

Is your compliance management system effective?

Nov 02, 2020

As we’re approaching the end of 2020, now is a good time to review your Compliance Management System (CMS) and start planning for 2021. 

A CMS is how a financial institution manages consumer compliance risk, supports compliance with consumer protection laws and regulations, and prevents consumer harm. A strong CMS is the key to managing the risk of compliance violations and will help mitigate the risk of consumer harm.

An effective CMS comprises two key components: board and management oversight, and a written compliance program that includes policies and procedures, training, monitoring and audit, vendor management, and consumer complaint procedures.

Board and management oversight

Responsibility for a CMS ultimately lies with the board of directors. The board is responsible for developing and managing a CMS that ensures compliance with federal and state consumer regulations and that addresses and minimizes the associated risks of harm to consumers.

The board and management should be actively involved in the CMS and should demonstrate a strong commitment to, and oversight of, the financial institution’s CMS. Appropriate resources should be allocated to the compliance function, including systems, capital and human resources. Management should implement a process to ensure staff are knowledgeable, authorized and held accountable for compliance with federal and state consumer regulations, and should ensure compliance personnel have access to the board and can cross departmental lines to administer the regulatory compliance program. Regular reports on compliance activities and on the results of monitoring and audits should be provided to the board.

Compliance program 

A sound compliance program is crucial to the effective and successful operation of the financial institution. A risk assessment of applicable regulatory requirements should be conducted to allow the financial institution to develop a compliance program based on risk. 

The risk assessment should be updated as needed but no less than annually. Events that may affect the ongoing risk assessment may include new systems, products or services; turnover of key positions; new or changing regulations; and audit and examination weaknesses, to name a few. 

The financial institution’s compliance program should be written and should include policies and procedures commensurate with the institution’s size and complexity. The program should also include the duties and responsibilities of the compliance officer(s), any compliance committee and the staff of the financial institution; training requirements; monitoring and audit requirements; oversight of key vendors used in compliance; and a consumer complaint process.

Compliance policies and procedures should be written and adequately detailed to manage the compliance risk of the financial institution’s products, services and activities. They should: 

  • Be consistent with board-approved policies
  • Address compliance with applicable federal and state consumer regulations in a manner designed to minimize violations
  • Be designed to detect and minimize risks of consumer harm and cover all products and services offered
  • Be reviewed regularly and updated to remain current and comprehensive

Management and staff should receive specific, comprehensive training to reinforce and assist in implementing written policies and procedures. The training should: 

  • Address the requirements for compliance with federal and state regulations
  • Incorporate the prohibition against unlawful discrimination and unfair, deceptive and abusive acts and practices
  • Be risk-based and encompass all applicable areas, and be timely and customized to the responsibilities of the staff receiving it, including those responsible for sales, marketing and customer service
  • Be updated regularly to ensure it includes new and changed regulations
  • Include, and be consistent with, the institution’s policies and procedures

Monitoring provides for a high level of compliance by promptly identifying and correcting weaknesses. Although it generally occurs more frequently than an audit, monitoring is typically less formal. Because monitoring does not require the same degree of independence as an audit, it may be performed by the business unit.

Auditing is completed less frequently than monitoring and is more formal. The audit may be performed by the financial institution’s internal audit department or by an outsourced third party. The audit should be independent of the business or compliance function that performs the monitoring. Ideally, the scope and frequency of the monitoring and audit plan should be developed using the financial institution’s risk assessment.

An effective CMS should also ensure the financial institution is responsive in handling consumer complaints. There should be sufficient policies and procedures for addressing consumer complaints to ensure they are responded to appropriately and on a timely basis. Documentation of the complaints, including the responses, should be retained as part of the CMS.

Complaints that raise legal issues and involve potential consumer harm should be identified and escalated to ensure appropriate action is taken. Management should monitor consumer complaints to identify risks of potential consumer harm and CMS weaknesses and take appropriate action.

No matter how your CMS is set up, it should be commensurate with your institution’s size, complexity and risk profile. A robust CMS will help mitigate the risk of violations, assist in detecting potential violations and reduce the potential for consumer harm.  


Shelley Foster, CRCM, CCBIA
Senior Manager, Internal Audit and Regulatory Compliance