Consumer Compliance

Compliance Management System (CMS): The CFPB Framework

The short version

A Compliance Management System (CMS) is how a financial company manages the consumer-compliance risk across its products and operations. The CFPB assesses it through a Compliance Management Review, and its framework has two interdependent components. The first is board and management oversight: the governance that sets the tone, allocates resources, and holds the program accountable. The second is the compliance program itself, which has four interdependent elements: policies and procedures, training, monitoring and corrective action including audit, and consumer complaint response. A weakness in any one element undermines the others.

Consumer compliance is not a single rule; it is a portfolio of them, from fair lending to electronic transfers to debt collection. A Compliance Management System is the structure that holds all of it together, so the company is not managing each regulation in isolation. The CFPB treats the CMS as the first thing it assesses, because a sound CMS is what catches problems in any individual regulation before they reach consumers. This guide covers what a CMS is, the CFPB framework, the four program elements, why examiners lead with it, how to build one, and where it goes wrong.

What a CMS is

A Compliance Management System is the combination of governance, policies, processes, and controls a company uses to manage compliance with the consumer-protection laws and to prevent harm to consumers. The CFPB evaluates it through a Compliance Management Review, and a strong CMS is the difference between a company that finds and fixes its own problems and one that waits for an examiner or a lawsuit to find them.

The two components

The CFPB framework rests on two interdependent components: board and management oversight, which sets the tone, allocates resources, and holds the program accountable, and the compliance program itself, which is made up of the four elements described next.

The four program elements

Element: what it does

Policies and procedures: Written policies that translate each applicable consumer-protection law into how the company actually operates.

Training: Role-based training so the staff who carry out the processes understand the requirements that apply to them.

Monitoring and corrective action: Ongoing monitoring and periodic audit that test whether the controls work, with a process to correct what they find. This is the compliance audit function.

Consumer complaint response: A process to capture, resolve, and learn from consumer complaints, which are an early signal of compliance problems.

The elements are interdependent. A policy that no one is trained on does not operate. Monitoring that never feeds corrective action produces findings that recur. Complaints that are resolved but never analyzed waste the clearest signal a company gets.

Why examiners lead with it

An examiner assesses the CMS first because it predicts everything else. A company with a strong CMS will have caught most individual violations itself; a company with a weak one will have systemic problems an examiner expects to find across products. The CMS review is also where the examiner judges whether a violation is an isolated error or a symptom of a program that cannot govern itself, which drives the severity of the response.

How to build one

Step 1: Establish board and management oversight

Set the compliance expectations at the top, designate a qualified compliance officer with authority and resources, and define the reporting that holds the program accountable.

Step 2: Inventory the applicable laws and write the policies

Identify every consumer-protection law that applies to the products, and write policies and procedures that translate each into operations.

Step 3: Train the people who carry it out

Deliver role-based training so staff understand the requirements that apply to their work, and track completion.

Step 4: Monitor, audit, and correct

Test the controls through ongoing monitoring and periodic independent audit, and route findings into corrective action that closes.

Step 5: Capture and learn from complaints

Build a complaint-response process that resolves issues and analyzes them for the compliance problems they reveal.

Where it goes wrong

A Compliance Management System is the structure that makes every individual consumer-protection rule manageable. The regime guides below sit inside it. For the unfairness standard that cuts across all of them, see the UDAAP guide; for the equivalent structure in financial crime, see the BSA/AML program pillars.

Primary sources

Common questions

What is a Compliance Management System?

A Compliance Management System (CMS) is how a company manages compliance with the consumer-protection laws and prevents harm to consumers. Under the CFPB framework it has two components: board and management oversight, and a compliance program made up of policies and procedures, training, monitoring and corrective action including audit, and consumer complaint response.

What are the elements of a CFPB compliance program?

Four interdependent elements: policies and procedures that translate each applicable law into operations, role-based training, monitoring and corrective action including periodic audit, and a consumer complaint response process. They sit underneath board and management oversight, and a weakness in one undermines the others.

Why does the CFPB assess the CMS first?

Because the strength of the CMS predicts everything else. A company with a strong system will have caught most individual violations itself; a weak one will have systemic problems across products. The CMS review also tells the examiner whether a violation is an isolated error or a symptom of a program that cannot govern itself.

How does a CMS relate to the individual consumer-protection laws?

The CMS is the structure that manages all of them together: UDAAP, fair lending, FCRA, Regulation E, debt collection, and the rest. Each regulation is implemented through the same four program elements, so the company manages a single system rather than each law in isolation.

From the team behind this guide

A CMS examiners credit

Compliance Command Center builds and runs the Compliance Management System the CFPB framework describes: oversight, policies, training, monitoring and audit, and complaint response, with the evidence each element produces kept current. Practitioners build it, with a human reviewing every deliverable, so the program reads as sound when an examiner assesses it.
