Pace of change challenges compliance

For credit unions, the legacy of 2008 comes down to two simple factors: increased regulation and breakneck technological advances. Those developments have created a much higher-pressure compliance environment than what existed a decade ago.

“One of the main challenges for credit unions’ regulatory compliance is the speed of technological change, which increases risks for credit unions,” says Jeff Kelly, vice president of governance, risk, and compliance at OnCourse Learning Financial Services. 

“The changes in payments technology, such as mobile banking, have been dramatic,” Kelly continues. “And since 2008, wave after wave of additional regulations have hit credit unions. That’s a lot to digest, along with the squeeze on interest rates and having limited resources to allocate to compliance.”

“In the current regulatory environment, one of the biggest challenges credit unions face is, ‘How do we keep up? How do we stay on top of things?’ ” says Cindy Williams, vice president of regulatory compliance at PolicyWorks. 

“One factor that adds complexity to compliance is ‘regulation by enforcement,’ ” she adds. “Credit unions used to wait for regulatory bodies to hammer out a final regulation before acting on it. Now, if a compliance officer isn’t already responding to industry consent orders and other issuances, that officer’s credit union might be liable for sanction.”

The Dodd-Frank Act triggered the increased complexity of regulatory compliance, Williams says: “It used to be that a credit union could appoint a compliance officer who would then learn on the job. You can’t do that anymore.”

From his vantage point, Chris Akenson, information security analyst at TraceSecurity, a CUNA Strategic Services alliance provider, says that after 10 years of watching the demands placed on credit unions, “the pressure itself hasn’t changed much, but regulators’ focuses have.” That forces credit unions to focus on specific topics and actions. 

Key compliance priorities

“One aspect of compliance financial institutions sometimes ignore is litigation, especially when it comes to mortgage lending,” Kelly says. “Lack of a compliance management system opens a credit union to risk if an employee says the wrong thing or marketing outreach implies bias—for example, an advertisement that shows no diversity among the people a credit union is trying to reach.” 

It’s important to train employees on how to conduct a phone interview during a mortgage origination, Kelly adds: “This is one of the hardest areas to manage.”

Akenson sees another aspect to compliance management. “While compliance professionals might have their hands full with regulations in the era of the Dodd-Frank Act and Consumer Financial Protection Bureau (CFPB), it’s important to remember that information security regulations are designed to protect the organization from the financial losses of fraud and theft,” he says.

“It should be no secret to managers of a financial institution that a good, strong lock on the door will deter the casual thief from just walking into the organization in the middle of the night and stealing money from an open safe,” Akenson adds. “Information security should be no different.

“Financial institutions have seen the need to protect their assets from the day they opened their doors for business,” he continues. “In the past 20 years, information technology (IT)—and the data it supports—have become among the most critical assets to any organization. Understanding how to effectively protect IT assets should be a top priority for executive management and compliance professionals alike.” 

Credit union professionals’ comfort with—and knowledge of—proper compliance runs the gamut, says Akenson: “They’re at different levels of maturity.”

What vendors offer

Credit unions rank among the U.S. industries most willing to outsource vital functions to third parties that understand their cultures and their needs, according to Kelly.

“Credit unions are required to keep a finger on the pulse of such change and allocate limited resources to deal with them,” he says. “While large credit unions can deal with compliance by themselves, most credit unions can’t. They need to work with a reliable partner.”

Kelly says OnCourse Learning Financial Services “provides training via an e-learning system that delivers content about compliance risks, technology, and management, as well as guidance that allows credit union clients to design, distribute, administer, and track adherence to compliance regulations. Partners can license a solution and customize it to meet their unique needs.”

Credit unions also can turn to CUNA’s compliance resources, a wide array of training programs and tools that represent a 360-degree approach to easing regulatory burden.  

CUNA members have access to comprehensive, accurate, and up-to-date compliance support and resources, including the CUNA Compliance Team and its CompBlog, the CUNA eGuide to Federal Laws, and the CUNA Compliance Community, which features extensive guidance and documentation.

Akenson, stressing his company’s focus on IT security, says, “TraceSecurity Risk Assessment and IT Audit reports are a great way to effectively communicate IT risks to executive management. Our trained analysts communicate their recommendations in a clear, concise manner so executive management can understand the risks to their IT infrastructure and the data it supports. Understanding the risk empowers a credit union’s leaders to make an informed decision on how to best protect their assets.”

Akenson suggests credit unions ask three questions when looking for outside help with compliance: 

1. How do a vendor’s reports read? Clarity and conciseness are important. It shows that the vendor has thought through situations and wants to deliver clear guidance to the client.
2. Has the vendor done research on your company and learned something about you?
3. Do you feel comfortable with the vendor? Understand that chemistry is an important quality in any business relationship.

“Sometimes a credit union’s management can feel put off because they don’t understand compliance requirements,” Akenson says. “So, that makes our goal one of education as well as one of compliance software installation. A credit union’s staff, from teller to C-level, should be able to understand compliance risks. Keep in mind that even if the regulations we work under didn’t exist, there would still be rules to understand and follow.” 

Williams says PolicyWorks gladly customizes its solutions for each of its 1,200 credit union clients, through formats such as compliance reports, onsite training, and webinars. 

“Even big credit unions will outsource to us,” Williams says. “Smaller credit unions look to a third-party source like us for an even greater level of compliance support. What’s a sign of our success? Our client credit unions’ CEOs can sleep at night.”