Once your compliance policies have been finalized and distributed to the appropriate personnel, you may feel the hard work is complete. You deserve a moment to breathe and congratulate yourself on a job well done! Before you file the policies away, however, take a moment to lay the groundwork for the ongoing development and testing that must take place in order to reflect changes to legal requirements and business practices. What worked well for your organization on Day 1 may not reflect your organization’s future practices or legal standards.
Further, carefully consider which outside resources should be employed and how to go about doing so. For example, recent settlement agreements and consent orders with the Consumer Financial Protection Bureau have cited evidence from third-party consultants. These organizations likely acted in good faith to test practices and use industry specialists, but the reports appear to have caused unintended consequences since examiners used findings in the reports to initiate or supplement enforcement actions. These external auditors certainly provide a valuable service and organizations should continue to engage their expertise while also carefully considering how to review and correct any findings.
If your board of directors has been engaged in the initial implementation of a policy, you should expect to periodically update them on the testing results. The board should not only authorize and adopt the compliance policies, it should also expect to receive timely reports from management as to how testing will be performed. The board should also require that any corrective action be taken in a timely manner.