Creating a Culture of Compliance within your Organization

We are here to help companies make managing compliance, well, manageable. We’ve defined the role and responsibilities of the Chief Compliance Officer. We’ve helped delineate what a Compliance Management System (CMS) is all about. We are now here to share the next best kept industry secret to achieving compliance success – creating a culture of compliance within your organization.

You can tell a lot about a company’s overall compliance posture by speaking with their employees. A positive attitude towards compliance means a positive working environment and employee buy-in. There are plenty of obstacles to overcome as a Chief Compliance Officer, so our goal is to help encourage steps you can take to create a positive culture of compliance within your organization, share some tips for creating incentive programs and overcoming bad habits and negative behavior, and discuss some ways to communicate risk in order to change management direction.

Creating a positive culture of compliance and driving cultural change within your organization requires strong leadership skills.  Your position as the Chief Compliance Officer gives you the authority, but that’s not all that’s required. An effective leader should have a vision, strong communication, and a clear strategy.

Vision is the first step in driving cultural change in a positive direction. You can’t just spout change without having an end goal in sight. In what direction should the organization go? You’ll need an idea of what you are wanting to change before you are able to set out to change it. The oversight and guidance is there to help shape your vision for achieving your organizational compliance goals.

The next step in achieving this culture of compliance is the importance of effective communication – starting with the Board of Directors/Executive Level Management. By understanding the requirements associated with your role as the Chief Compliance Officer, you can educate management by identifying associated business risks. Asking for their support will help spread the culture you’re after from the top down. Show them relevant enforcement actions so they can truly understand the risks associated with the industry. A common question asked by this level of management is “What’s it going to cost me?” Well, what’s at stake? Compliance has to come first. Show them what you’re protecting the company from. Show them specific cases and the ownership of what happened to each agency.

Communicating with mid-level management is also important. They should also be educated on the associated risk, but more importantly, should be involved in the risk management process itself. By developing and showing a risk/reward analysis, you can show how making a change can actually increase revenue and increase reward. A change in the culture of your organization is not a negative thing, and that’s what needs to be stressed and communicated effectively to this level of management as well. Demanding change without presenting a solution can be a risky move if you’re not wanting an operations team vs. compliance team war. Suggest things you can do within the organization to help reach common goals. Provide proof of your concept while making and implementing any changes.

Lastly, effective communication with collectors is key. You must deliver clear expectations with useful and accessible policies, procedures, and work instructions. You shouldn’t have any expectations without them being documented. Training and awareness will help your collectors understand the importance of compliance while helping them get on-board. If the tone is set from the top, they will follow. Creating collector buy-in should be done using fair and equal treatment, such as rewards for compliance as well as discipline for violations. Remember, it can take time to break bad habits and strive for positive change!

The final step in creating a culture of compliance within your organization is having a fully developed strategy and plan for continuous improvement (Plan, Do, Check, Act). Use your monitoring and audit results to plan for further improvements. Part of your responsibilities as Chief Compliance Officer is to stay current with any new rules and regulations in order to react effectively. And lastly, continue to involve management in the evaluation of risks in order to help to continue to create a positive culture of compliance.

Looking for a consultation in regards to your CFPB compliance and compliance efforts? Contact us!

Secure Web Application Best Practices

It isn’t news that maintaining a secure web environment is extremely important in today’s technological climate. Performing regular scans and tests of your security posture is best practice and becoming an essential piece to maintaining security at your organization. Web applications have become a common target for hackers, thus the need for better practices.

Last week, we tapped into our own developers’ minds to help us put together a list of best practices for secure web application in order to educate and inspire our community of security-minded individuals.

Here are our top Secure Web Application Best Practices:

1. Training

If you’re a web application developer, you should always be aware of security risks and best practices for defending your application from those risks. OWASP is a great resource for learning about web application security. The OWASP Top 10 is a great list that creates awareness around some of the most critical web application security flaws. SANS is another great resource for information security training. Additionally, many web application frameworks publish security guides that cover built-in security features. (Ex. Ruby on Rails, Django, and .NET publish security guides to help you as you are building applications).

2. HTTPS Everywhere

HTTPS provides your users with the confidence that the web application they are connecting to is, in fact, yours. It also provides a secure channel for sending and receiving data. One risk involved in using HTTPS is when additional content is loaded insecurely over HTTP. While your site may be securely loaded over HTTPS, even a single JavaScript file loaded insecurely over HTTP is at risk to be intercepted and modified by an attacker. Ensure all your content and resources are loaded securely.

3. Strong Password Storage Practices

When storing users’ passwords, it is extremely important to follow best practices. Never, ever, store passwords in plain text. You should store your users’ passwords as hashes, making use of cryptographic algorithms that are designed for password protections. View the OWASP Password Storage Cheat sheet.

4. Keep Application Dependencies Up-to-Date

Your web application most likely makes use of a framework and several libraries or components. Each one of these components is potentially vulnerable to attack. It is best to identify all of the components and versions currently being utilized in your application. Once you have that, monitor public databases (CVE, NVD) for reported risks to the components you use. Also, keep up to date with security mailing lists relevant to the frameworks you use and immediately update any components that release security fixes.

5. Always Install Security Patches

Related to keeping your application dependencies up to date, you should also ensure your application stack is up to date. Ensure you OS, web server, application server, and databases are all up to date with the latest patches and configurations.

6. Web Application Firewall

A web application firewall (WAF) can be helpful in identifying and blocking threats to your application. A WAF applies rules to the HTTP traffic coming in to your application. If certain patterns are detected that are commonly associated with attacks, the request is blocked. These rules can be customized based on the specific threats to your application. Running a WAF requires maintenance and tuning, but it can be very effective in blocking many known attacks.

7. Logging

It is always important to know what is going on within your applications. Collecting logs is vital to having an audit trail of activity. You should collect all authentication and user access events including access to your servers and user access to your applications. Collect data access, user events, and errors. Logs should be centrally collected and stored where they can be reviewed and correlated.

8. Assume All Input from Users is Malicious

As a developer, you should always assume that all user input is malicious. This includes form data, URL parameters, query strings, cookies, and HTTP headers. Validate all input based on type, length, and a whitelist of allowed value ranges. Many attacks such as SQL injection and cross-site scripting take advantage of applications that trust user input without proper validation. View the OWASP Data Validation.

9. Security Testing

Testing your application for vulnerabilities is an important step in finding and fixing flaws before you suffer from an attack. This can include static code analysis and penetration testing. Static code analysis will scan your source code for flaws and potential security risks. These tools can be integrated into the development lifecycle, alerting developers to potential hot-spots in their code. Web application penetration tests simulate attacks in order to analyze the security of your system. These tools are necessary in order to ensure your application is secure.

For more information or help regarding the security of your web applications, contact us today.

Conducting Incident Response Plan Table Top Exercises

So, your Incident Response Plan looks good on paper – it’s been mapped, planned, documented. But has it been tested? Will it work?

Testing and drilling your employees and your Incident Response Team to understand how to respond in the event of an incident not only prepares them for an actual event, but it also helps to ensure that your plans are current and effective in the existing threat and organizational climate. Experts suggest that participating in table top exercises to simulate a real-world scenario is the best way to prepare.

When facilitating these exercises at your organization, be sure that the employees understand the purpose for conducting the exercises. They should be fully engaged so that you can determine if your team has all bases covered and be able to identify any previously unknown gaps in your current plan. The should understand that participating in these exercises will help determine if everyone can hypothetically talk through their respective functions during an incident and be sure everyone fully understands their role when responding to an actual incident.

The facilitator should present a scenario, asking participants specific questions related to the scenario, and from there, participants will engage in a discussion that focuses on roles, responsibilities, coordination, and decision-making during an incident. Prepare several scenarios in advance that will address specific areas of your Incident Response Plan you wish to test. Some sample scenarios include:

  • During a routine evaluation of system logs, an administrator discovers that company data has been obtained by an unauthorized user account.
  • A remote user has lost his/her laptop containing stored sensitive company data.
  • After a recent move, it has been discovered that a locked cabinet containing sensitive company data is missing.
  • A former employee, disgruntled after employment termination, has realized that he/she still has remote access to the company’s server and decides to infect the system with a virus.

We are already familiar with the stages of Incident Response: Preparation, Detection and Identification, Containment, Remediation, Recovery, Lessons Learned. Once presented with a scenario, the participants should begin going through these stages to determine what steps to take to handle the incident appropriately.

Here are some example questions that participants should be addressing during each stage of the exercise:


  • How are we currently preparing for a security incident? What are we doing to prevent an incident from occurring? What are we doing to limit the impact of this type of incident occurring?
  • Do we have proper policies and procedures in place for handling an incident? Are they adequate?
  • What actions would have helped to prevent this type of incident from happening?

Detection & Identification:

  • What controls are currently in place that would help identify this incident, and what are the procedures for reporting this incident?
  • How do we detect malicious activity of unknown origin on our systems?
  • How would we respond quickly to a suspected incident?
  • What tools or assets do we have to assist us in detecting unauthorized activity?
  • How would we assess the incident?
  • Do we have a specific incident response team for this type of incident?


  • How are we documenting the incident? What evidence should be collected? Have all aspects of the incident been assessed? (size, scope). What is the risk of the incident on operations?
  • What do our procedures say about containing an incident?
  • What strategies should we take to contain the incident?
  • How can we prevent further damage from this incident?
  • What could potentially happen if the incident were not contained properly?


  • How can we clean the system?
  • Have we documented the footprint of the intruder? Where did it originate?
  • Have we made necessary changes to ensure successful restriction of a repeat incident?
  • Have the changes been tested?
  • Have we implemented any remote wipe capabilities?
  • Has a system access review been completed to ensure there are no other users that need to be removed?
  • What chain of custody procedures have been modified to ensure incident will not reoccur?


  • How do we securely restore the system?
  • What monitoring procedures will be in place to ensure successful recovery?
  • What backups of files existed to replace the lost files?
  • Have we prepared a backout plan if recovery is unsuccessful?
  • Have we considered alternatives for database access without the infected system being involved?

Lessons Learned

  • What happened? What gaps can we now identify from this incident?
  • How do we go about regaining our customers’ confidence?
  • Now we must revise our policies and procedures to prevent future attacks. What adjustments should be made to avoid these attacks going forward?

Use this exercise to be a teaching, educating, and inspiring experience. Practicing your step-by-step Incident Response Plans will help your organization to be able to respond quickly and effectively during a real-world incident.

With help developing your Incident Response Plan or for unbiased guidance on Information Security best practices, contact us today.

Top 10 Scorecard Components for Call Monitoring

As a Chief Compliance Officer, call monitoring is a big part of managing the compliance within your organization. It’s your responsibility to determine: Are your collectors compliant with federal and state laws? FDCPA? CFPB? Are they meeting contractual agreements with clients? An effective call monitoring program is essential to your overall compliance. One of the ways you should monitor your collector calls is by developing and using a Call Monitoring Scorecard to ensure that your collectors are following the policies and procedures you have set forth in regards to communications with consumers.

Developing your own Scorecard isn’t necessarily a “one size fits all” process. There are many components to be considered. You must first take into consideration your own Risk Assessment. Utilize a weighted score of components based on the risk level and exposure is the first place to start when developing your own scorecard components. What kind of consumer complaints have you received? What about overall consumer lawsuits? CFPB complaint statistics? What should you be monitoring to ensure that your collectors are using compliant practices when collecting on a debt?

There are so many things you should include on your Scorecard to ensure compliance with consumer financial law. We’ve compiled a list of the Top 10 Scorecard Components based on activity we’ve seen to help give you some guidance to get started.

Top 10 Scorecard Components:

  1. Call Recording Disclosure
  2. Proper Identification of the Consumer
  3. Mini Miranda
  4. FDCPA Third Party Disclosure
  5. UDAAP (Tone, Language, Deception)
  6. Proper Account Updates
  7. Payments Applied According to Consumer Instructions
  8. Regulation E (Disclosure & Authorization) as Applicable
  9. Proper Voicemail Instructions Followed
  10. Proper Communication Regarding the Consumer Credit Report

Do you need assistance with developing your Compliance Management System to meet CFPB regulatory requirements? Contact us today for details on how we can help.

4 Phases of a Compliance Management System (CMS)

According to the CFPB, a “robust and effective compliance management system” is a critical component of the structure of an organization. Best practices define a Compliance Management System (CMS) as a set of interrelated or interacting elements that organizations use to direct and control how compliance policies are implemented and compliance objectives are achieved.

Since the CMS is essentially the foundation of your organization, let’s start from the bottom and talk about how to build and maintain your CMS. What does a “robust and effective CMS” look like? How does the flow of this management system work? The CFPB defines a CMS by having four interdependent control components: board and management oversight, compliance program, response to consumer complaints, and compliance audit. Here are 4 Phases of a Compliance Management System to help you see how these components work together:


This is where you establish the systems intent and goals. What do we intend to accomplish here? Compliance with consumer laws? What does success look like? When there’s a systematic process in place? When clear and effective communication happens? When all employees understand their roles and responsibilities in regards to compliance? When continuous improvement is happening? Take the time to define your resources. Who will audit? What technical resources are needed? The Plan phase is where we assess our risks, ranked from the greatest to least. Written policies and procedures should be developed here that are directly tied to any identified risks from your Risk Assessment. Board and Management involvement is critical during the planning phase, to help establish the “tone of compliance” and to be involved throughout the entirety of the process.


The implementation and operation of a Compliance Management System takes place during the “Do” phase. Most people think this phase is the CMS, however, it takes all of the phases working together to maintain an effective CMS. During this phase, Management should provide clear support throughout the process. All employees should be trained on the policies and procedures that you have developed and documentation of these policies and procedures should be easily accessible to all employees. The Compliant Resolution Program is also developed and implemented during this time, and should be included in the policy and procedure documentation.


Monitoring and reviewing what we are doing to maintain compliance within our organization should be a regular and integral part of ensuring that we are doing what we say we are doing. An Internal Audit is a great way to determine this by looking at what our policies and procedures say we are supposed to be doing versus what we are actually doing. Are there any gaps? Are there any areas of our CMS that need to be improved upon? Are we meeting our pre-established compliance goals? After the internal audit has taken place, Management should review the audit, identify where any action is needed, and provide direction when necessary.


The fourth and final phase of implementing and maintaining a “robust and effective CMS” is all about improving upon what we’re doing and taking any corrective and preventative action that is deemed necessary throughout the process. Be sure to document any areas of non-compliance. Don’t be discouraged by findings! A good CMS WILL find areas of non-compliance, but this is to be considered a good “quality test” and will only further strengthen your CMS. Next, develop an action plan. Write down any preventative and corrective actions that need to take place. Be sure to document in your follow-up that these actions have been completed.

Maintaining a “robust and effective CMS” is an ongoing process. It’s a constant cycle of reviewing and implementing to better strengthen the compliance at your organization. Are you in need of some assistance in developing your CMS? Are you lacking policy and procedure development? We can help! Contact us today for help with custom policy and procedure development as well as help assessing your CMS.