What Does Your Compliance Committee Look Like?
A member writes in with the following question:
Hello, The CFPB audit guide advises collection agencies should have a "Compliance Committee". Does anyone have this? What staff members make up your team? What responsibilities do they take on? Is this really just another name for a Compliance Department? Any information that you can provide would be great.
The CFPB updated its Supervision & Examination Manual in June of 2020, so this is the latest guidance they have on compliance committees and board/management oversight:
Board and Management Oversight – Examination Procedures
1. Review board meeting minutes and supporting materials during the period under review for coverage of compliance matters.
2. Determine board committee structures and delegated responsibility for compliance matters, such as to an audit committee or risk committee, and review the meeting minutes and supporting materials of those committees for coverage of compliance matters.
3. Determine any management committees with delegated authority and accountability for compliance matters, and review their composition, functions, authority, and reporting to committees of the board or to the board.
4. Determine management’s oversight and review of heightened areas of risk, such as fair lending; sales practices and production incentives (including performance goals); and unfair, deceptive, or abusive practices; commensurate with the institution’s size, complexity, and risk profile. Such review should include a review of management oversight, delegations, authorities and input into substantive policies or procedures, audits, and monitoring related to heightened areas of risk.
5. Determine the authority and accountability for compliance matters of regional or business unit governance bodies, and review their composition, functions, and reporting.
6. Review the formal compliance program adopted by the board of directors or an appropriate committee of the board, and determine whether commensurate resource allocation for compliance is part of the entity’s budget and planning process.
7. Identify the chief compliance officer and other individuals responsible for compliance.
8. Review the role of the chief compliance officer for authority to lead a compliance program and for independence from business units.
9. Review board and board committee records for evidence of the chief compliance officer’s independent access to board members and governance bodies.
10. Review processes for the identification of new regulatory requirements, changes in requirements, and planning for implementation.
As far as the committee make-up and practical responsibilities that your peers in the industry are following, here are some thoughts:
1) We have a committee that is made up of our C-level execs, compliance and legal. We meet quarterly to review any compliance/legal related items. The mission of the committee is to ensure a strong and consistent governance framework, and to assist the Board in its oversight of the company’s management of key risks, including compliance, regulatory, operational, legal and reputational risks, as well as the guidelines, measurement, procedures and processes for monitoring and mitigating such risks.
2) We are a small collection agency and I am just now starting to put together our compliance program, but it will only be one person, not a committee.
3) Our compliance committee consists of Chief of Compliance, CEO, COO and CSO.
Our experience is that this committee should be made up of a couple of senior officers of the company, including compliance. They would review potential changes, onboarding of new vendors, review audit results and have compliance reporting shared with them. This allows multiple functions of the business to understand what is happening both in the company and with clients.
4) Our Compliance Committee is a fully functioning group of the company officers and other senior management stakeholders (16 people currently) that meets each month and reviews the results of the Compliance Program to ensure it is effective. There is a very formal process with notes taken, complaint and audit reviews, an annual report, training program schedules approved, policy change approvals etc.
5) I think the look of the “Compliance Committee” will be different based on the size of your organization. But the Compliance committee should not just be your Compliance Dept. It needs to be different. The whole point is to have oversight (and insight) into the Compliance landscape. Typically a Compliance Committee will consist of members of Sr. Mgmnt or Board Members of the company. These people may or may not be involved in the day to day compliance operations, but should be aware of what’s going on and meet regularly (quarterly or monthly). The Chief Compliance Officer (or equivalent) should report regularly to the Compliance Committee on Compliance projects/activities/issues within the organization and also what’s going on in the industry.
6) Yes, we have a compliance committee. Actually it is a subcommittee of the management committee, which comprises the partners of the firm—essentially our board of directors. Three of the partners, including the CCO, are on the compliance subcommittee. Technically, the CCO reports to the subcommittee about a host of topics, including risk assessment, risk management, training, monitoring, structural controls, auditing, and complaint handling. The subcommittee uses that information to set priorities and adjust policies, and to give the CCO direction on the next round. The compliance management system, in other words, forms a big feedback loop, with policy informing procedures, and performance informing policy. That’s probably more than you asked for, but it’s all so interconnected that it’s hard to break out.
No, it is not the compliance department. That comprises the CCO and the staff that work for the CCO. We have 2 staff who answer to the CCO, but neither works full-time in the compliance department. The staff’s most important function is to perform internal & external audits. (Technically, the CCO should direct, but not actually participate in, the audit process.) The staff also helps with other tasks, like uploading tests to our test site, confirming completion & passing scores, assisting in updating procedures and the mechanics of our policy & procedure management system, and the like.
7) We have a compliance committee. We have documented discussions regarding issues and strategies for improvement. We have a set agenda based on the CFPB exam model… we don’t always have an item to discuss for everything on the list.
Our team is the compliance manager, general counsel, collection manager, operations manager and President.
8) I am a committee of one. I think they would have to consider the size of your agency. Some agencies likely require a committee, but it wouldn’t make economic sense to have a committee when you are a small agency.
That’s a common sense answer, not necessarily the right one.
9) It’s usually a combination of compliance and ops people. Maybe even an HR person.
In my organization it’s the CCO, VP of ops and the COO. We also invite other team members who may be SMEs in the topic we are discussing at that time.
They take on the role of reviewing key policies and procedures related to the CMS program and ensuring that they comply with all regulations and internal policy statements, especially around consumer facing procedures.
They should produce regular reports to the board to satisfy the oversight requirements.
10) This is a Board or Sr Exec Group that does not report up through the Performance Group. The idea is that they will review compliance trends and decisions and confirm that compliance is not being pushed aside for performance. The Compliance Dept should report to this group rather than a Sales or Performance manager.
11) Vice President, Senior Operations Manager, Vice President, IT Department, Chief Privacy and Compliance Officer, Compliance Department Supervisor, Manager, Collections (Permanent) CMS committee and others invited to participate depending on subject matter.
12) We had one at my last company. Made up of:
- COO – Chief Operating Officer
- Director of Collection
- Compliance Manager - organizer
- Director of Customer service
- Director of HR
We also had our Attorney group. Top 3 met weekly with attorney to keep up with industry changes. When action items came up everyone met to make sure we considered everything from our respective points of view. Worked well and all stakeholders were considered.
13) In my experience, the Compliance Committee is composed of the Chief Compliance Officer, the General Counsel (if the company has one), the CEO/COO, Quality Assurance manager/director, and other individuals who have authority to make operational decisions, and establish, approve and enforce policies. It doesn’t have to be too big, but its members should be willing and able to walk the walk and talk the talk related to compliance. They will set the tone from the top.
Their duties would be to receive and review data related to compliance (complaints, lawsuits, corrective actions with employees and vendors), look at trends and make decisions about how to reverse negative or harmful trends, review policies, write new policies, discuss the company’s approach to rewards and consequences related to good/bad compliance behaviors. Big picture stuff related to compliance.
14) We have a compliance committee that is made up of one person from each department. We discuss all items compliance and they take it back to share at their staff meetings. They also bring compliance questions/updates from their group to the meeting to share. We also have a few of them that volunteer their time to monitor calls, assist in compliance trainings, etc.
15) We do not have a Compliance committee. Our Compliance Department consists of one person, me. Perhaps this is because we are only considered a mid-sized company, 150 employees.
16) Corporate Compliance Committee Members:
- General Counsel
- SVP HR
- Director of Compliance – chairs the meeting
- Others may but are not required to attend, for example:
  - VP Operations
  - Corporate counsel
  - Director of Internal Audit
17) We have a few different committees focused on Compliance, and no, the Compliance department doesn’t make up the majority of the membership.
- Senior Management Level – meets monthly to discuss trends in consumer interactions (disputes, complaints, etc.) and made up of Senior Management in General Counsel, Operations (we break ours by group – management from complaints/disputes, digital operations, legal recovery operations, etc.), Strategy, and chaired and led by Compliance. Guests can attend at the request of one of the members, but they typically do so in a listening capacity.
- Executive Management Level – meets quarterly at minimum to discuss all Compliance aspects: rolled up reports of testing, vendor management, consumer interactions, monitoring, etc. All Executive Management are members, and it is led/chaired by Compliance Executive Management. Guests may attend, again in a listening capacity, at a member’s request.
- Board Committee – this would be a chartered committee of an organization’s Board of Directors, should this be appropriate for the organization.