The CFPB added a new section to its supervision and review manual entitled “Compliance Management Review-Information Technology”. The new section complements the existing section on the Compliance Management Review to provide review procedures to be used by CFPB examiners to assess information technology (IT) and IT controls in the context of a review of the compliance management system (CMS).
In the introduction to the new section, the CFPB recognizes that the information technologies used by institutions may have an impact on their compliance with federal consumer finance laws. Accordingly, by performing an overall assessment of the CMS, the CFPB can assess an institution’s IT for compliance. It can also assess the technological controls of an institution and its service providers. This stems from the general principle that the Bureau’s oversight expectations of an institution’s compliance program extend to its relationships with service providers.
The new section sets out IT-specific procedures that reviewers should use to assess:
- IT-related board and management oversight
- A supervised entity’s IT-related compliance program, in particular IT policies and procedures, IT training, IT monitoring and/or auditing, and responding to IT-related consumer complaints
- Supervision by a supervised entity of the service providers that support the IT functions