The CFPB updated its Supervision and Examination Manual by adding a new section titled Compliance Management Review – Information Technology. The new examination procedures are meant to assist CFPB examiners when assessing an entity’s information technology (IT) controls as part of a Compliance Management System (CMS) review. Among other things, the new exam procedures outline the following five modules: (i) Board and Management Oversight; (ii) Compliance Program; (iii) Service Provider Oversight; (iv) Violations of Law and Consumer Harm; and (v) Examiner Conclusions and Wrap-Up. Each module focuses on the components of a compliance program and the IT function, including policies and procedures, training, monitoring and/or audit, and consumer complaint response.
Putting Into Practice: Central to the new exam procedures is the CFPB’s focus on the IT controls of an institution’s service providers. The new section notes that third-party arrangements may “expose institutions to risks when not managed properly” and that institutions “cannot outsource the responsibility for complying with Federal consumer financial laws or managing the risks associated with service provider relationships.” In practice, this means an institution remains accountable for its vendors’ IT controls (access management, data protection, incident response, and the like) to the same extent as for its own, and examiners will expect to see evidence of due diligence and ongoing monitoring of those vendors. The CFPB’s supervisory authority over service providers was granted under Title X of Dodd-Frank and then clarified in later guidance (See CFPB Compliance Bulletin and Policy Guidance 2016-02). Third-party risk management has also been a recent focus of the Federal Reserve, FDIC, and OCC (we previously discussed this trend in earlier Consumer Finance & FinTech Blog posts).