A Strong CMS Without a Compliance Officer
We know we need a strong "CMS", but can we have a strong CMS without a dedicated compliance officer?
While having a dedicated compliance officer is one factor in determining our CMS score, there are plenty of institutions with a strong CMS that operate without one. First a recap on CMS in general, and then some thoughts below on scoring well with CMS despite not having a compliance officer.
Remember the 4 components of a Compliance Management System:
Board/Senior management oversight (including the appointment of a Chief Compliance Officer)
Compliance program (internal monitoring, policies and procedures, training)
Response to consumer complaints
Compliance audit
"CMS" Refresher (intro)
So you all know that regulators continue to move towards a risk-based approach for compliance examinations and away from a transactional approach. So that just means we'll be judged more on the strength of our policies, procedures, training efforts, work responding to audits and consumer complaints, Board/Management oversight, etc. (aka Compliance Management System) and less on the results of individual violations.
Example:
Regulators look at 5 loan files and find 1 with a TRID violation. Here's how this might go differently depending on CMS strength:
Strong CMS (situation A). Although this violation occurred, we claim it was an outlier and occurred despite strong training and controls. In fact, our internal monitoring self-identified the error and refunded the borrower. This was reported to senior management who made sure changes were made to prevent reoccurrence. Regulators determine there is no need to look at more loan files, satisfied that the 1 violation was a coincidence.
Weak CMS (situation B). This violation occurred and we can't strongly state there aren't more. Our internal monitoring is weak and didn't catch this issue. We have no proof that it didn't occur in many other instances. There was no training on this particular issue. There is no record that Senior management or the Board had been monitoring for TRID issues or that this risk had been identified before by them.
Strong CMS Sans Compliance Officer (today's topic)
As you'd read in your regulator's examination manual, the appointment of "an appropriately qualified and experienced Chief Compliance Officer" is a key component of an effective CMS. But for many institutions a full-time dedicated compliance officer may not be necessary.
This is not to say a good compliance officer isn't more helpful than ever before, but if you happen not to have one, well here are some thoughts on operating without one:
1. Compliance by Committee (not Officer)
A common mistake made by an institution without a dedicated compliance officer is to designate one person to accept this responsibility. Perhaps it is a member of senior management or the head of a business unit that has shown an interest and capability in compliance-related matters. In many cases it would be better to form a compliance committee because, whether or not you have a full-time compliance officer, compliance management is a full-time job. This could be made up of several people with complementary responsibilities, for example the Chief Lending Officer, Head of HR, and person in charge of deposit operations -- whatever makes sense for your institution, really.
Why do I say this? Check out the CMS expectations from the FDIC or CFPB or whoever audits you. You'll find the compliance officer is held accountable for any compliance violations. This person is responsible for all compliance-related training, for the annual audit, for reporting to the Board, for internal monitoring. In any size institution, it is difficult for one person to accept this responsibility on top of any existing duties.
Now this Committee idea is expressly supported by Federal regulators, for example, see the FDIC manual that reads "In smaller or less complex institutions, where staffing is limited, a full-time compliance officer may not be necessary; instead, the compliance responsibilities may be divided between various individuals by type of regulation, such as loan-related or deposit-related regulations."
2. Compliance Officer (or Committee) Authority, Independence, & Responsibilities
This is a related issue. Here's what makes up a good compliance officer (think about whether it may be easier to satisfy these expectations by committee at your organization):
Has significant authority to allocate resources to satisfy compliance needs
Sets a budget on compliance-related spending (to be approved by Board, if applicable)
Can establish and enforce expectations for employees across the organization. Has the authority to act quickly to effectuate real change
Has independent access to Board to deliver reports
Manages institution-wide practices regarding collection and response to consumer complaints
Can enforce and implement all expectations across departmental lines without limitation by anyone other than those at Senior Management or higher level
Is accountable to Senior Management and Board for all compliance matters (meaning they have to be knowledgeable enough in all areas to provide meaningful information)
Is "qualified," meaning they have an understanding of all consumer protection laws and regulations that apply, along with a general knowledge of the overall operations of the institution
Is involved with all new products and services and any new employees
So do you see why I think it might often be inappropriate for one single person to claim responsibility for this when they are not dedicated to this full-time? Why it might be better to form a committee to manage this?
In Other News
We've looked at the interesting issue of Airbnb income for underwriting purposes before, but for some New Yorkers it might not matter - with state legislators passing a law to make Airbnb illegal in urban areas. Your reaction?
Check out this short and interesting case about a Nevada banker banned from the industry by the FDIC for "reckless" acts such as approving residential construction loans without verifying ability-to-repay.
I wanted to share today an exciting effort being spearheaded by the Compliance Officer at Mutual Bank in Whitman. Have you heard of "Project Outreach?" This is an effort to combat the growing heroin epidemic in Massachusetts through both (a) community outreach and (b) supporting overdose follow-up (visits within 24 hours after someone overdoses on a drug).
In terms of community outreach, the group hosts a drop-in center twice a month with FREE health care, testing, and education. These centers host a growing number of health care providers who help with treatment options and train and distribute Narcan for free (a drug that can reverse opiate overdose). Drop-in centers are open for anyone who is looking for information about treatment. Family and friends are encouraged to attend (this is not just for addicts). What makes this special is the undivided attention of a healthcare worker who specializes in substance abuse. They will answer any questions you have, explain the science of addiction, discuss treatment options, help to work through issues with paying for treatment, and help to get into a treatment program.
The overdose follow-up work is also exciting. After an overdose occurs in a participating community, the Project Outreach team of safety officials and healthcare providers determines the best course of action to help that person. If it is determined that an in-person follow-up may help, a healthcare worker and safety official will go to the overdose victim's home. The healthcare worker discusses treatment options with the individual and helps to get them into treatment as soon as possible if they choose to go.
Project Outreach is still young, but has expanded now into 12 Massachusetts communities (from Plymouth now to Rochester and Pembroke). Since December 1, 2015, 84% of people who were located were connected with treatment.
Project Outreach is asking for the support of more community banks, credit unions, and mortgage lenders to help work towards the goal of ending the stigma of addiction and keep Project Outreach open and running. Anyone who would like to learn more or make a donation can reach out to Brian Bacci at BBacci@mymutualbank.com or (781) 523-4420. Because he's in compliance you might also want to pick his brain as to the benefits of such a donation in terms of CRA or MCLI requirements.
"We [CFPB] know that sometimes you [mortgage industry] are focused only on one side of the equation, namely the compliance costs you have incurred in implementing the rules we issued. That is a fact, but it is an inevitable one. No economic sector that precipitates a global financial meltdown could possibly expect to escape far-reaching reforms, as the Congress so dictated. But the safeguards we have put in place around underwriting, servicing, and loan originator compensation have improved industry performance, promoted responsible lending, and helped restore consumer trust that was badly shaken by the events of the past decade. These improvements benefit responsible lenders just as much as they benefit consumers."
~ Richard Cordray
Thanks so much for reading our weekly newsletters. We're not always going to be perfect, but because we always do our best and try not to overpromise, we hope that we're always going to be trustworthy. Your calls and e-mails are very helpful - please keep contributing.