Compliance Management System (CMS)
    • 28 May 2024

    Generally, your Company owns several key functions that have compliance implications, which is why a Compliance Management System (CMS) is required:

    • Product and features
    • Application and user interface for customer accounts and transactions
    • Customer onboarding
    • Customer servicing and support
    • Marketing and advertising

    An effective CMS will have the following:

    • Robust internal policies, standards, procedures, and risk assessments;
    • A thorough and ongoing training program;
    • A designated compliance officer; and
    • Structured and ongoing testing and monitoring of internal controls

    The below sections are intended as guidance and not legal advice.

    Roles and Responsibilities vs. Sponsor Bank

    Your Company is responsible for following compliance policies and procedures that are approved by your Sponsor Bank and adhering to any banking or consumer compliance regulations. Many of these responsibilities are considered part of a "first line of defense" given the Company's ownership over the customer relationship and product.

    These responsibilities include the following:

    • Having a qualified Compliance Officer
    • Setting up compliance policies and procedures
    • Compliant onboarding / KYC of customers
    • Compliant display of disclosures and notices
    • Managing customer support and customer complaints
    • Identifying and escalating customer disputes
    • Maintaining a compliant marketing / advertising program
    • Conducting compliance training
    • Conducting periodic compliance testing and assessments
    • Assessing third parties (external to Synctera) that are used to provide card and account-related products and services
    • Providing input on fraud rules and settings based on knowledge of customer behavior and product
    • Supporting AML or fraud investigations, as necessary
    • Responding to bank and bank examination inquiries

    The Sponsor Bank is accountable for your Company's compliance since customer accounts are opened with the bank and transactions occur via the bank's rails. They are also accountable to banking regulators that may want to closely examine your Company's customers, products, and compliance functions - making it crucial to work effectively together.

    Accountability for Consumer Compliance

    While Sponsor Banks have accountability for banking compliance, your Company may also be directly accountable for certain consumer compliance rules and regulations, such as those under the scope of the Consumer Financial Protection Bureau, and can be directly fined or punished for failing to meet those regulations, which can apply to non-banks.

    The Sponsor Bank primarily operates in an oversight role and may even operate certain first line functions depending on the risk and business model of the Company and the compliance model of the Sponsor Bank. The bank's responsibilities will include the following:

    • Reviewing and approving the Company's compliance policies
    • Setting risk appetite and boundaries pertaining to products, fees, and limits
    • Reviewing and approving program changes such as new products, new marketing, new bonus programs, new customer bases / geographies
    • Overseeing the anti-money laundering program and sanctions screening, including filing reports to FinCEN as necessary
    • Periodically testing, auditing or requiring external audits to be performed
    • Requesting ongoing information of the Company such as complaints logs, training logs, evidence of testing, and company information

    Compliance Officer

    Role of the Compliance Officer

    The Compliance Officer is responsible for developing, maintaining, and administering the CMS. A qualified officer will generally be required by your Sponsor Bank and they will be interested in the individual's background and qualifications.

    The role of the officer broadly includes:

    • Conducting annual compliance-specific risk assessments;
    • Developing and maintaining compliance policies and procedures;
    • Developing a yearly training plan to ensure staff is appropriately equipped to perform their functions in a compliant manner;
    • Developing and implementing appropriate controls to identify and monitor the Company’s practices with respect to UDAAP concerns, including a process for handling and responding to complaints;
    • Monitoring changes in law, regulations, and examination trends, and disseminating this information to appropriate personnel;
    • Developing and implementing compliance strategies and coordinating all compliance activities;
    • Developing, maintaining, and executing a monitoring and testing program with preventative and detective controls designed to detect and prevent potential violations of applicable laws and regulations;
    • Formulating corrective actions when needed and taking follow-up measures to ensure corrective actions have been taken;
    • Assisting with due diligence efforts related to new third-party vendors; and
    • Keeping the Sponsor Bank, the Board of Directors, and the Company’s executive leadership apprised of compliance risks

    Compliance Officer and Ground Control

    Synctera offers a service known as Ground Control, which can assist with compliance operations as the company scales up. This includes support on KYC reviews, fraud reviews, AML reviews, and disputes. However, this service does not replace the need for a qualified Compliance Officer, who should have day-to-day knowledge of the company's compliance infrastructure and needs. Banks expect a company to have a Compliance Officer - this may be a fractional / compliance consultant for smaller companies that are still scaling.

    When to Hire a Compliance Officer

    We strongly encourage the Company to have a Compliance Officer in place prior to launch to assist with implementation and to work with the Sponsor Bank on any outstanding questions or issues that may arise. In our experience, having strong compliance expertise allows the Company to have a streamlined, efficient implementation and quicker approval with the Sponsor Bank.

    At a minimum, a qualified Compliance Officer must be in place by launch. Live programs with existing banking products should expect to already have a Compliance Officer in place.

    Qualifications of a Compliance Officer

    Compliance Officers should have an understanding of banking compliance and regulations.

    • Expertise: The level of expertise should align to the complexity and scope of your product. For instance, consumer banking products should involve Compliance Officers that have a strong understanding of Regulations E, CC, and DD. Products that involve credit or lending require expertise in topics such as Regulation Z and fair lending.
    • Experience: Generally, having a background working with a company that has faced similar regulations such as a bank or a fintech with bank partnerships is preferable. Their experience may include building compliance programs, testing/assessing products and services, reporting to leadership on key issues, and working with auditors and bank examiners.
    • Certifications and Licensing: This will depend on the type of Compliance Officer - and can include legal backgrounds in compliance and certifications such as the Certified Regulatory Compliance Manager (CRCM) that is well respected in the industry.

    This may be performed by a fractional Compliance Officer depending on the complexity of your Company's products and services and the existing size of your customer base (live programs should already have a Compliance Officer).

    Policies and Procedures

    Companies should have a set of policies, standards, procedures, and risk assessments (collectively referred to as “Compliance Governance Documents”) that outline the compliance function’s general governance, roles and responsibilities, risks, processes and controls.

    • Policies serve as high-level guidelines or principles that define an organization’s goals, values, and rules. They provide a framework for decision-making and establish an organization’s culture and direction.
    • Standards provide high-level guidance regarding what is considered an acceptable level of quality or performance. In essence they provide specific examples that address the practical application of a policy. For example, if a policy states that it is the Company’s policy to adhere to all applicable law when advertising their products, the advertising standard can provide positive examples of how to compliantly advertise a financial product as well as negative examples of advertising that has resulted in a fine or loss of customer trust.
    • Procedures provide the more specific step-by-step instructions that outline how particular tasks or activities are performed within the organization. They are meant to be more detailed than both policies and standards and should provide clear step-by-step guidance on how to execute specific processes.

    Finalized Compliance Governance Documents are required in order to launch with your Sponsor Bank. Moreover, while Synctera has an array of templates to leverage, all templates must be customized based on your Company’s products and services and overall structure, as well as its size, maturity, and complexity.

    Reviewing Policies and Procedures

    It is of particular importance that your Company carefully review and construct policies and procedures based on its planned practices. This is because all processes defined in these documents are subject to ongoing testing and monitoring. Failure to meet the standards defined in your governing documents can result in negative consequences such as —

    • Your Sponsor Bank withdrawing from the relationship due to breach of contract;
    • Restrictions on new product roll-outs and company growth; and/or
    • A relationship with both your Sponsor Bank and your customer base characterized by a lack of trust and transparency.

    Risk Assessments

    Risk assessments provide a structured process for identifying, evaluating, and prioritizing risks that could negatively impact you and your Sponsor Bank if left unaddressed. They enable the organization to focus time on the most significant risks and provide a roadmap to enhance controls when necessary.

    Assessments can be performed internally and generally do not require external vendors unless you require additional expertise or prefer an independent view. The following are typical self-assessments that may be required prior to launch or performed at least annually:

    • BSA/AML Assessment - Identifies inherent money laundering risks associated with your customer base, geography, and product types. Examples include working with non-residents and non-domestic businesses, cash intensive businesses, and offering ability to transact with large limits or instant transfers.
    • UDAAP Assessment - Identifies consumer compliance risks that may arise from unfair, deceptive, and abusive acts and practices. The inherent risk is generally higher for consumer customer bases and more complex financial products or products that can impact the financial health of the customer.
    • ID Theft Red Flags Assessment - This assessment helps ensure that controls are in place to mitigate identity theft and the negative consequences for consumers, particularly for companies engaged in credit products or involved in credit reporting.
    • ACH Risk Assessment - May be required for companies engaged in higher volume or transaction sizes, ACH debits, and business customers that have more frequent ACH activity. This assessment helps you ensure you are deploying controls to mitigate unauthorized ACH transactions and high ACH return rates.

    Compliance Training

    All companies are required to maintain a compliance training program. This should be broadly discussed in the Compliance Management System Policy and outlined in greater detail in your Company’s Compliance Training Matrix. Training requirements will vary depending on job description, responsibilities, and product offering, but generally speaking compliance training should at minimum address the following subjects:

    • Data privacy (GLBA);
    • Unfair, Deceptive, and Abusive Acts or Practices, i.e. UDAAP;
    • BSA/AML/OFAC including customer identification, due diligence, and enhanced due diligence;
    • Errors, disputes (Reg E) and complaints;
    • Fraud scenarios;
    • Information security topics;
    • Marketing financial products and services; and
    • E-SIGN

    Additional training that covers lending and/or deposits should also be included where applicable.

    Training must be completed by required personnel before launch and at a regular cadence thereafter (but at least annually).

    Your Sponsor Bank will generally request a training log to evidence your completion of compliance training at least once a year for audit purposes.

    The log should include the following, at a minimum:

    • Team member name
    • Courses taken by team member
    • Final score or pass/fail status
    • Date course was completed

    Compliance Training Vendors

    Synctera can provide compliance training program referrals if you do not have compliance training developed or a vendor identified.

    One example is BAI, which provides online courses that can be taken to meet the requirements. Courses that should be taken with BAI include the following:

    • BSA and AML: Essentials
    • CIP Procedures and Protections
    • CIP: CDD and Beneficial Ownership [Mini Course] (For companies with business customers)
    • Reg E: Handling Errors and Complaints
    • Unfair, Deceptive, and Abusive Acts or Practices (UDAAP): Mitigating Risk
    • Understanding Privacy: The Gramm-Leach-Bliley Act (GLBA)
    • Data Protection and Encryption for Financial Institutions
    • Cybersecurity Incident Notification Requirements [Mini Course]
    • Understanding Marketing Regulations

    Another example is Affinity, which can provide more specialized compliance training oriented toward fintechs.

    Testing and Monitoring

    Testing and monitoring refers to the process and cadence of evaluating whether established controls are adequately controlling compliance risk. This process should ideally identify any control gaps or control failures preemptively, before a negative result that could harm your Company is actually realized. While testing and monitoring will vary from company to company, it generally includes the following steps:

    1. Establish a testing schedule and cadence for processes outlined in your Company’s Compliance Governance Documents (e.g. annually, semi-annually, quarterly, monthly, etc.)
    2. Define key risk indicators for compliance processes subject to testing. Specifically, in conjunction with Synctera and your Sponsor Bank, define what percentage of a control sample must pass in order for a control to be considered effective.
    3. Develop a sampling methodology. This will vary depending on how many times a control is performed in a testing period as well as how the control is structured. For instance, randomized sampling will be necessary for a control that is performed many times over a given testing period, whereas a control that is seldom invoked (e.g. three times a year) will require 100% testing.
    4. Execute the control test and document the results
    5. Document issues in an issue log in the event that any control failures are identified in the process, alongside an appropriate corrective action.
