CFPB Consumer
Laws and Regulations CMR
General Principles and Introduction
Supervised entities within the scope of CFPB’s supervision and enforcement authority include both depository institutions and non-depository consumer financial services companies. These financial service providers operate in a dynamic environment influenced by challenges to profitability and survival, increased focus on outcomes to consumers, industry consolidation, advancing technology, market globalization, and changes in laws and regulations.
To remain competitive and responsive to consumer needs in such an environment, supervised entities continuously assess their business strategies and modify product and service offerings and delivery channels. To maintain legal compliance, a supervised entity must develop and maintain a sound compliance management system that is integrated into the overall framework for product design, delivery, and administration – that is, the entire product and service lifecycle.
Ultimately, compliance should be part of the day-to-day responsibilities of management and the employees of a supervised entity; issues should be self-identified; and corrective action should be initiated by the entity. Supervised entities are also expected to manage relationships with third-party service providers to ensure that these providers effectively manage compliance with Federal consumer financial laws applicable to the product or service being provided.
Weaknesses in compliance management systems can result in violations of law or regulation and associated harm to consumers. Therefore, the CFPB expects every regulated entity under its supervision and enforcement authority to have an effective compliance management system adapted to its business strategy and operations. Each CFPB examination will include review and testing of components of the supervised entity’s compliance management system. An initial review will help determine the scope and intensity of an examination. The findings of more detailed reviews and transaction testing will determine the effectiveness of the compliance management system and whether enhancements or corrective actions are appropriate.
CFPB understands that compliance will likely be managed differently by large banking
organizations with complex compliance profiles and a wide range of consumer financial products and services1 at one end of the spectrum, than by entities that may be owned by a single
individual and feature a narrow range of financial products and services, at the other end of the spectrum. Compliance may be managed on a firm- or enterprise-wide basis, and supervised entities may engage outside firms to assist with compliance management. However compliance is managed, a provider of consumer financial products or services under CFPB’s supervisory purview is expected to comply with Federal consumer financial laws and appropriately address and prevent violations of law and associated harms to consumers through its compliance management process.
1 For example, the Federal Reserve Board of Governors expects large banking organizations with complex compliance profiles to implement firm-wide compliance risk management programs and have a corporate compliance function. SR 08-8 / CA 08-11, October 16, 2008. The CFPB will expect no less.
CFPB Consumer
Laws and Regulations CMR
CFPB also understands that supervised entities will organize compliance management to include compliance with consumer-related state and Federal laws that are outside the scope of CFPB’s supervision responsibilities, in addition to the matters that are within CFPB’s scope. CFPB, therefore, expects that compliance management activities will be organized within a firm, legal entity, division, or business unit in the way that is most effective for the supervised entity, and that the manner of organization will vary from entity to entity.
This section of the Manual discusses the common elements of an effective consumer compliance management system: board of directors and management oversight, the compliance program, response to consumer complaints, and audit coverage of compliance matters.
Compliance Management System
A compliance management system is how a supervised entity:
• Establishes its compliance responsibilities;
• Communicates those responsibilities to employees;
• Ensures that responsibilities for meeting legal requirements and internal policies are incorporated into business processes;
• Reviews operations to ensure responsibilities are carried out and legal requirements are met;
and
• Takes corrective action and updates tools, systems, and materials as necessary.
An effective compliance management system commonly has four interdependent control components:
• Board and management oversight;
• Compliance program;
• Response to consumer complaints; and
• Compliance audit.
When all of these four control components are strong and well-coordinated, a supervised entity should be successful at managing its compliance responsibilities and risks.
Compliance Management Examination Procedures
Board of Directors and Management Oversight
In a depository institution, the board of directors is ultimately responsible for developing and administering a compliance management system that ensures compliance with Federal consumer financial laws and regulations and addresses and prevents associated risks of harm to consumers.
In a non-depository consumer financial services company, that ultimate responsibility may rest with a board of directors in the case of a corporation or with a controlling person or some other arrangement. For the balance of this section of the Manual, references to the “board of directors”
or “board” generally refer to the board of directors or other individual or group exercising similar oversight functions. In addition, some supervised entities may be governed by firm-wide
standards, policies, and procedures developed by a holding company or other top-tier corporation for adoption, use, and modification, as necessary, by subsidiary entities.
CFPB Consumer
Laws and Regulations CMR
Board of Directors and Management Oversight –Examination Objectives
Because the effectiveness of a compliance management system is grounded in the actions taken by its board and senior management, CFPB examiners should seek to determine whether the board and senior management have:
1. Demonstrated clear expectations about compliance, not only within the entity, but also to third-party service providers.
2. Adopted clear policy statements regarding consumer compliance.
3. Appointed an appropriately qualified and experienced chief compliance officer and provided for other compliance officers with authority and accountability. (In smaller or less complex entities where staffing is limited, a full-time compliance officer may not be necessary.
However, management should have clear responsibility for compliance management and compliance staff should be assigned to carry out this function in a manner commensurate with the size of the entity and the nature and risks of its activities.)
4. Established a compliance function to set policies, procedures, and standards.
5. Allocated resources to the compliance function commensurate with the size and complexity of the entity’s operations and practices, the Federal consumer financial laws and regulations to which the entity is subject, and necessary to avoid the potential consumer harm associated with violations of such laws and regulations.
6. Addressed consumer compliance issues and associated risks of harm to consumers throughout product development, marketing, and account administration, and through the entity’s handling of consumer complaints and inquiries.
7. Required audit coverage of compliance matters and reviewed the results of periodic compliance audits.
8. Provided for recurring reports of compliance risks, issues, and resolution through a committee structure or to the board.
Board of Directors and Management Oversight –Examination Procedures
Through pre-examination work or follow-up to previous examinations, examiners should request and review records and discuss issues and questions with senior management. With respect to board and senior management oversight, examiners should:
1. Review board meeting minutes and supporting materials during the period under review for coverage of compliance matters.
2. Determine board committee structures and delegated responsibility for compliance matters, such as to an audit committee or risk committee, and review the meeting minutes and supporting materials of those committees for coverage of compliance matters.
CFPB Consumer
Laws and Regulations CMR
3. Determine any management committees with delegated authority and accountability for compliance matters, and review their composition, functions, and reporting to committees of the board or to the board.
4. Determine the authority and accountability for compliance matters of regional or business unit governance bodies; and review their composition, functions, and reporting.
5. Review policies for clarity, comprehensiveness, currency, and appropriate reflection of risks to consumers posed by the organization’s practices, as well as compliance issues and risks facing the organization.
6. Review the formal written compliance function document adopted by the board of directors or an appropriate committee of the board, and determine the resource allocation to
compliance as part of the entity’s budget and planning process.
7. Identify the chief compliance officer and other responsible individuals.
8. Review the role of the chief compliance officer for authority to lead a compliance program and independence from business units.
9. Review board and board committee records for evidence of the chief compliance officer’s independent access to board members and governance bodies.
10. Review processes for the identification of new regulatory requirements, changes in requirements, and planning for implementation.
11. Review processes for development and implementation of new consumer financial products or services, distribution channels or strategies, to determine degree of compliance function participation.
12. Determine degree of compliance review of draft marketing material (including scripts) and their implementation.
13. Review reporting for the identification and resolution of issues and the timeliness and completeness of such actions.
14. Review board or committee consideration of compliance audit matters for coverage of key risks, independence from business functions, and resolution of identified issues.
15. Draw preliminary conclusions about the strength, adequacy, or weakness of board and senior management oversight, subject to risk focused review and testing for compliance.
In the absence of a board of directors and board committee structure, the examiner should determine that the person or group exercising similar oversight functions receives relevant information about compliance and consumer protection matters and takes steps to ensure that the key elements, resources, and individuals necessary for a compliance management system
commensurate with the supervised entity’s risk profile are in place and functioning.
CFPB Consumer
Laws and Regulations CMR
Compliance Program
A sound compliance program is essential to the efficient and successful operation of the supervised entity, much as a business plan. A compliance program includes the following components:
• Policies and procedures,
• Training, and
• Monitoring and corrective action.
A supervised entity should establish a formal, written compliance program, and that program generally should be administered by a chief compliance officer. In addition to being a planned and organized effort to guide the entity’s compliance activities, a written program represents an essential source document that may serve as a training and reference tool for employees. A well planned, implemented, and maintained compliance program will prevent or reduce regulatory violations, protect consumers from non-compliance and associated harms, and help align business strategies with outcomes. The examination objectives and procedures for the
compliance program are divided in this section of the Manual among the three components of a program.
Policies and Procedures – Examination Objectives
Compliance policies and procedures should be documented and in sufficient detail to implement the board-approved policy documents. Overall, examiners should seek to determine whether compliance policies and procedures:
1. Are consistent with board-approved policies.
2. Address compliance with applicable Federal consumer financial laws in a manner designed to prevent violations and to detect and prevent associated risks of harm to consumers.
3. Cover product or service lifecycles.
4. Are maintained and modified to remain current and to serve as a reference for employees in their day-to-day activities.
Policies and Procedures – Examination Procedures
Examiners should request and review compliance policies and procedures and discuss elements with compliance officers or other responsible officers and employees of the supervised entity, as follows:
1. Request and review policies and procedures related to consumer compliance, including Federal consumer financial laws and policies and procedures related to offering consumer financial products and services.
2. Review policies and procedures for changes management committed to make following recent monitoring, audit, and examination findings and recommendations.
CFPB Consumer
Laws and Regulations CMR
3. Review policies and procedures to determine whether and how they address new or amended Federal consumer financial laws and regulations since the preceding examination or since the most recent consumer compliance examination by a state or prudential regulator, if
applicable, if this is CFPB’s first examination.
4. Request and review policies and procedures to determine whether they cover consumer financial products or services introduced since the preceding examination or since the most recent consumer compliance examination by a state or prudential regulator, if applicable, if this is CFPB’s first examination.
5. Review policies and procedures relating to compliance with specific regulatory requirements (such as the privacy of consumer financial information) and their implementing procedures.
6. Review for outdated content, the names of unaffiliated entities, or other indicators that policies are overly general or not tailored to the needs and actual practices of the supervised entity being examined.
7. Review policies and procedures for products with features that may inhibit consumer understanding or otherwise pose heightened risks of unfair, deceptive, or abusive practices.
8. Review policies and procedures for products in which employee compensation structures, pricing or underwriting discretion, or other features may pose heightened risk of unlawful discrimination.
9. Review policies and procedures designed to ensure that the entity’s third-party service providers comply with legal obligations applicable to the product or service of the examined entity and the provider.2
10. Review policies and procedures maintained by different regional, business unit, or legal entities subject to the same corporate or board-level policies for consistency.
11. Review policies and procedures for record retention and destruction timeframes to ensure compliance with legal requirements.
12. If compliance procedures are embedded in automated tools or business unit procedures, determine that a qualified compliance officer or contractor reviewed these tools for
consistency with policies and procedures and compliance with applicable Federal consumer laws and approved them for the purpose for which they are utilized.
13. Draw preliminary conclusions regarding the strength, adequacy, or weakness of policies and procedures, and identify business units, delivery channels, or offices for transaction testing.
Test to confirm that actual practices are consistent with strong or adequate written policies and procedures. Test to determine the impact of apparently weak procedures.
2 Although the CFPB has not yet issued guidance addressing third-party risk management, ample guidance exists from the prudential regulators explaining the need for strong oversight of third-party activities. See, for example, FDIC FIL-44-2008, Guidance for Managing Third-Party Risk, June 6, 2008,
http://www.fdic.gov/news/news/financial/2008/fil08044.html, other interagency supervision guidance, and specific regulatory examination procedures such as those for Privacy requirements.
CFPB Consumer
Laws and Regulations CMR
Training – Examination Objectives
Education of an entity’s board of directors, management, and staff is essential to maintaining an effective compliance program. Board members should receive sufficient information to enable them to understand the entity’s responsibilities and the commensurate resource requirements.
Management and staff should receive specific, comprehensive training that reinforces and helps implement written policies and procedures. Requirements for compliance with Federal consumer financial laws, including prohibitions against unlawful discrimination and unfair, deceptive, and abusive acts and practices, should be incorporated into training for all relevant officers and employees, including audit personnel. Examiners should seek to determine whether:
1. Compliance training is current, complete, directed to appropriate individuals based on their roles, effective, and commensurate with the size of the entity and nature and risks to
consumers presented by its activities.
2. Training is consistent with policies and procedures and designed to reinforce those policies and procedures.
3. Compliance professionals have access to training that is necessary to administer a
compliance program that is appropriate for that supervised entity and its business strategy and operations.
Training – Examination Procedures
Examiners should request and review training records and interview management and staff as appropriate to evaluate this element of the compliance program and to refine and focus the examination. Examiners should:
1. Request and review the schedule, record of completion, and materials for recent compliance training of board members and executive officers.
2. Determine the involvement of compliance officer(s) in selecting, reviewing, or delivering training content.
3. Request and review policies, standards, schedules, and records of completion for compliance- specific training of compliance professionals, managers, and staff, and documents
demonstrating that third-party service providers who have consumer contact or compliance responsibilities are appropriately trained.
4. Request and review samples of the content of training materials and comprehension tests, including training related to new regulatory requirements, new products or channels of distribution, and marketing (including scripts).
5. Request and review training developed as a result of management commitments to address monitoring, audit, or examination findings and recommendations or issues raised in
consumer complaints and inquiries.
6. Determine whether the program is designed to provide training about the specific regulatory requirements relevant to the functions of particular positions, such as the Truth in Lending Act for loan officers.
CFPB Consumer
Laws and Regulations CMR
7. Review records of follow-up, escalation, and enforcement for units with training completion rates that do not meet the supervised entity’s standards or deadlines.
8. Request and review the supervised entity’s plans for additions, deletions, or modifications to compliance training over the next 12 months and any plans for changes to the overall training resources and compare actual training activities to prior plans.
9. Draw preliminary conclusions about the strength, adequacy, or weakness of the training element of the compliance program, and select lines of business, organizational units, or other areas for more detailed review and testing.
Monitoring and Corrective Action – Examination Objectives
Monitoring is a compliance program element that seeks, in an organized and risk-focused way, to identify procedural or training weaknesses in an effort to provide for a high level of compliance by promptly identifying and correcting weaknesses. Monitoring and testing is generally more frequent and less formal than compliance audit coverage and reporting, may be carried out by the business unit, and does not require the same level of independence from the business or
compliance function that an audit program does. Examiners should evaluate monitoring and audit programs to determine whether, considered together, they are adequate and comprehensive.
Examiners review of compliance monitoring and testing should determine whether:
1. Monitoring is scheduled and completed and leads to timely corrective actions where appropriate.
2. The supervised entity is determining that transactions and other consumer contacts are handled according to the entity’s policies and procedures.
3. Monitoring and testing consider the results of risk assessments or other guides for prioritizing reviews.
4. Monitoring addresses deficiencies identified in internal or external audits, and the board’s or management’s directives on resolving the deficiencies.
5. Findings are escalated to management and to the board of directors if appropriate.
Monitoring and Corrective Action – Examination Procedures
Examiners should review monitoring, testing, and corrective action reports; sample supporting documents; and interview individuals responsible for compliance monitoring, testing, and corrective action. Examiners should:
1. Determine the chief compliance officer’s role in the compliance monitoring element of the compliance program.
2. Request and review the monitoring and testing schedule for the current year or next 12 months, and review the currency of reviews in process against the current schedule.
3. Request and review the risk assessments or other documents that led to the monitoring and testing program plan.
CFPB Consumer
Laws and Regulations CMR
4. Discuss with the compliance officer or monitoring manager the coverage of third-party service providers that have contact with consumers.
5. Determine whether and to what extent monitoring includes calculation tools, the content of consumer disclosures and notices, marketing materials, and scripts or guides for employee contacts with consumers.
6. Request and review all compliance monitoring, testing and corrective action reports completed during a specific period of time.
7. Review reports for indications of systemic weaknesses, repeat violations of law and resulting risks or harms to consumers, or other matters of significant concern such as potential
discriminatory effects of policies or procedures or particular business units with continuing or high levels of non-compliance.
8. Review a sample of reports and supporting documents covering potential unfair, deceptive, or discriminatory practices or related matters that pose heightened risks to consumers for thoroughness of review, accuracy of findings, and appropriateness of recommendations.
9. Determine whether monitoring results in corrective action that is timely and appropriate in size and scope.
10. Draw a preliminary conclusion regarding the strength, adequacy, or weakness of the monitoring and corrective action element of the compliance program, and select areas for further review either because of lack of coverage by the monitoring program or to confirm monitoring or corrective action findings.
Consumer Complaint Response
An effective compliance management system should ensure that a supervised entity is responsive and responsible in handling consumer complaints and inquiries. Intelligence gathered from consumer contacts should be organized, retained, and used as part of an institution’s compliance management system.
CFPB Consumer
Laws and Regulations CMR
Consumer Complaint Response –Examination Objectives Examiners will consider consumer complaints to determine whether:
1. Consumer complaints and inquiries, regardless of where submitted, are appropriately recorded and categorized.
2. Complaints and inquiries, whether regarding the entity or its third-party service providers, are addressed and resolved promptly.
3. Complaints that raise legal issues involving potential consumer harm from unfair treatment or discrimination, or other regulatory compliance issues, are appropriately escalated.
4. Complaint data and individual cases drive adjustments to business practices as appropriate.
5. Consumer complaints result in retrospective corrective action to correct the effects of the supervised entity’s actions when appropriate.
6. Weaknesses in the compliance management system exist, based on the nature or number of substantive complaints from consumers.
Consumer Complaint Response –Examination Procedures
Examiners should review records, interview management, and contact consumers if needed to evaluate this consumer response component of the compliance management system. Examiners should:
1. Obtain and review records of recent consumer complaints and inquiries received by CFPB about the entity and its service providers.
2. Review industry or other benchmarking complaint data collected by CFPB.
3. To the extent available, obtain and review records of recent consumer complaints against the institution from the prudential regulator, from state regulators, from state attorneys general offices or licensing and registration agencies, and from private or other industry sources.
4. Request and review from the institution being examined its policies and procedures for receiving, escalating, and resolving consumer complaints and inquiries.
5. Request and review the record of consumer complaints and inquiries received by the institution for a specific recent period of time.
6. Identify complaints alleging deception, unfair treatment, unlawful discrimination, or other significant consumer injury; and review some or all of those complaints for handling, timeliness, disposition, and any prospective and retrospective corrective actions.
7. Determine whether corrective action is offered or taken for any complaint resulting in a conclusion of violation of law or regulation.
8. Determine whether complaints involving third-party service providers or other third parties referring business to the supervised entity receive prompt and appropriate handling and follow-up by the entity.
CFPB Consumer
Laws and Regulations CMR
9. If a supervised entity maintains multiple consumer response centers or units, determine whether it employs a common set of best practices as applicable.
10. Determine whether evaluations of consumer contacts are shared within the supervised entity and included in compliance management reporting to the Board and senior management, and whether such information is used in modifying policies, procedures, training, and monitoring.
11. Draw preliminary conclusions regarding the strength, adequacy, or weakness of the
supervised entity’s response to consumer issues and concerns, and identify business conduct areas, specific regulations, or organizational units for more detailed review.
Compliance Audit
Audit coverage of compliance matters is the fourth component of an effective compliance management system. The audit function should review an institution’s compliance with Federal consumer financial laws and adherence to internal policies and procedures and be independent of both the compliance program and business functions that include customer sales or service.
A compliance audit program provides a board of directors or its designated committees with a determination of whether policies and standards adopted by the board to guide risk management are being implemented to provide for the level of compliance and consumer protection
established by the board. The audit should also identify any significant gaps in board policies and standards.
Compliance Audit –Examination Objectives Examiners will seek to determine whether:
1. The audit program is sufficiently independent and reports to the board or a committee of the board.
2. The audit program addresses compliance with all applicable Federal consumer financial laws.
3. The schedule and coverage of audit activities is appropriate to the size of the entity, its consumer financial product offerings, and its manner of conducting its consumer financial products business.
4. All appropriate compliance and business unit managers receive copies of audit reports in a timely manner.
5. Audit results lead to appropriate, timely corrective action.
CFPB Consumer
Laws and Regulations CMR
Compliance Audit – Examination Procedures
Examiners will review records of the compliance audit program and discuss the audit methods, results, and reporting with audit managers. Examiners should:
1. Request the supervised entity’s audit plans and schedules for the prior year, current year, and the following year.
2. If compliance audit is performed by a third party, request and review the engagement letters or contracts covering the prior year and the current year.
3. Determine the basis for the audit plan and schedule and whether reporting is to the board of directors or to an audit committee or other committee of the board.
4. Request and review all compliance audit reports for a specified period of time.
5. Determine whether written audit reports identify the scope, sampling techniques,
findings/deficiencies, recommendations for corrective action, and management responses with time frames for corrective action.
6. Determine whether audit scopes include previous audit, and examination findings, new requirements, new products and channels, and self-identified higher risk areas of the supervised entity’s operations.
7. Request and review audit workpapers for a sample of audits covering fair lending laws and regulations; potential unfair, deceptive, or abusive practices; or other areas that may pose heightened risks to consumers.
8. Determine whether corrective actions are tracked and any delay in appropriate management response or lack of corrective action is escalated.
9. Determine whether the supervised entity’s chief compliance officer and appropriate business unit head(s) receive copies of audit reports, so that adjustments can be made to compliance program elements in a timely manner.
10. Review audit function structure and policies and procedures to ensure that the audit function, whether internal or external, is sufficiently independent of the business line and compliance management function.
11. Draw preliminary conclusions about the strength, adequacy, or weakness of the compliance audit component of the compliance management system, and identify areas for further review based on gaps in audit coverage or to confirm the accuracy of audit findings and reporting.
