Risk Mitigation: Specific steps credit unions can take

Over the past several months, we have explored various aspects of risk mitigation with four experienced credit union professionals from across the U.S. In the most recent article (the third in the series), these credit union leaders identified and described some of the internal and external factors they monitor to assess risk within their institutions. They also told us about some of the actions they take in response to what they discover.

Here, let’s focus on a few of the specific comments our respondents made and take a deeper dive into some of the issues they mentioned.

From Article 2: The Many Faces of Risk


  • In 2018, hacking was the most used method of breaching data (482 data breaches with 17 million records exposed). Unauthorized access ranked second (377 breaches affecting 404 million records). Accidental exposure was third (114 breaches with 22 million records exposed).
  • The banking, credit, and financial category continues to be the sector most affected. In the first 10 months of 2019, 100.4 million records in this segment were exposed — 62% of all records.
  • Data analysis by Juniper Research estimates that cybercrime will cost businesses over $2 trillion in 2019.
  • Malicious and criminal attacks are the leading root cause of data breaches, at 51%, but breaches caused by system glitches (25%) and human error (24%) are also serious threats.

One thing that has become glaringly apparent in the past several years is that it’s not enough to depend on your IT department to identify and root out security issues — data security awareness is now, by necessity, the responsibility of everyone in your organization.

What can you do?

  • Conduct ongoing training and education of your employees and members.
    • NAFCU: New Staff Online Training
    • NCUA: Cybersecurity Resources
  • Support NAFCU and the Federal Trade Commission (FTC) in their efforts to advocate for national data and cybersecurity standards.
    • NAFCU: Data Security
    • FTC: Data Security
  • Follow rigorous standards and obtain stringent security certifications. For example, State National has a thorough and proactive Information Security Plan to constantly monitor for threats, SSAE 18 (SOC certification), and regular SAS 70 audits. We also keep our systems and data in-house to avoid the possibility of information share transfer that can happen when technology is outsourced to third parties.

Dave Brydun

VP of Consumer Lending, BCU, Vernon Hills, IL:

“Over the past few years, we’ve increased the percentage of loans (auto loans, credit cards, unsecured loans) that are automatically decisioned, vs. manually decisioned by an underwriter, to roughly 60%. The next frontier for us in terms of growing this percentage entails the use of “on-us” data and incorporating it into our system decisioning. Having strong data quality within our organization enables this opportunity but also presents risk if the data isn’t managed properly.”

From Article 3: The Art, Science, and Mystery of Monitoring a World Full of Risk


  • From MWCUA’s report, Enterprise Risk Management: An Approach to Implementation in Credit Unions: “Enterprise Risk Management is a collaborative process to identify, manage and monitor organizational risks and opportunities, both internal and external, to ensure achievement of the credit union’s strategic objectives and continued financial stability and viability.” One of the benefits of ERM is that it establishes “a philosophy regarding risk and a risk culture, including aligning risk appetite and strategy, allowing for risk optimization within defined risk tolerance levels.”
  • A comprehensive Enterprise Risk Management (ERM) approach can address myriad types of risk, both financial and non-financial: market risk, credit risk, asset and liability risk, liquidity risk, cybersecurity risk, conduct risk, third-party risk, reputational risk, operational risk, geopolitical risk, and more.
  • Eighty-three percent of respondents surveyed by Deloitte in 2019 said their institutions have an ERM program in place, up from 73 percent in the previous survey, with an additional 9 percent saying they were in the process of implementing one.
  • The issues cited most often as being an extremely high priority or very high priority were enhancing the quality, availability, and timeliness of risk data (79 percent) and enhancing risk information systems and technology infrastructure (68 percent).
  • Advanced digital technologies like Robotic Process Automation (RPA), machine learning, Business Process Modeling (BPM), cognitive analytics, cloud computing, and natural language processing can increase both the efficiency and effectiveness of risk management.

What can you do?

  • Consider comprehensively training one or more employees at your institution as a specialist in Enterprise Risk Management.
    • NAFCU Certified Risk Manager (NCRM) Program
    • CUNA Enterprise Risk Management Solutions specifically designed for credit unions
  • Use a systemic approach to implement capital and liquidity stress tests to continually monitor and assess risk levels in your credit union, including the involvement of your board of directors.
  • Make researching and implementing advanced fintech solutions that analyze and address risk one of your institution’s highest priorities.
  • Attend industry events and conferences centered around risk management and the latest best practices.

Henry Robaszewski

Director of Risk Management/Finance, BCU, Vernon Hills, IL:

“We’ve taken more steps, through both technology and data, in terms of analytical techniques. We’ve started an economic value-added process as well as risk-adjusted return on capital. We’re trying to incorporate more of the potential risks that are out there all together in a holistic approach, and then build that into the pricing so we can adjust our pricing to accurately account for the risks.”

From Article 3: The Art, Science, and Mystery of Monitoring a World Full of Risk (Continued)


  • The Association of Certified Fraud Examiners (ACFE) found that financial institutions had the highest rate of internal fraud among the industries they analyzed — 17.8 percent, with the median reported dollar cost of $200,000.
  • Internal control weaknesses are responsible for nearly half of frauds.
  • In 2015, employee fraud was a key contributor to 69 percent of credit union failures.

What can you do?

  • The #1 thing you can do in this area is to ensure your employees are well-trained.
    • Provide training and resources such as NCUA’s Fraud Overview video series and other learning opportunities:
    • NCUA Credit Union Resources & Expansion: Learning
    • NAFCU: Lowering the High Cost of Internal Fraud
    • Be sure all employees are aware of the Suspicious Activity reporting requirements in the Bank Secrecy Act.
    • Make all employees aware of NCUA’s fraud hotline available for reporting fraudulent or illegal activity; post this resource visibly, in multiple areas, to remind them that they can report any suspicious activity they observe confidentially and anonymously.
  • Follow a rigorous data protection protocol as mentioned earlier in this article.
  • Be vigilant about keeping a robust prevention program in place with strong internal controls, using best practices approved by regulators.
    • NCUA: Regulation and Supervision Manuals and Guides
  • Ensure your institution has regular, comprehensive auditing processes in place, and keep up with compliance.
    • NAFCU: Compliance Guides & Manuals

Deborah McRae

VP Risk Management, Five Star CU, Dothan, GA:

“We are trying to develop an enterprise risk management approach to how we deal with risk. Internal to the credit union, we have to monitor our operations for any signs of internal fraud, and we also have to make sure we’re training our staff to watch for red flags that indicate any attempted member fraud.”

This article is the fourth in a special four-part series focused on various aspects of risk mitigation. If you missed any of the first three articles (“The Balancing Act of Risk Mitigation — With an Eye on Today’s Economy,” “The Many Faces of Risk,” and “The Art, Science, and Mystery of Monitoring a World Full of Risks”) and would like to receive them, contact info@StateNational.com.

Trace Ledbetter


Trace Ledbetter is Executive Vice President at State National Companies, where he directs and oversees delivery of all services and products for Lender Services, including customer relationship management, underwriting, and claims. Web: https://www.statenational.com