One of the less frequently discussed requirements of the CFBP is that companies have in place a Compliance Management System. This has resulted in a lot of concern and confusion about what exactly they are requiring. Typically when discussions involve the term system, most often it is a discussion about technology. Yet it is commonly assumed that this is not a requirement to implement an entire new technology platform focused on meeting all the regulations. In fact, not all the regulations have been finalized. Therefore even though there is great concern about making sure the requirements are met, this requirement can’t be about technology. So what in fact is this requirement all about? Let’s break it down:
When it comes to understanding what the CFPB means when it requires a “management system” lenders must remember that the term system is far broader that just a technology platform. A system is a set of principles according to which something is done. In the business world it is the set of values and possibly a mission statement under which the business operates. Imbedded in this set of principles are the goals and objectives of the company. These typically revolve around the expected results of the company and generally focus on three sets of stakeholders. These include shareholders who are expecting a good return on their investment, customers who expect that the products and/or services promised will be produced and the members of the organization. Turning these principles into the expected results is the “system” under which the company operates.
While some business systems are relatively simplistic, most are very complex, having numerous functions operating together to produce the desired result. This complexity is addressed through operational functions such as marketing, production, financial management, risk management and regulatory compliance. In order to ensure that all functions are working in an effective manner, a coordinated monitoring and feedback system is put in place. Part of this system’s management responsibility is developing the goals and objectives for the organization. Flowing from these goals and objectives are the development of which products and/or services will be produced.
Designing the product/service that the company will produce is typically the responsibility of individuals with significant knowledge about the company’s goals and how such products/services are generated. In most manufacturing companies this is the work of the engineering team. In mortgage banking however, we look to credit policy and secondary marketing experts for this design work. Their work results in the specifications of what is going to be produced and is most frequently seen as policy statements and requirements.
Once the product and/or service policy has been designed, the operational units must produce the corresponding operational functions. For example, if the product policy statement contains requirements which include ensuring the integrity of the data, then the operational staff must incorporate a process to make this happen and document it through a procedure that is given to the operations staff to follow. An integral part of this development process is the identification, selection and implementation of the technology that will be used in conjunction with the production of the products.
In both of the systems involved in mortgage lending (production and servicing), there are numerous overlapping procedures that must also be incorporated into the final product. Operation management must ensure that these overlaps are clarified and consistent among all staff and are grounded in the organization’s policies and procedures. In other words, can management demonstrate how a policy is actually implemented in the procedures across all operational units used by the company? Among these overlapping functions are risk, accounting and regulatory compliance. Because of all these overlapping systems, mortgage lending and servicing is an extremely complex business and requires highly complex systems to make it work. It is also why a management system is an essential part of the business.
All business have some type of management system. They can be as simplistic as having one person deciding the goals of the business and then determining how those goals are to be met. This individual must also determine what risks the organization faces in meeting these objectives and how these risks will be addressed as well as monitor the output of the operational processes and direct any changes that are necessary to meet the goals and objectives. However in a business as complex as mortgage lending, it is impossible for one individual to accomplish this and most frequently there are several key members in the organization with specific responsibilities.
While not always recognized as a “system”, the interaction between these individuals is the leadership that successful companies require. If one of the functions within a leadership system overwhelms all other functions the result is typically an organization that fails to meet its overriding responsibilities for its shareholders, customers, regulators and/or employees.
Management systems have three basic responsibilities that, when effectively executed, assure that the founding principles are followed and goals and objectives met. These functions include governance, risk and control.
Governance refers to the system of structures, duties, and support by which corporations are directed and controlled. Governance provides the structure through which corporations set and pursue their objectives and monitor the actions, policies and decisions of the corporation. In other words, governance involves determining what the company will produce and putting in place all the elements that will ensure the production. This includes oversight of all the processes, people and technology and all facets of these operational requirements.
The second is risk management. Risk is commonly defined as the chance of something happening that will have an impact on the objectives of the company. Every organization contains numerous risks and a management system must have a means of identifying, evaluating and determining how these risks will be addressed. This includes ensuring that there are coordinated, delegated resources to minimize, monitor and control these risks. One such risk is, of course, complying with all regulatory requirements. This includes not just those related specifically to consumers, but comprehensive regulatory risks as well.
Finally management must maintain a strong control environment. A control environment is one in which there is a systemic approach by management to compare actual business performance to previously established standards and/or objectives to determine whether they are being met by the organization’s operational processes. Management must then determine if it is necessary to take any remedial action to see whether corrective actions including human and other corporate resources are required or are being used in the most effective and efficient way possible in achieving those objectives. It is an important function because it helps to check the errors and to take the corrective action so that deviation from standards are minimized and stated goals of the organization are achieved in a desired manner.
So what does it mean to have a Compliance Management System? Do lenders have to have another management structure that focuses on nothing but regulatory compliance? Or does compliance in this sense mean conformance to all the company policies and procedures? If it does, does this mean lenders already have a compliance management system in place? There are several answers to these questions and several ways to establish that a lender is meeting this requirement.
First, management must have some type of methodology in place to provide governance, risk management and control of the organization. If this is not clearly defined and documented, it should be done. This documentation must show that management, or the management group, oversees how the organization is operating. While well established companies most likely have some approach to this, many times it is not formal nor the results of decisions documented. Management meetings should be held on a regular basis and the results recorded.
Within these meetings, issues concerning all areas of responsibility should be addressed. These may be organized around the stated goals and objectives of the company and include operational issues, risks to the organization, identification of the controls and the results of these monitoring functions.
Determining the approach to take in meeting this CFPB requirement most likely depends on the size of the company as well as its complexity. If a lender chooses to incorporate the compliance function into an existing system, it must make sure that the current policy statements include all regulatory requirements. The corresponding processes must clearly show how these regulatory requirements are implemented within the organization. Finally, the control functions, specifically the quality control and if separate, the regulatory review function must be reporting on a regular basis. If they are to be used to meet the regulatory requirements, the report should include more than lists of issues of the overall findings of the review. The results should clearly identify the level of non-compliance while isolating contributing factors if warranted. In other words, it is not enough to say I looked at 10% of the loans and of that 10%, 8% had a problem with disclosures. More specific information is necessary if management is going to address this issue. Finally, the management team minutes should reflect any decisions about how any unacceptable level of risk is going to be addressed. This issue should then be part of the management meeting discussions until it is resolved.
The management system should also include general regulatory issues, such as Fair Lending, which should be incorporated into the policy, risk and control discussions and updates for the management committee meetings.
If the company decides to implement a separate compliance management system, the same requirements apply. One thing that must be kept in mind is that this system must involve the same people that are involved in the other management system if it is going to be effective. All too often compliance groups involve only legal staff and control units. As a result, the issues identified in this meeting are minimized in the larger management meeting. This management group must also incorporate the governance, risk and control elements that are found in all management systems. The group’s meetings must be documented and issues resolved.
Since the announcement of the requirement for a compliance management system, lenders have initiated various approaches. One of the most frequent is the development of a separate compliance group to manage all the new requirements. In many cases these groups are implemented at the urging of a consulting group that has been retained to assist companies. Unfortunately many of these have been delegated to “sub-committees” of the larger management committee and their output is no better than what was happening previously.
There are two main causes for this. The first is that the committee is most likely run by an attorney or someone in the organization more familiar with the requirements than the company’s policies and procedures. As a result they tend to focus on “How can I implement this requirement so that everybody does it.” And less on imbedding the requirement into the process. Many times there are no production people involved and the result is something that cannot be implemented.
Also, the control environment has not been updated to accurately determine the level of non-compliance risk. The same type of sampling and reviews are done that produce the same type of data leaving a gap in the level of information available to management. Take for example, Fair Lending. The HMDA data is reported once a year and is tested for accuracy and validity based on FFIEC standards. Once the report is generated, how many management systems include the requirement for the data to be analyzed against the data for other years. How many companies obtain the entire report when it is released and compare themselves to other lenders? Very few if any. As a result, these control findings are not effectively used to update policies and procedures to meet the compliance requirements. Furthermore, there is no evaluation of the entire operational system to determine if the Fair Lending Policy imbedded in the organization’s value system is actually working.
At the end of the day, despite the requirement for a Compliance Management System, the efforts to date have not met that objective. Only when we truly understand how a well-run management system can improve performance will we be focused on meeting the standards. The companies that take this seriously and makes the necessary changes in the functions required will be the ones who succeed and survive any future crises that come our way.