Compliance Management System (CMS)

A company's CMS is the foundation of its compliance program and provides the guidance and framework for its compliance culture. Regulatory agencies, investors, and other third-party partners focus on the effectiveness of the CMS and look for assurance regarding how an institution¹:

  • Establishes its compliance responsibilities;
  • Communicates those responsibilities to employees;
  • Ensures that responsibilities for meeting legal requirements and internal policies and procedures are incorporated into business processes;
  • Reviews operations to ensure responsibilities are carried out and legal requirements are met; and
  • Takes corrective action and updates tools, systems, and materials as necessary.


An effective compliance management system commonly has two interdependent control components:

  • Board and Management Oversight; and
  • Compliance Program, which includes:
    • Policies and procedures;
    • Training;
    • Monitoring and/or audit; and
    • Consumer complaint response.

When the two control components are strong and well-coordinated, a supervised entity should be successful at managing its compliance responsibilities and risks. We help clients assess whether they have implemented a comprehensive CMS through consultation, monitoring, or targeted independent compliance reviews.

¹ CFPB Examination Procedures


Every client has different needs and the regulatory compliance services we provide are tailored to those needs. We have worked with clients who are just establishing their compliance management systems (CMS) and with clients who have a mature CMS in place. Our approach ensures we have a clear understanding of a client’s operating environment and governance structure so that the advice and solutions we provide fit the institution and are sustainable in the long term. We provide consultative services that prevent compliance risks or provide early identification and correction. However, we understand that despite all efforts, there may be times when issues are identified that require remediation. We have successfully supported clients with both preventive and reactive efforts.

  • Supervisory/Enforcement Action and Issue Remediation
  • Compliance Review of New Products and Services
  • Policy and Procedure Development
  • Exam Readiness
  • Compliance Training for Staff, Management, and Board of Directors

Assessment & Monitoring

In business we often hear, “What gets measured gets managed.” That statement certainly holds true in reference to the effectiveness of a compliance management system (CMS). It is imperative that an institution periodically assess the effectiveness of the CMS so that it may continue to optimize the system. Our qualitative and quantitative risk assessment approach helps ensure our client’s CMS remains commensurate with its products, services, processes, and compliance risk profile. In addition, to ensure that the preventive and detective controls are functioning properly, we have conducted periodic monitoring (monthly, quarterly, semi-annually, etc.) of a sampling of transactions. This monitoring should not be confused with independent compliance audits, which are typically performed at a point in time. The monitoring results will help with program corrections, ensuring risks are mitigated sooner rather than later.

  • Compliance Risk Assessment
  • Compliance Monitoring

Independent Compliance Reviews

Taking the initiative to strengthen compliance performance and reduce compliance risk is paramount to a highly effective CMS. A review conducted by a qualified, independent third party will provide compliance management with an unbiased evaluation of the compliance program or execution of compliance processes against regulatory requirements. It also increases the chances of a favorable internal audit or regulatory examination as it allows management to correct issues in the normal course of business. We have conducted the following types of independent compliance reviews for our clients:

  • Compliance Management System
  • Deposit Regulations
  • Lending Regulations
  • Loan Origination
  • Loan Servicing
  • New Products

Representative Engagements

  • Auto Finance Review – Review of the auto finance program covering the various elements of the auto loan life cycle, including origination and servicing processes
  • CFPB MOU Remediation – reviewed several thousand loan modifications and provided detailed reporting, allowing the client to meet CFPB requirements in a timely manner
  • CFPB Readiness Exams – prepared both originators and servicers for upcoming exams which included enabling “self-reporting”
  • Compliance Consultation Training – provided training to business lines as well as senior management and board committees, both proactively and in response to examination findings
  • Compliance Management System (CMS) Reviews – identified gaps in CMS for various non-depository mortgage entities and fintechs
  • Compliance Management System (CMS) Reviews – reviewed CMS for industrial banks and their fintech strategic partners
  • Compliance Policy and Procedures Development – allowed various clients to strengthen governance and internal controls
  • Due Diligence Review of Residential Mortgage Loans – reviewed a sample of loans from three proposed separate bulk whole loan purchases for compliance with regulatory requirements as well as federal and state disclosures
  • Foreclosure Management Look-Backs – executed numerous reviews which allowed clients to improve their operational controls
  • Review of New Products and Services – assisted a fintech in sourcing local counsel in each of 48 states to perform state-specific reviews of its HELOC product
  • TCPA and FDCPA – completed a targeted review of a credit union’s debt collection practices with a focus on compliance with TCPA requirements
  • UDAAP – assisted with a multi-phased review of a regional bank’s administration of debt protection products, including a look-back of thousands of customer loans with debt protection originated over several years
  • Website Compliance Review – reviewed all pages and all links of a credit union’s extensive website for compliance with all applicable regulations and potential UDAAP pitfalls
