CFPB Watch: How Fit Is Your Compliance Program? Part 2
Some things are worth repeating. Like Compli’s CFPB six-part Webinar series. For those of you who missed the webinar, the following recap will catch you up. And for those of you who were a part of the webinar, this should be a great refresher.
Today, whether you’re an independent auto dealer, a franchise dealership (and whether you’re a dealer that keeps your papers or you have a related finance company), a non-banking financial institution, or in retail banking, you need a compliance management system. As many of you know, a compliance management system is complex and must address several issues, including identity theft prevention, advertising and marketing for consumer loans and leases, compliance training and related documents, the privacy and security practices of service partners, and information security, to name a few.
To provide compliance solutions for dealers and financial organizations, we break down an effective CMS into four critical parts: board oversight, a compliance program, a customer complaint program and an independent audit program. The compliance program is the heart of a CMS, and the following summarizes the CFPB webinar’s deep dive on the compliance program with legal expert Patty Covington, partner at Hudson Cook LLP.
Legal Perspective
A fair credit and fair lending program that will protect you from issues related to, or violations of, the ECOA and Regulation B needs to be a priority because of heightened CFPB scrutiny of dealer participation in fair lending practices.
Your organization cannot afford to have a CMS that is not an integral part of your business operations. The Equal Credit Opportunity Act of 1974 has been around for a while, but what has changed is that the Consumer Financial Protection Bureau and the Federal Trade Commission are more concerned than ever before about what your business is doing to protect consumers from harm. To that end, the CFPB requires auto dealers with an F&I department and financial institutions to have a CMS, and it must be able to show and tell that your organization can prevent, identify, and detect violations of the law or issues of concern and resolve them.
How do you show federal and state regulators, auditors, inspectors and finance companies that your organization takes compliance seriously and is on top of customer complaints? You guessed it, your compliance program.
We know that a CMS is necessary to do business and that you cannot have a CMS without a compliance program, but what is a compliance program?
Executive Sponsor
A compliance program must have an executive sponsor who oversees the compliance program. The executive sponsor is often the board or an executive but can also be senior management of an organization with the authority, skills, mandate and budget to oversee the compliance program, review and correct issues as they arise, and report to the Board or Executive level management on the performance of the compliance program as it relates to the goals of the program.
Legal Perspective: Executive Sponsor
It is important to be able to identify an executive sponsor of your compliance program and show that they have the mandate, with a compliance duty or objective in their job description or a recent performance appraisal that notes the time allocated and the skills appropriate to oversee your organization’s compliance program.
Policies & Procedures
A compliance program must have policies & procedures that are written with the intent to provide the rules for conducting business and clear expectations for your workforce in all areas, such as business ethics, data privacy, workforce values or any organizational risks. The P&P are also the tactics for ensuring compliance is an integral part of operations and should be clearly and consistently written, current and agreed upon by management. The larger your organization, the more likely that your P&P will be available online. If the P&P can demonstrate that resources have been allocated, and you can provide proof of such things as materials, assessments, and a training schedule, you will be able to show and tell that compliance is important.
Legal Perspective: Policies & Procedures
Do not overlook the importance of written P&P because of the false belief that ‘actions speak louder than words.’ Organizations subject to CFPB and FTC civil investigative demands will be asked to submit a P&P list and copies of the written policies, which the agencies will expect to have been signed off on by the governing body of the organization. And do not be surprised if financial lenders who want to stay ahead of the curve check in to make sure auto dealers know the laws that apply and their compliance requirements.
Training
A compliance program cannot be integrated into operations without training that educates its workforce and service providers. Training needs to be appropriate for the role, level of responsibility, location and generation of your workforce to be effective. Measuring effectiveness by assessments is critical to know the results of your training by individual, by department and by location. You must be able to show who was trained, on what P&P, and when to satisfy an audit of training activity.
Legal Perspective: Training
In some cases, enforcement action specifically focuses on training and requires context that shows the training requirements have been satisfied. Additionally, training is a main way to communicate compliance responsibility, and periodic training promotes awareness of compliance regulations.
Monitoring
A compliance program relies upon monitoring to detect in what role, department or location the P&P is not active in day-to-day operations. Simply, does behavior match policy? For a dealership, are the deal jackets being regularly reviewed to determine whether or not P&P are being followed? Naturally, if procedures are not being followed as desired, this needs to be documented and reviewed by the appropriate management. Where there are issues, a speak-up process and exception reporting are vital to correcting the issues before they become problems or violations. Proper documentation of any issues and review of these issues will show whether your training is trending up or down.
Legal Perspective: Monitoring
Whether an enforcement agency is in exam mode or under CID, with a CMS in place to prevent, identify and correct issues, an organization’s efforts are credited.
Correction
A compliance program is useless without correction to ensure that your compliance program is continually improving. Are your P&P clear, consistent and appropriate? Are trainings resulting in the desired behavior in an increasingly positive way or negative way? Is your monitoring schedule catching the issues before they become liabilities? Have you reached the compliance score goal? If your board has a high incidence / response rate and is asking these questions you are most likely placing a high level of importance on correction.
Legal Perspective: Correction
Incidents must be corrected completely. If the incident points to a systemic issue, conduct a root cause analysis – get to the bottom of the issue. If the incident involves a customer being harmed, they must be made whole. Regulators are looking for assurance that the organization understands the law and regulations and is taking compliance seriously. It is not enough just to tell them; you must show them, and correction is key here. Things such as auditable trending reports, which demonstrate to agencies that your organization is striving for continuous improvement of its compliance management system, can prevent an issue from becoming a costly, public enforcement action.
We hope the summary has told you and shown you how a compliance program, the heart, brings your CMS to life. The compliance program is a central part of the CMS and, like the heart, it must be integrated with the oversight, consumer complaint and audit programs to be fully functional in the CMS. Similarly, information on how the compliance program is integrating compliance into operations is as vital as blood to the body. Finally, every system is negatively impacted at some time or other. The best way to ensure an ever stronger compliance program is through a cycle of detection, correction and improvement.