
On Compliance: Do More Than Check the Box

By Michael Berman


Create compliance awareness among staffers and don't forget to consider third-party vendors

Credit Union Management magazine’s Web-only “On Compliance” column runs the fourth Thursday of the month.

Many credit unions view compliance as a necessary evil. They spend money on compliance reluctantly, as a means of passing an exam, and if they are not penalized they assume everything is fine. But when compliance is handled in this fashion, neither a safety and soundness exam nor a compliance exam can provide any assurance that the credit union is operating safely or appropriately.

If a man were going to see his doctor for a heart examination, one might expect him to eat sensibly the day before. It would be quite another thing for him to take a pill right before the exam. Most people who see a doctor want to learn something new, especially if there is a problem; with that information they may change their behavior and live longer. Credit unions should approach their compliance exams with the same mentality: go into the exam to gather information, then use it to make the business safer and more profitable.

A few key questions: Beyond being able to check the box marked “compliant,” do the personnel at your credit union see themselves as responsible for the security of protected information? Does the credit union promote a culture that respects the interests of customers, shareholders, and other constituents? Does the senior management team set a good example in its own activities regarding the importance of privacy and security? Does senior management seek out and identify potential gaps?

If the answer to any of these questions is no, then credit union staff are putting themselves and members at risk. If the only motivation is avoiding a write-up or a fine, the true exposure is not understood: the cost of a data breach includes lost members and their trust, exposure to lawsuits, and direct monetary losses.

One indicator of a check-the-box mentality is the presence of large spreadsheets or review forms completed by line-level managers. Emailing forms filled with complex jargon for your team to complete typically results in staff checking boxes without gaining the broader view of safety the exercise was meant to produce.

Another danger of the check-the-box mentality is the static nature of the lists it relies on, whether they are generated internally, picked up at conferences, or produced by third-party software. The regulatory and competitive environment changes constantly, a fact the check-the-box mentality does not account for. In information technology security, the cyber-attacks in play change so quickly that checklist items become obsolete almost as soon as they are written.

In 2013, many organizations dealt with socially engineered trojans, exploits against unpatched software, phishing attacks, network-traveling worms, and distributed denial-of-service attacks. Planning for such items with checklists becomes an insurmountable task unless the organization establishes governance and risk systems that take a broader view and address systemic issues rather than the latest trend. When all of a CU’s employees understand the compliance issues that affect their jobs, the CU is poised to move from a check-the-box mentality to a process that achieves systemic compliance.

In an industry that has traditionally focused on credit, operational and market risk, most credit unions are not prepared for regulatory demands to consider vendor risk as well. As a result, many leading credit unions have adopted our best-practices approach to vendor management, which includes:

  • writing a vendor management policy;
  • developing an inventory of all third-party service providers, including how they interact with members;
  • risk-rating all service providers, using a system as simple as “critical,” “high,” “medium,” and “low” to allocate time and resources to regularly conduct thorough due diligence;
  • reviewing all existing contracts (most institutions can tell at least one horror story about a contract that rolled over unintentionally, an addendum that extended the term of the original agreement, or a contract signed by an employee without authority to do so; as the industry continues to change, it is important to know what you or your predecessors have agreed to); and
  • revisiting existing internal processes. With increasing regulatory oversight, third-party management should incorporate such functions as procurement, compliance, operational risk and ongoing monitoring.

Bottom line: Create compliance processes that encompass the spirit of the regulations to prevent costly breaches, massive fines, and lost members, not just check a box.

Michael Berman is CEO of Network Contract Solutions, LLC, Nashville.
