On Compliance: Fewer Changes, More Enforcement Possible in 2019

By John Zasada

Pay particular attention to these six areas this year.

2019 will be an interesting year for regulatory compliance. Unlike the past couple of years, we are not facing major regulatory changes. At the same time, we could perhaps see a slight shift in Washington toward more regulatory enforcement, although that is far from certain. In addition, there are indications credit union examiners may focus more on regulatory compliance during exams this year. All told, I think it is important in 2019 to pay particular attention to the areas below.

1. BSA

I know this may seem redundant, but trust me, the Bank Secrecy Act still matters, maybe more so than ever. Examiners are looking deeper into it; expectations are increasing; and violations are being found. In fact, when the National Credit Union Administration laid out its supervisory priorities for 2019, the very first one it listed was BSA. NCUA specifically mentioned customer (member) due diligence and beneficial ownership rules as areas on which examiners will perform more in-depth reviews. Our compliance consultants are finding an increasing number of violations in both of those areas.

2. Website Compliance

The quality of website compliance is generally a great indicator of the quality of the overall compliance program. Website compliance is relatively easy. If a CU can’t get website compliance right, what does that say about its overall regulatory compliance program? Your compliance staff should either periodically test the website for compliance or have a third party perform the testing. Remember to focus on the most common website compliance violations--Regulation Z and Truth in Savings trigger terms and corresponding disclosures.

3. Regulation E Error Resolution Practices and Procedures

With increasing frequency, we see violations of Regulation E error resolution requirements. This is not all that surprising given that more and more transactions are occurring electronically, and the rules governing error resolution are quite complicated. A credit union must jump through several important hoops in processing error assertions by members. We find that the more detailed a credit union’s procedures for handling errors, the better the chance it has of complying with the requirements. Clearly define and train staff on what constitutes an error, how to conduct investigations and steps to be taken after the investigation is complete. Sometimes the violations we see are simple, such as when a member notifies the credit union that an electronic funds transfer is incorrect or unauthorized, and the CU does not promptly begin an error resolution investigation.

4. Privacy Disclosure

Credit unions no longer have to provide an annual privacy notice to members if they only provide non-public personal information in accordance with certain exceptions in the rule and they have not changed policies and practices since the last notice was sent out. Importantly, this does not mean your work in complying with the privacy requirements has ended. It is still imperative that you track your information-sharing practices to ensure that you are operating within the parameters set by your privacy notice and policy. Now is not the time to stop periodically monitoring and testing for privacy compliance; instead, make it part of your regular compliance testing schedule.


There is no area where we find more compliance violations than in real estate loan files. The integration of Truth in Lending and the Real Estate Settlement Protection Act has been in place for a few years now, but violations are still occurring all too frequently. The requirements are complicated, granted, but too often we see credit union real estate loan files with a high percentage of compliance violations. There are still timing issues with the Loan Estimate and Closing Disclosure, and the names for fees on the Loan Estimate and Closing Disclosure are not always consistent. Given all of the potential pitfalls, your compliance management program should include periodic testing of real estate loan files.


Unfair, Deceptive or Abusive Acts or Practices, if it is not already, should be a top priority for every credit union regulatory compliance program. UDAAP touches all products, services and departments. Be particularly aware of fees having slightly different names. Perhaps your initial disclosure calls a courtesy pay fee by one name, your periodic statement uses another, and your website uses a third. These types of inconsistencies are not looked at favorably by examiners or third-party plaintiff attorneys, especially when they occur in a hot-button area like courtesy pay programs. A compliance department and/or internal audit should be tasked with performing UDAAP reviews, and staff should be trained on UDAAP risks and how to spot and report them.

John Zasada is principal with CliftonLarsonAllen, Minneapolis.