2021 brought the financial services industry new requirements to add to their Risk Management Framework. I’d be hard-pressed to find a creditor who wasn’t aware of the CFPB’s Regulation F, and the additional monitoring and auditing responsibilities that are required when forwarding accounts to third-party collection agencies.
Additionally, the Federal Reserve, FDIC and OCC have proposed new Risk Management Guidance for banking organizations for managing risk associated with third-party relationships, including relationships with vendors. This proposed guidance would combine the three agencies’ current guidelines into one streamlined risk management guidance document. But this has yet to be posted in the Federal Register.
However, in September 2021, the CFPB also updated their exam procedures to include additional requirements related to Information Technology. And that update didn’t get nearly the press that Reg F or the combined agency guidance did.
The CFPB’s Exam Procedures Compliance Management Review – Information Technology (CMR-IT) is an additional exam procedure specifically related to Information Technology and IT controls within a covered entity. When comparing it side-by-side with the CFPB’s Exam Procedures (CMR) (last updated August 2017), it appears that much of the introduction and explanatory sections are an exact duplicate of the CMR.
However, an additional paragraph has been added to the introduction that helps explain what the CFPB is looking for:
“Institutions often use information technology (IT) that could impact compliance with Federal consumer financial laws. As part of its overall CMS assessment, the CFPB may evaluate the technology controls of an institution and its service providers. The CFPB may also evaluate an institution’s IT as it relates to compliance with Federal consumer financial laws.”
It’s also important to point out the CFPB’s expectations of a covered entity relating to compliance management in general:
“Institutions are expected to manage relationships with service providers to ensure that service providers effectively manage compliance with Federal consumer financial laws applicable to the product or service being provided.”
This is a good reminder to add this additional checkpoint to your regular audits of your service providers, and other third parties you engage with.
There are five Modules in the CFPB’s Exam Procedures for IT. The Module section names are the same as in the CMR, as are the explanations of each module and the examination objectives.
However, the differences come in the actual exam procedures and the requirements of what the examiners are looking for. In the new CMR-IT, the procedures that will be reviewed relate to IT function, IT controls, IT organizational structures, etc.
Let’s break down the five Modules and take a look at the new examination procedures.
The CFPB reminds us: “… the board of directors is ultimately responsible for developing and administering a compliance management system that ensures compliance with Federal consumer financial laws and addresses and minimizes associated risks of harm to consumers.” In the absence of a formal board of directors, companies should have a group or team that is responsible for these tasks. This is the group the CFPB will look to for the information needed to complete this section of the exam.
Examiners will request documentation, including board meeting minutes, organizational reporting structure and duties, information security program, IT risk management process, policies and procedures, risk assessment program, IT strategic plan, SDLC controls, change management process, business continuity plan, IT system reporting, and other documents as necessary to determine compliance.
The CFPB expects your compliance program to be a formal written document, administered by your chief compliance officer. They require the compliance program to contain four components: Policies & Procedures, Training, Monitoring/Audit and Consumer Complaint Response. The examiners have varying objectives and procedures for each component.
An institution’s policies & procedures should follow the policy enacted by the board of directors.
Examiners will require access to your IT policies & procedures so they can review how your program is structured and how it interacts with your IT functions. The examiners will also require information on who created the policies & procedures, when they were created and who maintains them. They will review your SDLC to see how your IT policies & procedures fit into it. Additionally, they will require access to your records retention and destruction timeframes. If you have more than one office, they will need to review the policies & procedures for each location to determine if they are consistent with the applicable corporate-level policies.
Educating your entire staff, from the board on down, is essential to maintaining an effective CMS. The CFPB expects training to be sufficient to cover the duties of each individual. Training should not just cover your policies & procedures, but also the regulations relating to Federal consumer financial laws, including unlawful discrimination and Unfair, Deceptive, or Abusive Acts or Practices (UDAAP).
Examiners will need an explanation of how your board or management is involved in training, and how training is selected for each group of employees. Examiners will require access to your IT training materials, your training schedule and records of completion, and any follow-up, escalation or enforcement that comes out of the training program. They will also require access to any IT training you have provided for your service providers, along with the schedule and documentation of completion. They will also need to see your plan for new training that will be rolled out in the next 12 months.
Monitoring is essential for promptly identifying weaknesses in your CMS. Monitoring is generally done more often than auditing, while auditing is generally a more formal process, likely carried out by an audit department or an outside contracted party. IT and compliance audits provide the board of directors with crucial information to ensure the company is in compliance with regulations, consumer laws and the policies & procedures that have been established by the board.
Examiners will require access to monitoring and audit documentation, including: Quality Assurance and Quality Control procedures and the schedule of these procedures, policies & procedures pertaining to IT audits, and any other documentation related to monitoring and audit. Additionally, the examiners will require proof of the independence of the monitoring/audit functions, and evidence of how well they identify and report weaknesses. They will also need to review auditor expertise and training to ensure it is sufficient for the complexity of the IT functions of the institution. If your auditing is performed by a third party, the examiners will need to review the applicable policy, contracts, etc. you have with that auditor for the review period. The examiner will also need to see that the monitoring/audit coverage includes assessment of IT system capabilities and compliance with Federal consumer financial laws, and that it addresses access restrictions and unauthorized access. They will also check to ensure the board of directors' risk assessment process is being properly executed, that the board is receiving reports of the monitoring and audits, and that any findings are being properly remediated.
The CFPB expects that you will not only have a consumer complaint process in place, but that you will also gather information from consumer interactions in an organized fashion, that the information be retained, and that it be used as a part of your CMS. Additionally, the CFPB requires that companies make a deliberate and good faith effort to resolve each consumer complaint.
The examiner will review any IT-related consumer complaints, including any that are received at the institution's service providers. They will require access to policies and procedures relating to consumer complaints. Examiners will also review any responses, corrective actions, analysis and categorization of IT complaints, and determine whether appropriate corrective action was taken.
Consumer complaints and inquiries should be an integral part of an institution’s compliance management system.
While the CFPB acknowledges third-party service providers may be a necessary part of doing business, they also state that engaging with a service provider does not negate the institution’s responsibility to comply with Federal consumer financial laws. Service providers must be familiar with any legal requirements applicable to the products being offered and must have processes in place to ensure consumer protections. Legal responsibility may lie not only with the service provider, but also the institution if there is consumer harm.
The examiner will require a list of the institution's service providers, a description of the services each service provider provides for the institution, and the IT functions each service provider may support. They will also require access to documentation relating to service providers, including the institution's risk management program for service providers that support IT functions that could have consumer compliance implications, policies & procedures, contracts, audits, monitoring and tests performed, and the results. Additionally, if service providers have access to sensitive consumer information, the examiner will also need access to the service providers' written information security programs.
Creditors may be held liable for the actions of their service providers.
Throughout the exam process, the examiner will be looking for violations of law and consumer harm. If a violation is found, the examiner will determine whether the institution's CMS identified the violation and, if so, what remediation resulted. A CMS that is not appropriate for the institution's size, complexity and risk profile may not be suited to catch violations. The CFPB views self-identification and subsequent corrective action as evidence of an institution's commitment to responsibility and consumer protection.
Self-identification and correction of violations of law reflect strengths in an institution’s CMS.
In the event an examiner identifies a violation of Federal consumer financial law, they consider the following factors:
If an examiner determines there has been a violation of law that has resulted in consumer harm, they must review the conclusions drawn from the previous Modules in the exam that were identified as the root cause of the violation. They must then determine whether the institution self-identified the violation, and review the documentation related to the identification and any corrective action taken as a result, including management's awareness and the length of time it took to resolve. The examiner must determine the severity of the weaknesses in the institution's CMS and how critical they were to the violation. They must then determine the extent of consumer harm resulting from the violation, including both financial and non-financial harm. Lastly, they must determine how pervasive the violation was by determining the number of consumers impacted.
This module is the written summary of the previous four Modules. The examiner will provide their conclusions on the effectiveness of the institution’s Compliance Management System in relation to their IT functions.
The examiner must now summarize their findings, supervisory concerns and conclusions for each module completed. They must identify any action needed to correct weaknesses in the institution’s CMS. The examiner will discuss their findings with the institution’s management, and, if necessary, obtain a commitment for corrective action. Finally, the examiner must report their findings back to the CFPB via their official system of record.
While the new exam procedures for compliance management review for IT will only be used by the CFPB when it is examining a company, and while your company may not (yet) be on the list of companies the CFPB is looking to examine, it is still considered a best practice to follow the CFPB's guidelines and be prepared.
When risk of consumer harm is at stake, financial services companies can never be too careful. And those who use outside service providers have an additional level of risk to their customers. The strength of your compliance management system will help enormously when and if the CFPB comes knocking on your door. Will you be ready?
NeuAnalytics provides the only comprehensive compliance management system built for financial institutions to monitor their third-party service providers' daily activities for performance and compliance risk. ISP is purpose-built for CFPB compliance, including early warning of possible consumer harm and management reporting.
Contact us today to learn how NeuAnalytics can strengthen your compliance processes.