Three Shockingly Common Consumer Compliance Slipups
Consumer financial protection—a top NCUA supervisory priority—is high on the list of key initiatives for today’s credit unions. The following three aspects of consumer compliance are increasingly important to examiners, yet consistently overlooked by credit unions.
The former head of Cisco Systems recently told McKinsey that with the high number of variables in today’s business environment, “the speed of change with agility is very important.”
In no area of credit union business is this truer than fraud prevention. New schemes, scams and attack vectors are springing up daily, putting consumers and credit unions at increased risk. Every credit union must be on its toes, able to pivot away from ineffective strategies or repair broken systems at a moment’s notice.
Of course, to pivot effectively, a credit union must first detect the need to course correct. This is where governance, risk and compliance (GRC) teams can be invaluable. By running frequent internal audits of fraud monitoring and internal control systems, GRC pros can illuminate the most pressing areas of vulnerability.
In addition to validating that external fraud monitoring systems are indeed catching suspicious transactions and alerting the right individuals when they do, GRC teams should also check on internal controls. During COVID-19 lockdowns, credit unions made changes to many standard processes, such as dual-control vault access. How many procedures that had been relaxed for limited staff during the pandemic are still in place?
Some credit unions may have discovered that changes made during COVID-19 actually work pretty well under normal circumstances and that they should stay in place permanently. In that case, the decision must be documented by way of updated policies and procedures. Those updated policies must be reviewed by the board of directors to be considered current.
Conversely, if staff need to be retrained to adhere to pre-pandemic procedures, GRC teams will want to verify the existence of a training roadmap and monitor it to ensure it’s being executed as planned.
Ensuring that policies and procedures are an accurate reflection of what is occurring daily is paramount. It’s one of several reasons that fraud and GRC teams must stay in close communication, especially as the threat landscape—both internal and external—is so fast-changing.
Remember, a documented procedure, even if not specifically required by law, must still be followed to the letter. Examiners will flag staff and processes that do not adhere to a credit union’s written procedures.
Credit union members want elegant, modern banking experiences. Employees want easy-to-use technology. Executives want to control costs. What’s more, each of these stakeholders wants their needs met yesterday.
All this demand has led to the creation of the indomitable credit union tech stack, growing at an unprecedented pace and chock full of complexity.
Behind that remarkable tech stack is an equally impressive number of fintech vendors. Along with the rewards each vendor delivers is a set of distinctive new risks.
The issue is obvious enough that it sparked the NCUA to ask for supervisory authority over third-party vendors that provide services to federally insured credit unions. Although that ask has so far been denied, credit unions should not take that as a sign of implied safety. In fact, credit unions may want to view this as a warning signal that NCUA examiners will be paying careful attention to credit unions’ vendor due diligence processes.
Among the most significant threats third-party vendors pose to credit unions is non-compliance with consumer protection regulations. The fact of the matter is, the regulatory buck stops with credit unions. If a glitch in a third-party loan origination system (LOS) is found to be denying applications in a certain zip code, the credit union—not the LOS provider—could be flagged for redlining.
Other common consumer compliance oversights include:
• Outsourced credit and debit card disputes not being handled properly, particularly when it comes to provisional credit and final determination letters.
• Third-party mortgage brokers failing to follow TRID requirements, such as not sending timely disclosures.
People tend to think of vendor due diligence as a front-end process, something a credit union does before deciding to acquire services or onboard a new vendor. In actuality, vendor due diligence is an ongoing initiative that goes beyond annual check-ins on the “usual suspects” of PII compliance and cybersecurity protections. Indeed, frequent spot-checking or sampling of vendor processes is a vendor due diligence best practice and something we expect examiners to pay closer attention to in 2023.
Anyone with an ear to the ground in the credit union movement has likely heard the worried whispers about audits. From the dramatically declining number of them to the inadequacies of those still happening, audits and their shortcomings are on a lot of minds within the industry. Especially today, with consumer financial protection high on examiners’ list of priorities, no credit union can afford to neglect compliance with member-facing regulation.
From the Great Resignation to the Great Reshuffle, labor challenges appear to be the root cause of deficient auditing initiatives. Whether inexperienced or overwhelmed, the team members who credit unions typically rely on to organize routine audits are less equipped to live up to expectations.
Aside from scheduling fresh audits and making sure they happen, short-staffed credit unions are also having trouble following through on audit findings of the past (a major red flag for examiners watching closely for consumer-reported violations).
For many of these credit unions, a lack of institutional memory has created something of a Groundhog Day culture, with stressed team members failing to remediate audit findings in a timely fashion. No surprise, the same findings appear in the following year’s report.
Staff challenges stemming from the pandemic are beginning to abate. However, employee turnover will always be an issue for credit unions, particularly within the governance, risk and compliance (GRC) disciplines, which have been wading in a shallow talent pool for years.
Fortunately, technology is solving for several of the issues within this highly nuanced problem. Digital record keeping, for instance, is giving newer employees access to the institutional knowledge they wouldn’t otherwise have. Workflow automation, too, is helping overwhelmed employees better manage and delegate the many tasks assigned to them.
By removing a lot of the manual back-and-forth duties that often characterize a compliance effort, credit union GRC pros can focus on the more strategic elements of their responsibilities, not the least of which is getting their credit union’s auditing initiatives back on track.
Carrie Helmle is senior director of audit services for ViClarity, a global provider of governance, risk and compliance (GRC) technology and regulatory compliance consulting solutions for credit unions. She can be reached at email@example.com.