By Angela Cheek
Today’s residential mortgage industry is a dynamic environment influenced by mergers and consolidation, advancing technology, and new laws and regulations. To remain profitable, your organization is continuously evaluating and adjusting product offerings and operations in the context of your overall business strategy. All of these forces combine to create inherent risk—specifically, inherent compliance risk. To address this risk, federal law and regulation require your company to develop and maintain a sound compliance management system (CMS) that is integrated into the overall management strategy of your organization. An integrated and automated approach to CMS includes many benefits for your organization, not just at a strategic level but also at the operational, day-to-day level. Technology is assuming a key and enabling role in delivering sustainability, consistency, efficiency, and transparency of your CMS.
Examples of Federal consumer financial law:
Alternative Mortgage Transaction Parity Act
Consumer Leasing Act (Regulation M)
Electronic Fund Transfer Act (Regulation E)
Equal Credit Opportunity Act (Regulation B)
Fair Credit Billing Act
Fair Credit Reporting Act (Regulation V)
Home Owners Protection Act
Fair Debt Collection Practices Act
Home Mortgage Disclosure Act (Regulation C)
Home Ownership and Equity Protection Act
Privacy of Consumer Financial Information (Regulation P)
Real Estate Settlement Procedures Act (Regulation X)
S.A.F.E. Mortgage Licensing Act (Regulation G)
Truth in Lending Act (Regulation Z)
Truth in Savings Act (Regulation DD)
Interstate Land Sales Full Disclosure Act
Unfair, Deceptive, or Abusive Acts or Practices (UDAAP)
Examples of State consumer financial law:
Uniform Consumer Credit Code (a few states)
Consumer, mortgage lending, secondary loan and credit card statutes
State-law equivalents to federal TILA (a few states)
Home improvement, home solicitation, rental purchase, and retail installment sales acts
Mortgage banking and mortgage broker acts
State usury laws
State deceptive acts and practices statutes
Is CMS a new requirement?
CMS requirements are not new. Historically, regulators of financial institutions, such as banks, thrifts, and credit unions, required a CMS as part of the overall safety, soundness, and integrity of the institution. Entities not traditionally subject to federal and state “banking” regulation did not have a CMS requirement until the Consumer Financial Protection Bureau (CFPB) created one, ensuring all organizations would be treated alike, and consumer protections would be implemented regardless of entity type. The Dodd-Frank Act granted the CFPB authority to conduct rulemaking, supervision, and enforcement with respect to various federal consumer financial laws; however, prudential regulators (OCC, FDIC, FRB, and NCUA) retain examination and enforcement authority for institutions with assets of $10 billion or less. Although prudential regulators have their own version of a CMS requirement, this article focuses on the CFPB’s CMS requirements.
How important is a CMS to the CFPB?
The CFPB first issued CMS requirements in October 2012. CMS requirements are the first topic addressed in the CFPB’s Supervision Manual. The CFPB mentions CMS frequently in its bulletins, Supervisory Highlights (June 2015 and November 2015), and enforcement actions. CFPB rules generally focus on a particular practice or issue. In contrast, CFPB CMS requirements are aimed at your organization’s operation, not just at a strategic level but also at the operational level, imposing obligations throughout all levels of your organization. The CFPB believes “A sound and robust compliance management system is essential to ensuring compliance with Federal consumer financial law and preventing associated risks of harm to consumers.” CFPB also understands that “supervised entities will organize compliance management to include compliance with consumer-related state and Federal laws that are outside the scope of CFPB’s supervision responsibilities, in addition to the matters that are within CFPBs scope. CFPB, therefore, expects that compliance management activities will be organized … in the way that is most effective for the supervised entity, and that the manner of organization will vary from entity to entity.”
What are the components of a Compliance Management System?
A compliance management system is how an organization:
- Establishes its compliance responsibilities
- Communicates those responsibilities to employees
- Ensures business processes incorporate internal policies for meeting legal requirements
- Reviews operations to ensure accountability for meeting assigned responsibilities and legal requirements
- Takes corrective action and updates tools, systems, and materials as needed
A continuous CMS cycle allows you to create, maintain and update your compliance management system so that it is effective in identifying, measuring, monitoring, controlling, and addressing compliance risks to consumers and to your organization.
An effective CMS commonly has four control elements:
- Board and Senior Management Oversight
- Compliance Program
- Consumer Complaint Response
- Compliance Audit
Let’s take a closer look at these four key elements.
ELEMENT 1: Board and Senior Management Oversight
The effectiveness of a CMS starts with the actions of your organization’s board of directors and senior management. Although an effective CMS starts with the board, it must be disseminated throughout your organization. Your board and senior management must demonstrate their commitment and respond quickly to issues raised by your customers or issues found through your CMS. Compliance manuals sitting on a bookshelf—even updated ones—are no longer enough.
Your board and senior management must establish clear expectations concerning compliance within your organization. Board minutes should reflect the adoption of clear policy statements concerning compliance with consumer protection law and regulations. Your board should appoint a qualified and experienced compliance officer with authority and
accountability. If your organization is not large enough, this responsibility could be shared by a group of individuals, such as a compliance committee. Whoever fills this role must follow a set of compliance policies, procedures, and standards created and approved by the board. The compliance officer/compliance committee role must be independent from business units, and should have independent access to the board and senior management.
Your compliance officer/compliance committee may use service providers to help administer your compliance program or audit functions. It is important to remember, however, that your board and senior management are responsible to the same extent as if the activity was handled within your organization. So, if you outsource a function, your board and senior management must ensure that the third-party operations, products, services, and activities are reviewed for compliance with consumer protection laws and regulations, with appropriate contract structuring and review, and sufficient oversight of third-party activities.
Your board and senior management should review your organization’s process for development and implementation of new products or services, marketing materials, distribution channels or strategies, with a particular focus on their potential fair lending and compliance risk. Your board should create a process to identify changes in regulatory requirements. Your board also must have a plan on how your organization will address consumer complaints and inquiries. It is critical for your organization’s board and senior management to receive regular reports from routine audits, and if they reveal any compliance risks and issues, the board and senior management must establish follow-up procedures to verify the effectiveness of any corrective actions.
ELEMENT 2: Compliance Program
A comprehensive compliance program includes a commitment by your organization to create, maintain, and update compliance policies and procedures, education and training, monitoring, and appropriate corrective actions. A written compliance program is a crucial document and reference tool for your employees. The benchmark by which you should measure your compliance program is its effectiveness in proactively ensuring your organizations continued compliance with federal and state consumer financial law.
Policies and Procedures
The gradual build-up of regulations over the years may have created duplication of compliance processes, policies, and procedures within your organization. There may be no integrated view of compliance and this may lead to higher costs, lack of uniform coverage, and risk of noncompliance. Are your compliance program’s policies and procedures:
- Consistent with board-approved policies?
- Designed to address compliance with applicable federal and state consumer financial laws and regulations?
- Designed to cover your product or service lifecycles?
- Updated to remain current and to serve as a reference for employees in their day-to-day activities?
Compliance policies and procedures should ensure consistent operating guidelines that support your organization in complying with applicable federal consumer protection laws and regulations, both directly and through service providers. Your policies should include goals and objectives with appropriate procedures for them. Your compliance policies and procedures should provide employees with the information they need to perform their duties. This may include applicable regulatory and legal citations and definitions, sample forms with instructions, and organization policy. It is important for your organization to have a process in place, internally or through a third-party service provider, to regularly review and update your compliance policies and procedures based upon new and revised federal and state consumer financial laws and regulations.
Education and training are often the most effective corrective action your organization can implement.
Education and training may be conducted in-house or through third-party learning management systems. It is critical that your organization’s compliance officer/compliance committee education and training is sufficient to oversee your CMS.
To be effective, your compliance education and training program should be frequently updated with current, complete, and accurate information on products, services, and business operations applicable to your organization. Your organization should consider what tools it can use to document your organization’s compliance education and training materials, training schedule, and records of completion. You should be able to connect your education and training materials to their appropriate federal and state consumer protection law and regulation and to the appropriate sections of your organization’s CMS policies and procedures.
You should regularly test your employees to assess their knowledge and comprehension of the specific regulatory requirements relevant to the functions of their particular positions. You should pay special attention to the education and training of employees and service providers who have direct consumer contact or compliance responsibilities. You should have procedures in place to enforce and escalate any education and training standards or deadlines failures. It is important for you to provide evidence of updates to your education and training program that result from board or senior management commitments based upon monitoring, audit, examination findings, or consumer complaints and inquiries.
Monitoring and Corrective Action
Monitoring helps your organization proactively identify procedural and training weaknesses in order to prevent compliance violations and to assist you in any necessary corrective action based upon those weaknesses. Monitoring occurs on a more frequent basis and is less formal than a compliance audit. Changes to regulations, your business operations, products, or services should trigger a review of your compliance monitoring procedures. Consider whether your organization’s monitoring and testing:
- Leads to timely corrective action
- Confirms transactions and consumer interactions follow your organization’s policies and procedures
- Addresses deficiencies identified in internal or external audits
An effective monitoring system should include regularly scheduled reviews of:
- Disclosures and calculations for your products
- Document filing and retention procedures
- Posted notices, marketing literature, and advertising
- Federal and State usury and consumer protection laws and regulations
- Third-party service provider contracts and operations
- Internal and external systems that inform changes to applicable laws and regulations to management and employees
- Daily activities of employees in every unit of your organization
Monitoring at this level supports employee and management accountability and will help you identify potential problems in a timely manner. Monitoring and testing results should be escalated to the board and senior management, as appropriate, in order to determine the need for any corrective action.
ELEMENT 3: Complaint Response
The nature and number of consumer complaints may demonstrate weaknesses in a particular department or function, or possibly in your organization’s overall CMS. As a result, your organization must create or use a third-party to create a system whereby:
- Consumer complaints and inquiries are appropriately recorded and categorized
- Consumer complaints and inquiries are addressed and resolved promptly
- Consumer complaints that raise legal issues involving potential UDAAP, discrimination, or other regulatory compliance issues are appropriately escalated
It is important for your organization to adjust your business practices based upon consumer complaint data, when appropriate.
ELEMENT 4: Compliance Audit
A compliance audit must be an integral part of a CMS. It is an independent review of your organization’s compliance with consumer protection laws and regulations and adherence to internal policies and procedures, to ensure ongoing compliance and identify compliance risk conditions. It is in addition to your organization’s internal monitoring system.
Your board should determine the scope of your organization’s audit, and the frequency with which it is conducted. You may perform the audit yourself, or you may contract with an outside firm or consultant. If your organization uses an external auditor, you should make certain the audit program is comprehensive, the external auditor is experienced in consumer compliance, and the audit program is based on current law and regulation.
Consider whether your organization’s audit program:
- Is sufficiently independent and reports to your board
- Addresses compliance with all applicable Federal and State consumer financial laws
- Agenda and coverage is appropriate for your organization
- Provides timely reports to compliance and business unit managers
- Results lead to appropriate, timely corrective action
The compliance officer/compliance committee should receive a copy of all compliance audit reports, and address any deficiencies to ensure full compliance with consumer protection laws and regulations. Your board and senior management should promptly respond to any audit report findings, and senior management should also establish follow-up procedures to verify, at a later date, that the corrective actions were lasting and effective.
Why does your organization need a CMS?
The CFPB knows it cannot fully protect consumers unless your organization, your board, and senior management also want to protect consumers. In the CFPB’s mind, a CMS helps ensure that your organization’s board, management, employees, and the CFPB are on the same page concerning compliance, which should reduce costs for the CFPB, the industry, and consumers over time. If your organization does not follow the rules, a CMS will help establish mitigating factors when the CFPB determines what penalties are appropriate. If there is a failure in your CMS, the consequences your organization may face run the gamut from rescission, restitution, refund of money or property, damages, and public notification of violations, to suspension or termination of activities, and civil money penalties ranging from $5,000 per day to $1 million per day. Ultimately, compliance with federal and state consumer protection laws and regulations and your CMS should be an integral part of the daily routine of management and employees of your organization, creating a true “culture of compliance.”
Angela Cheek, as Vice President and Counsel of Product Compliance, leads the team responsible for implementing and maintaining automated residential mortgage lending compliance in Ellie Mae’s and Mavent’s software applications and systems. She can be reached at Angela.Cheek@EllieMae.com.