By Pam Perdue
For financial institutions under the jurisdiction of the CFPB or a prudential banking regulator, recent updates to a 40-year-old examination rating system yield new clues for how to manage compliance more effectively. This new rating system brings both challenges and opportunities to mortgage lending organizations.
The Federal Financial Institutions Examinations Council (FFIEC) recently released an updated Uniform Interagency Consumer Compliance Rating System (CC Rating System) that offers lenders clear guidelines on how to best create a sound compliance management system. The new rating system takes into account whether the compliance program design is appropriate for a lender’s size, complexity, and risk profile. As of April 1, 2017, new exam procedures require examiners to evaluate CMS effectiveness when assigning compliance ratings. Ultimately, the key to success is having the board and management demonstrate a strong, ongoing commitment to compliance, having a robust compliance program in place, and avoiding (or swiftly addressing) violations of law.
I: Board and Management Oversight
Oversight and commitment. The CC Rating System requires examiners to consider whether the board oversight of and commitment to the lender’s CMS is sufficiently applied and demonstrated. Effectiveness will be evaluated on a few key factors. The rating system will consider whether appropriate resources have been dedicated to compliance: Are the right people in the roles, and are there enough human and technological resources to get the job done? Team size, technology choices, and the allocations of dollars and resources set aside for complying with consumer protection laws will be scrutinized. Even among organizations of similar size, the resources deemed adequate may differ greatly from one lender to another. There is no “one-size-fits-all” approach. A lender who’s great at leveraging technology may need only a few qualified personnel, while one who relies on mostly manual processes might require an army-sized staff to handle the compliance burden.
Management must also conduct comprehensive initial and ongoing oversight of third-party service providers. Lenders must place specific emphasis on those solution providers who are critical to compliance management functions. This oversight should include covering the provider’s policies, procedures, internal controls and training programs as applicable to its consumer compliance responsibilities. Lenders are ultimately responsible for the compliance of products and services provided to them by partners and vendors.
Change management. As the industry is continually changing, lender compliance needs change, too. To create an effective CMS, lenders need to address how to handle changes that impact compliance. These changes can stem from new or updated regulations; at other times, change will be driven by internal or external operating conditions that impact performance. Strategic shifts, competitive pressures, organizational changes, management, or staff turnover all create types of change that affect compliance performance and outcomes. A management team must be able to demonstrate that they are able to anticipate and respond promptly to changes across all business lines, including regulatory changes, or changes in the market, products, and services. This also includes conducting appropriate due diligence before and after products or services are changed, throughout the lifecycle of the product.
Risk management, self-identification and corrective action. Another important element of an effective CMS is management’s ability to understand and manage compliance risks, up to and including establishing a means to identify changes in risk exposures over time, and respond promptly. Examiners will want to see that the CMS is designed to enable management to identify emerging and continuing compliance risks and that action is taken when risk exposures exceed the institution’s risk appetite. A lender’s management team must continually assess risk exposures and their potential impacts. Strong detective controls that include appropriate quality assurance, monitoring and auditing programs should be in place. A lender should be using its CMS to quickly spot when things go wrong, and have corrective action procedures in place that allow for weaknesses to be remedied quickly and thoroughly.
II: Compliance Program
Policies, procedures, and training. Examiners will consider a lender’s overall compliance program in their evaluation of CMS effectiveness. Lenders must develop policies and procedures to ensure that compliance risk is effectively managed, including assuring that appropriate preventive controls around third-party relationships are addressed. These standards should be clearly stated, with specific procedures well-defined to ensure that all employees can carry out these expectations. The CMS must also provide the lenders’ employees and management with comprehensive compliance training, tailored to their specific roles and responsibilities. Ongoing, updated training must also be provided before regulatory changes occur and prior to launching new products and services.
Auditing and monitoring. Lenders must identify potential compliance risk through comprehensive monitoring practices, information systems, reporting, audit, and internal controls. Management should initiate these monitoring practices proactively to identify any weaknesses in procedures that could result in regulatory violations or harm to consumers. This self-evaluation should also extend to training practices, which should be reviewed regularly to address any potential violations. Any necessary changes should be implemented as soon as possible to minimize potential risks.
Consumer complaint response. Addressing borrower complaints is another vital aspect of an effective CMS. The program should include a process for reporting consumer complaints to the appropriate staff member for resolution. Additionally, lenders must build a system to track complaints to identify patterns and trends. Recognizing consistent patterns may shed light on training weaknesses, system limitations or computing errors, or rogue staff. These insights can prompt lenders to strengthen their procedures to correct problems that borrowers commonly face. A strong complaint management protocol is more than just sound business practice; it’s a regulator expectation.
III: Violations of Law and Consumer Harm
The final evaluation category in the CC Rating System is how a lender handles violations of law and any situations leading to consumer harm. Examiners first analyze the root cause of the problem, such as whether a weak CMS contributed to the violation. Any issues resulting from critical weaknesses in the CMS are attributed to a lack of management oversight and are considered the most serious infractions. Second, examiners evaluate the severity or level of impact on consumers as a result of the violation. The third factor considered is the length of time the violation occurred and the duration of the resulting consumer harm. The final factor is pervasiveness: whether the problem impacted a significant number of consumers.
With the CC Rating System enforcing new, stricter exam criteria, lenders must make building an effective CMS a high priority. The assessment criteria show that regulators expect lenders to have a CMS designed intentionally and thoughtfully for all stages of marketing, application, origination and servicing. To accomplish these goals, lenders should not rely solely on manpower, which is an inefficient and ineffective solution to a complex objective. When lenders have a well-defined system to tackle compliance, it becomes possible to automate compliance management. Automation ensures that a lender follows specific processes and addresses the same variables each time, ensuring a CMS that will stand up to even the harshest regulatory scrutiny.
Pam Perdue is EVP and chief regulatory officer at Continuity, a RegTech solutions provider.