As dry subjects go, there aren’t many topics more arid than regulatory compliance. It’s virtually the Mojave Desert of subject matter. Just like a real desert, though, it isn’t wise to try to navigate the compliance landscape without knowing what you’re doing or where you’re going.
The unprecedented volume of regulatory changes that were generated during the past decade has financial institutions of all types looking for a break in the action, for a chance to get their bearings. So, when serious talk of regulatory relief holds out hope that help may be forthcoming, it’s only natural for those shouldering the burden to breathe a sigh of relief, and to take time to attend to other matters. However, just because efforts are underway to ease the regulatory load, it’s not the time for credit unions to drop their guard.
Between the alphabet soup of federal regulations overseen by the CFPB and the regulations issued by the NCUA and other state and federal regulators, credit unions are subject to dozens of complex regulatory requirements that are designed to shape the way they conduct business. The federal Truth in Lending Act and Equal Credit Opportunity Act, together with the CFPB’s Regulations Z and B, are just a few of the regulations that dictate how credit unions meet their members’ credit needs. As for share accounts and other deposit products, the federal Expedited Funds Availability Act and the federal Truth in Savings Act have given us Regulation CC and the NCUA regulations in 12 C.F.R. Part 707, and the Electronic Fund Transfer Act has spawned Regulation E. Of course, there’s also the federal Bank Secrecy Act, the Flood Disaster Protection Act, and the SAFE Act, all of which have been implemented through NCUA regulations. Other NCUA regulations govern business operations and, naturally, state laws and regulations are also in the mix. Together, these laws and regulations create a complex web of requirements that must be taken into account by credit unions to effectively manage both operational and reputational risk, and to safeguard against potentially costly civil liability.
Over time, each credit union has developed a variety of policies, procedures, systems, and tools that establish the framework for the way that credit union does its business. Whether developed in response to regulatory changes, business objectives, or as new products have been added to the mix, this “compliance management system” (CMS) is itself a system that needs monitoring. To better manage the compliance risks that every credit union faces, senior management and the credit union’s board of directors must periodically revisit each of the policies and procedures that comprise that credit union’s unique CMS. To think of it another way, if each credit union is a dynamic and evolving operation, then it only makes sense that the CMS policies and procedures that guide that credit union’s day-to-day operations must also adapt and change over time to ensure they remain appropriate for the way that credit union conducts its business.
Compliance violations happen, and stale policies and procedures are often the culprit. There’s no getting around the fact that when employees focus on the day-to-day business of running the credit union – making loans to members, assisting them with their share accounts, and providing the ever-expanding range of financial products that seem to develop overnight – every employee is constantly making real-time decisions about what to do and how to do it. Although wandering off the path of strict compliance is rarely a conscious decision, without careful consideration of the compliance implications of a particular process or procedure, what may seem like an expedient solution to a day-to-day operational problem may turn out to be a shortcut to a compliance violation. Like an impulsive decision to leave the trail on a desert hike, not understanding the compliance implications of a policy change or an adjustment to a longstanding procedure can be fraught with risk.
This common dilemma, faced by credit unions and financial institutions of all sizes and types, has been the subject of recent efforts by the Federal Government to stay abreast of the changing compliance landscape. As part of a joint project with other federal financial regulators under the auspices of the Federal Financial Institutions Examination Council (FFIEC), the NCUA recently released Supervisory Letter No. 17-01, Evaluating Compliance Risk – Updated Compliance Risk Indicators. It discusses the recently updated criteria that NCUA examiners will use when assessing how well a credit union meets its compliance obligations.
The updated list of compliance risk indicators makes it clear that regulators will be looking not only for compliance with specific regulations, but also at the overall effectiveness of each credit union’s compliance management system. Examiners assessing compliance risk will evaluate each credit union’s CMS with respect to:
- Oversight Commitment – How well do the credit union’s management and board of directors understand all aspects of compliance risk; and how strong a commitment do they show to providing sufficient compliance resources, staff, and training to ensure that the credit union will meet its due diligence obligations?
- Change Management – How well does the credit union’s management anticipate and respond to changes in applicable laws and regulations; how well does it react to changes in market conditions; and how thoroughly does it consider compliance implications when it implements changes to its products and services?
- Comprehension, Identification and Management of Risk – Does the credit union have a strong culture of compliance management designed to minimize the likelihood of serious compliance violations; does management effectively identify compliance risks posed by the credit union’s products, services and other activities; and does management effectively manage those risks through comprehensive self-assessments?
- Corrective Action and Self-Identification – Does the credit union proactively identify and promptly respond to compliance risk management deficiencies and violations of laws and regulations, including taking corrective action?
The Supervisory Letter outlines other key factors that examiners will look at when evaluating a credit union’s compliance program:
- Policies and Procedures – Are the credit union’s compliance policies and procedures and third-party relationship management programs adequate to manage the compliance risk posed by the credit union’s products (such as forms and disclosures), services, and activities?
- Training – Does the credit union’s compliance training adequately outline staff responsibilities, and is training provided in a timely manner in connection with changes in laws and regulations and the rollout of new products and services?
- Monitoring and/or Audit – Are the credit union’s compliance monitoring practices, management information systems, reporting, compliance audit, and internal control systems adequate to address compliance risks throughout the credit union?
- Consumer Complaint Response – Are the credit union’s processes and procedures for addressing and monitoring consumer complaints adequate, and does the credit union conduct consumer complaint investigations promptly and thoroughly?
Examiners will also determine the extent to which compliance violations result in harm to consumers. Compliance violations will be evaluated in terms of:
- Root Cause – To what extent are violations the result of weaknesses or deficiencies in the credit union’s CMS?
- Severity – Do the violations cause serious and considerable harm to consumers?
- Duration – How extensive is the time frame during which a violation occurred?
- Pervasiveness – How widespread and numerous are the violations?
Effective March 31, 2017, the FFIEC updated its Uniform Interagency Consumer Compliance Rating System. The five-level rating system that has long been used to rank a credit union’s compliance with consumer compliance regulations evaluates three broad categories, the first two of which are focused on the credit union’s CMS:
- Board and Management Oversight
- Compliance Program
- Violations of Law and Consumer Harm
The consumer compliance rating (CC Rating) that a credit union receives is a critical measure of that credit union’s health. Compliance is measured on a scale of 1 to 5, with a CC Rating of 1 being the most coveted. A poor rating in the 3 to 5 range is a red flag that will not be ignored, and will result in a credit union having to expend considerable time, effort, and resources taking the necessary measures to correct the problems revealed by the examination.
Obviously, this renewed emphasis on compliance by federal regulators means that any efforts that a credit union takes to identify and correct compliance issues in advance of a consumer compliance examination will be beneficial. But waiting until an examination has been announced may be too late to do anything about it. The best approach is to instill a culture of self-assessment, and to regularly evaluate each of the credit union’s products, policies, procedures and processes for compliance. Like being properly prepared for a hike through the desert, it only makes good sense. Call us at (800) 537-9598 or chat with us at www.OakTreeBiz.com for forms and disclosures compliance questions.