The CFPB announced that as part of its overall CMS assessment, the CFPB may evaluate the technology controls of an institution and its service providers.
Institutions within the scope of the CFPB’s supervision and enforcement authority include both depository institutions and non-depository consumer financial services companies. These institutions operate in a dynamic environment influenced by challenges to profitability, increased focus on outcomes to consumers, industry consolidation, advancing technology, market globalization, and changes to laws and regulations. To remain competitive and responsive to consumer needs in such an environment, institutions continuously assess their business strategies and modify product and service offerings and delivery channels. To maintain legal compliance, an institution should develop and maintain a sound compliance management system (CMS) that is integrated into the overall framework for product design, delivery, and administration across its entire product and service life cycle. Ultimately, compliance should be part of the day-to-day responsibilities of management and the employees of a supervised entity. Issues should be self-identified, and corrective action should be initiated by the entity. Institutions are also expected to manage relationships with service providers to ensure that service providers effectively manage compliance with Federal consumer financial laws applicable to the product or service being provided. Institutions often use information technology (IT) that could impact compliance with Federal consumer financial laws. As part of its overall CMS assessment, the CFPB may evaluate the technology controls of an institution and its service providers. The CFPB may also evaluate an institution’s IT as it relates to compliance with Federal consumer financial laws. The Compliance Management System – Information Technology (CMS-IT) examination procedures set forth below are used by examiners to assess IT and IT controls as part of a CMS review.
A copy of the CFPB’s announcement of its examination procedures on the subject can be found here.