Credit Unions: Lack of Focus on Compliance Puts Your Business Strategy at Risk

By Eileen M. Iles, CPA, CGMA, CIA, and Niall Twomey
Credit unions striving to manage their compliance risk are well-served to consider its importance within the overall enterprise risk management (ERM) process of their entire organization. Those that view compliance management as one of their most important obligations can positively affect their business strategy, and those that don't may be putting their business at risk. Line-of-business leaders who understand the role that compliance management plays in strategy and the impact of compliance risk will be well-positioned to help their credit unions grow and prosper.

To better understand the importance of compliance to a credit union, it helps to put the compliance role in context. In the development of a business strategy, credit union senior leadership conducts strategic planning to determine the best approach to grow the business. As part of that planning, strategic objectives should take risk management into account, and these decisions should not be made without an effective ERM framework. ERM is a process effected by an entity's board of directors, management, and other personnel, applied in strategy setting across the enterprise, that identifies potential events that might affect the entity and manages risk to stay within the entity's risk appetite. ERM provides reasonable assurance regarding the achievement of the entity's objectives,1 and an organization's compliance risk is one of the risks it must address.

Compliance managers, line-of-business leaders, and internal auditors share compliance responsibilities as the three lines of defense. The three lines of defense should understand the critical nature of their work to the credit union’s overall strategy. When compliance is done well, the entire business benefits.

The struggle to manage compliance responsibilities

A credit union’s compliance obligations include not only federal and state laws and regulations but also the expectations of regulators. Those expectations are a particularly critical aspect of the compliance role, yet the compliance leader (or team) at some credit unions relies on line-of-business leaders not only to ensure the credit union is meeting its compliance obligations, but also to determine which laws and regulations are applicable. Instead, the compliance leader should take the lead on these types of decisions, as regulators generally look for one person to be accountable.

Credit unions that lack formal procedures should first conduct a risk assessment and then develop formal documentation, rather than relying on training or checklists alone. Once there is an understanding of all functions, products, and services, and of the compliance requirements that apply to each, a credit union should evaluate whether processes and controls are in place to confirm that the various transactions and activities consistently comply. Written procedures are critical and should cover each outcome of a process; for a loan application decision, for example, the procedure should spell out how an approved, a denied, and a withdrawn application is each handled and documented.

Credit unions should identify all applicable laws and regulations with which they must comply, as well as prospective regulations that could affect them in the future. For example, the General Data Protection Regulation (GDPR), which requires organizations to protect the personal data and privacy of individuals in the European Union (EU), could apply to a credit union if its field of membership includes employees of international companies. If so, the credit union must determine whether member data is being collected from or exchanged with the EU. Even if the GDPR is determined not to apply to its business, the credit union should still document the regulation in its inventory and list it as "not in scope," so that the decision and its rationale are on record for regulators.

Mitigating compliance risk

There are several steps credit unions can take to minimize their compliance risk. First among them is to develop a compliance management system (CMS). This system includes multiple components: risk assessment, compliance policy, compliance processes and controls (including a review process), written procedures, checklists, a regulatory change management function, and a marketing review process. All of these components are designed to ensure compliance with applicable regulations. For example, if the credit union is developing a new marketing campaign involving interest rates, the compliance team should review it before it is offered to members. The CMS should include disclosure review, documentation of compliance and communication, and training for the lines of business. These are critical components of a CMS program, because a weak program could have an impact on a credit union’s entire ERM system.

In addition, the three lines of defense should take ownership of their respective areas. The first line of defense (the function or department management) must both understand the regulations and do what is required to comply. The second line of defense (the compliance officer or team) must also understand the regulations and the controls needed to comply, as well as train personnel and monitor business-line activity to support the compliance system. The third line of defense (the independent internal audit function) must audit the compliance program as a whole.

Another important way to mitigate compliance risk is to identify the organization’s strategic objectives while focusing on compliance. Once identified, key risk indicators (KRIs) should be formulated specific to the achievement of strategic objectives. For example, one strategic objective could be to comply with all applicable federal and state regulations, which may be an element of the compliance risk assessment. KRIs developed to assess this compliance could include audit findings from quarter to quarter or year to year. 

A second strategic objective could be to add a new product or service, take on a new field of membership, or open a new branch. To identify KRIs for a new product, all the potential risks should be identified. Does the credit union have the right structure in place to add the product? Adding a lending product if the team doesn’t have the correct in-house operational expertise or an adequate monitoring function is a risk requiring KRIs.

A third strategic objective could be to grow mortgages. What are the risks associated with this objective? Does the credit union have the necessary testing and monitoring in place, and is it adequate? KRIs might include whether the organization has sufficient systems, personnel, and controls in place to manage this objective.

While such program-level KRIs are necessary, it also is important for credit unions to have KRIs at the transaction level. One type of transaction-level KRI might address fair lending practices. Transaction-level KRIs might include compliance audit findings that are unsatisfactory or show needed improvements. KRIs might address reasons for fee reversals or overrides of applications, or they might explore why certain branches are more likely to have fee reversals.

Building a strong CMS

A strong CMS that supports a credit union’s ERM process should include several elements:

  • Policies, a compliance risk assessment, written procedures, data analysis, a regulatory change management process, and a marketing review process. One example is a review process that prevents disclosures from being created by the line of business without signoff by the compliance leader.

  • Compliance monitoring based on the risks identified. Deferred compliance obligations are approved by the advisory committee.

  • Full accountability and responsibility by the compliance officer designated to talk to the regulators. If there is an accountable group designated to oversee compliance, which often is called “compliance by committee,” only one person on the committee is designated to be the contact with regulators. 

  • Ownership. Each of the three lines of defense takes ownership of its respective areas of responsibility.

  • A centralized process for change management. One person or group (usually the compliance officer or team) takes responsibility for identifying new regulations, determining who needs to be updated, and communicating the news.

  • KRIs based on the credit union’s strategic objectives. The KRIs are monitored monthly and communicated to the board of directors for insight into the compliance process. Risk and growth are considered concurrently.

Simple, but difficult

As a credit union’s senior leadership reviews and revises strategy, it should look at its enterprise risk. Since compliance risk is a key component of enterprise risk, those charged with compliance responsibilities must recognize the critical importance of their roles. If compliance isn’t treated with the care regulators require, the credit union may not achieve its strategic goals. Leadership’s role in compliance is of critical importance. It’s as simple – and as difficult – as that. 



1 For more information about enterprise risk management, see


Originally published in Credit Union Times,




Niall Twomey
Principal, Financial Services Consulting