What you'll learn: Regulation F is here and regulators suddenly have a lot of new expectations for collections and recovery IT risk management. This means that now is the right time to assess the CFPB's new exam procedures and update your risk management framework accordingly. In this article, you'll get the deep-dive you need through all five CFPB IT exam procedure modules, so you'll be ready when regulators arrive.
2021 brought the financial services industry new requirements to add to their Risk Management Framework. I’d be hard-pressed to find a creditor who wasn’t aware of the CFPB’s Regulation F, and the additional monitoring and auditing responsibilities that are required when forwarding accounts to third-party collection agencies.
Additionally, the Federal Reserve, FDIC and OCC have proposed new Risk Management Guidance for banking organizations for managing risk associated with third-party relationships, including relationships with vendors. This proposed guidance would combine the three agencies’ current guidelines into one streamlined risk management guidance document. But this has yet to be posted in the Federal Register.
However, in September 2021, the CFPB also updated their exam procedures to include additional requirements related to Information Technology. And that update didn’t get nearly the press that Reg F or the combined agency guidance did.
The CFPB’s Exam Procedures Compliance Management Review – Information Technology (CMR-IT) is an additional exam procedure specifically related to Information Technology and IT controls within a covered entity. When comparing it side-by-side with the CFPB’s Exam Procedures (CMR) (last updated August 2017), it appears that much of the introduction and explanatory sections are an exact duplicate of the CMR.
However, an additional paragraph has been added to the introduction that helps explain what the CFPB is looking for:
“Institutions often use information technology (IT) that could impact compliance with Federal consumer financial laws. As part of its overall CMS assessment, the CFPB may evaluate the technology controls of an institution and its service providers. The CFPB may also evaluate an institution’s IT as it relates to compliance with Federal consumer financial laws.”
It’s also important to point out the CFPB’s expectations of a covered entity relating to compliance management in general:
“Institutions are expected to manage relationships with service providers to ensure that service providers effectively manage compliance with Federal consumer financial laws applicable to the product or service being provided.”
This is a good reminder to add this additional checkpoint to your regular audits of your service providers, and other third parties you engage with.
Exam Procedure Modules
There are five Modules in the CFPB’s Exam Procedures for IT. The Module section names are the same as in the CMR, as are the explanations of each module and the examination objectives.
However, the differences come in the actual exam procedures and the requirements of what the examiners are looking for. In the new CMR-IT, the procedures that will be reviewed relate to IT function, IT controls, IT organizational structures, etc.
Let’s break down the five Modules and take a look at the new examination procedures.
Module 1: Board and Management Oversight
The CFPB reminds us: “… the board of directors is ultimately responsible for developing and administering a compliance management system that ensures compliance with Federal consumer financial laws and addresses and minimizes associated risks of harm to consumers.” In the absence of a formal board of directors, companies should have a group or team that is responsible for these tasks. This is the group the CFPB will look to for the information needed to complete this section of the exam.
- Does the board demonstrate their commitment to the CMS? Do they provide resources, including capital that are in line with their institution’s size, complexity, and risk profile? Is the staff knowledgeable of Federal consumer financial laws, and are they empowered to comply and are they held accountable? Does the board conduct ongoing due diligence and oversight of service providers including review of policies & procedures, internal controls, and training?
- Does the board respond promptly to changes in the applicable Federal consumer financial laws and determine if changes need to be made across their business?
- Does the board comprehend and identify compliance risks? Do they engage in managing the risks? Are the potential risks and harm to consumers by the institution addressed as products are developed, marketed and administered?
- Are issues proactively identified? Once issues are identified, are they promptly responded to and remediated?
Examiners will request documentation, including board meeting minutes, organizational reporting structure and duties, information security program, IT risk management process, policies and procedures, risk assessment program, IT strategic plan, SDLC controls, change management process, business continuity plan, IT system reporting, and other documents as necessary to determine compliance.
Module 2: Compliance Program
The CFPB expects your compliance program to be a formal written document, administered by your chief compliance officer. They require the compliance program to contain four components: Policies & Procedures, Training, Monitoring/Audit and Consumer Complaint Response. The examiners have varying objectives and procedures for each component.
1. Policies & Procedures (Board Approved):
An institution’s policies & procedures should follow the policy enacted by the board of directors.
- Ensure policies & procedures are designed to effectively manage IT controls and compliance risk in the products, services & activities of the institution.
- Ensure they are consistent with board approved compliance policies.
- Do they address compliance with applicable Federal consumer financial laws and designed to minimize violations, and detect and minimize risks to harm to consumers?
- Do they cover the full life cycle of all IT products and/or services offered?
- Are they maintained and modified to remain current?
Examiners will require access to your IT policies & procedures so they can review how your program is structured and how it interacts with your IT functions. The examiners will also require information on who created the policies & procedures, when they were created and who maintains them. They will review your SLDC to see how your IT policies & procedures fit into it. Additionally, they will require access to your records retention and destruction timeframes. If you have more than one office, they will need to review the policies & procedures for each location to determine if they are consistent with the applicable corporate-level policies.
Educating your entire staff, from the board on down, is essential to maintaining an effective CMS.
Educating your entire staff, from the board on down, is essential to maintaining an effective CMS. The CFPB expects that training should be sufficient to cover the duties of the individual. Training should not just cover your policies & procedures, but also the regulations relating to Federal consumer financial laws, including unlawful discrimination and Unfair Deceptive Abusive Acts and Practices (UDAAP).
- Ensure training is comprehensive, timely and specifically tailored to the responsibilities of the staff receiving it.
- Is training program updated proactively in advance of the rollout of new or changed products?
- Is the training consistent with policies & procedures?
- Do the compliance and IT professionals have access to training?
Examiners will need an explanation of how your board or management is involved in training, and how training is selected for each group of employees. Examiners will require access to your IT training materials as well as your schedule of training and records of completion as well as any follow-up, escalation or enforcement that comes out of the training program. They will also require access to any IT training you have provided for your service providers, along with schedule and documentation of completion. They will also need to see your plan for new training that will be rolled out in the next 12 months.
3. Monitoring and/or audit
Monitoring is essential to identify your CMS’s weaknesses through the prompt identification of such weakness. Monitoring is generally done more often than auditing, and auditing is generally a more formal process, and likely carried out by an audit department or outside contracted party. IT and compliance audits provide the board of directors with crucial information to ensure the company is in compliance with regulations, consumer laws and policies & procedures that have been established by the board.
- Ensure the institution’s compliance monitoring, management information systems, reporting, auditing and internal control systems, including IT controls, are comprehensive, timely and successful at identifying and measuring compliance risk throughout the institution.
- Ensure programs are monitored proactively to identify weaknesses and mitigate regulatory violations.
- Ensure all consumer engagements supported by IT systems are handled according to the entity’s policies & procedures.
- Ensure monitoring considers the results of risk assessments and that findings resulting from monitoring are properly escalated.
- Ensure the audit program is independent and reports to the board. Ensure appropriate compliance and business unit managers receive copies of audit reports in a timely manner.
- Does the program address compliance with all applicable Federal consumer financial laws?
- Ensure the schedule and coverage of the audit activities is appropriate for the institution’s size, complexity, and risk profile.
Examiners will require access to monitoring and audit documentation, including; Quality Assurance and Quality Control procedures and the schedule of these procedures, policies & procedures pertaining to IT audits, any other documentation related to monitoring and audit. Additionally, the examiners will require proof of the independence of the monitoring/audit functions, and how well it identifies and reports weaknesses. They will also need to review auditor expertise and training to ensure it is sufficient for the complexity of the IT functions of the institution. If your auditing is performed by a third-party, the examiners will need to review the applicable policy, contracts, etc. you have with that auditor for the review period. The examiner will also need to see that the monitoring/audit coverage includes assessment of IT system capabilities and compliance with Federal consumer financial laws, and that it addresses access restrictions and unauthorized access. They will also check to ensure the board of director’s risk assessment process is being properly executed, that the board is receiving reports of the monitoring and audits and that any findings are being properly remediated.
4. Consumer Complaint Response
The CFPB expects that you will not only have a consumer complaint process in place, but that you will also gather information from consumer interactions in an organized fashion, that the information be retained, and that it be used as a part of your CMS. Additionally, the CFPB requires that companies make a deliberate and good faith effort to resolve each consumer complaint.
- Are the processes and procedures for addressing consumer complaints appropriate?
- Are the investigations and responses reasonable?
- Are the complaints appropriately recorded, categorized, addressed, and resolved promptly?
- Are complaints that may raise legal issues appropriately categorized and escalated?
- Are complaints monitored by management to identify risks of potential consumer harm, and to see if a CMS deficiency or IT issue has caused the complaint?
- Is corrective action being taken when appropriate?
- Note the number of consumer complaints received by the entity during the exam time period.
The examiner will review any IT related consumer complaints, including any that are received at the institutions service providers. They will require access to policies and procedures relating to consumer complaints. Examiners will also review any responses, corrective actions, analysis and categorization of any IT complaints, and determine whether correct corrective action was taken.
Consumer complaints and inquiries should be an integral part of an institution’s compliance management system.
Module 3: Service Provider Oversight
While the CFPB acknowledges third-party service providers may be a necessary part of doing business, they also state that engaging with a service provider does not negate the institution’s responsibility to comply with Federal consumer financial laws. Service providers must be familiar with any legal requirements applicable to the products being offered and must have processes in place to ensure consumer protections. Legal responsibility may lie not only with the service provider, but also the institution if there is consumer harm.
- Review the Risk Management Program for Service Providers to determine appropriateness based on size, scope, complexity, importance and potential for consumer harm.
- Does the Service Provider Risk Management Program include initial and ongoing due diligence reviews to ensure compliance with Federal consumer financial laws?
- Does the institution ensure each service provider conducts proper training and oversight of employees?
- Does the contract with the service provider include clear expectations relating to compliance and appropriate and enforceable consequences for violation?
- Has the institution established internal controls and ongoing monitoring to determine compliance with Federal consumer financial laws?
- Does the institution take prompt action to address any problems or violations identified through the monitoring process?
The examiner will require a list of the institutions service providers as well as a description of the services each service provider provides for the institution, and what IT functions the service provider may support. They will also require access to documentation relating to service providers including the institution’s risk management program for service providers that support IT functions that could have consumer compliance implications, policies & procedures, contracts, audits, monitoring and tests performed, and the results. Additionally, if service providers have access to sensitive consumer information, the examiner will also need access to the service provider’s written information security programs.
Creditors may be held liable for the actions of their service providers.
Module 4: Violations of Law and Consumer Harm
Throughout the exam process, the examiner will be looking for violations of law and consumer harm. If a violation is found, the examiner will determine if the institution’s CMS identified the violation, and if so, what remediation resulted. If a CMS is not appropriate for the institution’s size, complexity and risk profile of the institution’s business, it may not be suited to catch violations. The CFBP views self-identification and subsequent corrective action as evidence of an institution’s commitment to responsibility and consumer protection.
Self-identification and correction of violations of law reflect strengths in an institution’s CMS.
In the event an examiner identifies a violation of Federal consumer financial law, they consider the following factors:
- What was the root cause of the violation? Was a weakness in the CMS a contributing factor?
- The severity of consumer harm and type of harm resulting from the violation.
- The duration of the violation.
- The pervasiveness of the violations.
If an examiner determines there has been a violation of law that has resulted in consumer harm, they must review the conclusions drawn from the previous Modules in the exam that were identified as the root cause of the violation. They must then determine if the institution self-identified the violation, and review the documentation related to the identification and any corrective action taken as a result of the violation, including management’s awareness, and length of time it took to resolve. The examiner must determine the level of weakness in the institution’s CMS, and how critical they were to the violation. They must then determine the extent of consumer harm as a result of the violation, including financial harm and non-financial harm. Lastly, they must determine how pervasive the violation was by determining the number of consumers impacted.
Module 5: Examiner Conclusions and Wrap-Up
This module is the written summary of the previous four Modules. The examiner will provide their conclusions on the effectiveness of the institution’s Compliance Management System in relation to their IT functions.
The examiner must now summarize their findings, supervisory concerns and conclusions for each module completed. They must identify any action needed to correct weaknesses in the institution’s CMS. The examiner will discuss their findings with the institution’s management, and, if necessary, obtain a commitment for corrective action. Finally, the examiner must report their findings back to the CFPB via their official system of record.
While the new exam procedures for compliance management review for IT will only be used by the CFPB when they are examining a company, and while your company may not (yet) be on the list of company’s the CFPB is looking to examine, it is still considered a best practice to follow the CFPB’s guidelines and be prepared.
When risk of consumer harm is at stake, financial services companies can never be too careful. And those who use outside service providers have an additional level of risk to their customers. The strength of your compliance management system will help enormously when and if the CFPB comes knocking on your door. Will you be ready?
Linda Straub Jones is a Sr. Account Executive with NeuAnalytics. She has over 30 years of experience in the credit/collections industry and has worked as a collector, skip tracer, paralegal, and a data specialist for bankruptcy, deceased, and compliance data.
NeuAnalytics provides the only comprehensive compliance management system built for financial institutions to monitor their third-party service provider’s daily activities for performance and compliance risk. ISP is purpose-built for CFPB compliance, including early warning of possible consumer harm and management reporting.