Lately, anyone reading the news is bound to see a story about bank compliance and risk management failures. A Top 10 U.S. bank has been in the headlines after reaching a record $290 million class action settlement for failing to enforce know your customer (KYC) rules in the Bank Secrecy Act (BSA). A website tracking bank violations reports that financial institutions have been fined over $377 billion for various legal and regulatory violations since 2000. Moreover, analyses of recent bank failures by the Federal Reserve and Federal Deposit Insurance Corporation (FDIC) found that the institutions’ boards of directors and management fell short of ensuring compliance with their own board-approved risk limits.
It is clear from these news stories that regulators (and bank customers) are not limiting their focus to how banks comply with basic consumer laws and regulations. They are also looking at their corporate risk management cultures and systems for ensuring compliance with all applicable laws and regulations as required under their own internal policies and procedures.
In 2016, regulators formalized the first system for rating banks’ institution-wide management of compliance, under the Federal Financial Institutions Examination Council’s (FFIEC’s) Uniform Interagency Consumer Compliance (CC) Rating System. The CC Rating incents a financial institution to establish an effective compliance management system (CMS) across the institution to self-identify risks and take the necessary actions to reduce the risk of non-compliance and consumer harm. Importantly, regulators apply this rating system to banks of all sizes.
While all banks must have a CMS, the manner in which the CMS program is implemented and the type of oversight needed for that program can vary considerably depending on the scope and complexity of the organization’s activities, its geographic reach, its overall size and complexity, and other inherent risk profile factors. As banks offer more diverse products, expand their operations, or offer more complex products, they need to review their CMS to make sure it is keeping up with their evolving business and risk management strategy. Below are 10 questions for a bank to ask itself when assessing whether its CMS is keeping up with changes in its business strategy, products and services, and overall risk profile:
- Is the bank aware of all applicable laws and regulations with which it must comply? Increasingly, we have seen regulators ask banks this question. Regulators are looking for a complete inventory that covers more than just consumer regulations. Are there state or local laws and regulations that impact the bank? Are there laws and regulations outside of those issued by the bank’s primary federal banking regulator that should be identified? Is the bank offering new products or services that are the subject of different laws and regulations? One way banks seek to address this issue is by developing a registry that describes the applicable requirements in plain English and ties the requirements to bank risk management and compliance policies and procedures. Such a list can highlight gaps that may exist in a bank’s CMS.
- Is the CMS program institution-wide? The coverage of the compliance program needs to extend within and across business lines, support units, legal entities, and jurisdictions of operation. This is particularly important for areas like anti-money laundering, privacy, affiliate transactions, conflicts of interest, and fair lending, where legal and regulatory requirements may apply to multiple business lines or legal entities within the banking organization.
- Is the CMS a formal, comprehensive program with clearly identified roles and responsibilities and adequate staffing across all three lines of defense? The CMS should be a framework for identifying, assessing, controlling, measuring, monitoring, and reporting compliance risks across the organization, and for providing compliance training throughout the organization. The framework should be documented in policies, procedures, and standards.
- Does the compliance officer have appropriate authority and accountability? The compliance officer needs to have the requisite stature, authority, and independence to act across departmental lines, have access to all areas of the bank’s operations, and be able to mandate and enforce corrective actions. To perform this role effectively, the compliance officer needs direct access to the board of directors and/or relevant board committees and to senior executive management.
- Does the compliance officer have a seat at the table when new products and services are considered? We have seen many banks release new products and services without considering what different laws and regulations might apply or without adequately assessing their operational impacts. Such errors can be costly. Similarly, does the compliance team review posted notices, marketing literature, and advertising? Mistakes in these materials could cause consumer harm and put the bank at risk of financial and other regulatory penalties.
- Does the CMS cover products that third parties offer on the bank’s behalf? Regulatory guidance on vendor management, along with more frequent enforcement actions, has made it clear that banks are expected to be fully accountable for the compliance obligations of their third-party vendors. In a recent consent order with the FDIC, a bank with a broad array of fintech partners agreed to ensure that its monitoring of third-party compliance with applicable fair lending laws and regulations covered all credit products offered by the bank and the third parties involved.
- Is the board of directors involved in compliance? The board should appoint the compliance officer, approve compliance policies and programs, receive regular reports from the compliance officer, and require independent reviews of the compliance function. The amount of time the board devotes to compliance sends a clear message to bank management and staff about the importance of this issue.
- Does the compliance function perform adequate monitoring and testing? The compliance team should monitor the testing of the internal controls that were put in place to ensure compliance with applicable laws and regulations. Before these controls can be monitored, they need to be identified and documented. Metrics from compliance testing should be included in reporting to the board and senior management.
- Does the compensation program consider compliance? Regulators expect any compensation program to promote sound risk management and compliance with laws, regulations, and internal standards, including those pertaining to the overall corporate compliance culture and conduct.
- Does the organization devote sufficient resources to implementing and enforcing the CMS on a proactive basis? As evidenced again and again in examination findings and consent orders, failure to invest in a bank’s compliance culture and program in a timely manner often leads to amplified restitution efforts and related costs that constrain the bank’s near-term ability to actively pursue other corporate opportunities.
Compliance with laws and regulations is a regulatory expectation—and an expectation of bank customers. Increasingly, regulators are focusing on the systems banks have in place to ensure institution-wide compliance with all applicable laws and regulations as well as their own policies and procedures. The expectations apply to all banks, understanding that their risk and compliance management systems must be tailored to their size and complexity. Asking the 10 questions above is a good check to see if your CMS is keeping pace.