What To Do To Prepare for a CFPB Examination


cfpb-12-28-15.pngThe Consumer Financial Protection Bureau’s exams are an open book text, but does your organization have the book? Obviously, there are subjective elements to every exam. But we do recommend doing your homework.

Read Up on What to Expect
The first document you need is entitled “Debt Collection Examination Procedures,” October 24, 2012, available on the CFPB website. There are a number of different ways to use the manual, but a critical task is to take each requirement in the manual and inventory all the ways your bank can answer: How can we prove that we are meeting this? What tangible evidence exists that we can put in front of an examiner?

The second document is the general CFPB Supervision and Examination Manual, from October 1, 2012. The full text is now over 900 pages long, so we recommend that banks start with the Risk Assessment Template. At a minimum, banks should consider two sections:

  • Risk Assessment Template: We recommend that companies use this as a means of seeing the organization as the CFPB will. Where are the risk areas for potential consumer harm and how are you mitigating those risks?
  • Part II.A. Compliance Management Systems (CMS): This covers the process used to identify regulatory changes, assess their impact on your organization, incorporate the changes into your regular processes and monitor compliance on an on-going basis.

Catch Up on Current Events
It can be challenging to stay abreast of CFPB developments: We recommend that those responsible for managing the examination read up on as much public information as possible about what the CFPB has been doing, including:

  • The CFPB website often has speeches and Congressional testimony from its leadership. This often is a good source of information on what the CFPB is emphasizing and their areas of focus.
  • The CFPB publishes a document two to three times per year entitled “Supervisory Highlights,” which summarizes issues they have seen and actions they have taken during their routine examinations. The actions summarized here and presented anonymously provide insight into common issues at regulated entities.
  • Websites from CFPB watchers: Several law firms maintain very good web sites that track and comment on CFPB related developments.

Get All Hands on Deck
Some organizations see regulatory exams as a legal matter, others as compliance. We recommend mustering all internal resources which can assist, regardless of their normal duties. In addition to legal and compliance, this could include internal audit and operations. It is important that the team that will participate in the examination is involved right from initial planning through final resolution. We have seen situations where upfront planning is handled by a single function, for example the legal department, and the actual examination is given to another department, say compliance. This can lead to a bad handoff, poor communication and other problems.

Clients sometime ask us who should be available to work with the examiners. You want your “go to” people available. This may skip official reporting lines—often times the nominal head of function may not be the most knowledgeable about daily processing or issue resolution. It is in all participants’ interest to efficiently clear any preliminary issues raised during the examination.

Heal Thyself
Do you have the kind of organization where people can raise their hand when they see a problem, or is it the kind where bad news is suppressed? One of the authors of this article worked at a bank where quality metrics where a very large component of operations management’s performance evaluation, so operations management fought every issue that the internal Quality Assurance and Quality Control functions raised. Subsequently, the high quality metrics were overstated and the bank was surprised at the number and severity of issues raised by their regulator. Don’t underestimate the power of an executive sitting down with personnel a few levels below him or her and asking, “What do you think could burn us with the examiners coming in?

Prepare Your People
Many of your organization’s resources participating in an examination are not individuals who routinely reach outside your organization. Few organizations would send a sales person out into the market to represent the company without preparation. However, we have observed an equivalent situation occur with unprepared resources have critical roles for examinations. Make sure that management prepares everyone who will participate.

While On Site
Anyone who has spent time as an auditor has experienced being put in dank, windowless basements. Have your organization treat the examiners like you would an important client that was coming in: have a welcome message in the lobby and have decent space for them. In short, they are human and like all humans are going to respond to any perceived disrespect.

The Internal Auditor’s Role in Regulatory Compliance


risks.jpgThe compliance audit, like other audit activities, is intended to provide feedback to management and the audit committee about the control environment, ongoing compliance and conditions for potential risk. The compliance audit should evaluate the effectiveness of the compliance management program, including policies and procedures, training, monitoring and consumer complaint response. A financial institution’s audit committee should determine the scope of an audit and the frequency with which audits are conducted.

This topic is often a key component of regulatory compliance examination feedback, particularly when specific regulatory violations have occurred. We see examiners questioning institutions about their overall compliance program management and digging into the elements of policies and procedures, training, quality control assessment and the like. Overlying compliance program management is the role of internal audit. What was internal audit’s assessment of the institution’s compliance with individual regulations, and of the program overall?

Elements of a Compliance Management Program

Regulatory guidance and best practices have helped define which elements are necessary to help an organization mitigate risks associated with compliance.

Typically, the basic elements include:

  1. Designation of a compliance officer
  2. Policies
  3. Procedures (internal processes and controls)
  4. Regulatory change management
  5. Training
  6. Quality control (monitoring)
  7. Consumer complaint response process
  8. Audit

Historically, compliance has been viewed as an organizational stepchild rather than an essential core function of an organization. Integrating the compliance function into the culture of the business empowers those responsible for compliance with a framework to fulfill their mission. Successful integration encompasses shared communication and education about compliance-related responsibilities, which helps employees at all levels to understand their responsibilities.

The two elements of assessing the overall effectiveness of a compliance program are quality control and audit. Let’s expand more on those components.

1.    QUALITY CONTROL

The end goal of a quality control function is to monitor how well departmental policies and procedures are being executed. Ultimately, the function should be risk-based, focusing the most resources on the areas of greatest risk. An effectively designed quality control program has an employee–such as a supervisor or other employee independent of the originator of the activity–review an ongoing risk-based sample of the work performed in an applicable area. A quality control program should be designed to assess certain areas based on the residual risk exposure of non-compliance.

Completed quality control reviews should be aggregated and reported to the compliance officer for review. The compliance officer should assess applicable areas for overall effectiveness to identify any increasing trends within departments. This oversight allows management to allocate resources on a risk-based, quantifiable basis.

Finally, the compliance officer should provide a consolidated report to the board of directors or designated compliance committee for final oversight. The consolidated report should provide a broad overview of the organization’s compliance posture so the board can continue to provide big-picture, strategic direction.

2.       COMPLIANCE AUDIT

The compliance audit provides for an independent assessment of departmental policies and procedures as well as a review of compliance with rules and regulations. Like the quality control program, the compliance audit should be risk-based. Determining where to focus audit resources should be based on an initial risk assessment that considers various information, including (but not limited to) examination findings, changes to the regulatory landscape, errors or violations, problems in the past, employee turnover in the compliance department or line of business and results of the quality control reviews. The results of the risk assessment determine the scope of the coverage and testing of the compliance audit.

The compliance audit results should be provided in formal, detailed reports that outline findings and management’s action plan to resolve each finding. These audits should be conducted by an individual independent of the compliance management function and reported in the same format, manner, and protocol as the organization’s overall audit function. Auditing the compliance function should be conducted on a less frequent basis than the quality control program; timing of the audits can be on a rotational basis and supported by the results of the risk assessment process.

It should be noted that the compliance audit scope can and should cover all of the elements of the compliance management program, including training and quality control, and not be limited to detailed testing of compliance with regulations. The resulting audit reports should be presented directly to the audit committee, and all findings should be tracked for resolution.

Compliance Across the Board

The current regulatory environment requires a new business model for compliance that stretches to all facets of an organization. The role of internal audit can enhance the success of a compliance management program by providing informative feedback that enhances the program’s effectiveness and sustainability.