In September 2021, recognizing that information technology (IT) could impact compliance with Federal consumer laws, the CFPB published a new section to its examination manual titled, "Compliance Management Review – Information Technology (CMR-IT)."
The new section acknowledges that as part of its Compliance Management System (CMS) assessment, the CFPB may evaluate the technology controls of an institution and its service providers. The CFPB may also evaluate an institution's IT as it relates to compliance with Federal consumer financial laws.
The CMR-IT includes specific questions to evaluate:
- The board of directors' interaction with and oversight of its IT group (pages 5-7).
- How compliance and IT intersect when it comes to policies and procedures (pages 7-9).
- How employees are trained on IT-related issues, including security, and how IT staff is trained (page 10).
- Whether IT functions are properly audited and managed, including QA and QC (pages 12-13).
- Processes, procedures, and responses to IT-related consumer complaints (page 14).
- IT service provider functions and oversight (pages 15-16).
The new exam manual can be found here.
Any organization subject to the CFPB should be routinely reviewing its CMS, annually at a minimum, to ensure it meets the CFPB's expectations. When drafting or updating a CMS, these examination manuals are extremely helpful. While there is always going to be some nuance, the CFPB's examination manuals give some pretty clear insight into what the CFPB will be reviewing if they come knocking.