In September 2021, recognizing that information technology (IT) could impact compliance with federal consumer laws, the CFPB published a new section in its review manual titled “Compliance Management Review – Information Technology (CMR-IT)”.
The new section recognizes that as part of its assessment of the compliance management system (CMS), the CFPB may assess the technological controls of an institution and its service providers. The CFPB may also assess an institution’s IT for compliance with federal consumer finance laws.
The CMR-IT includes specific questions to assess:
- How the board of directors interacts with and supervises its IT group (pages 5-7).
- How compliance and IT intersect when it comes to policies and procedures (pages 7-9).
- How employees are trained on IT issues, including security, and how IT staff are trained (page 10).
- Whether IT functions are properly audited and managed, including QA and QC (pages 12-13).
- Processes, procedures and responses to consumer IT-related complaints (page 14).
- Functions and supervision of the IT service provider (pages 15-16).
The new exam manual is available here.
Any organization subject to the CFPB should regularly review its CMS, at least once a year, to ensure that it meets the expectations of the CFPB. When writing or updating a CMS, these review manuals are extremely helpful. While there are always nuances, the CFPB exam manuals provide a pretty clear overview of what the CFPB will look at if they come knocking on the door.