What Does a Compliance Management System Look Like?

Published January 2, 2019 · 4 min read

While automated tools often enable your compliance management system (CMS), the CMS is less a technology and more a corporate compliance program. A compliance management system looks like a series of policies, procedures, and processes governing all compliance efforts. However, as more companies embed technology across the enterprise, and more compliance requirements focus on cybersecurity, information security integrates across the CMS.

What is a Compliance Management System?

How to define a CMS

A CMS focuses on the way in which a company manages its legal requirements and its ability to integrate those requirements throughout the organization. Creating an integrated system that limits legal risk incorporates employee training, focused business processes, operational reviews, and corrective action strategies.

What is the compliance risk?

As a heavily regulated industry, the financial sector’s compliance risk often equates to financial risk. Whether it’s your asset-liability calculations or your regulatory compliance requirements from the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), or the federal Consumer Financial Protection Bureau (CFPB), you can face fines arising from non-compliance. Whether harm to consumers’ data comes from an internal control failure or a third-party vendor, financial institutions lacking appropriate data monitoring tools increasingly find themselves subject to notices of violation.

In December 2018, the OCC defined four key risks facing the federal banking system. Of these, operational risk from a complex operating environment and compliance risk arising from amended customer protections both incorporated cybersecurity.

At the same time, the FDIC released a joint statement with the Financial Crimes Enforcement Network (FinCEN) detailing their commitment to innovative strategies and technologies that better enable Anti-Money Laundering/Bank Secrecy Act (AML/BSA) compliance and help manage the compliance risks associated with those legal and regulatory requirements.

Also in December 2018, the CFPB, in conjunction with the Consumer Advisory Board, Community Bank Advisory Council, and Credit Union Advisory Council, engaged in a review of emerging trends in the financial services industry. They focused on the increased use of artificial intelligence and on consumer access to financial records. These new technologies increase the risk of unauthorized data sharing arising out of an institution’s inadequate operations and controls, which can lead to fines. Thus, as a consumer protection agency charged with responding to consumer complaints, the CFPB also focuses on the importance of data integrity and on user access and authentication.

How to Create an Effective CMS

It’s easy to assume that a CMS focuses only on the ways in which your financial institution protects customers and keeps itself safe from money laundering. In reality, market transactions increasingly embed enabling technologies. Thus, the CMS also needs to focus on the ways in which you protect data, to limit the unintended consequences that lead to the customer complaint response process.

The Board of Directors

Your compliance program starts with your Board of Directors. They set the business objectives that allow your organization to manage and mitigate risks. If you’re planning on incorporating a digital technology for loan servicing, you need to ensure that your vendor establishes controls ensuring consumer protections remain in place.

Compliance Program

Your compliance program consists of formal, written documents, policies and procedures, training, monitoring, and corrective actions. Traditionally, these policies and procedures focus on Fair Lending and Mortgage Servicing. However, as your financial institution increasingly uses Software-as-a-Service (SaaS) platforms for data collection or communications, you need to think about the ways in which that technology integrates into the process, to protect you from privacy violations under the Gramm-Leach-Bliley Act (GLBA).

Consumer Complaint Management Program

You need to be able to respond to consumer complaints and inquiries while also tracking, monitoring, and analyzing them. As part of this, you need to protect your customer data from unauthorized access that impacts its integrity, availability, and confidentiality. For example, your IT infrastructure increasingly supports your auto financing objectives. If your auto lending partner’s systems aren’t secure, the data it sends you may be unreliable or compromised, and you may find yourself in violation of requirements.

Compliance Audit

Not only do you need a program, but you also need to engage third-party auditors to ensure that your organization, and your IT suppliers, comply with the requirements. In terms of IT infrastructure, the CFPB Supervision and Examination Manual expressly incorporates GLBA and the Electronic Funds Transfer Act. As your customers engage in more electronic funds transfers, you need to ensure that your financial institution reviews the controls that address vulnerabilities affecting that data.

Who needs to be involved?

As with any compliance requirement, your CMS incorporates a variety of internal and external stakeholders.

Senior Management

Once the Board establishes the business objectives, senior management engages in the vendor risk management (VRM) process. As part of this process, senior management reviews both internal and external written documents to ensure that the vendor aligns with your required controls. VRM functions as a starting place for the management oversight required in most regulations.

Compliance Officer

Almost all financial institutions have compliance officers who oversee the CMS. The compliance officer functions as your financial institution’s compliance captain. In charge of everything from researching regulatory updates to updating risk profiles, policies, procedures, and processes, the compliance officer also needs to maintain insight into the way in which your organization handles information and vendors.

Front-Line Employees

Your customer service representatives act as the first line of defense against improper access to your customer data. Whether it’s your loan or deposit staff, you need to ensure that they use strong passwords and that only authorized staff can access the information. In terms of your CMS, you need to make sure that all employees are appropriately trained based on their role within your organization.

Incorporating ZenGRC as Part of Your CMS

Regardless of the compliance risks you face, you need to integrate data security throughout all business operations. Even though most consumer regulatory requirements remain silent on data protection, you’re increasingly sharing information with third parties to enable better asset results.

With ZenGRC’s compliance management, risk management, and workflow management capabilities, you can wrap many of the tasks required by a CMS into a single tool.

The compliance dashboards and easy audit management functionalities provide insight into the strengths and weaknesses of your IT infrastructure. As such, they show how well you’re protecting data privacy and the platforms that enable your transactions.

Moreover, with our task prioritization and workflow tagging functionalities, you can better communicate with all internal stakeholders to manage the workflows associated with managing an increasingly digital lending portfolio.

For more information on how ZenGRC can enable your CMS, contact us for a demo.
