Why You Need a Compliance Management System: An Attorney’s Viewpoint
Why does your organization need a compliance management system?
Host Kynzie Sims posed that question to our friend and collaborator Eric Johnson during a recent episode of the Smart Compliance Podcast. Eric is a partner at Hudson Cook’s Oklahoma office, and a go-to attorney for members of the auto dealer and consumer lending industries. He told Kynzie why implementing a Compliance Management System (or CMS) is considered a best practice regardless of whether an organization is required to have one in place.
KYNZIE SIMS:
Let’s jump right in. As the regulating bodies move and shift, why does it matter as an organization if you have a Compliance Management System in place?
ERIC JOHNSON:
That’s a great question. I think it’s a particularly interesting time right now when you start talking about the regulating bodies and who they are, and how the sands are shifting a bit. In the current political environment, there is this perception that there are efforts taking place in Washington to, in essence, defang the Consumer Financial Protection Bureau at the federal level. That’s been taking place really ever since President Trump won the election and took office, and you started seeing even more of a flurry of bills coming out to defang the CFPB.
So, there is this perceived weakness out there. It’s a real interesting time with what’s happening at the federal level, and how that may impact on the other federal regulators, like the Federal Trade Commission, the State Attorneys General, Consumer Advocates and plaintiff’s attorney.
An organization needs to be aware of what’s going on at the federal and at the state level to be able to determine where they should look. It’s like a football player having his or her head on a swivel—always looking around to see where these possible attacks could be coming from. One day, it may be the CFPB; the next, it may be the FTC or state attorney general. And it’s not only where they’re coming from and what direction, but also what practices or operations those entities may be attacking, because one regulator may not attack the same issue or practice that another regulator may attack.
How can I be proactive in planning my business, given these shifting sands?
Make yourself aware of what is happening at the federal and the state levels, and then look and understand what your obligations are, whether that’s to have certain policies and procedures in place—or if your are regulated and enforced by the CFPB—then you need to have a compliance management system, or a CMS, in place. Even if an organization is not required to have a CMS in place, that’s slowly becoming the expectation in the industry and/or a best practice.
So, even if the CFPB does go through those changes—even if there is a “defanging” and they don’t have as much teeth as they used to—it’s still important to keep your compliance activities in check. because there is other regulatory bodies monitoring those same types of initiatives.
That’s exactly right. Nature abhors a vacuum, and where some states—or consumer advocates in those states—have that perception of the CFPB weakening, we’ve seen a lot of new enforcement activity by the states, primarily by the state attorneys general going after organizations for their practices, their operations—their very non-compliance with the law. We’ve seen a lot more active states than we have in a long, long time.
What other regulators have you been seeing taking action?
The FTC has been around for over 100 years or more. They’re the entity focused on organizations that are otherwise exempt from the CFPB. And not to be outdone by the CFPB, they’ve been certainly more active in the last few years attacking organizations for Truth in Lending and Consumer Leasing Act violations, as well as disclosure issues and unfair and deceptive acts and practices.
Consumer advocates have been very active as well, as have plaintiff attorneys, armed with information from the CFPB’s database.
This interview has been edited and condensed. Want to listen to the full podcast?
Just press play!
Eric Johnson is a partner in the firm’s Oklahoma City office. He assists national and state consumer finance organizations and motor vehicles dealers with nationwide finance, online vehicle sales assistance, litigation funding, and electronic payment programs. He also provides responses to regulator examinations, comments on proposed statutes and regulations to legislators and regulators, and assists financial services providers with statutory and regulatory changes occasioned by the Dodd-Frank Act.
Hudson Cook is one of our esteemed partners who have authored a pre-loaded library of content and trainings that takes the hassle out of staying current with ever-changing compliance requirements. The result? Compli makes it easy to maintain an effective workforce compliance program.
Given those players in the game, how does a Compliance Management System help organizations stay prepared?
It boils down to the fact there is a need, but also a requirement for organizations subject to the CFPB’s authority. That could be supervision authority, where the Bureau comes out and examines an organization. The CFPB expects those entities to have a robust CMS.
Other organizations are subject to the CFPB’s enforcement authority, where the Bureau enforces federal consumer financial laws against the organization. For these organizations, too, the CFPB expects to see an effective, robust CMS that’s been adapted to your business—to your strategy, to your operations, your products, et cetera. That’s an expectation.
If the Bureau does supervise or seeks to enforce the federal law against an organizations, one of the first things they say is “give us a copy of your CMS.” And if you don’t have one of those in place, that automatically moves the exam or enforcement up a notch. The CFPB is thinking, “Ah, well, now we can see that they’re not a well-run financial institution or dealership. They probably have weak controls in place, or no controls in place, to ensure they’re complying with the law.”
So, it’s kind of a trigger for them to say, “oh, now I’m going to take an even closer look than maybe what I would have originally”?
That’s right. I would equate it to peeling back the onion. An investigation has many different layers, and when they see that somebody does not have a CMS in place, they just keep peeling that onion your back further and further. Any organization without a CMS is a highly desirable target for the CFPB. It indicates to the Bureau that the target is probably not complying with federal law.
I get that this is a requirement, but why might I want a Compliance Management System outside of just the requirements of having it? How could that help my business operations?
Even if you’re not required to have a CMS, there are reasons why I think you should consider implementing a CMS.
I can think of a number of organizations that are otherwise exempt from CFPB authority, but who have started to put in place and implement a robust, written CMS. It’s an expectation from state regulators. State regulators have seen what the CFPB has been doing the last few years, and are starting to pick up on asking companies for a copy of their CMS. It’s starting to become an expectation.
It’s not only state regulators. If an organization has a line of credit like through a bank or other funding source, those creditors may also ask for a copy of your CMS. And if you don’t have one or haven’t put one in place, then again, that moves things up a notch to dig a little bit further by either the state regulator or by your very own lender.
It’s actually making sure that you have that lending partner on good terms with you, from a business perspective.
That’s right. Of course, you wanna keep your line of credit—your lender—happy, so that has become an expectation with them. And as other organizations implement a CMS, and that becomes the norm, then the organization that doesn’t have CMS in place is perceived to be somewhat lacking. They’re behind. They’re not keeping up in par with their competition. So, it’s also a competitive feature.
Moreover, having a CMS in place really does offer an organization better protection. By implementing a written and robust CMS, it forces the organization’s management and senior managers to take a hard look at their operations, practices, and overall compliance—or maybe non-compliance—with those laws. It causes you to take a hard look at your organization and ask, “Are we compliant with the law? Do we need to change some things to keep ourselves in compliance with the law and better protect ourselves from regulators or consumer advocates or even plaintiff attorneys?”
Do you find that businesses that have a Compliance Management System in place typically do better business?
I have seen how it makes the organization a better-run and more compliant organization. In turn, that tends to make for happier customers and more repeat customers, as well as fewer consumer complaints and fewer sleepless nights on behalf of the owners or the managers that are running the organization.
It really is a competitive advantage to have a CMS in place. It makes that organization that much stronger when they do have a plan toward compliance and doing what they need to be doing with the law, rather than just “this is how we’ve always done it and never had any complaints.” It’s just a better-run organization more of the time than not.
For the full conversation, listen to the episode of the Smart Compliance Podcast.