Compliance meets technology
Keeping up with compliance challenges now requires an assist from technology.
When credit unions spend a disproportionate amount of resources on excessive compliance requirements, they have less time to focus on members.
Credit unions have seen a tremendous amount of change in the regulatory arena over the past 10 years, says Jared Ihrig, CUNA’s chief compliance officer.
“Credit unions are subject to the rules of multiple federal regulatory agencies and, often times, state supervisory authorities,” he says. “The creation of the Consumer Financial Protection Bureau [CFPB] has brought more attention to compliance.”
The agency has introduced several thousand pages of regulatory changes since its formation in 2011, Ihrig says.
As burdensome as complying with these regulations may be, “it’s much less of a burden than the financial and reputation risk you can incur when compliance is disregarded,” says Tony Diaz, vice president, compliance, at $16 billion asset SchoolsFirst Federal Credit Union in Santa Ana, Calif.
As member-owned, not-for-profit financial cooperatives, credit unions pride themselves on doing what’s right for members, he adds.
“My credit union takes this mantra seriously,” Diaz says. “It’s embedded in our DNA, and it’s truly our brand differentiator. However, as a result of that member-centric philosophy, credit unions can easily forget that we are, in most instances, held to the same regulatory and legal standards as banks and other financial institutions.”
“Compliance can be burdensome, but it’s all in how you manage it,” adds Lisa Williamson, risk mitigation manager and compliance officer at $513 million asset Bayer Heritage Federal Credit Union in Proctor, W.Va. “Tools are available to assist you.”
Meeting the challenge
Williamson says her biggest compliance challenge is managing all of its different facets.
“You not only need to ensure your policies comply with regulations, but that you also tie procedures back to your policies and complete risk assessments,” she says. “You need risk assessments for everything.”
Diaz says the uncertainty of the regulatory landscape proves challenging. SchoolsFirst Federal, for example, is subject to the California Consumer Privacy Act, which has stringent data privacy rules.
While the law went into effect on Jan. 1, 2020, the attorney general didn't submit final proposed regulations until June 1, 2020. “This is a compliance officer’s worst nightmare.”
The same holds true for the Unfair, Deceptive, or Abusive Acts or Practices standard required by the Dodd-Frank Act, Diaz adds. “Other than through enforcement, the CFPB has never truly defined its rule.”
Ihrig suggests creating a culture of compliance from which you build your compliance program “because more compliance requirements are likely coming.”
Doing so involves conducting a compliance risk assessment that examines:
- Compliance and ethical procedures and standards.
- Board and senior management program oversight and governance.
- Communication and training.
- Monitoring and testing procedures, including misconduct reporting processes.
- Compliance incentives, enforcement, and disciplinary processes.
- Responsiveness to misconduct.
Diaz warns against complacency. Just because your credit union is small or has never incurred regulatory penalties doesn’t mean that it can’t happen.
“Many, if not most, consumer protection regulations have a ‘private cause of action’ as a remedy,” he says. “This means you could be sued for a violation, either by an individual plaintiff or as a class action.”
“Check your management and professional liability insurance policy,” Diaz continues. “You may be surprised to learn some policies exclude coverage for certain ‘high-dollar’ items such as collections practices under the Fair Debt Collection Practices Act. It only takes one member to initiate a significant financial and reputational liability.”
He cites the cases of some credit unions receiving fines from the U.S. Department of Justice for repossessing vehicles without properly following the procedures of the Servicemembers Civil Relief Act.
“In one instance, it started with a single phone call to a hotline from the spouse of an actively deployed servicemember whose car had been repossessed,” Diaz says. “Bottom line: Don’t get lulled into a false sense of security.”
Ihrig says there’s a common misconception the Military Lending Act applies only to credit unions with a significant number of active-duty servicemembers in their field of membership. “If your credit union extends consumer credit to a covered borrower for a covered loan, you have to comply with the act’s provisions,” he says.
Fortunately, technology is available to offer a helping hand with these issues.
Beyond the spreadsheet
“It amazes me how much dependence credit unions have placed on spreadsheets and manual processes,” Diaz says. “This was the norm until just a few years ago. Many effective risk management software platforms are on the market that can be scaled up or down depending on the complexity of a credit union’s operations and risk tolerance.”
SchoolsFirst Federal employs several platforms to manage risk—from compliance to operations to member complaints.
“It’s difficult to pass muster with your regulator without having a robust, software-based compliance management system,” Diaz says. “Examiners frown on manual processes and single points of failure.”
Ihrig notes there’s been a shift in the supervision process. “It’s become more principle-based and less prescriptive,” he says. “But with this enhanced flexibility comes more attention to how your credit union is mitigating risk.”
SchoolsFirst Federal addresses compliance issues with a robust compliance management system (CMS) that takes a 360-degree approach to managing all areas of risk, Diaz says. “We have compliance involvement at all levels through both board and management risk committees. That approach has proven to be successful for us.”
Plus, addressing compliance during the idea phase of products and services prevents surprises and extra work on the back-end, he adds.
Bayer Heritage Federal uses a CMS to stay current with compliance changes and track audit and exam issues, Williamson says.
“I get email alerts when changes are on the horizon, and the CMS allows me to plan for change through a workflow process,” she says. “I can assign tasks to others, organize the change process, create training, and perform risk assessments.
“This allows me to see where we are in the process and what we still need to complete,” Williamson continues. “I can set up a timeline and get email reminders when items are coming due. The biggest benefit to me is peace of mind. I can see where I am and that I am making progress.
“It’s easy to get overwhelmed with compliance. It’s easy to get burned out. You need to know the little pieces are adding up to big results.”
Diaz recommends investing sufficient time in setting up the CMS to maximize its capacity and benefits right out of the gate. “Not doing so is tantamount to not reading the owner’s manual on your new car with its state-of-the-art technology—you’re not maximizing the value of what you are paying for.”
Once you understand the capabilities, use the system daily and work out of it, Williamson adds. “Utilization will bring a comfort level that you are on top of issues and are moving in the right direction.”
A good CMS automatically tracks regulatory implementations and the status of new rules and regulations, Diaz says. “Ideally, it’s set up to send automated milestone emails to relevant stakeholders at appropriate intervals.”
This is something credit unions can do internally, but using a third-party platform does have its advantages, he adds. “You can greatly increase efficiencies in your compliance area by incorporating vendor-provided executive summaries for regulatory changes, eliminating the need to spend time creating them in-house.”
Mind the gap
Whether combined into one platform or a separate system, you also need to track, manage, and address member complaints, Diaz advises.
“The CMS is an excellent channel for identifying regulatory gaps that may not have been found for months, if not years, using a standard regulatory review process,” he says. “For this reason, examiners are focusing on the member complaint piece and drilling into how this is managed in the credit union.
“The most important part of a successful compliance program is to obtain buy-in at all levels of the organization,” Diaz continues. “It’s easy to say ‘yes, of course we believe in being compliant.’ But the challenges arise where the rubber meets the road.
“When you have a disagreement with a business area as to whether a practice is permissible, is there an escalation process to determine risk acceptance? Are you empowered to take the matter to your risk or compliance committee for discussion? Is there a formal process for all of this to happen?”
If the answer to those questions is “no,” your credit union is exposing itself to risk that may not be commensurate with the board’s risk tolerance, Diaz says. “Compliance officers need to walk a fine line between member service and risk mitigation, but it’s achievable with proper buy-in at the top.”
Ihrig concurs. “The CEO must be fully engaged,” he says. “There’s no sitting on the sidelines.”
Williamson turns to CUNA’s resources to stay at the top of her compliance game.
“CUNA is a great supporter of compliance professionals through its community, blogs, trainings, schools, conferences, and other tools,” she says. “CUNA’s knowledgeable professionals are able to assist when needed.”
Williamson recommends reaching out for assistance and signing up for CUNA’s Compliance Community, noting “if you are new to compliance, CUNA offers a mentoring program.”
CUNA released the CUNA Compliance Management System™ (CCMS) as a membership benefit for all credit unions that are affiliated members of CUNA or their league.
The system, built with technology by Woodinville, Wash.-based Quantivate, was designed with extensive input from credit unions. The web-based software offers opportunities to scale to the most complex compliance needs with a fee-based level, CUNA Compliance Management System PLUS™ (CCMS+), as well as Quantivate modules that can be added to create a full governance, risk management, and compliance management suite, reports Ihrig. “Credit unions tell us it’s easy to use, and they love that it’s centralized,” Ihrig says. “And it will help you sleep at night.”