Compliance | April 10, 2019

Effective CMS tactics to support corporate governance

Given the dramatic and fast pace of change in the financial services sector, financial institutions of all sizes need to recalibrate their Compliance Management System (“CMS”) framework to ensure that all corporate governance responsibilities are being addressed as the institution evolves and grows. Bank boards of directors are tasked with providing effective stewardship to anticipate and combat new risks as issues emerge, and they need to feel confident that internal CMS systems are resilient enough to weather new governance priorities while maintaining controls for existing risks. Here are some questions to ask of your financial institution (“FI”) to see whether there are opportunities to update your CMS with new tactics needed for effective corporate governance.

What is your risk appetite? 

Compliance officers are trained to assess risk within the risk appetite of the company. When was the last time you had a conversation with your board of directors to help clearly articulate the changes in risk tolerance of your institution consistent with current strategic objectives? For several years, risk management has been driven primarily by regulatory burdens. To the extent that your FI can now shift to focus on growth, do you have a full appreciation and understanding of the nature of the risks the bank is willing to take as opportunities arise? For example, to what extent is the FI open to partnering with a fintech? It is important that there is clear, unambiguous guidance articulated by the Board to help align the CMS with the current risk appetite of your institution.

How has the FI changed?  

We often make granular changes to the CMS without a pause to reflect on a holistic perspective of our FI. This may be a good time to consider what changes may have occurred in the past several years, and help re-align resources commensurate with current areas of higher risk. For example, has the FI made substantial changes in what activities are outsourced to third-party vendors? Such a shift in core activities may mean more or fewer resources dedicated to managing third-party risk. Has the FI recently undergone a tremendous amount of growth either organically or through acquisition? It may be critical to review policies, procedures, training and reporting holistically to ensure that there is active management and coordination of information, documentation and controls. The Board needs to be kept apprised of all relevant risks, in a manner such that it can truly understand and appreciate trends. 

Do you have conduct risk under control?   

Generally speaking, conduct risk arises for a financial institution any time an employee knowingly, or through negligence, breaks the law or violates a regulation. Traditionally, FIs would think about conduct risk associated with facilitating money laundering or perhaps cybersecurity or bribery. More recently, conduct risk that results in consumer or customer harm is a big concern for financial institutions. Regulators are looking for—and finding—these types of issues at several institutions, large and small. It may be critical to look beyond traditional first, second and third lines of defense to consider risk management strategies and techniques that enhance your FI’s ability to detect and mitigate conduct risk. For example, you might consider including human resources in training for Unfair, Deceptive or Abusive Acts or Practices (“UDAAP”), and coordinating more with compliance personnel in the event they become aware of activity that should be escalated to the Board.

Is your CMS ready for your next regulatory exam? 

As your institution grows, regulators will want to know how your Compliance Management System has evolved to manage compliance with the evolving complexities of regulations impacting your business practices. A granular review of your CMS framework will help set the stage for your next regulatory exam and includes a detailed look at your current policies and procedures, compliance monitoring and corrective actions, reporting on trends and escalation to your Board, change management procedures, and the overall compliance culture. Here is a short checklist to help you reassure the Board that your CMS is updated and current: 

  • If your last exam identified any performance gaps in your CMS, check that you have documented your remediation and action plans to address any weaknesses in the CMS.
  • Update policies and procedures to reflect current activities and practices. Avoid using the specific names of key personnel within the text, and instead consider an appendix with current contact information that can easily be updated when there is a change in personnel.    
  • Confirm that your Complaint Management Program includes a clear definition of a “complaint” and adequately documents how complaints are tracked for a prompt and adequate response, analyzed for metrics and reported up to the Board with clear trends and critical data easily identified.
  • The new Home Mortgage Disclosure Act (“HMDA”) brought with it expanded data fields, many of which are in some way made available to the public. This data is also used for Fair Lending analysis as well as assessment of your FI’s obligations under the Community Reinvestment Act (“CRA”). Does your Board truly understand whether there are any issues in the accuracy of your underlying data?
  • Ensure that you have a current Risk Assessment that contains an inventory of relevant controls, and update your compliance monitoring program in accordance with highest areas of residual risk.
  • Validate that you have a comprehensive, third-party vendor management program that includes oversight, monitoring and reporting components. If your third parties include fintechs, you may need to have additional responsibilities, as many fintechs do not have an established internal regulatory framework. 
  • How long has your institution provided the same training modules to staff year after year? Consider updating or customizing your compliance trainings to provide meaningful guidance that can deepen the discussions about values and encourage behaviors consistent with the ideals of your FI’s culture of compliance.   
  • At a time when there are so many competing priorities, having the resources to manage and maintain all the elements that go into an effective CMS can be a challenge. Now may be a good time to discuss with the Board the specific experience and skillsets that are needed to support their ambitious strategic objectives.

A current and effective Compliance Management System is an integral part of a robust corporate governance program. Consider these tactics as your FI expands its capabilities and vision for future growth.

