
Building a Better Compliance Management System

Six best practices for a more efficient, regulatory friendly CMS

Executive Summary

How a financial institution (FI) meets regulatory expectations for a compliance management system (CMS) is strictly up to the FI; each institution decides how to implement its own compliance program. Based on regulatory guidance, this white paper explains the six key objectives of an effective CMS: understanding the regulations that apply to the institution; keeping up with applicable regulatory changes; making sure everyone understands their regulatory responsibilities; embedding regulatory requirements into daily operations; routinely verifying that the FI is on track; and having a reliable and transparent way to fix what breaks. The paper also offers a holistic solution for satisfying and implementing the six points of the CMS framework.

Compliance Management System: the method by which a bank or credit union manages the entire consumer compliance process. It includes the compliance program and the compliance audit function.


Since the 1990s, most banking regulators have advocated the use of a CMS to manage regulatory obligations, including interpreting and managing regulatory change. During this time a majority of FIs continued to rely on their traditional methods, which tended to be manual, decentralized processes. In addition, many FIs have been distracted from the bigger compliance picture by the constant flood of regulations, forcing them to react to rules as they emerge instead of proactively implementing an institution-wide approach to compliance. As a result, FIs repeat the same compliance process of spreadsheets and department-specific systems year after year instead of working toward a fully implemented CMS.

It’s a dangerous trade-off. Failure to properly oversee compliance can subject institutions to regulatory criticism or, in severe circumstances, enforcement actions that may include fines and civil money penalties. In just the first quarter of 2015, enforcement actions rose by 30 percent as regulators cracked down on non-compliant FIs, according to the Q1 2015 Banking Compliance Index (BCI), a quarterly tracking index measuring the incremental cost burden on financial institutions to keep up with regulatory changes.

The good news is that these factors have forced regulatory agencies to become more transparent and definitive about what constitutes a strong CMS. Today FIs have direction on what a CMS should look like—from key responsibilities to the distinct components.

“...when businesses underinvest in compliance management systems it can pose significant reputational and financial risks.”
CFPB Deputy Director Steve Antonakes, June 2014
Building a Better Compliance Management System Page 3

What is a CMS?

At its core, a CMS is the FI’s overall methodology for managing the entire compliance process. A CMS is made up of three parts: board
and management oversight, the compliance program and the compliance audit function. Board and management oversight is responsible
for ensuring that audits identify the root cause of weakness and make sound remediation recommendations. The compliance program is
all of the policies, procedures and processes put in place to ensure an institution is adhering to laws and regulations. The audit function
tests the effectiveness of the compliance program.

What does an effective CMS look like? It all boils down to six key compliance management objectives:
1. Understand the regulations that apply to the FI.
2. Keep up with applicable regulatory changes.
3. Make sure everyone understands their regulatory responsibilities.
4. Embed regulatory requirements into daily operations.
5. Verify the FI is on track on a routine basis.
6. Have a reliable and transparent way to fix what breaks.

It’s important to note that these objectives are not limited to a “compliance management system” in terms of a specific technology
solution. Nor are these objectives a pre-defined set of activities. These objectives provide a framework for FIs to help them manage the
process of compliance and create a degree of standardization for compliance management, audit and examination.
It’s a matter of perspective. Instead of seeing the CMS as a “thing,” FIs need to view it as the “how.” It’s how they manage regulatory
change in a way that enforces compliance without compromising their business. It ensures requirements are interconnected across the
banking organization.

Let’s take a closer look at these objectives:

1. Understand the regulations that apply to the FI.
No banker needs to be told that the number of regulations FIs contend with is overwhelming. With more than 13,000 citations in the Code
of Federal Regulations (CFR), the sheer volume is astounding. That’s especially true when you consider the first goal of a CMS: determine
which of these many rules apply to an FI and then translate these rules into actionable information.

The heavy language of the rules must be analyzed to determine what areas of each regulation apply to the FI based on its charter, size,
complexity and products and services offered. Then the FI must interpret the intent of the regulators to determine the institution’s
compliance responsibilities.

With that awareness and understanding of applicable regulations, the next step is for an FI to develop specific and actionable policies, procedures and processes. This includes risk assessments, compliance monitoring processes, auditing protocols and other standards. Everything must be reviewed by the board on a timely basis.

Unfortunately, this is easier said than done. Studies show that many compliance officers spend half their time reading regulations—yet that is just a small fraction of their job responsibilities. Then there is the matter of correctly interpreting the rules. Too often, FIs only find a deficiency in their understanding of regulations when examiners uncover them—putting the bank or credit union at risk of regulatory action. And with exams covering only a handful of areas, there is always the potential of an undetected problem.

2. Keep up with applicable regulatory changes.

Rules are always evolving. In 2014 alone there were more than 300 regulatory changes. For the average FI, these changes required 2,000+ hours to track and implement, according to the BCI. That’s in addition to the time and costs associated with maintaining compliance with existing regulation.

Every rule change must be identified, read, analyzed and broken down to determine which products are impacted by the rule and whether the change requires an FI to modify policies, procedures or risk assessments. Then the FI needs a game plan on how to implement the changes into the organization. Many FIs tackle these changes on a rule-by-rule, case-by-case basis—an overwhelming task considering the complexity and volume of regulatory change.

A good CMS has specific procedures and processes in place to quickly and accurately identify and interpret regulatory changes. Best practices include a centralized, top-down approach with easily repeatable steps that efficiently implement rule changes across the organization. Missing a rule change or failing to incorporate new requirements properly puts the FI at risk of regulatory action.

Compliance is “effective” when it is:

• Embedded into existing workflows
• Achieved with minimum friction
• Accounting for human nature
• Provided at the lowest practical price point
• Resulting in few or no examiner criticisms


3. Make sure everyone understands their regulatory responsibilities.

Every employee plays some role in keeping the institution compliant. Employees must understand their responsibilities in meeting regulatory requirements, be trained in the appropriate policies and procedures specific to their positions and execute them properly. Each of these steps also needs to be documented.

In a good CMS, an institution identifies every component of responsibility and assigns accountability for compliance to a particular role inside the institution. Every role should be given assignments—the actual activities that must be completed, including training, procedures, checks and validations. These assignments and responsibilities need to be spelled out directly and clearly so that there is no chance that an employee is unaware of how or when to complete them.

There also needs to be a visible reporting system where employees are reminded of pending compliance assignments and management is fully aware of which tasks are done and which are not. Ideally, employees are assigned responsibilities, compliance tasks are automatically cued at the right time and there is proper documentation.

4. Embed regulatory requirements into daily operations.

Compliance touches virtually every activity performed across a banking organization. When compliance is fully
integrated into a financial organization, it is pervasive, yet invisible. Rather than existing as a burden and headache,
compliance management simply becomes ingrained into the institution’s operations.
That’s easier said than done, judging by the homegrown approach to compliance management used at many FIs. At a
single institution, compliance oversight can be distributed across many groups of people, each using a different
method. Some tasks are automated, while others are manual. Some employees rely on calendar reminders and
spreadsheets while others keep checklists and thick folders on their desks.
An FI must be able to prove to examiners that it has met its regulatory obligations. From an operations perspective, it
wants to do so in the most efficient and cost-effective manner possible. By embedding compliance requirements into
the work steps already being done as part of day-to-day duties, both goals are achieved. A few examples support this
• An institution reporting Home Mortgage Disclosure Act (HMDA) data decided that, rather than having lenders complete a
separate form to gather loan data, it would pull a report of this data from its loan origination system instead. Because the
data already had been entered to the system at the time the loan was made, the duplicative effort of logging the data by
hand was eliminated. And another benefit: data submission errors were reduced by more than 75% from the prior year.
• An institution’s account opening team gathered all of the information required to open an account on
the deposit account platform. After the account was open, another department performed the initial
due diligence (required by bank secrecy/anti-money laundering rules) by entering answers to checklist
questions in a spreadsheet. Then a third department tallied the information from the spreadsheets into
a consolidated report. When the institution switched to a process that allowed the person opening the
account to also gather the due diligence data and record answers in a centralized compliance
management system (CMS), it was able to eliminate the data compilation and reporting steps. The
data was gathered up front by the new account rep, who entered the information into the CMS. The
extra step of gathering the data in a second department was eliminated, and the department reviewing
this data could now generate its reports with ease. The institution saved over $25,000 annually by
making this simple shift to embed compliance into the business process.
With so many steps and ever-changing rules, it’s not hard to imagine losing track of this chain of
tasks. In simpler times, FIs were able to manually track and document policies, procedures,
processes and training. But in today’s environment, those traditional models are time-consuming
and introduce risk. A better approach is to use central workflows that automate the compliance
function across all facets of the business and document compliance activities as they happen.
These functions need to integrate into existing business processes to ensure they are completed.
5. Verify the FI is on track on a routine basis.
The typical FI has roughly 100 different compliance management programs across the organization.
Because most FIs employ manual methods for the majority of compliance activities, monitoring can
be overwhelmingly time-consuming and tedious—and prone to error.
A good compliance management system should be able to quickly assess an institution’s
compliance standing, from monitoring to verification processes. Managers and owners need to
know if all areas are on-track for compliance—and what steps are being taken to move the FI in that
direction, if a strong CMS isn’t already in place. Personnel being out of the bank for the day,
forgetting to save or make updates to a spreadsheet or failing to update a procedure are not
excuses for noncompliance.
The key word is visibility. An institution should be able to peer over the proverbial shoulder of every
employee. How many of a manager’s reports have outstanding items over the last 30 days? Why is a
particular employee always falling behind with her tasks? Who has tasks to complete next week?
The same visibility is necessary with compliance areas, such as Bank Secrecy Act (BSA), Community
Reinvestment Act (CRA), business continuity and lending. In a matter of minutes, an institution
should be able to determine what specific BSA tasks are outstanding. It should be able to dig into
specific issues like vendor management and know how many contracts are outstanding, when they
were last reviewed and when was the most recent risk assessment. It should know exactly what
compliance activities were supposed to have happened in the last 90 days but didn’t.
By regularly monitoring the state of an organization’s compliance, the FI can identify issues before
exam time, prioritize action, minimize risk, reduce audit costs and continuously align compliance
programs with examiner expectations.
6. Have a reliable and transparent way to fix what breaks.
Like most compliance tasks, corrective action has typically been managed through email and
spreadsheets. From an examiner perspective, this opens the door to remediation failure—either
through activities simply falling through the cracks or falsification.
All remediation activities should be easily tracked with an audit trail to give your board and
examiners progress reports and confidence that the work is getting done. That includes auditor
scheduling, the management of findings and board reporting.
This is best accomplished through role-based assignments, central and automated execution and a
central audit trail. This provides examiners and the board the assurance that the proper steps are
being taken and documented. As the Office of the Comptroller’s guidance notes, “Prompt, capable
management response to those weaknesses and required changes is the final measure of the
compliance system’s effectiveness.”
Beyond Examiner Expectations - Benefits of an automated CMS
Most conventional compliance tools and point solutions don’t align with the holistic nature of the
six-point CMS framework. To address compliance once and for all, an FI would need a team of
former examiners, banking operations experts and an automated tool combining best practices and
hardened processes to implement an effective CMS and stay on top of compliance.
A complete, automated compliance management system would need to combine technology with
regulatory expertise and strategic guidance so FIs can safely focus on the business of banking.
Instead of conducting compliance activities in separate silos using separate methods, all regulatory
business activities would be performed in one place that is kept continuously up to date.
The four essential elements of an automated CMS:
Regulatory Change Management
A Regulatory Change Management System (RCMS) would enable the compliance officer to oversee and direct all
aspects of compliance for the FI in one place. Regulatory changes in DC would be interpreted by a team of experts
outside of the FI and delivered through packaged implementation plans tailored to the particular FI. These plans
would automatically inform and request appropriate action from resources within the FI in order to maintain
compliance. These same experts should be available to answer any compliance question the FI should have, giving
the compliance officer an on-demand team of experts at their disposal at any time. Ideally, an RCMS would be a
cockpit for the compliance officer, enabling them to see everything that’s happening in real time, be alerted to any
issues and report back on successful completion of actions in relation to specific regulatory change.
Specific Compliance Solutions
In addition to Regulatory Change, there are other areas of compliance that need to be addressed in a complete,
automated CMS. Examples include Vendor Management, Business Continuity Planning, BSA, CRA, HR, IT and many
more. These specific solutions must be persistently compliant, meaning any change in regulations that apply to the
way in which these areas of compliance need to be addressed are automatically updated, the compliance officer
notified and the relevant processes seamlessly modified. These solutions must also be seamlessly integrated into
the business processes of the FI, where people typically not involved in the act of compliance are consistently
achieving compliance by their day-to-day actions using the automated CMS. For example, an IT manager being asked
to confirm their IT security vendor contract is still current.
Strategic Guidance
Transitioning to and integrating an automated CMS into the business processes of the FI can seem like a daunting
prospect, but it shouldn’t be. A good CMS solution should consist of a blend of technology and experts to help guide
the FI through the transition and to ensure continuous improvement. Strategic guidance should help FIs execute on
their strategic objectives by reducing the impact of compliance on their institution. Ideally, these experts work with
hundreds of other FIs in the same situation and are able to call on that experience to drive best practices throughout
the FI as they move to a complete CMS.
Monitoring and Auditing
An essential part of the six objectives of a CMS is to ensure that the FI is aware of any deficiencies and is able to fix
them quickly. Any automated CMS worth its salt should have full monitoring and reporting capabilities, instant
exception reporting and alerting based on preset parameters and an independent auditing capability. Using
technology, there is no reason why audits need to be conducted onsite. The next generation of audits will leverage
technology to be conducted virtually. Since in an automated CMS the act of compliance is a continuous process,
virtual audits should be completed in a fraction of the time and cost of traditional ones.
Let’s see how a complete, automated CMS meets the six CMS objectives regulators expect:
1. Understand regulations that apply to the FI. The automated CMS is connected to the Code of Federal Regulations
electronically and houses electronic financial institution profiles that allow the system to understand the FI’s
financial condition, size, complexity, and product and service offerings. An initial diagnostic is run to quickly and
accurately determine which program areas apply to the FI, and an initial evaluation of the FI’s current compliance
management and governance structure is performed.
2. Keep up with applicable regulatory changes. The CMS solution must include expertise as well as technology. A
team of compliance, legal and regulatory experts continuously monitors every regulatory change and distills them into
alerts delivered to the FI through the automated compliance platform. By the time the FI is made aware of the
impact of a regulatory change, more than half of the work has been done to push that change through to
3. Make sure everyone understands their regulatory responsibilities. The CMS assigns employee responsibilities
and automatically assigns compliance tasks electronically at the right time with the proper documentation.
4. Embed regulatory requirements into daily operations. Creating and integrating simple online workflows into
existing business processes is an essential operation of an automated CMS. These workflows automate the
compliance function across all facets of the business and document compliance activities as they happen.
5. Verify the FI is on track on a routine basis. Monitoring is constant as all regulatory business activities are
performed in the CMS. FIs have real-time access to their compliance standing.
6. Have a reliable and transparent way to fix what breaks. All remediation activities are now performed online and
easily tracked with an audit trail to give the board and examiners progress reports and confidence that the work is
getting done.
The immediate benefit of a complete, automated CMS is its ability to meet the CMS requirements
while reducing compliance cost and mitigating risk—both today, and as requirements continue to
Compliance Core
Continuity’s Compliance Core™ is a complete, automated compliance management system that can
be tailored to the individual needs, pains and objectives of the FI. The Core is actually a combination
of solutions, including Regulatory Change Management, Vendor Management, Auditing, Strategic
Guidance and more, that enables each FI to take their own path to a full CMS at their own pace and
in alignment with strategic objectives.
It’s also engineered for easy implementation and non-disruption. The solution is built for fast,
painless on-boarding using a proven 30-day approach, which is broken into four distinct stages that
allow financial institutions of all sizes to easily implement the components of the Compliance Core
they need today and build a path to future value.
Lastly, and perhaps most importantly, the Compliance Core makes compliance universal yet
inconspicuous. Instead of viewing compliance as a roadblock, FIs can turn their attention to finding
innovative ways to grow their business in any regulatory climate. The ability to do that represents a
powerful differential in the marketplace.
Benefits of the Compliance Core
• Reduces Risk
• Minimizes and stabilizes
• Streamlines exam and
• Ensures accurate interpretation of regulatory changes
• Allows FIs to focus on

About Continuity

Continuity provides the Compliance Core™ for banks and credit unions. The Compliance Core is a combination of
compliance products and services, engineered to reduce compliance risk and cost for financial institutions by
bringing together strategic planning, technical execution and world-class insight. These services are delivered using
a compliance control platform that is continuously updated with regulatory data from D.C. and best practice
compliance processes from other Compliance Core institutions. Built by bankers and former examiners, Continuity’s
Compliance Core helps financial institutions quickly adapt to regulatory change, streamline the workload and ensure
© 2015 Continuity
Final Thoughts
The current regulatory and enforcement climate indicates that there is little relief ahead for FIs of every size.
Regulatory activity is expected to maintain its upward trajectory over the long term, and any dips will be temporary and
countered with stricter rule enforcement. As the pace of change quickens, so does the need to respond to those
changes with speed, agility and accuracy. A strong CMS, such as the Compliance Core, combines the intelligence and
technology required to meet this demand—in a way that reduces compliance risk and cost today, while preparing the FI
for any new challenges ahead.
