February 15, 2023

Podcast - Compliance Management System: You Better Have One ... or Else

Clearly Conspicuous Podcast Series

In the third episode of his "Clearly Conspicuous" podcast series, "Compliance Management System: You Better Have One... or Else," consumer protection attorney Anthony DiResta identifies the three main components of a compliance management system, or CMS: board/management oversight, an effective compliance/monitoring program and an audit system. Mr. DiResta explains the importance of each of these elements and why companies need to have an effective compliance management system in place to minimize risks.

Listen to more episodes of Clearly Conspicuous here.


This is Tony DiResta, and I want to welcome you to our third podcast of "Clearly Conspicuous." As we noted in the previous sessions, our goal in these podcasts is to make you succeed in this current regulatory and governmental environment that's very aggressive and progressive. We want to make you aware of what's going on with the federal and state consumer protection agencies and to really give you some practical tips for success. Today we talk about something that's practical and essential. Yes, it's essential. This session will possibly be the longest that we've done so far, but its contents are essential to success and to risk management. Companies succeed or fail based on what we'll be talking about today. Today's topic is, "What Is a Compliance Management System? You Better Have One…or Else." The federal and state regulators all require a compliance management system. It's expected, there's no exceptions and all companies must have one.

What Is a Compliance Management System, and Why Is It Important?

Let's start from the beginning. What is a compliance management system (CMS)? Basically it's how a company learns about its compliance responsibilities, ensures that employees understand these responsibilities, ensures that requirements are incorporated into the business processes, reviews operations, and that a company takes corrective action and does updates and provides materials as necessary. OK, so why is the CMS important? It helps manage risks associated with changing product and service offerings and also helps manage new regulations that are enacted to address developments in the marketplace. Noncompliance with consumer protection laws may result in litigation, governmental investigations or inquiries, monetary penalties, press releases by the government and other formal enforcement by federal and state regulators.

Board and Management Oversight

Let's step back and take a 30,000-foot perspective. An effective CMS is comprised of three interdependent elements. First, board of directors and management oversight. Second, a compliance program. Third, a compliance audit. So let's begin by talking about the board oversight. As we all know, the board of directors or the owners are ultimately responsible for developing and administrating a CMS that ensures compliance with federal and state consumer protection laws and regulations. For the board, it's a fiduciary responsibility. A board can demonstrate commitment to maintaining an effective CMS (and fulfilling your obligations as a fiduciary) by demonstrating clear and unequivocal expectations about compliance not only with the institution or the company, but also with respect to third party providers. As a footnote, the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) are very concerned about how you engage with third party vendors, and those agreements are essential to compliance management. You want to be sure that the board can demonstrate clear policy statements, and importantly, there has to be a chief compliance officer with authority and accountability. You want to be sure that the board allocates resources to compliance functions commensurate with the level and complexity of the company. You want to be sure that the board ensures that there is periodic compliance audits. Lastly, you want to be sure that the board receives recurrent reports by the compliance officer and that the board not only hears, but evaluates, those reports. Let's take a moment to talk about what the chief compliance officer is or who should be. Now, the first step that a board or senior management should take in providing the administration of a compliance program is the designation of a compliance officer and or a compliance committee, depending upon the profile of the company. The compliance officer's duties include ensuring that an institution or a company develops compliance policies and procedures, ensures that the management and employees receive proper training in the consumer protection laws and regulations, reviews policies and procedures for compliance with applicable laws and regulations, and that the company's stated policies and procedures are in place. The chief compliance officer also assesses emerging issues, potential liabilities, developments in the law and regulations and provides proper responses to consumer complaints. Complaint management is critical to the federal and state regulators as they think about who to target in their investigations. The chief compliance officer reports compliance activities and audit review to the board of directors, and the chief compliance officer ensures corrective action. As you can see, the chief compliance officer wears many hats, but that person is essential to be sure that you have a robust compliance program that satisfies governmental and regulatory expectations. Indeed, a compliance committee can be formed to assist the compliance officer in coordinating the program.

Effective Compliance Programs

Now, let's talk about the program itself. We've gotten through the board responsibilities. We've gotten a clear understanding of the chief compliance officer. We'll talk about the program now. An institution or a company should generally establish written compliance programs. I can't emphasize this enough — for the dozens of investigations I've been involved in, one of the key document requests or expectations is that the program is done in writing. In addition to being a planned and organized effort to guide the company's compliance activities, a written program represents an essential source document, an Exhibit A, that will serve as a training and reference tool for all employees. A well-planned, implemented and maintained compliance program will prevent or reduce regulatory violations, provide cost efficiencies and is really a sound business step. A sound compliance program includes the following components: one, policies and procedures, two, training, three, monitoring, four, consumer complaint responses. Let's start with policies and procedures. Policies and procedures should include the goals and the operational procedures for meeting the goals, include all the information needed for personnel to perform an appropriate business transaction and be reviewed and updated as the company's business and regulatory environment change. In terms of training, proper training for the board, for the management and for the staff is essential. Let me say that again, across the board training is required for the board, senior management and the staff or employees. An effective compliance training program is frequently updated with current, comprehensive, complete and accurate information. First, the products and services about the company's operations. Second, consumer protection laws and regulations, internal policies and procedures. Third, emerging issues in the public domain. What's going out there in the real world, in the environment with your competitors, is essential to understanding the kind of compliance program. Now, let's talk about monitoring for a second. Monitoring is a proactive approach by the institution to identify procedural or training weaknesses in an effort to prevent regulatory violations. Institutions that include a compliance officer in the planning, develop[ment] and implementation of propositions increase the likelihood of success of its compliance monitoring function. Now, an effective monitoring system includes regularly scheduled reviews of disclosures and calculations of various product and service offerings, document filings and retention procedures, posted notices, marketing literature and advertising, various state consumer protection laws and regulations, third party service provider operations and internal communication systems that provide updates and revisions of the applicable laws and regulations to the management and to the staff. Let's now move to a consumer response system. As I said earlier, I can't repeat enough that having a consumer response system, a complaint management program, is essential. So a company should promptly handle consumer complaints. Timing is critical to the regulators on how you handle consumer or other kind of regulatory compliance, BBB compliance, complaints from consumers, state, federal, regulatory bodies, etc. Procedures should be established for addressing these complaints. Written procedures and policies and individuals or departments responsible for handling them should be designated and known to all company personnel to expedite the response. Who's the go-to person or group when you receive a complaint? That needs to be known. A compliance officer should be aware of complaints received and to act to ensure a timely resolution. Again, this is one of the hats the compliance officer needs to wear, and that complaint trend should be evaluated to identify compliance programs. When you're monitoring or auditing the integrity of your compliance management system, looking at compliance trends and developments are essential. And indeed, when you're in the midst of an investigation or an inquiry, the government will want to see the documents that are reflecting your analysis of the trends or the complaints.

Compliance Audits

Let's now talk about compliance audits. A compliance audit is an independent review of the company's compliance with consumer protection laws and regulations and the company's adherence to internal policies and procedures. A compliance audit helps management ensure that ongoing compliance exists and that compliance risk conditions are identified. An audit complements the institution or the company's internal monitoring system, and the board needs to be involved. Indeed, it's best practices for a board to determine the scope of the audit and the frequency with which audits are conducted. Now, regardless of whether audits are conducted by the company personnel, a third party, by counsel or other third party service provider, the audit findings should be reported directly to the board or to a committee of the board. A written compliance audit report should include the scope of the audit, including the departments, the division, the branches, the third party relationships that were reviewed, the deficiencies or modifications identified, the number of transactions that were sampled by category or product type and the descriptions or suggestions for corrective action and the time frames for correction.

Conclusion and Key Takeaways

I realize that today's podcast was lengthy and pretty dense with content, but I cannot overstate its importance. Here are the key takeaways. In a nutshell, to have an effective compliance management system, you've got to have, one, written policies and procedures, two, an implementation program of those policies and procedures such as training and disciplining of employees, and third, auditing of those policies and procedures to be sure that they're effective. Obviously you should have experienced counsel assist you in each of these elements. In today's environment, you want to be absolutely certain to minimize your risks and to maximize your reputation on the ground. Please stay tuned to further programs as we identify and address the key issues and developments and provide strategies for success. I wish you continued success and a meaningful day. Thank you.

Related Insights