Podcast - The Core Elements of an Effective Compliance Management System
In today's regulatory environment, one weak link in your compliance strategy can expose your business to serious legal, financial and reputational risk. In his latest podcast, consumer protection attorney Anthony DiResta delivers a clear, executive-level look at what it takes to build a compliance management system (CMS) that meets the expectations of regulators including the Federal Trade Commission, Federal Deposit Insurance Corp. and Consumer Financial Protection Bureau. He provides practical insight into the essential prongs of a CMS: board and management oversight, written policies and procedures, effective training, ongoing monitoring and audit, consumer complaint response, risk assessment and third-party oversight. With a strong emphasis on leadership, accountability and culture, this episode shows why compliance is not simply a legal obligation, but a core business function that protects the organization, strengthens decision-making and drives long-term success in the marketplace.
Anthony DiResta: Welcome to another podcast of Clearly Conspicuous. As we've noted in previous sessions, our goal in these podcasts is to make you succeed in this current environment that's actually very aggressive and progressive, make you aware of what's going on with both the federal and state consumer protection agencies, and give you practical tips for success. It's a privilege to be with you today.
Today we discuss the elements of an effective compliance management strategy. This episode is just squarely aimed at senior executives, general counsels, chief compliance officers, board members, and any employees or executives or people involved in compliance. And let me just say this: It's important for the senior executives to hear this, because the people who set the tone for how a company operates need to hear this. Our topic today is one that every business leader needs to understand: the elements of an effective compliance management system (CMS).
Now, why does this matter? The Federal Trade Commission (FTC) [is] the nation's primary consumer protection agency, and its mission is protecting the public from deceptive or unfair business practices and from unfair methods of competition. They do this under Section 5 of the FTC Act, where it's unlawful to engage in "unfair or deceptive acts or practices in or affecting commerce." That broad prohibition applies broadly to all persons engaged in commerce.
Now over the decades, the FTC has brought hundreds of enforcement actions. It's promulgated rules, it's issued guidance and it's delivered congressional testimony — all designed to communicate to companies and their leaders what is expected. And those expectations boil down to this: Every company, whether large or small, must create and implement a CMS, a compliance management system, that is tailored to its size, its complexity and its risk profile.
So today, we are going to walk through the core elements of such a system, drawing on the framework established by not only the FTC, but the Consumer Financial Protection Bureau (CFPB), the Federal Deposit Insurance Corporation (FDIC), the Department of Justice (DOJ) and federal sentencing guidelines. Now these frameworks are remarkably consistent in what they expect, and they apply well beyond the financial services industry. They apply to all industries.
What Is a Compliance Management System?
A CMS is how an organization learns about its compliance responsibilities, ensures that employees understand those responsibilities, incorporates legal requirements into its business processes, reviews its operations to confirm that those responsibilities are being carried out, and takes corrective action and updates its materials as necessary.
So why is this important? First and most practical, it helps manage risk — risk associated with changing products and service offerings, new legislation and developments in the marketplace. Second, noncompliance with consumer protection laws can result in litigation, monetary penalties and formal enforcement action. So the message is clear: Compliance is not a nice-to-have. It's a must-have.
The Architecture: Two Interdependent Components
Now an effective compliance management system is built on two interdependent control components. The first is board and management oversight. The second is the compliance program itself, which includes policies and procedures, training, monitoring and audit, and consumer complaint response. When these two components are strong and well-coordinated, an institution is typically successful at managing its compliance responsibilities and risks. Now when either component is weak — when leadership is disengaged, or when policies exist only on paper — the result is often violations of the law, consumer harm and regulatory consequences.
Board and Management Oversight: "Tone at the Top"
The first and most important element of a CMS is board and management oversight. This is what compliance professionals often call "tone at the top." The board of directors is ultimately responsible for developing and administering a CMS that ensures compliance with federal consumer protection laws and regulations.
So what does a strong board oversight actually look like? A board can demonstrate its commitment by demonstrating clear and unequivocal expectations about compliance, not only within the institution, but also extending to third-party service providers. It means adopting clear policy statements that articulate the company's compliance expectation. It means appointing a compliance officer with genuine authority and accountability, and critically, it means allocating resources — systems, capital and human resources — to the compliance function that are commensurate with the institution's size, complexity and risk profile.
Now this is not a ceremonial role, folks. Regulators will assess whether the board and management demonstrate a strong commitment and oversight of the CMS, whether the institution's change management processes are effective, whether management comprehends, identifies and manages compliance risks, and whether the institution self-identifies consumer compliance issues and takes corrective action when problems are found.
The Four Pillars of a Compliance Program
Now let's turn to the compliance program itself, starting with policies and procedures. Every institution — every company — should establish a formal, written compliance program. In addition to being a planned and organized effort to guide the institution's compliance activities, a written program represents an essential source document that serves as a training and reference tool for all employees. Policies and procedures should include goals and the procedures for meeting these goals. They should include all the information needed for personnel to perform a business transaction in compliance with the law. And they should be reviewed and updated as the institution's business and regulatory environment changes.
Now the second pillar of the compliance program is training. Proper training for the board, management and staff is essential to maintaining an effective compliance program. You can have the finest written policies in the world, but if your people do not understand them, they are just words on paper. Now an effective compliance training program is frequently updated with current, complete and accurate information on the institution's products and services and business operations, on consumer protection laws and regulations, on internal policies and procedures, and on emerging issues in the public domain.

Now the third pillar is monitoring and audit. These are related, but they're distinct functions. Monitoring is a proactive approach by the company to identify procedural or training weaknesses in an effort to preclude regulatory violations. It is generally more frequent and less formal than an audit. Institutions that include a compliance officer in the planning, development and implementation of business propositions increase the likelihood of success of their compliance monitoring function. Now an effective monitoring system includes regularly scheduled reviews of disclosures and calculations for various product offerings, document filing and retention procedures, posted notices, marketing literature and advertising, applicable state consumer protection laws and regulations, and third-party service provider operations, and internal compliance communication systems that provide updates and revisions of applicable laws and regulations to [management] and staff.
Now a compliance audit, by contrast, is an independent review of a company's compliance with consumer protection laws and regulations and adherence to internal policies and procedures. The audit complements the internal monitoring system. The board should determine the scope and frequency of audits, and the audit function should be sufficiently independent — it should report to the board or a committee of the board. Now a written compliance audit report should include the scope of the audit, deficiencies or modifications identified, the number of transactions sampled by category of product type, and descriptions of or suggestions for corrective actions and timeframes for correction.
The fourth pillar of a compliance program is consumer complaint response. An institution should promptly handle consumer complaints. Procedures should be established for addressing complaints, and individuals or departments responsible for handling them should be designated and known to all institution personnel so that responses can be expedited.
Now the compliance officer should be aware of complaints received and act to ensure timely resolution. And — this is critical — complaint trends should be evaluated to identify systematic compliance problems. Individual complaints are data points. But when you look at complaint data in the aggregate, patterns emerge. And those patterns can reveal systemic issues with products, processes, or disclosures that require broad corrective action.
Risk Assessment and Third-Party Oversight
Two additional elements cut across the entire CMS and deserve special attention. The first is risk assessment. Now the DOJ's guidance makes clear that the starting point for evaluating any compliance program is understanding how the company has identified, assessed and defined its risk profile. This includes understanding specific factors that mitigate the company's risk and the degree to which the program devotes appropriate scrutiny and resources to the remaining spectrum of risks. This evaluation should account for emerging risks as internal and external circumstances impacting the companies evolve. A compliance program that was effective five years ago may be inadequate today if the company has changed its products, expanded into new markets or adopted new technologies.
Now the second is third-party and service provider oversight. And I can't stress this enough, because regulators consistently emphasize that while a company may outsource the operational aspects of a product or service, the company cannot outsource the responsibility for complying with federal consumer protection laws or managing the risks associated with service provider relationships. Strong institutions conduct comprehensive and ongoing due diligence and oversight of third parties, and they ensure that service providers understand their consumer compliance responsibilities and are capable of meeting them.
Conclusion
If you are a senior executive, a board member or a compliance professional, or somebody associated with compliance, here is what you need to take away from this discussion. An effective compliance management system is not optional. It is expected by every major federal regulator, including the FTC, the CFPB, the FDIC and the DOJ. It requires genuine board and management oversight — a real "tone at the top" that permeates the organization. It requires a compliance program with robust policies and procedures, role-specific training, proactive monitoring and independent audit, and a responsive consumer complaint process. It requires ongoing risk assessments and diligent oversight of third-party relationships. And it requires a culture of compliance — one where employees are encouraged to raise concerns without fear of retaliation, where misconduct is addressed through appropriate discipline, and where the compliance function is given the resources, authority and independence it needs to do its job.
So here's the key takeaway, and this is simple: Compliance is a business imperative. Build the system. Resource it. Test it. Improve it. And make sure it starts at the top.
So folks, stay tuned for further programs as we identify and address the key issues and developments, and provide strategies for success. I wish you continued success and a meaningful day. Thank you.