In the classic 1969 western, “Butch Cassidy and the Sundance Kid,” two train robbers spend days fleeing a relentless railroad posse.
Every so often they look back, only to see their pursuers gaining on them. “Who are those guys?” they wonder in what becomes a running gag each time they pause.
In a way, credit unions also are being chased. For them, “those guys” are the regulators and examiners in charge of compliance. But unlike Butch and Sundance, there’s no getting away. It’s either comply or face sanctions.
“Compliance is arguably the overarching challenge credit unions face,” says Cindy Williams, vice president of regulatory compliance at PolicyWorks LLC. “Managing the continuously increasing impact of changing regulations is putting a strain on credit union people and resources. Compliance is a topmost concern because of the possible consequences.”
Credit union compliance concerns that “have bubbled to the top,” Williams says, include new mortgage rules and Unfair, Deceptive, and Abusive Acts and Practices (UDAAP) for advertisements, as well as features of new and existing products.
The latter is a concern “mainly because it’s a little subjective,” Williams says. “Credit unions are waiting to see how it will be applied and interpreted.”
Financial products’ growing complexity makes marketing and advertising compliance more difficult and important, adds Jane Pannier, senior vice president and in-house counsel for AffirmX. “You don’t want to spark regulatory scrutiny by not meeting UDAAP requirements.”
Effective compliance tracking systems can help with this, she says. In addition, “examiners are especially interested in knowing when a credit union last validated its Bank Secrecy Act/Anti-Money Laundering tracking system, and whether it’s gathering and applying data correctly.”
Wes Withrow, information technology (IT) governance, risk, and compliance expert for TraceSecurity, a CUNA Strategic Services alliance provider, says risk-based compliance falls into three categories of controls: technical, physical, and administrative, each of which requires supporting documentation such as policies and procedures.
“Do you have, for example, a policy about what devices you allow to connect to your network? These devices are part of what we call the ‘threat landscape,’ ” he says. “You need a written policy for this. Say you have an employee who’s a habitual offender in this regard, and you are forced to let that person go. Without a written policy, you may have opened yourself to a lawsuit because you never clearly stated what employees could or could not do on your network.”
Williams says many regulators understand the strain credit unions are under, “but are stuck in the middle between credit unions and Congress, which wrote the laws.”
This is where an experienced third party can help. “We’ll sit at the table as ‘technical direction agents’ when examiners are onsite to explain and describe how a credit union has met its compliance requirements,” says Withrow. “We know the specialized language examiners use, so in a way we act as translators. The examiners like it because they know they’ll be better understood.”