What Board Oversight of CMS Really Means

Lori Peterson, Director, Regulatory Infrastructure, CRCM

Nov 07, 2017

Since Board oversight was introduced in March as one of the four factors evaluated in the new rating guidelines, Boards of Directors have been curious about how they should prove they are engaged and involved in effective oversight of the institution’s Compliance Management System (CMS).

While the Board will depend on management to execute the other three factors - change management, risk management, and correction of identified issues - the oversight of and commitment to the CMS remains squarely in the realm of Board responsibility.


A Board seeking to fulfill this duty has to go beyond what was customary in the past. Demonstrating active oversight demands more than vague remarks in meeting minutes that compliance was “discussed” or that a report was presented, and showing commitment requires establishing a compliance culture and setting a “tone at the top” that fosters effective compliance.


According to the Federal Reserve Board, the core responsibilities of a financial institution’s Board include:

Guiding the development of the institution’s risk tolerance.
This means that the Board is responsible for approving the institution’s overall business strategies. It is not enough to give a cursory glance at risk. Since risk determinations and risk appetite are key to building sound corporate policies, this step shouldn’t be delegated down if it’s to be perceived as effective.

The Board will need to be aware of and consider products and services currently offered and proposed as well as the regulatory environment that affects those products and services. The Board must also approve significant policies. What is considered significant will differ from institution to institution and examiners will expect the Board to dictate what it deems significant. For example, in the compliance area, a policy addressing complaints would likely be considered significant for most institutions.  


Overseeing senior management.
The Board needs to hold senior management accountable for effective risk management and compliance and to ensure that senior management is fully capable of implementing approved strategies. To do so, the Board needs to receive regular management reports regarding the steps management is taking to identify, measure, monitor, and control risks (see our prior blog post “What Should I Tell the Board?”).


Supporting independent risk management and audit functions and adopting effective governance practices. 
Effective internal controls are essential to ensuring compliance and avoiding, or promptly detecting and correcting, violations and consumer harm. Results from independent testing of these controls should be reported to the Board or a committee thereof. The Board should decide, based on these reports, whether management is capable of implementing the CMS. If not, the Board should consider new, different or additional resources.


Implementation of the above will help your institution achieve a solid consumer compliance examination rating. How is your institution making sure that your Board is demonstrating its commitment to the CMS?


Continuity’s RegAdvisor Pro solution can assist you in implementing a regulatory change system and RegControls™ includes pre-built compliance monitoring programs. Contact us at info@continuity.net if you'd like to learn more about how we can help! 
