Tools of the Trade

More Regulatory Pressure in Store for CUs

CUs are at the intersection of regulatory pressure and operational complexity.

March 1, 2013

Now that the dust from the November elections has settled, it’s clear that Washington, D.C., is in an enforcement mood. For credit unions, that means paying close attention to dotting regulatory i’s and crossing compliance t’s.

“The biggest compliance concerns for credit unions this year will be determining which new rules, regulations, and effective dates will apply to them,” says Lori Moore, director of compliance at Attus Technologies, a wholly owned subsidiary of Computer Services Inc.
Chief among these regulations, she says, is the Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) Act, for which the Consumer Financial Protection Bureau (CFPB) has yet to issue specific rules.
Moore says regulators are reluctant to issue rules and clarify UDAAP compliance so anomalies won’t threaten the whole edifice. She cites regulators’ role in applying UDAAP to a case brought against RiteAid Corp. for allegedly failing to protect consumer privacy.
“Say there’s a data breach,” Moore says. “The agency could cite a credit union for failure to observe security protocols, which would be a violation of its pledge to protect consumer privacy.”
In the case brought against RiteAid, it was alleged that the company’s written claim of assurance to “respect and protect the consumer’s privacy” was deceptive.
Another big concern this year involves monitoring interest-rate risk, says Joe Donahue, a sales representative at TriNovus. “Regulators are putting more emphasis on stress-testing loan portfolios to see how changes in interest rates might affect financial institutions. How changes in interest rates affect earnings, capital, and loan loss provisions should be evaluated and documented at least annually.”
Donahue adds that the Dodd-Frank Wall Street Reform and Consumer Protection Act has expanded risk management to encompass all areas of compliance. “Regulators are being tougher, with near-zero tolerance for errors. Credit unions must identify critical rules and deadlines, and make sure their disclosures meet regulatory requirements.”
Tony Ferris, managing partner at the Rochdale Group, sees three broad-based compliance concerns in the coming year: vendor management, data management, and enterprise risk management. “We’re seeing an intersection of regulatory pressure and operational complexity creating an environment like never before. Credit unions must not merely address regulatory issues, they must create strategic advantages out of them.”
Ferris admits this is an unpopular opinion, but explains that core business advantages are driven in the engagement of true partnerships, leveraging data for increased knowledge about credit and marketing decisions, and enhancing the risk/return relationship.
Where to seek help
As credit unions add increased regulatory scrutiny to their long list of challenges, third parties stand ready to help with scalable, customizable solutions. TriNovus, for instance, offers a tool called TriComply, as well as interest-rate risk tools and a vendor management system.
The latter capability is one Donahue believes is becoming much more important. “If you haven’t already done so, you should have a vendor management system in place to evaluate and monitor all third-party relationships,” he advises.
Moore says her company offers automated solutions that can help credit unions comply with complex existing rules that are changing, such as Regulation E and Office of Foreign Assets Control sanctions. It also offers independent reviews and a Managed Compliance Service. “We have assembled a bench of consultants that represent a vast cross-section of expertise,” she says. Managing risks to a credit union’s online presence (including websites and social media), for example, has become far more challenging.
As the use of social media began to explode, Moore says it was only a matter of time before regulatory agencies would address questions surrounding the applicability of existing laws and risk management. The initial stages of this came to fruition when the Federal Financial Institutions Examination Council recently issued proposed social media guidance.
“We want to help credit unions stay ahead of the game, so we’ve been developing tools and adjusting our services accordingly,” Moore says. Attus offers WatchDog Social Compliance®, which monitors—and allows credit unions to defuse—consumers’ complaints over certain social media outlets.
Donahue commends credit unions for using social media for marketing and member service. “But I tell them to be mindful that they should have a social media policy and staff members trained in social media do’s and don’ts.”
Moore warns that penalties for compliance missteps can be daunting, citing “reimbursable violations.” These are infractions where credit unions are compelled to pay out of pocket for faulty interest-rate disclosures or ads containing misstated terms and conditions.
“If an overall compliance program is found to be deficient, it could generate cease-and-desist orders or monetary penalties”—even criminal prosecution in some cases, she says.
Moore adds that NCUA has become more active in its enforcement and in examining compliance- and risk-related challenges related to new technologies, such as remote deposit capture, check imaging, and mobile financial services. “New technologies often move faster than credit unions’ understanding of the implications for risk and compliance issues.”

Compliance as opportunity

Ferris says some institutions have learned to seize opportunities for revenue from the demand for stricter compliance, citing two types of credit unions: The “haves” and “have-nots.”
The former are proactive and embrace compliance and enterprise risk management as a means to discover potential new profit sources, Ferris says. “The have-nots take a minimalist approach, doing only what’s absolutely necessary to comply with regulators. They’re not taking the long-term interests of the credit union into account. When we mention ‘compliance’ or ‘risk management,’ they tune out.”
The have-nots often change their minds, however, when Ferris shows them the benefits of paying full attention to compliance and risk management. “A credit union that is mindful of risks across the enterprise better understands the potential enterprisewide consequences, and can pull the trigger much faster either to introduce a new product or program or to cancel it.
“Fundamentally, we ask what and how can we leverage organizational value rather than simply meeting compliance requirements?” he continues. “Some compliance efforts offer an opportunity to rethink processes.”
While most credit unions will successfully address compliance issues, some may decide the burden is too heavy. “Some credit unions are overwhelmed by regulatory burdens, especially those created by the CFPB and the Dodd-Frank Act,” says Donahue. “Smaller credit unions feel like they’re being regulated out of business. Don’t be surprised if this leads to more mergers.”
Over-regulation dampens optimism
Credit union CEOs were much more pessimistic going into 2013 than they were going into 2012, according to a survey of credit union executives by Abound Resources, a CUNA Strategic Services alliance provider.
The primary driver: An increasingly difficult and unpredictable regulatory environment.
One-fourth of credit union CEOs are “very” or “somewhat” pessimistic about their credit union’s outlook for 2013, the survey reports. In 2012, 16% of executives were pessimistic, but none were “very pessimistic.”
Only 37% of those surveyed are optimistic or very optimistic about 2013, compared to 43% in 2012.
Other major issues of concern are a weak economy and poor loan demand.
  • Attus Technologies:
  • Coalfire Inc.:
  • ComplianceEase:
  • Continuity Control:
  • CUNA Strategic Services alliance providers:
    1. Abound Resources:
    2. SilverSky:
    3. TraceSecurity:
    4. Verafin:
  • FiLink:
  • GlobalVision Systems Inc.:
  • Leverage: 
  • PolicyWorks: 
  • Rochdale Group: 
  • Safe Systems Inc.: 
  • Security On-Demand: 
  • TriNovus: 
  • Vital Insight: 
  • Wolters Kluwer: