Overview of general questions

Why should I be concerned and what do I HAVE to do? I'm not a big corporation - what's the risk if I don't do anything different? What's different about your system?

Does my small company really need this system?

Yes. Today regulatory compliance is mission-critical. All covered businesses are being reviewed for compliance with 13 federal laws protecting consumers. All federal agencies take part in enforcing these regulations. Primary enforcement and rulemaking originate at the FTC, FCC, CFPB, SEC, and DOJ. Typically they claw back all the revenue that violators have received and add civil penalties on top.

Who needs a CMS? All U.S. law firms, collection agencies, debt buyers, accounting firms, all direct and indirect finance companies with first-party collections, SMBs, auto dealers, consumer businesses, and title loan and payday loan companies.

What kind of penalties have been issued?

Fined parties have included a one-man homebuilder in Texas, a single real estate development project at a golf course in Kentucky, SMBs, and global corporations, with penalties ranging from $25,000 to billions of dollars. Papa John's Pizza paid $16.5 million after franchisees sent unsolicited text coupons to cell phone customers.

What activities are governed?

Every corner of business operations is under review, even activity outside your own operation (your vendors' actions). Congress established the Consumer Financial Protection Bureau to enforce consumer financial laws. Among other things, they:

  • Write rules, supervise companies, and enforce federal consumer financial protection laws
  • Restrict unfair, deceptive, or abusive acts or practices
  • Take consumer complaints
  • Enforce laws that outlaw discrimination and other unfair treatment in consumer finance

The Bureau, along with the other alphabet agencies, has collected tens of billions of dollars in fines and penalties.

What are the steps leading to an audit?

First, a communication from the agency, likely a CID letter (Civil Investigative Demand) asking for information. You'll have to gather documents to send to them within ten days. Follow their requests and gather your own information as well. You may be able to resolve the issue prior to an audit through supervisory involvement, perhaps on a continuing basis, with the agency requesting periodic audits/reports for some period of time. If a resolution is not reached (serious violations, a large number of consumers involved, vendor violations with no apparent monitoring on your side), they may inform you of an intention to audit. IF YOU DO NOT HAVE A CMS AND A COMPLIANCE PROGRAM (INCLUDING A VENDOR MANAGEMENT PROGRAM AS RELEVANT), THE CHANCES OF AN ONSITE AUDIT ARE HIGHER. They will examine everything: sit with employees, listen to customer service phone calls, examine all records, review all advertisements, and go through your CMS, procedures, and training (content and records).

How or Why did I get selected for an audit?

Something moved you into view at the agency. Common causes are listed below; if more than one of these applies, you are "lit up."

  1. Complaint(s) against your firm made by consumer(s);
  2. Your sector (e.g., Payday Loans) is one that has come into focus, often due to complaints or politics;
  3. The media has decided the public's concerns are newsworthy and you're in the news;
  4. A risk factor has been triggered; the most common is Reputational Risk: your firm is targeted on Facebook, Twitter, etc. by consumers.

How is Compliance Umbrella different than buying compliance software elsewhere?

We use a subscription-based software delivery model. Our single license fee covers your firm and all employees at one location – and all employees need to use the system to achieve compliance. Self-service includes built-in billing, monitoring, and usage reporting and information, giving you a unified view of what you're paying and what you're receiving.

In addition to a fully populated CMS, you have access to a Vendor Management Program, a Data Security Program and other free tools. And we are working on version 2 right now with CMS enhancements, tools, and an added Bank Module.


How does having procedures help me?

The best way to ensure your employees are complying is to use a CMS, with policies, procedures, training, and a complaint management system. If the Bureau chooses to look at your firm, their first step is to:

  • review your CMS – they expect everyone to have a CMS;
  • ensure your staff has correct, current procedures that direct staff how to comply. There should be a procedure for every statute and regulation that applies to you; you won't need to be concerned with regulations that do not apply to your business;
  • examine your training to ensure the staff has learned what's in your procedures and how to use them;
  • and finally, examine the complaint system that guides your firm in managing and resolving consumer complaints.

What's the difference between your CMS and the CMS offered by other companies?

The CMS by Compliance Umbrella IS compliance-in-a-box, populated with procedures, training lessons, quizzes and other free offerings. Building this is a major challenge for all businesses, especially small and medium-sized businesses. Look at other products for statements that you can use their product to "load" your procedures, or a service that provides a shell to "manage" your Compliance Program. These products are of minimal value if you do not already have a fully populated compliance program with procedures, training, etc. Compliance Umbrella also offers a Data Security Module and a Vendor Risk Management Program – included at no extra charge, whereas in most cases these very important processes and tools are sold separately.

Bank of America knows it is – missing training was a prime factor in a $20 million civil penalty and $268 million in refunds. Consent Order #2014-4

It was for Ally Bank. Mandated ECOA training for their vendors/partners was ordered by the CFPB along with the payment of $98 million in restitution and fines. Consent Order #2013-10

GE Capital had to refund $268 million and promise to train every 2 years. If even one employee goes over 30 days without completing training, all operations of the service provider are suspended until training is complete. Consent Order #2013-9

A major product area at JP Morgan was shut down until a full compliance program (with training and operating procedures) was put in place at a vendor. Consent Order #2013-7.

Mortgage Master, a small mortgage lender that wrote 100 loans during 2010, was notified as deficient in training, operating procedures and audits. They paid a $25,000 administrative penalty and the agency is now monitoring their future operations. Consent Order #2013-6. Another small lender, specializing in helping enlisted men at a nearby military base finance their vehicle purchases, had to refund $3.3 million to customers due to deficiencies in recordkeeping, training and procedures. Consent Order #2013-4.

A federal Order mandated the exact contents of the Compliance Plan for a single bank (Washington Federal) – with training and procedures at its core. Consent Order #2013-5.


We have very few complaints (almost none). Does that reduce our compliance risk?

No. One complaint could cause big problems. The complaint database may be the most important module in your CMS, and that's because the agencies say it is. For example, the CFPB website heavily encourages consumers to come to their site to enter complaints. They're buying banner ads on websites, advertising for complaints! And the Bureau launched a feedback process to add a social-media-styled model to complaints.

One of the toughest complaints to handle is the UDAAP (unfair or deceptive) complaint (FTC). Critics contend that the mere occurrence of a UDAAP complaint proves that a UDAAP violation occurred. The standard is subjective – and UDAAP complaints can easily move into the Reputational Risk area, a difficult challenge for firms to avoid/solve.

How does your complaint system work?

All complaints from all sources can be stored, managed, resolved and reported from here. It is the subscriber's duty to gather all complaints from the various sources into our system. Complaints are forwarded (in most cases) to you by the receiving agency; they may also be shared with the Dept. of Justice for review of possible criminal elements. We have added features to assist in managing your complaints, including a notepad where all employees can note call content.


Why is Data Security in the CMS?

Business risks are substantial in the data security area, so data security solutions belong in your CMS. When your owner, senior management or Board considers these risks and approves and implements the steps we've included, your firm demonstrates its concern and action in this area.

Aren't Security Risks lower given the size of my business?

There is a clear trend showing that small and medium-sized businesses (SMBs) have become a major focus for hackers in recent years. One survey reported that 60% of all cyberattacks occur at small and medium-sized businesses. Recent regulations and even an Executive Order are spreading the same risks and responsibilities over ALL businesses.

What data security laws am I responsible for?

Not many data security regulations apply directly to SMBs, although the total number of laws and regulations is approaching dozens, and by virtue of vendor liability your firm may need to follow the same Safeguards Rule required of financial institutions under Gramm-Leach-Bliley.

What will I need to do for data security and to avoid being hacked?

Using a best practice approach (BPA) and paying attention to training offers a robust method for meaningful improvement and real protection. More could be needed, but BPA and training are a good start. We include a Security Program for your use, not only for security but to enhance your peace of mind and increase your standing with your clients and vendors.


Compliance Umbrella conducts research and utilizes our legal team to locate and present the regulatory information in our system. However, we make no express or implied warranty regarding such information or data, and hereby expressly disclaim all legal liability and responsibility to persons or entities that use or access our material, based on their reliance on any information or data that is available through this website.

The information available in this Manual is not intended to be, nor should be considered as legal advice. It is not intended to substitute for obtaining legal advice from competent, independent, legal counsel in the relevant jurisdiction. Transmitting or receiving this information is not intended to create and does not constitute an attorney-client relationship. This website does not purport to be authoritative regarding current federal statutes, regulations, orders or other federal authority, nor does it bind us regarding the matters presented.

The content of this website is not designed or intended to provide authoritative financial, accounting, investment, or other professional advice which may be reasonably relied on by its readers. If expert assistance in this area is required, the services of a qualified professional should be sought.

This general disclaimer is in addition to, and not in lieu of, any other disclaimers found in the Terms of Service, or on pages, applications or programs within this site. In addition, the terms of this disclaimer extend to Compliance Umbrella, its directors, officers, and employees.


What about my vendors and suppliers?

All federal agencies have put a heavy emphasis on and penalized companies for the actions of their vendors and service providers. This requires appropriate procedures to be in place to help protect your business. At Compliance Umbrella we have a separate Vendor Management Program provided to all subscribers.

What if I'm a vendor or service provider?

In this case you've likely received inquiries from your client(s), often in the form of a VENDOR RISK ASSESSMENT questionnaire or something similar. To satisfy clients and address the mandate they are under, you will need to work toward compliance by installing our CMS, using it as required, and communicating all this to your client. Through vicarious liability, your client is liable for your violations, including all penalties and fines.


The extra items we've added (and will continue to add) are an aid for our subscribers to enhance and protect services and profits using open source solutions, partnerships with attractive offerings and free software tools we develop. Some are available now, some are under development.

  • Business Resumption Template (available now)
  • Data Breach Notification Program (available now, covers state laws and federal bill in Congress)
  • Check Lists for document retention and document destruction (coming soon)
  • Client Verification (to provide to clients who inquire about your regulatory compliance program, available in the Vendor Risk Procedure)
  • Internal Audit checklists (various types of audits, an ongoing project here at Compliance Umbrella)


After I subscribe, what steps are needed to activate my subscription?

Because of the way our software is delivered, over your own secure web pages, setup is very easy and happens very quickly. The tasks for your firm to perform include:

  1. Involve the Board of Directors, owners and upper management in making the decision to initiate a robust compliance system; document the approval and the communication of your support to all employees.
  2. Designate your compliance coordinator and any others who will manage the CMS activities (then document this).
  3. Enter user IDs for all employees who have compliance responsibilities.
  4. Oversee their logging in and password setup for their use.
  5. Hold employee meetings to inform, orient and instill compliance as a daily concern, using the CMS as the integration tool for this.

Your compliance coordinator will determine the schedule for:

  1. Lists of employees with compliance responsibilities;
  2. Other team leaders and coordinators for Business Resumption;
  3. A timeline for:
    • Reading procedures
    • Covering lessons
    • Taking quizzes
    • Completing the brief lesson on complaints in the Complaint Module