Compliance for board members: Useful need-to-knows
Credit union board members, most often operating as volunteers, are tasked with providing input and guidance on a wide range of issues, including the all-important area of compliance. But with so many requirements to keep track of, which ones should they focus on?
We’re here to help.
Cybersecurity
Cyber threats represent significant potential operational risks to credit unions and are likely to increase in frequency as cybercriminals develop more sophisticated “hacking” methods. The Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool to help institutions identify their risks and determine their cybersecurity maturity. Boards should familiarize themselves with the assessment tool as the National Credit Union Administration (NCUA) will begin incorporating the tool into the agency’s exams in the second half of 2016.
However, boards should not solely focus on prevention. Credit unions also need an action plan for recognizing and responding to cyberattacks. Credit unions must be ready to respond when a data breach occurs, which requires agility and strong crisis management preparedness on the part of communications, technology and security teams. Board members should refer to NCUA Rules and Regulation’s Part 748 – “Guidance on Response Programs for Unauthorized Access to Member Information” — to educate themselves on the steps federally insured credit unions must take to respond to a data breach.
Bank Secrecy Act
The Bank Secrecy Act (BSA) requires credit unions to perform due diligence in detecting fraud, money laundering and other types of financial crime. This is one of the most important regulations in the credit union movement and failure to comply can result in significant penalties. In today’s NCUA exams, a BSA evaluation is all but assured.
While board members don’t need to immerse themselves in the gritty details of the BSA, they are ultimately responsible for BSA compliance, so some knowledge is necessary. Board members should know the general procedures and ask questions regularly so they can play a role in ensuring their operations meet BSA standards. Volunteers are also required to complete annual BSA training, which we offer here at CUNA.
Flood Disaster Protection Act
Board members should ensure that their mortgage lending operations are compliant with the Flood Disaster Protection Act (FDPA), which mandates the purchase of flood insurance on home loans secured by property in special flood hazard areas. The NCUA and federal banking agencies amended their flood insurance regulations last year to implement several statutory changes to the FDPA. Boards should make sure that their credit unions are complying with the amended rules, particularly the flood insurance force-placement provisions and the escrow requirements (unless exempt) for flood insurance payments.
Risk Areas
Along with their compliance responsibilities, board members must also do their part to mitigate risk at their credit unions. Credit unions should have in place a risk management program with the implementing policies, procedures, and internal controls necessary to manage the risks inherent in their operations. The NCUA places emphasis on the careful consideration of internal controls, which board members help shape and refine. Internal controls include informed board members, well-trained staff, and sound policies and procedures that address all of the credit union’s products and services.
In particular, indirect lending is an area where risk should be evaluated. Loan approval authority should not be delegated to a third party. It is the credit union’s responsibility to have a comprehensive due diligence program and establish effective controls and monitoring systems to mitigate any uncertainty to the credit union’s earnings and net worth.
These issues and many others were highlighted by NCUA speakers during sessions at CUNA’s 2016 Governmental Affairs Conference. Be sure to attend next year’s GAC to learn more from CUNA, agency staff and other compliance experts. In the meantime, see below for more compliance resources and information from CUNA.
Where to Turn for Compliance Tools
As your national trade association, CUNA offers a series of training and information resources on compliance issues:
- CUNA’s e-Guide to Federal Laws and Regulations is CUNA’s comprehensive online compliance manual that is available to affiliated credit unions and leagues at cuna.org/compliance;
- Featuring a variety of compliance-themed selections, the Volunteer Achievement Program (VAP) is a catalog of easy-to-use self-study books, vetted by experts and written for volunteers. VAP courses are a fast, easy, efficient way to build a working knowledge of specific regulations and their requirements. To browse our full course library, visit cuna.org/vap;
- By completing VAP courses, board members are that much closer to earning the Certified Credit Union Volunteer (CCUV) designation, an official volunteer certification offered exclusively through the CUNA Volunteer Certification Program. By earning the designation, volunteers demonstrate their breadth and depth of credit union knowledge, including regulatory, compliance and oversight issues. Learn more at cuna.org/vcp;
- For a deeper dive into credit union compliance, sign up for the CUNA Compliance Community, an online network exclusively dedicated to compliance issues. From a single hub, users can check out CUNA’s compliance blog (CompBlog), network, ask questions, share experiences and work together on strategies for the pressing regulatory challenges our movement faces. CUNA’s compliance blog registration is free for member credit unions. Learn more at cuna.org.
Additionally, the NCUA website has a variety of free resources that volunteers can use to help their credit unions stay in compliance. The agency offers questionnaires, a handbook on board guidance and a fair lending assessment, and plans to upgrade its Automated Integrated Regulatory Examination System (AIRES) software program and completely overhaul its examiner’s guide, which hasn’t been updated in many years.
