An Unfollowed Policy Does More Harm than No Compliance Program at All
What are your binders really binding you to?
You may already know that a compliance program contained in dusty binders is about as effective as no compliance program at all. But according to Michael Semanie, an attorney with Killgore, Pearlman, Stamp, Denius & Squires, P.A., that old-fashioned method of managing and tracking compliance is not just useless, but actively harmful to your organization.
Here’s Mike, talking to the audience at our “Blueprint for a Modern Compliance Program” webinar last week:
“Let’s say, for example, you adopted a Red Flags Rule policy years ago. For years now, it’s been sitting on the shelf, you’ve had new issues that have come up to where you could have modified the policy: you could have adapted to certain things that are new changes in the way identity is being stolen and being used, and different ways that you could be more responsive to that—to actually achieve the importance of that rule—and you haven’t done it.
“So now, a regulator, or potentially a compliance attorney, comes in and says, ‘Okay, well, we know that you understood that that rule was out there. We know you understood that you had a responsibility, and we know that because you adopted a policy years ago. And you’ve completely neglected that responsibility because you haven’t done what you’re supposed to do and update your policies based on changes in the law, changes in court rulings on how things should be interpreted, new products and services you’re offering, [or] just the facts of different ways things are being done.’”
To a regulator, an unfollowed policy statement is worse than having no compliance policy in place. In other words, beware of a so-called compliance program that binds you to a promise you don’t intend to keep.
Ditch the Binders, and Establish a Fluid Compliance Management System
According to Mike, an effective compliance management system is cyclical: “you find out where there’s a problem or where you have a responsibility, you go through a process to resolve that, and you basically get the feedback and start over. It’s a loop.” Taking a tour around the loop—from compliance program to consumer complaint response, to audit, to board of director oversight—Mike walked through each of the steps.
First up: identifying relevant compliance responsibilities. Said Mike: “We find out what we are supposed to be doing, what standard we’re gonna be held to, and what responsibilities we have. That’s the first step of the process.”
The next step is ensuring that employees understand those responsibilities. Mike told us this is where he often sees issues: “It’s the distribution of that information and training to employees. It goes back to ‘we adopted a policy statement’—the policy statement does you no good if your employees don’t know what to do and how to comply with that policy.”
Once your employees understand their responsibilities, you’ll need to ensure your legal requirements are integrated into business processes. Mike mentioned that he’s seen a lot of policy statements that discuss what the relevant statutes require, but they say nothing “about how you actually integrate that then with what you’re doing as a business and how your processes work for your particular business.” The critical question is “How are you going to integrate those requirements into those processes so it’s effective and it’s not just words on a piece of paper?”
After that, an organization must conduct regular reviews to ensure responsibilities are met:
“You have to be able to review these processes again and again to make sure that they’re addressing all the issues that need to be addressed, that there’s not something new that you should be looking at. And from that point, when you do see something that needs to be addressed, you require corrective action and updates as necessary.”
Mike used cybersecurity threats targeting financial institutions’ and businesses’ private records as an example: “That’s something that should be addressed. That’s something that, okay, you know about now, and you should be updating your Gramm–Leach–Bliley [Act] policy or any of your data security policies to make sure that you’re complying with that and that you’re addressing that issue that comes up.”
Mike emphasized that compliance is a fluid, flexible, living and breathing process that needs to be updated in accordance with court rulings, emerging best practices, and guidance from the Consumer Financial Protection Bureau. Additionally, organizations should review compliance management systems, from top to bottom, at least once a year—but ideally more frequently, to avoid delays in implementation of critical processes.
Next: Updating Your CMS in Response to Current Fair Lending Regulations and Enforcement Actions
This article looks at the “what” of a robust CMS; next up, we’ll take you through the “why” and “how”: why you can’t afford to ignore the latest regulatory updates and enforcement actions, and how to put that fluid, responsive CMS into effect.
(But if you’d rather not wait until the next post, you can view the webinar, on demand, for free!)