Compliance Management Systems Will Get New Scrutiny from Regulators

Vong, John, CMB, CMT

December 09, 2016

(John Vong, CMB, CMT, is president and co-founder of ComplianceEase, Burlingame, Calif., a provider of automated compliance services to the financial services industry. He can be reached at

Donald Trump's surprise victory has understandably created a great deal of speculation as to what the regulatory landscape will look like going forward. But while our industry has been absorbing this news, it may have missed some important signals that suggest regulators, in the near term, will be taking a much harder look at compliance management systems in upcoming examinations.

CMSs were the focus of the Consumer Financial Protection Bureau's latest Supervisory Highlights report, and earlier this month, the Federal Financial Institutions Examination Council released new guidance on revisions to its Consumer Compliance Rating Systems that will take effect in March.

For those of you who are not familiar with Supervisory Highlights, it is a quarterly report the CFPB issues discussing findings and outcomes of its examinations of lenders. The names of the lenders are not revealed, just the category that they lend in: mortgages, consumer finance, auto, etc.

In the report, the CFPB said it had examined one or more mortgage lenders that, on the surface, had what appeared to be a relatively strong CMS given "the size, risk profile and operational complexity of their mortgage origination business." It noted that their boards and management took an active role in reviewing and approving policies and procedures and that the companies had compliance training "tailored to the institutions' job functions" and a monitoring function that "took corrective action to address deficiencies."

According to the Federal Deposit Insurance Corp., a CMS is how an institution:

--Learns about its compliance responsibilities.
--Ensures that employees understand these responsibilities.
--Ensures that requirements are incorporated into business processes.
--Reviews operations to ensure responsibilities are carried out and requirements are met.
--Takes corrective action and updates materials as necessary.

Despite these best practices, the Bureau found deficiencies in CMSs at one or more institutions, and examiners concluded that a weak CMS allowed violations of Regulations X and Z to occur.

A lack of independent compliance audits of origination activity is also a concern. "For example, one or more supervised entities failed to allocate sufficient resources to ensure compliance with federal consumer financial law," the report said. "As a result, these entities were unable to institute timely corrective-action measures, failed to maintain adequate systems, and had insufficient preventive controls to ensure compliance and the correct implementation of established policies and procedures." The CFPB said it notified the entities' management of these findings, and corrective action was taken to improve the entities' compliance management systems.

Another area of weakness is vendor management. Lenders had not implemented procedures for establishing clear expectations to adequately mitigate the risk of harm arising from third-party relationships.

Other No-No's
In addition to its concerns regarding CMSs, the CFPB also highlighted three actions it took against other mortgage companies. In one case, it found that a lender had not sufficiently verified income or assets as required by Regulation Z: to test ability to repay, the lender had used, as income verification, an internet-based tool that aggregates employer data and estimates income based upon each consumer's residence address, ZIP code, job title and years in their current occupation. In a second examination, which occurred prior to TRID, it found that the lender hadn't provided timely disclosures. Finally, it reported that one or more federally regulated lenders had failed to comply with the SAFE Act by using staffing agencies whose employees were not properly registered or licensed.

Revised Rating System
Compliance management was also the subject of guidance this month from FFIEC, the interagency body that sets the principles and standards for the federal examination of financial institutions.

FFIEC updated the rating system that agencies will use to evaluate the sufficiency of covered lenders' CMSs. The system ranks institutions on a scale of 1 to 5, with 1 being the highest rating. The ratings focus primarily on board and management oversight, the scope of compliance programs and an assessment of an identified violation or consumer harm.

"In developing the revised Consumer Compliance Rating System," FFIEC said, "the Agencies believed that it was also [important to] establish incentives for institutions to promote consumer protection by preventing, self-identifying and addressing compliance issues in a proactive manner. Therefore, the revised rating system recognizes institutions that consistently adopt these compliance strategies."

As a member of FFIEC, the CFPB will use this rating system, beginning in April 2017, to rate institutions with $10 billion in assets or more.

What's the takeaway from the new report and rating system? Going forward, regulators will be looking for deficiencies in lenders' CMSs, starting with lenders that don't have written policies and procedures and/or lack system controls. A good CMS needs to function flawlessly from both the top down and the bottom up. In examinations, management will need to demonstrate not only their controls and systems, but also the steps that they have taken to cultivate a compliance culture in their organization from the CEO to the LO.

(Views expressed in this article do not necessarily reflect policy of the Mortgage Bankers Association, nor does it connote an endorsement of a specific company, product or service. MBA NewsLink welcomes your submissions; articles should be of a general nature on the real estate finance industry. Inquiries can be sent to Mike Sorohan, editor, at
