The CFPB has added a new section to its Supervision and Examination Manual titled “Compliance Management Review-Information Technology.” The new section supplements the existing section on Compliance Management Review to provide examination procedures to be used by CFPB examiners to assess information technology (IT) and IT controls as part of a Compliance Management System (CMS) review.
In the introduction to the new section, the CFPB recognizes that IT used by institutions can impact their compliance with federal consumer financial laws. Accordingly, in conducting an overall CMS assessment, the CFPB may evaluate an institution’s IT as it relates to compliance. It may also evaluate the technology controls of an institution and its service providers. This follows from the general principle that the Bureau’s supervisory expectations with respect to an institution’s compliance program extend to its service provider relationships.
The new section sets forth IT-specific procedures for examiners to use in assessing:
- Board and management oversight related to IT
- A supervised entity’s compliance program related to IT, specifically IT policies and procedures, IT training, IT monitoring and/or audit, and IT-related consumer complaint response
- A supervised entity’s oversight of service providers that support IT functions