TPPPA Compliance Management System (CMS)

One of the key objectives of the TPPPA is to create, promote and sustain industry best practices for payment processing. We call our best practices the TPPPA Compliance Management System (CMS).

The TPPPA believes that organizations should be able to support any legal product, service or industry if these organizations can demonstrate that they have effective compliance management systems that address all forms of related risk with special emphasis on Compliance Risk. The TPPPA CMS is designed to support members in designing and documenting their unique, risk-based compliance management program.

pic2

What is the CMS?

The TPPPA CMS consists of a distinct set of controls that comprise the TPPPA CMS Control Framework. This control framework was designed by the TPPPA to support our members in creating and maintaining risk-based, documented compliance management programs that adjusts as internal changes occur, such as new products or systems, or new industries are supported, and as external changes occur, such as the nature of payments, laws and regulations and changes in public policy.

The TPPPA CMS Control Framework is a holistic set of controls that work equally well for financial institutions, payment processors of all types (third-party payment processors, third-party senders, ISOs, payment facilitators, etc.,) money transmitters and merchants. The controls are payment type and industry or product type agnostic. In essence, it is a systematic disciple that works for all types of organizations, that is incorporated around each organization’s distinct programs and requirements.

How was it created?

The CMS was devised after extensive conversations with regulatory agencies and exhaustive study of laws, rules, regulations and guidance. It is designed to incorporate the guidance of bank regulators, FinCEN, the Federal Trade Commission (FTC), the Department of Justice (DOJ), the Consumer Financial Protection Bureau (CFPB) and the Federal Financial Institutions Examination Council (FFIEC).

What is the TPPPA CMS Control Framework?

The TPPPA CMS Control Framework has slight variations for financial institutions, payment processors and merchants, based upon the distinct obligations of each entity. For example, the TPPPA considers that a payment processor is a hybrid of a third-party service provider and a financial institution customer. Therefore, third-party vendor management is a key control for financial institutions. Payment processors have a direct relationship with merchants; therefore, merchant relationship management such as agreements and training are key controls for payment processors. However, there are distinct controls that relate equally and directly to financial institutions, payment processors and merchants. These include: Risk Assessment, Board Oversight, Program Manager/Compliance Officer, Policies, Procedures, Customer Due Diligence, Ongoing Monitoring, Periodic Review, Agreements, Training and Internal Control Testing.

How is the TPPPA CMS maintained?

The TPPPA shares the CMS Control Framework with regulatory agencies on a regular basis and makes updates as necessary, although only minor updates have been required since its creation in 2013. We also closely monitor changes to laws and regulations, as well as public policy on a state and federal basis, and engage in advocacy efforts as necessary to support fair and consistent changes to laws and regulations.

What tools and resources are available to members to support implementation of the TPPPA CMS?

Monthly member meetings are designed to keep members up-to-date on regulatory and legal actions that may impact member’s risk assessment. Members have the opportunity to learn about the current state of affairs and update their risk assessment and internal controls based upon new information provided at these meetings.

Model Policies, Procedures and Templates have been created to provide members with tools they can utilize to support their efforts in creating documentation to demonstrate the effectiveness of their compliance management systems.

Free CMS Training via webinar is provided to all TPPPA members as part of their membership. These webinars are designed to help support members in implementing their unique compliance management program utilizing the TPPPA CMS Control Framework.

Free Regulatory Training via webinar is provided to all TPPPA members to provide guidance in how various laws, rules and regulations may impact their compliance management programs.

Expert Compliance Support is provided to members via phone or email by TPPPA accredited payments and compliance staff members.

CMS Consulting by TPPPA is available to members. TPPPA personnel will visit the member’s location, interview management and staff, review systems and documentation, perform a CMS Gap Analysis and provide a report describing what is missing in the member’s current program, and then support members in addressing the gaps.

CMS Certification Audits are performed by the TPPPA to provide members the opportunity to have a third-party review of their program and an associated audit report. Successful completion of an audit with minimal findings results in certification of the member’s CMS program for one year. (See more under the Certification tab.)

Note: Audit and Consulting Services are not included as part of the membership dues. Additional fees may apply.)

The CMS is an exclusive member benefit of TPPPA members and is not for public use or distribution.

TPPPA CMS Control Framework

Bank ControlsPayment Processor Controls
  • Risk Assessment
  • Program Due Diligence
  • Board Strategic Objective
  • Board Designated Oversight Committee
  • Program Manager
  • Third-Party Risk Management
  • Program Controls Management
  • Prohibited Activities
  • Program Policies and Procedures
  • Processor Due Diligence and Approval
  • Ongoing Monitoring
  • Processors Suspicious Activity Reporting
  • Periodic Processor Review
  • Quarterly Reporting Requirements to Committee
  • External Audit Requirements
  • Employee Training
  • Customer Agreements
    • Risk Assessment
    • Program Compliance Officer
    • Compliance Officer Duties
    • Program Policies and Procedures
    • Third-Party Risk Management
    • Internal Controls Testing
    • Quarterly Management Reports
    • External Audit Requirements
    • Training Program
    • Merchant Training and Communications
    • Customer Due Diligence and Monitoring
    • Merchant Agreements
    • Customer Identification Program
    • Suspicious Activity Reporting
    • Consumer Complaint Monitoring

    Note: The TPPPA CMS Controls can also be customized for merchants.