Effective Compliance Management Systems: Core Elements for Every Business and Industry
Highlights
- The Federal Trade Commission (FTC) is the nation's primary consumer protection agency, with a mission to protect the public from deceptive or unfair business practices, as well as unfair methods of competition.
- Over the decades, the FTC has clarified that companies of all sizes are expected to create and implement a compliance management system (CMS) tailored to their size, complexity and risk profile. A CMS is a "must-have" – not discretionary – as regulators require companies to have one as part of their business model.
- This Holland & Knight alert identifies the core elements of such a system, drawing on the frameworks established by the FTC, Consumer Financial Protection Bureau, U.S. Department of Justice, other federal agencies and state attorneys general enforcement actions.
The Federal Trade Commission (FTC) is the nation's primary consumer protection agency, with a mission to protect the public from deceptive or unfair business practices, as well as unfair methods of competition. Under Section 5 of the FTC Act, it is unlawful to engage in "unfair or deceptive acts or practices in or affecting commerce." That prohibition applies broadly to all companies and management engaged in commerce, and an act or practice is considered "unfair" if it causes or is likely to cause substantial injury to consumers, cannot be reasonably avoided by consumers and is not outweighed by countervailing benefits to consumers or competition. An act or practice is "deceptive" if it involves a material representation, omission or practice that is likely to mislead a consumer acting reasonably under the circumstances.
Over the decades, the FTC has brought hundreds of enforcement actions, promulgated rules, issued guidance and delivered congressional testimony – all designed to communicate to companies and their leaders what is expected. These expectations boil down to this: Every company, whether large or small, must create and implement a compliance management system (CMS) that is tailored to its size, complexity and risk profile.
This Holland & Knight alert identifies the core elements of such a system, drawing on the frameworks established not only by the FTC, but also by the Consumer Financial Protection Bureau, U.S. Department of Justice, other federal agencies and state attorneys general enforcement actions. These frameworks are remarkably consistent in what they expect, and they apply to all industry sectors.
What Is a CMS?
A CMS is how an organization learns about its compliance responsibilities, ensures that employees understand those responsibilities, incorporates legal requirements into its business processes, reviews its operations to confirm that those responsibilities are being carried out, and takes corrective action and updates its materials as necessary.
The development of a CMS cannot be ignored. First and most practically, it helps manage risk associated with changing product and service offerings, new legislation and developments in the marketplace. Second, noncompliance with consumer protection laws can result in litigation, monetary penalties and formal enforcement actions. Third, when things go wrong – when an enforcement agency comes knocking – the existence and quality of a compliance program will be one of the first things the government evaluates. An effective program can reduce penalties, influence the form of any resolution and even determine whether a monitor is imposed.
Compliance is not a nice-to-have. It is a must-have.
The Architecture: Two Interdependent Components
An effective CMS is built on two interdependent control components: 1) board and management oversight and 2) the compliance program itself, which includes policies and procedures, training, monitoring and audit, and consumer complaint response.
When these two components are strong and well-coordinated, an institution is typically successful at managing its compliance responsibilities and risks. When either component is weak – such as when leadership is disengaged or policies exist only on paper or an intranet – the result is often violations of law, consumer harm and regulatory consequences.
Board and Management Oversight: "Tone at the Top"
The first and most important element of a CMS is board and management oversight, or what compliance professionals often call "tone at the top." The board of directors is ultimately responsible for developing and administering a CMS that ensures compliance with federal consumer protection laws and regulations.
A board can show its commitment by demonstrating clear and unequivocal expectations about compliance, not only within the institution, but also extending to third-party service providers. It means adopting clear policy statements that articulate the company's compliance expectations, appointing a compliance officer with genuine authority and accountability, and, critically, allocating resources – systems, capital and human resources – to the compliance functions that are commensurate with the institution's size, complexity and risk profile.
The compliance officer is a linchpin of the entire system. A compliance officer's duties include ensuring that 1) the institution develops compliance policies and procedures, 2) management and employees receive proper training in consumer protection laws, 3) policies are reviewed for compliance with applicable laws and regulations, 4) emerging issues and potential liabilities are assessed, 5) consumer complaints receive proper responses, 6) compliance activities and audit findings are reported to the board, and 7) corrective action is taken when needed. In addition, the compliance officer must have sufficient authority and independence to cross departmental lines, access all areas of the institution's operations and effect corrective action.
This is not a ceremonial role. Regulators will assess whether 1) the board and management demonstrate a strong commitment and oversight of the CMS, 2) the institution's change management processes are effective, 3) management comprehends, identifies and manages compliance risks, and 4) the institution self-identifies consumer compliance issues and takes corrective action when problems are found.
Institutions that earn the highest ratings from regulators demonstrate a strong, proactive commitment: They place the importance of compliance at the top, effectively promoting a "culture of compliance" throughout the organization. They dedicate substantial compliance resources, their staff has extensive experience, expertise and depth to manage risks, and they conduct comprehensive, ongoing due diligence of third-party vendors.
The Compliance Program: Policies and Procedures
Every institution should establish a formal, written compliance program. In addition to being a planned and organized effort to guide the institution's compliance activities, a written program represents an essential source document that serves as a training and reference tool for all employees.
Policies and procedures should include goals and the steps for meeting those goals, as well as all the information needed for personnel to perform a business transaction in compliance with the law. These policies and procedures should be reviewed and updated as the institution's business and regulatory environment changes.
For top-rated institutions, compliance policies and procedures and third-party relationship management programs are strong, comprehensive and provide standards to effectively manage compliance risks. They address all applicable regulatory requirements, are updated to remain current and serve as a practical resource tool for staff.
Training
Another critical pillar of the compliance program is training. Proper training for the board, management and staff is essential to maintaining an effective compliance program. An organization can have the finest written policies in the world, but if its employees do not understand them, they are just words on paper.
An effective compliance training program is frequently updated with current, complete and accurate information on the institution's products, services and business operations, as well as consumer protection laws and regulations, internal policies and procedures, and emerging issues in the public domain.
Training should be role-specific. The training provided to the marketing team should differ from what is provided to customer service representatives, which should differ from what is provided to the board of directors.
Monitoring and Audit
Monitoring and auditing are related but distinct functions. Monitoring is a proactive approach by the institution to identify procedural or training weaknesses to preclude regulatory violations. It is generally more frequent and less formal than an audit. Institutions that include a compliance officer in the planning, development and implementation of business propositions increase the likelihood of success of their compliance monitoring function.
An effective monitoring system includes regularly scheduled reviews of disclosures and calculations for various product offerings, document filing and retention procedures, posted notices, marketing literature and advertising, applicable state consumer protection laws and regulations, third-party service provider operations and internal compliance communication systems that provide updates and revisions of applicable laws and regulations to management and staff.
A compliance audit, by contrast, is an independent review of an institution's compliance with consumer protection laws and regulations, along with adherence to internal policies and procedures. The audit complements the internal monitoring system. The board should determine the scope and frequency of audits, and the audit function should be sufficiently independent: It should report to the board or a committee of the board.
A written compliance audit report should include the scope of the audit, deficiencies or modifications identified, the number of transactions sampled by category of product type, and descriptions of or suggestions for corrective actions and time frames for correction.
Consumer Complaint Response
An institution should promptly handle consumer complaints. Procedures should be established for addressing complaints, and individuals or departments responsible for handling them should be designated and known to all institution personnel so that responses can be expedited.
The compliance officer should be aware of complaints received and act to ensure timely resolution. And – this is critical – complaint trends should be evaluated to identify systematic compliance problems. Individual complaints are data points. But when complaint data is considered in the aggregate, patterns emerge. Those patterns can reveal systemic issues with products, processes or disclosures that require broader corrective action.
Risk Assessment and Third-Party Oversight
Two additional elements cut across the entire CMS and deserve special attention.
- Risk Assessment: The starting point for evaluating any compliance program is understanding how the company has identified, assessed and defined its risk profile. This includes understanding specific factors that mitigate the company's risk and the degree to which the program devotes appropriate scrutiny and resources to the remaining spectrum of risks. This evaluation should account for emerging risks as internal and external circumstances impacting the company evolve. A compliance program that was effective five years ago may be inadequate today if the company has changed its products, expanded into new markets or adopted new technologies.
- Third-Party and Service Provider Oversight: Regulators consistently emphasize that although a company may outsource the operational aspects of a product or service, the company cannot outsource the responsibility for complying with federal consumer protection laws or managing the risks associated with service provider relationships. Strong institutions conduct comprehensive and ongoing due diligence and oversight of third parties, and they ensure that service providers understand their consumer compliance responsibilities and can meet them.
Conclusion
An effective compliance management system is not optional – it is expected by every major federal and state regulator. It requires genuine board and management oversight setting a tone at the top that permeates the organization. It requires a compliance program with robust policies and procedures, role-specific training, proactive monitoring and independent audit, and a responsive consumer complaint process. It requires ongoing risk assessment and diligent oversight of third-party relationships. And it requires a culture of compliance – one where employees are encouraged to raise concerns without fear of retaliation, misconduct is addressed through appropriate discipline, and the compliance function is given the resources, authority and independence it needs to do its job.
Here is the straightforward bottom line: Compliance is a business imperative. Build the system. Resource it. Test it. Improve it. And make sure it starts at the top.
If you need assistance drafting a CMS or improving an existing program for your business, contact the author or another member of Holland & Knight's Consumer Protection Defense and Compliance Team.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.