by Brian Lane and Paul Becht, Baker Tilly
Regulators have been focusing on organizations’ “compliance management systems,” or CMS, as a critical step in their examination process. For example, the CFPB’s first listed objective in its published Examination Manual for Debt Collectors is, “to assess the quality of the regulated entity’s compliance management systems, including its internal controls and policies and procedures, for its debt collection business.” This post focuses on some common CMS questions.
What is the Definition?
A CMS is the set of processes used to:
(1) Identify the laws and regulations that a particular organization must comply with,
(2) Assess those laws and regulations for the impact on the organization,
(3) Manage the implementation across multiple functions, systems, and personnel,
(4) Monitor, test, and report compliance.
It is, in effect, a change management process. Many organizations already have a change control process; however, it is probably used for information technology projects. Sometimes called a “System Development Life Cycle” or SDLC, it is a structured process to initiate requests for changes, approve the changes, and manage and test the changes.
How are SDLCs Implemented?
Most organizations have implemented them in order to create order around new or changed processes that have company-wide implications. The current SDLC you use might be a good predictor of the type of CMS that will work for your organization. Larger organizations tend to have more structure, including standard forms for each step in the SDLC process, formal approvals and sign-offs. Smaller organizations sometimes use less formal approaches, such as standing committee meetings to discuss, prioritize, and approve changes.
The most effective process the authors have observed happened to be the most informal:
- All managers affected by a pending system change met in a room and discussed progress.
- When they were all comfortable that appropriate development, training, etc., had been completed, they went ahead with the change.
Are Regulators Telling us We Have to Acquire a New Computer Application?
No – our observation has been that regulators want an effective process and use the term “system” in its highest sense – basically a process that works for your organization. That being said, software in this area has progressed extensively in the past few years, and we generally recommend that organizations consider using technology. For one area in particular, the acquisition of regulatory content, there are a number of regulatory content providers such as SAIGlobal, Thomson Reuters, Ellie Mae, and Wolters Kluwer. They typically have a menu of regulators for whom they provide content, and a software tool to help you manage the content.
Why Buy Something (the Text of Regulations and Changes to Regulations) That I Can Get Free?
Organizations that have purchased these services have done so because the volume of regulatory changes is so great that processes based on spreadsheets or simple databases are cumbersome and prone to error. Also, the consequences of not getting ahead of changes can be costly, as implementation processes need to be rushed.
How Would I Get Started Rethinking or Starting to Build My CMS?
1. Start with the End in Mind – think about the results you want to have with your business and regulator(s), and build toward that goal.
2. Current State Analysis – Identify the regulators that have jurisdiction over your organization. This is a function of where you are legally domiciled, where you have contact with consumers, and where you may expand. Identify the processes your organization already has in place – the processes may be spread over functions such as Legal, Compliance, Internal Audit, etc. We have found that organizations often may understate what they already have, and may have a much better starting position than they realize.
3. Evaluate any gaps between #1 and #2 above.
4. Taking into account your size and culture, what type of process will work best for your organization? As discussed above, there is a range of options from automated, off-the-shelf tools, to highly manual, high-touch processes.
Isn’t This Just Bureaucracy?
CMS have traditionally been back-office programs, so it may be easy to think of them as part of a bureaucracy given the focus on policies and procedures. However, you can turn it to your advantage as a way of advertising your commitment to quality and effectiveness. As something that regulators will be keenly interested in, the documents outlining your CMS become quasi-public documents that can set the tone for a positive examination and positive public perceptions in general.
About the Authors
Paul Becht is an audit partner at Baker Tilly in charge of the firm’s Debt Collection Services Group. Mr. Becht has over 15 years of experience in accounting and auditing debt buyers and debt collectors. He has helped clients assess their internal controls and satisfy their compliance requirements. He can be reached at paul.becht@bakertilly.com.
Brian Lane is a Partner at Baker Tilly with decades of experience assisting financial service organizations with internal control, governance, and regulatory compliance issues. He has assisted clients in assessing their CMS needs and in selecting and implementing systems. He can be reached at brian.lane@bakertilly.com.