President & Managing Director
Lenders Compliance Group
In my view, there are ten core
competencies to implementing a Compliance Management System, often referred to
by its acronym CMS. The Consumer Financial Protection Bureau requires it, state
regulators are now asking for it, and investors want assurance of its
application.
I have written extensively about
the CMS concept and its importance in mortgage risk management. For instance,
see my article on Creating a Culture of Compliance, as well as my other articles. When
I speak on the subject, some in the audience often have no idea
what constitutes a CMS. They think it is no more than a
compilation of policies and procedures. But the fact is that a viable CMS is
composed of several integral features, each of which contributes to the
cohesiveness of the whole compliance function.
Here’s a brief synopsis of the Ten
Core Competencies that should inform a CMS:
1) Loan portfolio, secondary and
capital market management processes, mortgage servicing.
2) Loan flow process, from point of
sale to securitization or secondary market transaction.
3) Internal Audit and Control Plan,
including calendrical reviews, reporting protocol, rank and file training in
all departments, and testing.
4) Consumer disclosures, all loan
types, federal and state.
5) Mortgage quality control, not only
random sampling, but proactive audits that target criteria.
6) Record retention and maintenance,
securing against unauthorized alteration or destruction.
7) Marketing and advertising,
including use of third-party services.
8) Vendor, settlement agent, closing
agent, and third-party vetting and approvals.
9) Safeguards for privacy protection
of consumer records and information.
10) Reporting mandates to agencies,
both federal and state, investors, and third-party relationships.
The compliance framework is built
on the foregoing competencies. Destabilize one of them and it is possible that
the others will crash like a tottering stack of cards!
Also, it should be noted that there
is a growing expectation amongst regulators for a residential mortgage lender
or originator to have a business continuity plan.
It is not necessary to consolidate
all compliance policies and procedures into a single document. Nor does it
require compliance managers to memorialize every action that must be taken in
order to remain in compliance with federal and state banking law. In some
cases, it may be enough for the compliance policies and procedures to allocate
responsibility within the organization for the timely performance of many
obligations, such as the filing or updating of required forms.
However, observed instances in
which compliance policies and procedures were not followed, or in which actual
practices were not consistent with the description in the compliance manuals,
will likely lead to an adverse banking examination finding. Observed practices
will come under significant regulatory scrutiny, both in areas that specific
regulations require to be reviewed and in areas that are covered by policies
and procedures but are not expressly required to be reviewed by
regulations.
What good is a compliance
management system if it is not continually reviewed and, where needed, updated?
In our work with new clients, we have often found the following
issues:
· Critical areas were not identified, so
certain compliance policies and procedures were not adopted.
· Policies were adopted, but were not
applicable to the businesses and operations.
· Critical control procedures were
not performed, or not performed as described in the CMS.
· Annual Review of the compliance
function was rarely, if ever, implemented.