Compliance Series #3 – An Operationalized Compliance Management System


For the last several posts we’ve been looking at the implications of the Dodd Frank Act and related legislation outside the US on banks, credit bureaus, card processors and the like. You can find other posts in this series here.

CFPB has said that “one of the most important responsibilities of the CFPB supervisory program is assessing the quality of the compliance management systems employed by the financial institutions under the CFPB’s jurisdiction.” Which begs a question – what is a Compliance Management System?

It’s a set of policies, procedures and practices that explain how an institution intends to comply with regulatory requirements. And a set of information systems that guide staff in compliance and monitor activities for audit and trending purposes. It incorporates business processes that lay out how people and information systems put those policies and procedures into action. Finally, it provides tools to assess how effectively compliance measures are working, and generates feedback used to update policies, procedures and practices.

Here it is in a drawing. Let me know in the comments what you think. These things are fun to discuss and debate. Please join in. The model and our understanding of the issues will be better if you do.


Let’s run down the pieces. Internal components include:

  • Creating Policies & Procedures – devising approaches to comply with new regulations or improved approaches to existing regulations; more broadly, creating methods to deal with the underlying drivers of noncompliance.
  • Process Design – developing processes to institutionalize compliance policies & procedures
  • Training – guiding employees to employ these processes and policies in their everyday work
  • Investigating – responding to requests/assertions from regulators about possible noncompliance
  • Operational Monitoring – assessing the organization’s compliance on a continual basis
  • Exception Handling – managing any issues discovered as a result of operational monitoring or investigating
  • Feedback – conveying insights, patterns or unresolved issues back to the Policies & Procedures function so  updated policies and procedures can be created and brought to the organization

And three external pieces:

  • Environment Scan – assessing the political, competitive, and public environment for regulation-related issues, and using that as input to Policies & Procedures
  • Interactions – situations where employees engage in work with a regulatory impact. Includes both client interactions and internal interactions (i.e., communication among colleagues)
  • Regulatory Requests – questions or accusations coming from regulatory bodies

Next, we’ll take up where Nexidia fits in all this.

Photo: Lamborghini by fotosleuth from Flickr creative commons

Categories: Financial Services