Automated tools allow your compliance management system (CMS) to work effectively. That said, a CMS is less a technology in itself than a corporate compliance program, where multiple, distinct pieces of a larger whole all work together.
Specifically, a compliance management system looks like a collection of policies, procedures, and processes governing all compliance efforts. But as more companies use technology across all parts of the enterprise and more compliance requirements focus on cybersecurity, IT security is becoming an increasingly central part of the CMS.
So how does a modern CMS program operate? This article will explore that question.
What is a Compliance Program?
A compliance program helps a company to meet its legal requirements and to comply with applicable laws and regulations. Ideally, your CMS is an integrated system to govern that program, which should include employee training, focused business processes, operational reviews, and corrective action strategies.
The Federal Deposit Insurance Corp. (FDIC), a primary U.S. banking regulator, defines a CMS as how an institution:
- Learns about its compliance responsibilities;
- Assures that employees understand these responsibilities (via a compliance training program);
- Assures that compliance requirements are incorporated into business processes;
- Reviews operations to confirm that responsibilities are carried out and requirements are met; and
- Takes corrective action and updates materials as necessary.
An effective compliance management system, the FDIC continues, typically includes:
- Board and management oversight;
- The compliance program itself; and
- Regular audits of the compliance program.
What Is the Difference Between a Compliance Program and a Compliance Plan?
A public, written document, known as a compliance plan, outlines the rules an organization intends to follow while putting compliance aspects into practice. This document must accurately reflect the organization’s compliance obligations at any given moment, and be reviewed and revised regularly to stay current with the organization’s compliance initiatives. It is a living, breathing document.
A compliance program, in contrast, consists of formal organizational mechanisms designed to avoid, recognize, and address possible issues brought up by staff members and other stakeholders.
A compliance plan is one of the foundational elements necessary to create an effective compliance program, but a compliance program cannot be only a written document. Rather, it is a way of thinking and an operational model for how a business has formed its compliance culture. A compliance program that works is not a “thing in a box.” The best compliance initiatives develop over time.
What Is Compliance Risk?
Deloitte defines compliance risk as “the threat posed to a company’s financial, organizational, or reputational standing, resulting from violations of laws, regulations, codes of conduct, or organizational standards of practice.”
In other words, compliance risk is your organization’s potential failure to meet its compliance responsibilities. And in numerous industries, the price of non-compliance can be painfully high. In banking, for example, the FDIC, the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB) are stringent regulators that can impose high fines for compliance issues. Let’s look at several examples.
The OCC
In June 2020, the OCC warned banks about compliance risks related to the COVID-19 pandemic.
In its Semiannual Risk Perspective, the OCC warned that “compliance risk is elevated due to a combination of altered operations, employees working remotely, and the requirement to operationalize new federal, state and proprietary programs designed to support consumers,” including the CARES Act and Paycheck Protection Program (PPP).
The OCC also flagged interest rate risk, operational risk (again, heightened because of COVID-19), increased cybersecurity risk, compliance risk related to the Bank Secrecy Act (BSA), consumer compliance issues, and fair lending as areas of concern.
FDIC
The FDIC in 2020 advised financial institutions to have risk management programs that allow them “to identify, measure, monitor, and control the risks related to social media,” especially regarding consumer complaints that may arise over the platform.
Even institutions that don’t use social media should, “following a risk assessment … still consider the potential for negative comments or complaints that may arise within the many social media platforms described above, and, when appropriate, evaluate what, if any, action it will take to monitor for such comments and respond to them.”
CFPB
The Consumer Financial Protection Bureau is a consumer protection agency that responds to consumer complaints. For example, in 2018 the CFPB levied a $1 billion fine against Wells Fargo Bank for “unfair, deceptive, or abusive acts and practices” (UDAAP) associated with home and auto loans.
So compliance risk management requires a complex web of compliance activities (from change management to compliance monitoring, and much more) to assure that all enterprise business units conform to applicable laws. A compliance management system orchestrates that work in an efficient, productive way.
How to Create an Effective CMS
While it’s easy to assume that a CMS focuses on how your financial institution protects customers and avoids money laundering, market transactions are increasingly digital, using technologies vulnerable to unauthorized access.
Therefore a CMS should also focus on protecting data and responding to consumer complaints. Here’s how to create a compliance management program:
Board of Directors
Your compliance program starts with your board of directors. The board sets the business objectives for your organization to manage and mitigate risks.
Compliance Program
A compliance program consists of written policies and procedures, training, monitoring, and corrective actions.
These policies and procedures traditionally focus on fair lending and mortgage servicing issues. But as financial firms increasingly use software-as-a-service (SaaS) platforms for data collection or communications, you need to consider how to avoid privacy violations and remain compliant with the Gramm-Leach-Bliley Act (GLBA).
For example, if you plan to use digital technology for loan servicing, you need to assure that your vendor establishes controls to keep consumer protections in place.
Consumer Complaint Management Program
You need to be able to respond to consumer complaints and inquiries while also tracking, monitoring, and analyzing them. You also must protect your customer data from unauthorized access that affects its integrity, availability, and confidentiality.
Compliance Audit
Besides simply having a compliance program, you need to engage third-party auditors to ascertain whether your organization and IT suppliers comply with requirements.
Regarding IT infrastructure, the Consumer Financial Protection Bureau Supervision and Examination Manual expressly incorporates security requirements of the Gramm-Leach-Bliley Act (GLBA) and the Electronic Funds Transfer Act.
As your customers engage in more electronic funds transfers, you need to assure that your financial institution reviews the controls that protect its data against vulnerabilities. Independent auditors can provide objective expertise to verify compliance.
Who Needs to Be Involved?
As with any compliance requirement, your CMS incorporates a variety of internal and external parties.
Senior Management
Once the board establishes business objectives, senior management begins the vendor risk management (VRM) process. As part of this process, senior management reviews internal and external written documents to assure that the vendor’s security practices align with your required controls. VRM is a starting place for the management oversight required in most regulations.
Compliance Officer
Most financial institutions have compliance officers who oversee the CMS. This individual is in charge of everything from researching updates to reviewing risk profiles, policies, procedures, and processes.
The compliance officer must also maintain insight into how your organization handles information and vendors.
Front-Line Employees
Your front-line employees are the first line of defense against improper access to customer data. Whether it’s your loan or deposit staff, controls must assure that these employees create strong passwords and that only authorized staff can access the information.
In addition, your CMS should assure that all employees are appropriately trained based on their role within your organization.
Why Is a Corporate Compliance Program Important?
Primarily because state, federal, and international authorities have ramped up their actions against corporate misconduct, including the imposition of significant financial fines.
The most straightforward approach for a business to avoid those fines is to show that it made a sincere effort to abide by its regulatory obligations. This evidence (which the business may subsequently provide to law enforcement) is produced by compliance programs.
For instance, if you require staff members to take periodic training on the Foreign Corrupt Practices Act (FCPA), teaching them that paying bribes to foreign government officials is illegal, then you can demonstrate to the government: “Here are all our training records. As you can see, this employee attended the course 12 times in 10 years.”
In addition, if you cooperate with investigators and provide evidence of your employee’s involvement in an FCPA violation, such as email records, prosecutors are more inclined to prosecute the employee individually rather than the firm.
Evidence of a successful corporate compliance program shows that the organization is aware of the regulations and laws and makes earnest efforts to abide by them. If your company doesn’t implement a compliance program or cannot prove periodic compliance training, the firm could be liable for its employee’s misconduct.
What Are the Elements of an Effective Compliance Program?
The compliance program ties together several components of compliance activities. It typically covers everything, from evaluation and prevention to cooperation and enforcement.
Such programs are best viewed as a collection of several steps, rules, and regulations. This aids a business in uniformly adhering to compliance standards across all divisions. A compliance program is also a dynamic system of operation that benefits all industries equally.
One of its primary responsibilities is supporting and implementing new rules; businesses need to make changes swiftly without wasting resources. Other justifications for the requirement of a compliance program include:
- To provide guidelines for operations
- To manage risk effectively
- To align corporate practices with moral principles
- To implement the appropriate controls
- To implement supervision procedures
- To establish a compliance culture
- To address violations and breaches successfully
Here are seven crucial components of a compliance program that fulfill these demands.
Guidelines and Practices
Written policies that define a company’s expectations serve as the foundation of a compliance program. A prime example is the firm’s code of conduct or code of ethics, which applies to the board of directors and all employees. The code of conduct trains, informs, and guides staff members and outside parties on how to act appropriately throughout business interactions.
Policies and procedures also support an effective compliance program. For example, business processes integrated with segregation of duties controls ensure requirements are implemented and enforced.
Committee for Compliance
One of the most critical jobs is program supervision. A compliance manager serves as the chair of the in-house group that manages all compliance initiatives. Representatives from senior management and business operations make up these committees. They are in charge of assuring that the compliance policies are carried out effectively.
A subcommittee may be in charge of implementation and execution. Regular assessments are essential to the program. In addition to internal audits and supervision, this committee contributes to developing a compliance culture.
Risk Evaluation
Risk assessment is a continuous activity that improves the organization’s awareness of risk areas. Accurate risk assessments, repeated over time, let the compliance manager and his or her team detect high risks and prioritize their remediation.
The goal of the risk assessment, carried out as part of the comprehensive approach a compliance program provides, is to identify potential issues in advance. Every firm should conduct thorough risk analyses at least once a year or before introducing new products or services.
Every business must go through this process, and it is best managed within a compliance program. Without one, time may be wasted, or risk management becomes compartmentalized, an approach with a poor track record.
Regulations and Standards
Companies need to follow established compliance frameworks to avoid non-compliance. Compliance regulations for financial institutions differ from compliance in healthcare, so it’s crucial to understand the applicable laws. A successful compliance program depends on your industry, your organization’s risk areas, and the required internal controls.
Internal controls are essential for assuring procedures are followed as planned, but that’s not all. You must establish applicable standards and documentation to confirm that your organization’s compliance program is alive and well. Controls, including standard operating procedures (SOP) and other methods, assist in ensuring this.
Communication and Education
Training is an essential component of a successful compliance program. Everyone who is a member of the organization, both locally and internationally, must be informed about compliance, including corporate officers, employees, and third parties.
The training should cover applicable laws and rules, company policies, and prohibited behaviors. Compliance programs have established protocols to support business efforts in delivering this training. For example, an audience mapping program will have procedures for each step, from audience response to audience reaction.
Without the organized approach provided by a focused program, businesses risk losing their employees’ interest or losing sight of the goal. Unfortunately, compliance training is frequently included simply as onboarding and then ignored. Annual training routines are recommended.
Reporting
The human resources team often addresses compliance-related issues and infractions requiring disciplinary action. Maintaining total compliance, however, necessitates active feedback from all parties. The compliance committee should be involved in reporting.
Internal hotlines should also be available for employees to report compliance issues anonymously; this fosters a culture of compliance. Traditional reporting methods might not provide this, and employees are less inclined to produce quality reports if they are concerned about retaliation or losing their job.
Surveillance and Audits
Robust compliance programs include continuous monitoring, and businesses greatly benefit from it. It is a vital component of risk assessment since it enables prompt identification of potential dangers. Additionally, periodic audits are mandated by compliance frameworks. These enhance internal controls, address risk management requirements, and drive employee accountability.
Streamline Your Compliance Program with ZenGRC
Several compliance frameworks are available to help your CMS work effectively, and technology tools can automatically eliminate manual tasks to drive program effectiveness.
With ZenGRC compliance, workflow, and risk management capabilities, you can bundle many tasks required by a CMS into a single tool.
The compliance dashboards, metrics, and audit management features provide insight into the strengths and weaknesses of your IT infrastructure, showing how well you’re protecting data privacy. In addition, task prioritization and workflow tagging allow you to better communicate with other stakeholders to assure nothing falls through the cracks.
Worry-free compliance management is the Zen way. Contact us for a demo for more information on how ZenGRC can enable your CMS.