Regulation has a long reach. Technology solutions must also reach so far.
While compliance may be a strategic function rooted in risk management, complying with regulations often comes down to details that vary with each rule. So technological solutions often focus and specialize.
Overall Disaster Recovery Compliance Tool
The complex business continuity compliance area may require credit unions to implement a specialty tool.
That’s the niche of Infinite Blue, a CUES Supplier member based in Audubon, Pennsylvania, which specializes in “enterprise resilience,” including business continuity and disaster recovery.
“CUs have to adhere to regulations,” notes Michael Jennings, director of advisory services. “They have to follow a methodology, do risk and business impact analysis, [and] have a detailed plan for what they would do during a disaster and how they’d recover from it. They’d have to test those plans and shore up the weak spots. They’d have to be able to demonstrate that they’ve done this for the examiners. That’s what we help them do.”
Traditional disasters were fires and floods, but now disasters are more likely to be security breaches.
“We’ve evolved digitally,” Jennings notes. “That’s great for convenience, but it creates new vulnerabilities that have to be anticipated and planned for. Cybersecurity is now a big part of regulatory compliance.”
He uses a hypothetical example of two CUs that are preparing to merge. An in-depth investigation shows that member data from one of them is for sale on the dark web. That’s a problem to resolve before systems are merged, he points out.
As data get ever more portable and consumer applications get ever more convenient, IT infrastructures change, Jennings reports. Often. And significantly. Recovery plans have to change in step with the infrastructure.
A ransomware attack is now a disaster that CUs have to be prepared for and able to recover from, from detection through clean-up, Jennings adds. Ransomware drills are now part of a good compliance program.
Flood Insurance Compliance
Sometimes compliance related to disasters gets even more granular. And again, technology must meet credit unions where their needs are.
Take, for example, flood insurance regulations. When a creditor makes a loan that is secured by real property, explains Henry Umney, governance risk compliance managing director at Mitratech, Austin, Texas, the Flood Insurance Protection Act requires that the creditor determine whether the property is located in a designated flood hazard area. If it is, the borrower must obtain flood insurance before the loan can close.
The regulations are very specific, Umney points out, about the amount of insurance that is required, an amount that can vary depending on the type of collateral—single-family dwelling, commercial property, condominium, cooperative, detached structure, etc.
In addition, he continues, if at any time during the life of the loan the insurance lapses or becomes insufficient, the creditor must “force place” coverage. Again, the rules are specific and complex.
“The regulatory agencies,” he notes, “recently published 144 Q&As to help clarify the regulations.”
Failure to understand the twists and turns can put a CU in violation and trigger monetary penalties as well as lead to having inadequate collateral, Umney warns. An automated compliance management system, he claims, can ensure compliance more efficiently while helping mitigate risk.
The right CMS, Umney explains, can:
- Notify the CU when rules change, ensuring that nothing is missed.
- Provide pre-built automated workflows that include:
- Calculating the amount of insurance needed in all scenarios;
- Documenting and tracking force-placed coverage so that regulatory timing and notification requirements are met, and the credit union’s collateral is protected; and
- Conducting reviews of private flood insurance policies as well as all required forms and notices, which can present their own challenges.
- Assess risk through pre-built key risk indicators and associated pre-built control processes to ensure that the credit union can respond quickly if risk increases.
- Generate automated reports for examiners, documenting the CU’s compliance efforts and results
Richard H. Gamble writes from Grand Junction, Colorado.