Now that the dust from the November elections has settled, it’s clear that Washington, D.C., is in an enforcement mood. For credit unions, that means paying close attention to dotting regulatory i’s and crossing compliance t’s.
“The biggest compliance concerns for credit unions this year will be determining which new rules, regulations, and effective dates will apply to them,” says Lori Moore, director of compliance at Attus Technologies, a wholly owned subsidiary of Computer Services Inc.
Chief among these regulations, she says, is the Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) Act, for which the Consumer Financial Protection Bureau (CFPB) has yet to issue specific rules.
Moore says regulators are reluctant to issue rules and clarify UDAAP compliance so anomalies won’t threaten the whole edifice. She cites regulators’ role in applying UDAAP to a case brought against RiteAid Corp. for allegedly failing to protect consumer privacy.
“Say there’s a data breach,” Moore says. “The agency could cite a credit union for failure to observe security protocols, which would be a violation of its pledge to protect consumer privacy.”
In the case brought against Rite- Aid, it was alleged that the company’s written claim of assurance to “respect and protect the consumer’s privacy” was deceptive.
Another big concern this year involves monitoring interest-rate risk, says Joe Donahue, a sales representative at TriNovus. “Regulators are putting more emphasis on stress-testing loan portfolios to see how changes in interest rates might affect financial institutions. How changes in interest rates affect earnings, capital, and loan loss provisions should be evaluated and documented at least annually.”
Donahue adds that the Dodd- Frank Wall Street Reform and Consumer Protection Act has expanded risk management to encompass all areas of compliance. “Regulators are being tougher, with near-zero tolerance for errors. Credit unions must identify critical rules and deadlines, and make sure their disclosures meet regulatory requirements.”
Tony Ferris, managing partner at the Rochdale Group, sees three broadbased compliance concerns in the coming year: vendor management, data management, and enterprise risk management. “We’re seeing an intersection of regulatory pressure and operational complexity creating an environment like never before. Credit unions must not merely address regulatory issues, they must create strategic advantages out of them.”
Ferris admits this is an unpopular opinion, but explains that core business advantages are driven in the engagement of true partnerships, leveraging data for increased knowledge about credit and marketing decisions, and enhancing the risk/ return relationship.
Where to seek help
As credit unions add increased regulatory scrutiny to their long list of challenges, third parties stand ready to help with scalable, customizable solutions. TriNovus, for instance, offers a tool called TriComply, as well as interest-rate risk tools and a vendor management system.
The latter capability is one Donahue believes is becoming much more important. “If you haven’t already done so, you should have a vendor management system in place to evaluate and monitor all third-party relationships,” he advises.
Moore says her company offers automated solutions that can help credit unions comply with complex existing rules that are changing, such as Regulation E and Office of Foreign Assets Control sanctions. It also offers independent reviews and a Managed Compliance Service. “We have assembled a bench of consultants that represent a vast cross-section of expertise,” she says. Managing risks to a credit union’s online presence (including websites and social media), for example, has become far more challenging.
As the use of social media began to explode, Moore says it was only a matter of time before regulatory agencies would address questions surrounding the applicability of existing laws and risk management. The initial stages of this came to fruition when the Federal Financial Institutions Examination Council recently issued proposed social media guidance.
“We want to help credit unions stay ahead of the game, so we’ve been developing tools and adjusting our services accordingly,” Moore says. Attus offers WatchDog Social Compliance®, which monitors—and allows credit unions to diffuse—consumers’ complaints over certain social media outlets.
Donahue commends credit unions for using social media for marketing and member service. “But I tell them to be mindful that they should have a social media policy and staffmembers trained in social media do’s and don’ts.”
Moore warns that penalties for compliance missteps can be daunting, citing “reimbursable violations.” These are infractions where credit unions are compelled to pay out of pocket for faulty interest-rate disclosures or ads containing misstated terms and conditions.
“If an overall compliance program is found to be deficient, it could generate cease-and-desist orders or monetary penalties”—even criminal prosecution in some cases, she says.
Moore adds that NCUA has become more active in its enforcement and in examining complianceand risk-related challenges related to new technologies, such as remote deposit capture, check imaging, and mobile financial services. “New technologies oft en move faster than credit unions’ understanding of the implications for risk and compliance issues.”