Lesson 23 of 25
CMS Part 2: Program Components
5 min read · CRCM
Master the five program components: policies and procedures, training, complaint management, third-party risk, and risk-based monitoring, plus the key monitoring-versus-audit distinction.
The program components
- CMS Area 2: compliance program components
- Policies, training, complaints, third-party risk, monitoring
- The operational core of compliance
- Each is testable
We continue in the compliance-management domain with the second area, the compliance-program components. If governance is the brain, these components are the muscles, the operational machinery that turns policy into practice. The outline lists five: policies and procedures, training, complaint management, third-party risk management, and compliance monitoring.
Each appears on the exam, and each connects back to the risk assessment from the last lecture: you build, prioritize, and resource these components according to where the risks are. Let's walk through them, keeping in mind that a strong C-M-S is judged on how well these pieces work together, not on whether any one exists on paper.
Policies and procedures
- Compliance management policy sized to the institution
- Regulation-specific policies
- Procedures to administer the program
- Review first-line procedures for compliance
Policies and procedures translate law into instructions. The compliance manager establishes, reviews, and maintains an overarching compliance-management policy appropriate to the bank's size and complexity, plus regulation-specific policies, and the procedures needed to administer the program. A key duty the outline highlights is reviewing the first line's procedures to ensure regulatory requirements are actually being met, for example, confirming that the front-line process for Reg E error resolution or Reg Z disclosures is correct.
Policies must be living documents, updated as rules change. On the exam, distinguish policy, the what and why, from procedure, the step-by-step how. A common finding is a good policy undermined by a procedure that doesn't implement it.
There's a related, frequently tested gap: the difference between what's written and what actually happens. Examiners test not only whether policies and procedures exist and are adequate, but whether the front line follows them in practice. A bank can have flawless documentation and still fail if loan officers ignore it or branch staff improvise.
That's precisely why the manager's duty to review first-line procedures, and to confirm through monitoring that they're being executed, matters so much. Documentation is necessary but never sufficient; execution is what regulators ultimately judge.
Training and compliance support
- Train board, management, and staff appropriately
- Enterprise-wide and job-specific training
- Track completion
- Provide compliance support and research
Training keeps the program's knowledge current. The compliance function develops and conducts appropriate regulatory-compliance training for the board, management, and staff, both enterprise-wide training on broad obligations and job-specific training for roles with particular exposure, like loan officers on fair lending. Training materials should be reviewed for accuracy, and completion tracked, because examiners check whether the right people were trained.
Beyond formal training, compliance provides ongoing support to internal partners, answering questions and conducting research and analysis when the business hits a regulatory question. The exam may test the distinction between enterprise-wide and job-specific training or the duty to track it. The principle: a control only works if the people executing it understand the rule.
Complaint and third-party management
- Complaint program: capture, route, resolve timely
- Complaints reveal compliance and UDAAP issues
- Third-party/vendor risk due diligence
- Ongoing oversight of vendors with regulatory impact
Two more components. Complaint management means administering or monitoring a program that captures consumer complaints, routes them, and ensures timely resolution of those with a regulatory-compliance impact. Complaints are an early-warning system: a cluster of complaints about a fee can reveal a UDAAP or disclosure problem before an examiner finds it, so the program feeds back into risk assessment and monitoring.
Third-party risk management means assessing new vendors through documentation to ensure their regulatory risks are addressed, and participating in ongoing due diligence (periodic reporting, reviewing scripts, confirming training) for vendors with regulatory impact. Remember: the bank remains responsible for compliance even when it outsources the activity. The exam tests both the complaint-resolution duty and the vendor-oversight principle.
Compliance monitoring
- Risk-based monitoring plan tied to the risk assessment
- Test policies, procedures, controls, and transactions
- Identify exceptions; report to management with remediation
- Monitoring is second line, not independent audit
The fifth component, compliance monitoring, is the program's ongoing self-check. The manager develops and maintains a risk-based monitoring plan grounded in the institution's strategic plans and its risk assessments: the overall compliance assessment, the fair-lending assessment, and new products and services. Monitoring defines a scope and tests policies, procedures, controls, reportable data, and transactions against regulatory requirements to identify risks and potential exceptions.
When exceptions surface, the manager confirms findings with the business units, issues a report to senior management including amounts to be remediated, and reviews changes to products, processes, and external communications and marketing. Crucially, monitoring is a second-line activity performed by compliance itself, distinct from the independent audit we'll cover next. The exam tests that distinction, so keep monitoring and audit separate.
A clean way to remember it: monitoring is compliance checking its own work continuously throughout the year, while audit is an independent party periodically checking compliance's work, including the monitoring itself. Monitoring asks, "Are the controls working right now?"; audit asks, "Is the whole program, monitoring included, designed and operating effectively?" Both produce findings, but only audit provides the independent assurance the board relies on.
When a fact pattern describes the compliance team reviewing transactions, that's monitoring; when it describes internal audit or an external firm evaluating the compliance function, that's the third line. Mislabeling the two is a classic wrong answer the exam plants.
Recap
- Five components: policies, training, complaints, third-party, monitoring
- Policies vs. procedures; review the first line
- Complaints and monitoring are early-warning systems
- Monitoring (second line) ≠ independent audit (third line)
Recap of the program components. A C-M-S runs on five: policies and procedures sized to the institution, with the manager reviewing first-line procedures; training that's enterprise-wide and job-specific, and tracked; complaint management that captures and resolves issues with regulatory impact; third-party risk management with due diligence and ongoing oversight; and risk-based compliance monitoring that tests controls and transactions and reports exceptions for remediation. Remember monitoring is second-line, not the independent audit.
Go test yourself, then we cover managing regulatory expectations, audit, issues, and exams.
Sources
- ABA CRCM Exam Content Outline Domain 3 (CMS), June 2026
- FFIEC Compliance Examination Manual
- CFPB Supervision and Examination Manual
- Interagency third-party risk management guidance
Test your knowledge
A few CRCM questions on this material — pick an answer to see the explanation.
Q1. A bank's 'independent audit' of the BSA program is conducted by the BSA compliance officer who designed and oversees the program. What CMS principle does this violate?
Q2. A bank's compliance risk assessment rates mortgage servicing as low risk despite a high volume of consumer complaints and recent exam findings on payment-application errors. What does this mismatch signal?
Q3. A consumer receives a credit card solicitation in the mail. Which Regulation Z disclosure format is typically provided with the solicitation to summarize the key rate, fee, and term information?
Q4. A bank finances a low-income housing tax credit (LIHTC) project in an LMI census tract within its assessment area. Under CRA, how is this activity likely classified?