Mitigate Electronic Banking Compliance Risks

Guard against regulatory pitfalls before adopting the latest, greatest technology.

August 20, 2014

In today’s “technology is great” environment, credit unions increasingly implement new electronic technologies to communicate with—and deliver financial products and services to—their membership.

Some of the electronic services and products available include ATMs, electronic funds transfers (EFT), automated clearinghouse (ACH), websites, online banking, bill pay systems, mobile banking, text banking, remote deposit capture, e-statements, e-advertising on social media, and e-disclosures. More are developed daily, it seems.

Credit unions often worry they must jump on the electronic services bandwagon or be left behind. While that may be true, credit unions still need to evaluate each product or service for compliance risk before signing up.

Regulatory requirements

The laws and regulations that mandate how credit unions conduct business face-to-face also apply to electronic banking. Many have specific requirements regarding disclosures, notices, advertising, and record-keeping. These laws and regulations include, but are certainly not limited to:

Truth in Savings;

Truth in Lending (Regulation Z);

Equal Credit Opportunity Act (Regulation B);

Home Mortgage Disclosure Act (Regulation C);

Real Estate Settlement Procedures Act (RESPA);

Customer/member identification requirements under the USA PATRIOT Act;

Privacy; and

Unfair, Deceptive and Abusive Acts and Practices (UDAAP).

One of the biggest potential compliance risks in electronic banking stems from a lack of understanding of the Electronic Funds Transfers Act (Regulation E) liability provisions, compounded by the absence of an error resolution procedure.

Some credit unions still want to make members who write their personal identification numbers (PIN) on their debit card liable for unauthorized transactions that occur after someone steals the card. That’s clearly prohibited under Regulation E, Section 1005.6(b)(2).

Other credit unions want to delay or even forgo investigating an alleged error until and unless the member files a police report regarding the fraudulent transactions. Again, that’s clearly not allowed under Reg E, as a bank in Indiana discovered a couple of years ago when it was hit with civil penalties of $82,500 for Reg E violations.

Reputation risk is tied inextricably with compliance risk. One need only say the word “Target” to understand the reputation risk in electronic services posed by identity theft and data breaches.

Your credit union’s leaders must understand that offering electronic banking services and products significantly increases the level of reputation risk.

Contracts and disclosures

Contracts and disclosures pose a huge compliance risk, because credit unions must ensure consistency between paper and electronic advertisements, disclosures, and notices. Implement processes that assure your credit union updates paper and electronic disclosures when adding new services.

Consistency is crucial in avoiding regulatory violations. Look at your funds availability policy and your electronic funds transfers policy: Do they contain the same definition of business day?

Also, be aware of the potential for copyright violations if your credit union adopts another financial institution’s mobile banking agreement rather than buying a customized form from a reputable vendor. Contract term issues can pop up if those institutions’ mobile banking services differ from yours, and your credit union fails to adjust the mobile banking agreement.

Record retention

Record retention provisions apply to electronic disclosures and advertisements to the same extent required for nonelectronic disclosures and ads.

Do you know how you maintain your electronic records? Tracking electronic documents is pretty easy, but what about advertisements using social media—how are those being maintained?

Also, if your credit union accepts mortgage applications electronically, you must obtain and store the required government monitoring information.

These are but a few examples, so review your credit union’s record retention policy and procedures to ensure they address all electronic disclosures and advertisements.

Risk mitigation

You might not be able to erase risk and you certainly can’t ignore it. But you can mitigate risk as it relates to electronic banking products, services, and advertising by following these steps:

Develop a strong Regulation E error resolution procedure. Assign responsibility to a person, people, or department. Establish a timeline and tracking system to ensure your credit union starts investigations, sends notifications, and makes credits in a timely manner.

Demonstrate your credit union’s compliance by noting dates and retaining records. Provide training to your staff so all employees know whom to contact if a member comes to them with an alleged error. Finally, test your procedures and document the testing.

Compare electronic and paper disclosures for your various products and services. Do they contain the same basic information relating to the credit union’s business days and hours of operation?

Ask legal counsel to review disclosures and agreements, especially those you “borrow” from another financial institution, to ensure they are compliant and that nothing conflicts with how the product or service works at your credit union.

Review all your policies and procedures relating to your electronic products and services regularly, and reappraise them whenever implementing a new electronic service.

Educate your members through your website, newsletters, and other communications about how they can minimize fraud risk. The suggestions offered in NCUA’s Letter to Credit Unions No. 11-CU-09 (multifactor authentication for online banking) hold true for all electronic services.

To help your members recognize phishing scams, remind them of the circumstances under which you might contact them, and the communication channels you would use. Provide members a list of credit union contacts to use in the event they notice suspicious or unauthorized activity on their accounts.

Monitor electronic banking risk trends, as well as changes to pertinent laws and regulations.

Risk is a reality of offering electronic services. But by recognizing potential problem areas and taking simple steps to mitigate those risks, you can confidently continue to provide members the next new electronic technology.

KRISTEN TATLOCK is vice president of COMPASS 4 CUs, LLC, a credit union service organization wholly owned by Belvoir Federal Credit Union in Woodbridge, Va. She will lead a session on electronic banking regulatory compliance at the CUNA Regulatory Compliance School, Sept. 14-19 in Chicago.

CUNA Regulatory Compliance School

Gain a comprehensive understanding of the regulatory environment—including the major regulations affecting credit unions—by attending the CUNA Regulatory Compliance School in Chicago, from Sept. 14-19.