Years ago, the phrase compliance management system (CMS) rocked our world when the Consumer Financial Protection Bureau (CFPB) introduced a compliance program which included a CMS requirement for all financial institutions the bureau oversees. Dealerships had a leg up on how to create a CMS, as our industry was required to implement a similar program when developing a Safeguards program and then with the Red Flags Rule program.
A CMS is simply described as a structured approach to developing and implementing processes in each of the dealership's operations that are compliant with any state, federal, or industry standards requirements. Many dealers may have a CMS implemented in their dealership and not even realize their compliance efforts meet the criteria of a CMS.
A CMS is the method by which a dealer manages the entire compliance process, including not only a compliance program, but also an audit function.
The compliance program includes the dealership's policies and procedures. It outlines the laws and regulations the dealership's employees need to adhere to, and provides potential litigation defenses.
The audit function is an independent test of the transactions and processes to determine the level of compliance with the laws, rules, and regulations, as well as the policies and procedures set forth by the dealership.
The process of implementing a CMS is similar to the five components required by the FTC in its guidance on the Safeguards Rule and the Red Flags Rule, which include:
- Appoint a compliance officer
- Conduct a risk assessment to gauge current practices
- Develop policies and procedures to address compliance requirements
- Provide and document employee training on the policies and procedures
- Perform periodic audits to confirm continued compliance with the policies and procedures
A Sixth Component?
The Consumer Financial Protection Bureau has identified that an effective CMS must include an audit function. Its position is that compliance should be part of the day-to-day responsibilities of dealership management. Management needs to identify any issues and take immediate corrective action. Though necessary, annual periodic audits do not fulfill the need to identify immediate compliance issues. This is because an annual audit captures a snapshot in time, so it runs the risk of finding issues months later. Risk managers are starting to look at a sixth component, something closer to a continuous, real-time audit component. Continuous monitoring is a process used to detect compliance and risk issues over time. It tracks audits over time and detects weaknesses in the CMS.