For the past three years, credit unions have been reprogramming operations to keep up with a tsunami of regulatory changes. You’ve adopted new policies, procedures, technologies, forms, and training programs. But you aren’t done yet.
Now it’s time to ensure all these changes are working. To verify your full compliance, your credit union needs an audit component, or a systematic approach to ensure you’re implementing regulations correctly and on time.
Some readers might see the word “audit” and immediately think, “It’s not my problem.” That couldn’t be further from the truth.
Remember, a credit union’s board of directors is ultimately responsible for ensuring the credit union follows all applicable rules and regulations. And any audit typically involves staff from departments throughout the credit union.
What’s a ‘compliance audit’?
Let’s step back for a moment and look at the concept of a “compliance management system.” Although the Consumer Financial Protection Bureau (CFPB) only directly supervises the handful of credit unions with more than $10 billion in assets, it’s important to know what the bureau expects of large financial institutions.
You may believe your credit union is a long way from being subject to CFPB’s scrutiny, but consider this: The industry already is experiencing a regulatory “spillover” effect. That means regardless of your size, regulators are talking more about having a compliance management system. For instance, this spring NCUA and the federal bank regulators discussed the importance of having a “fair lending compliance management program.”
The CFPB says an effective compliance management system manages responsibilities and risks, and it consists of four interdependent control components:
1. Board and management oversight;
2. A coordinated response to consumer complaints;
3. A compliance program; and
4. Compliance audits.
A compliance audit is simply a comprehensive review of how your credit union adheres to regulatory requirements and related policies the board adopts. The compliance audit program is an annual review with a defined scope that reviews policies, procedures, training materials, staffing, forms, and work samples.
It concludes with a report of significant findings, conclusions, and recommendations. The process certainly should include reporting back to the board or a designated committee.
All credit union compliance managers know they must complete three compliance audits required by:
1. Automated Clearing House rules;
2. Bank Secrecy Act; and
3. The Office of Foreign Assets Control.
In addition to these required audits, the usual suspects for compliance reviews include: lending, deposits, payment processes, back office, privacy, security, marketing, website, and branches.
ComplySight is a new product many leagues are launching.
It’s a Web-based tracking and management system that allows a credit union not only to measure and report on compliance readiness but also to keep up with changing compliance demands.
Contact your league about availability.
By following a few basic rules and using available resources, there’s no reason why credit unions can’t perform compliance audits internally. This allows for greater customization and control over the compliance function—and saves money as well.
You don’t need an internal auditor or a certified public accountant to conduct a compliance audit. But you can look to the internal audit function for general guidelines. What credit unions need is an individual who has sufficient compliance training and proficiency, has a sufficient understanding of your operations, pays attention to details to obtain appropriate evidence, and can maintain sufficient independence.
The fact that the compliance function isn’t directly involved in the operational areas being reviewed gives sufficient independence.