On Compliance: When Following the Rules Pays Off

By Ken Lynch


Protecting CUs’ data is a must-do that isn’t going away. Attending to regulations and internal controls can help.

The last thing you want as a credit union leader is for your organization to make headlines for exposing or losing customer data. Should this happen, you not only suffer a blow to your CU’s reputation but also face financial and legal jeopardy arising from non-compliance with the federal regulations designed to protect such data.

Cyber threats like the Equifax breach, which affected over 143 million people, have changed the way security is viewed in organizations. Security professionals concluded that this attack was an effective intelligence operation aimed at spying on U.S. citizens. The breach served as a wake-up call for the financial industry’s risk profile, highlighting the need for financial institutions to shift focus from risk mitigation within the institution to addressing risk profiles from a broader perspective and implementing comprehensive security that reaches beyond the walls of the institution.

Credit unions and other financial institutions can use various levels of technology and compliance measures to counter cyber-attacks, maintain compliance and keep customer data safe. Effective security controls to implement in your CU should focus on data-at-rest defense, application encryption, tokenization, security event and information management systems, and privileged user access management.

The National Credit Union Administration is charged with ensuring that federally-insured credit unions establish secure programs that address the privacy and protection of customer records and information. CU compliance officers are required to take a closer look at the risks posed by third-party relationships and manage the risks incurred while tackling regulatory uncertainties and such complex threats as ransomware, which advances by the day.

  • Maintaining an active and informed supervisory committee;
  • Performing quality interim and annual audits;
  • Ensuring independent member account verification; and
  • Reporting regularly to the board on findings and areas requiring additional control measures.

Your CU must design and implement an information security program to control identified risks commensurate with the sensitivity of the information as provided for by the COBIT framework, discussed later in this article.

The Sarbanes-Oxley Act

Many people believe that the Sarbanes-Oxley Act of 2002 only applies to publicly-traded companies. This is not exactly true. 

Two provisions clearly apply to non-profits. These are Section 802 (document destruction) and Section 1107 (whistle-blower protections). 

SOX indeed guides CUs on document destruction and the associated legal risks, making it necessary to ensure documents cannot be destroyed maliciously or by accident. It also acts as a shield for employees who provide vital information to law enforcement agencies regarding possible crimes in institutions, protecting them against such retaliatory actions as discharge from duty, demotion, suspension, and any form of discrimination.

In addition, SOX Sections 302 and 404 are useful for CUs to consider with regard to data security, data management and financial reporting. Compliance with the act has proven beneficial to institutions. The key benefits of compliance can include:

  • Efficient financial reporting: The main goal of SOX is to provide transparency in financial reporting. Although the process of compliance with the act can be overwhelming at the start, it benefits the CU’s financial reporting system for more than two years by making financial data easier to access and audit. This saves the institution time and resources in correcting mistakes on financial reports. 
  • Strengthening organizational structures: Sections 302 and 404 require the documentation of controls, including operational manuals and policies. Compliance ensures that management teams integrate internal controls with business strategies.
  • Building corporate relationships: SOX compliance requires deeper and more frequent collaboration with various stakeholders in the market. This fosters an integrated framework through which organizations can address potential risks. The C-suite creates an environment in which CUs communicate with each other to identify the changing landscape of risks and threats.

Here are NCUA’s guidelines regarding the act.

COBIT
Control Objectives for Information and Related Technologies is an integrated IT management framework developed by the Information Systems Audit and Control Association in 1992 to help businesses develop, organize and implement strategies for information management and governance. Regular updates to COBIT keep its security checks current for modern enterprises by addressing new market trends, security needs and advancing technologies. The latest version of COBIT can be applied across your CU, making it an umbrella framework that unifies processes throughout the entire organization. The major goals of COBIT include:

  • Providing support for decision-making on new online collaborative features to integrate with your overall business strategy;
  • Ensuring better alignment of organizational goals with global standards, frameworks and best practices regarding security; and
  • Acting as a guided platform for your CU when developing a best-fit governance system. 

Risk Management and Internal Controls

In today’s marketplace, credit unions cannot claim to have enough control to safeguard their data. Internal security breaches occur in organizations through unauthorized access to company information or employees clicking on links sent via email. Risk management and internal controls provide an avenue for CUs to safeguard their premises and assets. The use of advanced technology within institutions has a lasting impact on ensuring the security of data. Data encryption tools prevent hackers from decoding data in the event of a security mishap. A key internal control measure is to educate employees regularly on how to spot fraud. Also, enforcement of routine security policies and procedures ensures that company assets are always safe.

Protecting CUs’ data is a must-do that isn’t going away. Keeping an open dialogue by sharing tips and best practices is the best way to enhance compliance and hedge existing and potential risks.

The founder of Reciprocity Labs, Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their companies to create more socially minded corporate citizens.
