The CFPB has updated its Supervision and Examination Manual by adding a new section called Compliance Management Review – Information Technology. The new examination procedures are intended to help CFPB examiners assess an entity's information technology (IT) controls as part of a compliance management system (CMS) review. Among other things, the new procedures describe the following five modules: (i) board and management oversight; (ii) compliance program; (iii) service provider oversight; (iv) violations of law and consumer harm; and (v) examiner's conclusions and wrap-up. Each module focuses on the components of a compliance program as they relate to the IT function, including policies and procedures, training, monitoring and/or auditing, and responding to consumer complaints.
Putting it into practice: At the heart of the new examination procedures is the emphasis the CFPB places on the IT controls of an institution's service providers. The new section notes that third-party arrangements can "put institutions at risk when not managed properly" and that institutions "cannot outsource the responsibility of complying with federal consumer financial laws or managing the risks associated with service provider relationships." The CFPB's supervisory authority over service providers was granted under Title X of Dodd-Frank and later clarified in subsequent guidance (see CFPB Compliance Bulletin and Policy Guidance 2016-02). Third-party risk management has also recently been a focus of the Federal Reserve, FDIC, and OCC (we have previously discussed this trend in Consumer Finance & FinTech blog posts here, here, and here).