Meeting the challenge

Williamson says her biggest compliance challenge is managing all of its different facets.

“You not only need to ensure your policies comply with regulations, but that you also tie procedures back to your policies and complete risk assessments,” she says. “You need risk assessments for everything.”

Diaz says the uncertainty of the regulatory landscape proves challenging. SchoolsFirst Federal, for example, is subject to the California Consumer Privacy Act, which has stringent data privacy rules.

While the law went into effect on Jan. 1, 2020, the attorney general didn't submit final proposed regulations until June 1, 2020. “This is a compliance officer’s worst nightmare.”

The same holds true for the Unfair, Deceptive, or Abusive Acts or Practices standard required by the Dodd-Frank Act, Diaz adds. “Other than through enforcement, the CFPB has never truly defined its rule.”

Ihrig suggests creating a culture of compliance from which you build your compliance program “because more compliance requirements are likely coming.”

Doing so involves conducting a compliance risk assessment that examines:

• Compliance and ethical procedures and standards.
• Board and senior management program oversight and governance.
• Communication and training.
• Monitoring and testing procedures, including misconduct reporting processes.
• Compliance incentives, enforcement, and disciplinary processes.
• Responsiveness to misconduct.

Diaz warns against complacency. Just because your credit union is small or has never incurred regulatory penalties doesn’t mean that it can’t happen.

“Many, if not most, consumer protection regulations have a ‘private cause of action’ as a remedy,” he says. “This means you could be sued for a violation, either by an individual plaintiff or as a class action."

“Check your management and professional liability insurance policy,” Diaz continues. “You may be surprised to learn some policies exclude coverage for certain ‘high-dollar’ items such as collections practices under the Fair Debt Collection Practices Act. It only takes one member to initiate a significant financial and reputational liability.”

He cites the cases of some credit unions receiving fines from the U.S. Department of Justice for repossessing vehicles without properly following the procedures of the Servicemembers Civil Relief Act.

“In one instance, it started with a single phone call to a hotline from the spouse of an actively deployed servicemember whose car had been repossessed,” Diaz says. “Bottom line: Don’t get lulled into a false sense of security.”

Ihrig says there’s a common misconception the Military Lending Act applies only to credit unions with a significant number of active-duty servicemembers in their field of membership. “If your credit union extends consumer credit to a covered borrower for a covered loan, you have to comply with the act’s provisions,” he says.

Fortunately, technology is available to offer a helping hand with these issues.

NEXT: Beyond the spreadsheet