The 12 Pillars of a Compliance Management System

By Amber de Volk

Most compliance teams inherit a patchwork of frameworks. The CFPB outlines five pillars for a Compliance Management System (CMS). The FDIC describes three, plus a set of sub-pillars. The BSA/AML program calls for six: five traditional pillars plus the newest addition, enterprise risk assessment.

The problem? None of these frameworks, on their own, covers everything a modern compliance program actually needs to manage, especially if you’re a fintech, a crypto company, or a bank navigating multiple regulatory relationships at once.

Drawing on decades of experience across large international banks, fintechs, and startups, Amber de Volk, CEO and Founder of Equinox Compliance, developed a unified framework, the Equinox CMS. This comprehensive, 12-pillar framework consolidates regulatory expectations into a single, actionable model.

Equinox CMS Framework

1. Board Oversight

Every effective CMS starts at the top. Board oversight means the governing body actively monitors compliance risk, receives regular reporting, and sets the tone for the entire organization. Without documented board engagement, examiners and auditors will flag a governance gap before they look at anything else.

2. Written Policies and Procedures

A policy states what you do. A procedure explains how you do it. Examiners expect both, and they expect them to reflect reality.

Key hygiene practices:

  • Review and update policies at least annually, or whenever products, regulations, or operations change.
  • Use job titles instead of individual names so policies remain accurate through staff turnover.
  • Maintain version control with effective dates and approval dates clearly documented.
  • If you can’t follow your policy, change the policy, or change the procedure. The two must align.

A critical distinction: An outdated policy is a governance gap. A policy that exists on paper but isn’t followed is an operational failure, and may involve consumer harm. Regulators care about what actually happens, not what the document says.

3. Compliance Training

Off-the-shelf training programs are rarely sufficient on their own. Examiners look for evidence that your training is customized to your products, your risk profile, and your people.

What a defensible training program includes:

  • Defined roles and responsibilities
  • Measurable effectiveness criteria
  • Retraining protocols when gaps or control weaknesses are identified

Training is often used to close control gaps, but it only works as a control when it is thoughtfully designed and documented.

4. Complaint Management

How you take in, define, track, and resolve complaints tells a story about your program’s maturity. A strong complaint management function includes:

  • A clear definition of what constitutes a complaint in your organization
  • Documented intake flow and responsibility assignment
  • Root cause analysis on every complaint
  • Outputs that drive compliance improvement

Complaints are external. They come from customers or third parties (not vendors). The resolution process should eventually cross compliance’s desk, and root cause findings should feed back into training, policies, or controls.

5. Monitoring and Testing

These are two distinct activities, not interchangeable terms.

  • Testing is periodic, usually conducted by the first line. It’s where you discover initial issues.
  • Monitoring is less frequent. It involves reviewing testing outputs and looking for trends, exceptions, and patterns.

Each requires its own plan, its own cadence, and its own documentation. If an examiner asks for your monitoring report and it doesn’t exist, credibility erodes quickly.

6. Issue Management and Corrective Action

Issue management is different from complaint management. Issues are typically internal, often engineering or operational problems that require a fix. Complaint management handles external feedback.

Both should follow a similar discipline:

  • Track and categorize every issue
  • Conduct root cause analysis: Was it a policy failure, a procedural failure, or human error?
  • Escalate appropriately and document the resolution
  • Link findings back to the control, process, or training that needs to change

7. Third-Party Risk Management (TPRM)

Vendor management is an area of increasing examiner focus. If your organization relies on third-party service providers (payment processors, cloud platforms, data vendors, compliance tools), you need a documented program for assessing, onboarding, monitoring, and offboarding those relationships.

Examiners want to see that you treat vendor risk with the same rigor you apply to internal operations.

8. Risk Assessment

Proactive risk assessment is now a baseline expectation, not a “nice to have.” For BSA/AML programs, enterprise risk assessment became a formal pillar in recent guidance. For general CMS frameworks, it means identifying, measuring, and prioritizing compliance risks across products, channels, and business lines before problems surface.

9. Independent Audit (Third Line of Defense)

Your third line of defense provides an objective evaluation of the entire compliance program. Independent audit, whether internal or external, validates that controls are functioning, risks are appropriately managed, and the first and second lines are doing their jobs.

10. Information Security, Privacy, AI and Data Governance

Data flows into every compliance function. This pillar addresses:

  • What information you collect and how you control it
  • Who has access, and who shouldn’t
  • How you prevent data leakage
  • What you do when a breach or exposure occurs

With increasing regulatory attention on data privacy and AI-driven processes, this pillar is becoming more prominent in exam scopes.

11. Exam Management and Regulatory Affairs

Exam management is a skill in itself. This pillar covers the operational discipline of preparing for, managing, and responding to regulatory exams, audits, and assessments.

Best practices include:

  • Maintaining an audit calendar with all scheduled exams, audits, and testing windows
  • Assigning a lead point of contact for every exam
  • Running mock exams and readiness drills
  • Starting preparation well before the formal request letter arrives
  • Responding to findings with completed remediation, not just promises

The goal: when an exam begins, you’re gathering evidence, not generating it.

12. Specialty Items

Every organization has unique compliance obligations based on its products, markets, and risk profile. This pillar captures requirements like:

  • Fair lending (Reg B, ECOA)
  • Red Flags Rule and identity theft prevention
  • AI and model risk governance
  • Any emerging regulatory area specific to your business

These specialty items should be integrated into the broader CMS framework rather than managed as standalone efforts.

Why a Unified Framework Matters

Regulatory agencies each describe their expectations differently, but the underlying obligations overlap significantly. Managing compliance against three or four separate frameworks creates gaps, redundancies, and confusion, especially in fast-moving organizations.

A unified 12-pillar CMS framework helps compliance teams:

  • Map obligations clearly across CFPB, FDIC, BSA/AML, and other regulatory expectations
  • Identify gaps that fall between agency-specific frameworks
  • Prioritize resources by focusing on the pillars that carry the most risk for their specific business model
  • Prepare for exams with a single, organized program rather than scrambling across disconnected workstreams

For Startups and Smaller Teams

Twelve pillars can feel overwhelming for a lean organization. The key is to start where you are. You don’t need perfection. You need repeatability and documentation.

Compliance should never be a blocker for growth. When compliance is embedded early in product development and decision-making, it supports speed rather than slowing it down.
