Automated tools often enable your compliance management system (CMS) to work effectively. That said, the CMS is less a technology unto itself and more like a corporate compliance program, where multiple pieces of the whole all work together.
Specifically, a compliance management system looks like a collection of policies, procedures, and processes governing all compliance efforts. As more companies use technology across all parts of the enterprise, however, and as more compliance requirements focus on cybersecurity, that means IT security is also becoming an integral part of the CMS.
What is a CMS?
A CMS helps a company to manage and meet its legal requirements and comply with applicable laws and regulations. Ideally, your CMS is an integrated system that incorporates employee compliance training, focused business processes, operational reviews, and corrective action strategies.
The Federal Deposit Insurance Corp. (FDIC), one of the most important U.S. regulators in the banking industry, defines a CMS this way:
“A compliance management system is how an institution:
- Learns about its compliance responsibilities;
- Ensures that employees understand these responsibilities (via a compliance training program);
- Ensures that compliance requirements are incorporated into business processes;
- Reviews operations to ensure that responsibilities are carried out and requirements are met; and
- Takes corrective action and updates materials as necessary.”
An effective compliance management system, the FDIC states, typically include:
- Board and management oversight;
- The compliance program itself; and
- Regular audits of the compliance program.
What Is Compliance Risk?
The professional services firm Deloitte defines compliance risk as “the threat posed to a company’s financial, organizational, or reputational standing, resulting from violations of laws, regulations, codes of conduct, or organizational standards of practice.”
In other words, compliance risk is your organization’s potential failure to meet its compliance responsibilities. And in numerous industries, the price of non-compliance can be painfully high.
For example, in the financial services sector, compliance risk often equates to financial risk. Financial laws and regulatory compliance requirements—imposed by the FDIC, the Office of the Comptroller of the Currency (OCC), or the Consumer Financial Protection Bureau (CFPB)—are stringent, and those regulators can impose high fines for compliance issues.
When a financial institution (whether a major bank, lender, community bank, or credit union) or service provider suffers a data breach or unauthorized access that results in consumer harm, the firm may find itself facing significant monetary penalties and other costs—particularly if it lacks appropriate data monitoring tools.
In June 2020, the OCC warned banks about compliance risks related to the COVID-19 pandemic.
In its Semiannual Risk Perspective, the OCC warned that compliance risk is elevated “due to a combination of operations, employees working remotely, and the requirement to operationalize new federal, state and proprietary programs designed to support consumers,” including the Paycheck Protection Program.
The OCC also cautioned against interest rate risk, operational risks (again, heightened because of COVID-19), increased cybersecurity risks, and compliance risks related to the Bank Secrecy Act (BSA), consumer compliance issues, and fair lending as areas of concern.
The FDIC in 2020 advised financial institutions to have risk management programs that allow them “to identify, measure, monitor, and control the risks related to social media,” especially regarding consumer complaints that may arise over the platform.
Even institutions that don’t use social media should, “in accordance with its own risk assessment … still consider the potential for negative comments or complaints that may arise within the many social media platforms described above, and, when appropriate, evaluate what, if any, action it will take to monitor for such comments and/or respond to them.”
The Consumer Financial Protection Bureau, a consumer protection agency charged with responding to consumer complaints, focuses on the importance of data integrity and user access and authentication. For example, the CFPB levied a $1 billion fine against Wells Fargo Bank in 2018 for “unfair, deceptive, or abusive acts and practices” (UDAAP) associated with home and auto loans.
So compliance risk management requires a complex web of compliance activities from change management to compliance monitoring to ensure that all business units in an enterprise are conforming to applicable laws. A compliance management system orchestrates all that work in an efficient, productive way.
How to Create an Effective CMS
While it’s easy to assume that a CMS focuses on the ways in which your financial institution protects customers and avoids money laundering, the reality is that market transactions are increasingly digital, using technologies that are vulnerable to unauthorized access.
A CMS, therefore, should focus on protecting data as well as responding to consumer complaints. Here’s how to create a compliance management program:
The Board of Directors
Your compliance program starts with your board of directors. It sets the business objectives that allow your organization to manage and mitigate risks.
Your compliance program consists of written policies and procedures, training, monitoring, and corrective actions.
Traditionally, many of these policies and procedures focus on issues such as fair lending and mortgage servicing. But as financial firms increasingly use Software-as-a-Service (SaaS) platforms for data collection or communications, you need to consider how to avoid privacy violations and remain compliant with the Graham-Leach-Bliley Act (GLBA).
For example, if you plan to use digital technology for loan servicing, you need to ensure that your vendor establishes controls ensuring that consumer protections remain in place.
Consumer Complaint Management Program
You need to be able to respond to consumer complaints and inquiries while also tracking, monitoring, and analyzing them. You also must protect your customer data from unauthorized access that affects its integrity, availability, and confidentiality.
Not only do you need a compliance program. You need to engage third-party auditors to ensure that your organization and your IT suppliers comply with requirements.
Regarding IT infrastructure, the CFPB Supervision and Examination Manual expressly incorporates security requirements of the GLBA and the Electronic Funds Transfer Act. As your customers engage in more electronic funds transfers, you need to ensure that your financial institution incorporates a review of the controls over vulnerabilities to data.
Who needs to be involved?
As with any compliance requirement, your CMS incorporates a variety of internal and external parties.
Once the board establishes its business objectives, senior management begins the vendor risk management (VRM) process. As part of this process, senior management reviews both internal and external written documents to ensure that the vendor’s security practices align with your required controls. VRM is a starting place for the management oversight required in most regulations.
Almost all financial institutions have compliance officers who oversee the CMS. The compliance officer acts as your financial institution’s compliance captain. In charge of everything from researching updates to updating risk profiles, policies, procedures, and processes, the compliance officer also needs to maintain insight into the way in which your organization handles information and vendors.
Your customer service representatives act as the first line of defense against improper access to your customer data. Whether it’s your loan or deposit staff, you need to ensure that they create safe passwords and that only authorized staff can access the information. Your CMS should assure that all employees are appropriately trained based on their role within your organization.
Compliance Management Tools
Regardless of the compliance risks you face, you need to integrate data security throughout all business operations. Even though most consumer regulatory requirements remain silent on data protection, you’re more often sharing information with third parties to enable better asset results.
A number of compliance frameworks are available to help your CMS work effectively, and technology tools can do much of the work of compliance for you, automatically.
With ZenGRC’s compliance management, risk management, and workflow management capabilities, you can bundle many of the tasks required by a CMS into a single tool.
The compliance dashboards and easy audit management functions provide insight into the strengths and weaknesses of your IT infrastructure, showing how well you’re protecting data privacy and transaction-enabling platforms. Task prioritization and workflow tagging let you better communicate within your company to manage the work of managing an increasingly digital lending portfolio.
Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.