Try Out These New Year’s Compliance Resolutions

Kathy Thompson, Credit Union National Association
January 24, 2005

Below you will find 10 New Year resolutions that will help ensure that your credit union has a top-notch compliance program in place. And this is one list where “losing weight” doesn’t appear—unless you decide to add “cleaning out those old files!”

1. Create an identity theft response program at your credit union. The Fair and Accurate Credit Transactions (FACT) Act mandates that the federal agencies require financial institutions to have formal ID theft response programs. There will also be agency “red-flag guidelines” to assist in the development of good programs by showing areas vulnerable to ID theft. Regulations and guidelines have yet to be issued in even proposed form, so actual requirements can’t be effective much before the end of 2005, at best.

But why wait to put an ID theft response program in place at your credit union? You probably know someone who has been a victim of identity theft. (In fact, it happened to me just before Christmas with my primary credit card.) I’m told that the regulators are expected to issue very general requirements for an ID theft program with suggestive guidelines, so any program you develop now should only have to be tweaked later this year to be in compliance. And when a proposal is issued, a credit union with an ID theft response program should, hopefully, participate in the comment process, by describing its program and asking that the program comply with the regulatory requirements. Such practical input is what assures that reasonable regulatory requirements are adopted.

2. Make sure that your credit union institutes all new requirements for handling member complaints about their information on their credit reports. Most of the FACT Act regulatory requirements are yet to be put into place. Credit unions and other furnishers of information to credit bureaus will have to maintain policies and practices to assure the accuracy and integrity of information provided to credit bureaus. Moreover, credit unions will have new responsibilities to investigate directly members’ inquiries and complaints about the accuracy of information given to credit bureaus. Again, why wait to have procedures in place to address these directives?

1. If your credit union is subject to the Home Mortgage Disclosure Act (HMDA), make sure that you’re complying with the new reporting requirements and will meet the March 1, 2005 filing deadline. I’ve been expecting to see a Regulatory Alert about HMDA from NCUA for at least a month, so maybe it’s not coming. NCUA has said publicly that it plans to start fining credit unions on a case-by-case basis for late filing of HMDA data, and that timely filing requires a confirmation from the Federal Reserve that good data has been received by March 1. When I heard there was going to be a Reg Alert, I told NCUA that this information should be in it, since I had seen neither of these points in writing.

New HMDA information required in 2004 includes new racial and ethnic designations (asking about race and national origin in telephone applications was effective January 1, 2003), new loan pricing information regarding rate spread and HOEPA loans, preapprovals on home purchase loans, separate information on purchase of manufactured homes, revised definition of refinancings, and revised definition of home improvement loans, etc. CUNA’s e-Guide has all the details about which credit unions are subject to HMDA reporting (and the reporting threshold has gone up to $34 million in total assets for 2005 reporting, by the way).

The banking industry and the Fed are worried about public relation concerns this summer because new HMDA data may be subject to misinterpretations. The Fed is working on a white paper to be released in late summer, and agency officials are urging financial institutions to have a good grasp of their HMDA data and be ready for inquiries later this year.

1. Make sure that your credit union is complying with all aspects of the Bank Secrecy Act. I don’t think I need to tell you the obvious – BSA compliance is a BIG issue for examiners. NCUA the other federal financial agencies entered into an agreement with the Financial Crimes Enforcement Network last fall that requires it to report to FinCEN quarterly about its BSA examination and enforcement efforts. So make sure that you not only have an on-going training program but also you are documenting who is being trained and on what.

Several specific things to double-check: Make sure the training for suspicious activity reporting happens throughout the credit union and make sure that the “customer identification program” requirements are fulfilled not only by staff opening new accounts but staff dealing with non-member co-applicants on loans. And re-evaluate if the “independent testing” requirement is being met by your credit union’s procedures.

1. Make sure the appropriate people at your credit union understand the disclosure and recrediting rules of the new Check 21 law. Contrary to all the hoopla surrounding the build-up to the October 2004 effective date, there are a finite number of things that credit unions have to do in order to be in compliance with Check 21. One is to be prepared to give the required notice in the occasional situation when a member receives a “substitute check.” The other is to understand the recrediting rights provided under Check 21. See CUNA’s e-Guide for more information about Check 21 compliance.

1. If your credit union is considering offering the new health savings accounts, make sure the all the operational requirements are met. The health savings accounts haven’t taken off, which is expected. It’s going to take a few years, but with the re-election of President Bush, expect the administration to continue to push the accounts as a key way to address the health insurance problem in this country. The 2004 contribution by eligible taxpayers can be made up until April 15, 2005. See January’s Credit Union Magazine (www.creditunionmagazine.com) for an article providing an overview of the HSAs.

1. Provide oversight so that there aren’t illegal conflicts of interest at the credit union, and make suggestions for improved governance practices. Yes, there is an important role to be served by staff charged with compliance to address sensitive issues involving conflicts of interest and good governance. Prohibition on conflicts of interest is a recurring theme throughout NCUA’s regulations. (See CUNA’s e-Guide for a comprehensive listing of all the regulations addressing conflicts of interest.) And NCUA’s Letter to Credit Unions “Guidance on Selected Provisions of the Sarbanes-Oxley Act of 2002 for Federal Credit Unions” (October 2003) can serve as a starting point for a board assessment by evaluating ways to improve auditing practices. Does your credit union have a code of ethics? Why not in this day and age of scrutiny? If not, CUNA’s Code of Ethics would be a good starting point.

1. Make sure that your credit union has a due diligence program in place to properly evaluate and monitor third-party vendors that the credit union relies upon for delivering products and services to your membership. I’ve been surprised since NCUA’s Letter to Credit Unions “Due Diligence Over Third Party Service Providers” (No. 01-CU-20) was issued in November 2001 that examiners haven’t made more of a deal of looking at credit unions’ due diligence efforts. In fact, I think in every compliance presentation I’ve made since the end of 2001, I have cited this letter as being extremely important one.

If you’ve been spared until now, consider regulators very serious about the need to conduct a due diligence review before contracting with a third party. NCUA’s Letter to Credit Unions No. 04-CU-13, “Specialized Lending Activities,” issued in September 2004 on subprime lending controls, indirect lending controls, and outsourced lending relationships, reiterates the steps credit unions are expected to take before contracting, which include: planning, background check, legal review, financial review, evaluation of the return on investment, and assessment of insurance requirements. The second phase after entering into the agreement include such follow-up controls as appropriate policies and procedures, staff oversight, and reporting.

Although last fall’s letter addresses certain lending programs, consider these steps essential for all third-party agreements, regardless of the size of your credit union and whoever else uses or endorses the vendor. As a resource to help you evaluate your program, see Credit Union Magazine’s two-part article on vendor management (September and October, 2003).

1. Make sure that your credit union’s recordkeeping passes muster. Good recordkeeping is obviously a necessity for any well-run credit union. The regulators, however, recently have been expressing increasing concern about the quality of recordkeeping at some credit unions – I assume smaller credit unions, but I haven’t heard size mentioned.

NCUA says that credit unions should expect the agency to move with much more speed in demanding that recordkeeping problems be addressed. So if your credit union knows, or the board suspects, that there is some lax recordkeeping, don’t wait until the examiner shows up – ask for help from your league, another credit union, or from your regulator now.

1. Keep up with legislative and regulatory developments, and this year make it your New Year’s resolution to participate in the process! Be part of the process – don’t assume that some other credit union will “take care of it” or that it’s not your role at the credit union to comment on regulatory proposals and participate in letting your elected representatives know credit union concerns.

You are in the best position to assess the operational challenges and regulatory costs of agency proposals. And the banking industry’s attacks on credit unions are very real! The American Bankers Association has successfully challenged NCUA’s procedures on granting community charters in Utah. This is the year that the banking industry is launching a multi-front attack on credit unions’ tax-exempt status, both in Congress and in a number of states. Check out the information in the “Boxing Gloves” on CUNA’s homepage www.cuna.org and be prepared to answer the call to action. Kathy Thompson is senior vice president for compliance with CUNA. Contact her at cucomply@cuna.com.

Related Links: http://www.cuna.org/compliance/member/eguide/eguideregc.html http://www.creditunionmagazine.com/ http://www.cuna.org/cuna/codeof_ethics.html