, a compliance program is not static. It must be dynamic and amended on an ongoing basis to focus resources where they are needed most, based upon the risks to the institution. An effective CMS process will vary depending on the size of the institution and the complexity of the services offered. It will help to identify compliance risks related to the institution’s products, services and other activities, and help the institution respond to deficiencies and violations. Generally, a formal, written compliance program should be established that includes board oversight, policies and procedures, training, monitoring, prompt handling of consumer complaints and auditing of the compliance program. In addition to being a planned and organized effort to guide the institution’s compliance activities, it is also an essential source document that serves as a training and reference tool for all employees. Regardless of the degree of formality, all financial institutions are expected to manage their compliance programs proactively to ensure continuing compliance. Compliance efforts require an ongoing commitment from all levels of management, should be part of an institution’s daily business operations and should be integrated into the overall risk management strategy.

Compliance Monitoring

Monitoring is a proactive approach to identifying procedural or training weaknesses, and it promotes consumer protection by preventing, self-identifying and addressing compliance issues before they become regulatory violations. A robust CMS appropriate for the size, complexity and risk profile of an institution’s business will often prevent violations or facilitate early detection of potential violations. Early detection can limit the size and scope of consumer harm. Moreover, self-identification and prompt correction of serious violations is concrete evidence of an institution’s commitment to responsibly address underlying risks. Appropriate corrective action, including correction of programmatic weaknesses and full redress for injured parties, limits consumer harm and prevents violations from recurring. A follow-up on any findings should be included to ensure they were rectified, any systemic concerns were addressed, corrective actions were completed both retrospectively and prospectively, and consumer harm was considered. To aid in this tracking, a compliance review tracker should be implemented to monitor the status of each review, including the dates of reviews, the management response target date and the follow-up date. The target date should be reasonable, and the board should be kept informed of any corrective actions that are pending, completed, past due or on track.

Training

Education of a financial institution’s board of directors, management and staff is essential to maintaining an effective compliance program. Line management and staff should receive specific, comprehensive training in the laws, regulations and internal policies and procedures that directly affect their jobs. The board and senior management should also receive compliance training, including UDAAP and Fair Lending, so they are knowledgeable of the regulatory requirements needed to perform their oversight responsibilities. An effective compliance training program is frequently updated with current, complete and accurate information as it relates to:

  • Products
  • Services
  • Business operations
  • Consumer protection laws and regulations
  • Internal policies and procedures, including all required training and emerging issues.

Policies and Procedures

Policy statements on compliance topics provide a framework for the institution’s procedures and clearly communicate the board’s intentions toward compliance to management and employees. Policies should be established to include goals and objectives, as well as appropriate procedures for meeting those goals and objectives. Generally, the degree of detail or specificity of procedures will vary with the complexity of the issue or transactions addressed. An institution’s policies and procedures should provide personnel with all the information needed to perform a business transaction. Compliance policies and procedures are the means of ensuring that consistent operating guidelines support the institution in complying with applicable federal consumer protection laws and regulations, including Fair Lending and Unfair, Deceptive, or Abusive Acts or Practices (UDAAP). These criteria also provide standards by which compliance officers and line managers may review business operations.

Complaints

An institution should be prepared to handle consumer complaints promptly. Procedures should be established for addressing complaints, and the individuals or departments responsible for handling them should be designated and known to all institution personnel to expedite referrals. Complaints may be indicative of a compliance weakness in a function or department. Therefore, the compliance officer should be aware of the complaints received and act to ensure a timely resolution. A compliance officer should determine the cause of the complaint and act to improve the institution’s business practices, as appropriate. Complaint tracking should capture the source, a description of the complaint, due dates and any supporting documentation. With this information recorded, a monthly and annual review of the complaint tracking report can be completed to identify any systemic concerns, trends, potential UDAAP or Fair Lending issues, or a need for additional training. Procedures should be developed describing how compliance will analyze the outcome of the complaint trend reporting, how often the information is reported and to whom it is delivered.

Auditing the Compliance Program

The CMS should be audited to determine whether it adequately identifies, measures, controls and monitors the compliance risks associated with the institution’s products and services, considering the complexity of its operations and structure, and whether its reporting structure allows for adequate oversight. The results of the institution’s CMS audit should indicate that the program promotes a cohesive and consistent approach to compliance management. By including the components described, and with strong prioritization and oversight direction from the board of directors, the institution should have a collective view from which to develop and implement an effective CMS. Assigning a leader and delegating responsibility and accountability to a combination of individuals or to a committee demonstrates commitment to developing and maintaining an effective compliance management system.

Bringing It All Together

“Compliance with consumer protection laws and regulations is strong and the compliance management system is effective. The CMS provides effective program oversight. Compliance officer is knowledgeable and well informed of regulatory expectations. Management proactively responds to regulatory changes. Training is comprehensive, consisting of online modules, webinars, and departmental in-house training. Management tailors training to job functions and responsibilities. Board and senior management oversight is adequate. Examiners considered strengths and weaknesses in Board and senior management, the CMS structure, and compliance program administration when arriving at this conclusion.” This is the comment you want to see in your regulatory examination report. Remember, when it comes to implementing a strong, effective CMS for your institution, your auditors and regulatory examiners are your BFFs, and they are only a phone call or email away. Need help developing a sound CMS? Contact Doeren Mayhew’s financial institution compliance specialists today to help you get started.


Marcia Baker, CRCM – Senior Compliance Specialist, Financial Institutions Group