CFPB addresses IT examinations in updated Supervision and Examination Manual
Recently, the CFPB updated its Supervision and Examination Manual to include a new section, Compliance Management Review – Information Technology, to assist examiners in assessing the IT controls of an institution and its service providers as part of a compliance management systems (CMS) review. Every institution under the Bureau’s supervision and enforcement authority is required to have a CMS adapted to its business strategy and operations. Among other things, the new CMS-IT examination manual outlines the following five modules: (i) Module 1: Board and Management Oversight; (ii) Module 2: Compliance Program; (iii) Module 3: Service Provider Oversight; (iv) Module 4: Violations of Law and Consumer Harm; and (v) Module 5: Examiner Conclusions and Wrap-Up. Each module addresses the examination objectives of the relevant policies and procedures, including those related to the oversight of and commitment to an institution’s CMS, change management, risk management, self-identification and corrective action, and consumer complaint responses. The modules also discuss appropriate training, monitoring, and auditing of the various stages of an effective CMS program.