The Consumer Financial Protection Bureau has long required that an institution within the scope of its supervision or enforcement authority, including both depository institutions like banks and non-depository consumer financial services companies like auto finance companies, develop and maintain a written, sound, and robust compliance management system, or CMS, that is integrated into the overall framework for a product's design, delivery, and administration across the institution's entire product and service lifecycle.
In the CFPB's view, a sound and robust CMS is how an institution, among other things, establishes its federal law compliance responsibilities and maintains legal compliance. Institutions are also expected to manage relationships with service providers to ensure that those providers effectively manage compliance with federal consumer financial laws applicable to the product or service being provided. The CFPB has routinely requested those that it supervises/examines and even those against which it has enforcement authority to provide it with a copy of the entity's CMS.
As a refresher, a CMS is how an institution: (1) establishes its compliance responsibilities; (2) communicates those responsibilities to employees; (3) ensures that responsibilities for meeting legal requirements and internal policies and procedures are incorporated into business processes; (4) reviews operations to ensure that responsibilities are carried out and legal requirements are met; and (5) takes corrective action and updates tools, systems, and materials as necessary.
The CFPB claims that an effective CMS commonly has two interdependent control components: (1) board and management oversight; and (2) a compliance program, which includes policies and procedures, training, monitoring and/or audit, and consumer complaint response. Keep in mind that this is a CFPB requirement to ensure an entity's compliance with federal consumer financial services laws and regulations.
I've heard from clients over the past year or so about a new and disturbing trend at the state level. State regulators have been speaking with their counterparts at the CFPB, and some have really beefed up their examination procedures. Prior to or during a state examination, some state regulators have been requesting that the licensee provide them with a copy of their CMS or compliance management program and other policies and procedures. What used to be a relatively simple and straightforward state exam with a request for a few reports and a questionnaire about a licensee's practices has turned into a near-hundred-item examination.
Plus, the state regulators are taking after their federal brethren and asking for a copy of the licensee's policies, procedures, and/or manuals relating to various aspects of the licensee's advertising; marketing; underwriting; originations; fair lending; servicing and collections; affiliates and related organizations; service providers; training policies and procedures; information technology and cybersecurity; written risk assessments; complaint management; monitoring; and internal and external audit reports. Sound familiar? It should; this sounds as though the state regulators are asking for a written, sound, and robust CMS from the licensee.
Some state regulators may simply request that the licensee provide a copy of its CMS or compliance management program and will just "check the box": the licensee either has one or it doesn't. However, some state regulators take their roles and examinations very seriously and consider the failure to have a CMS a major deficiency. If the licensee has to fess up and admit that it doesn't have a written CMS or compliance management program in place, then some state regulators will ask the licensee to describe in great detail the procedures and methods that it uses to ensure that it's complying with the law.
If you don't have a written, sound, and robust CMS that meets the requirements identified by the CFPB, you can't hide from your duty any longer because state regulators could ask you to provide it as part of your state examination. So, you can either bite the bullet and pay the piper to have the CMS prepared now, or you can wait until you get that examination letter from either the CFPB or a state regulator demanding a copy of your CMS and policies and procedures and then have to quickly scramble to get everything in place before your examination.
Trust me; it's going to cost you a whole lot more time, effort, and money to get the CMS rushed into place when you do get that examination letter or Civil Investigative Demand (if it is even possible to do so in such a typically short window) than if you had put the CMS and policies and procedures in place when you were not on that tight deadline. The examination and CID demands also typically ask for other reports and documents, so will you actually have enough time to prepare a CMS that's integrated into the overall framework for a product's design, delivery, and administration across your company's entire product and service lifecycle AND get it approved by the Board of Directors before the examination date? Highly, highly doubtful.
Additionally, by rushing through things and slamming a CMS in place, you're likely to miss something, possibly something particularly important. Finally, hurrying to put your CMS and policies and procedures in place will be readily apparent to the federal and/or state regulator. The regulator is not likely to go easy on your examination (or enforcement) if it looks like you've scrambled to put something together before the examination.
Enhanced examination procedures appear to be a concerning trend at the state level, and we're sure to see more state regulators demand that a licensee provide a copy of its CMS. Take some time to speak with your friendly compliance lawyer about your CMS and policies and procedures before you get that examination letter or CID.