Compliance School Recap by Amy Kleinschmit, Chief Compliance Officer
This week I had the opportunity to “geek” out with a room full of compliance experts from credit unions all over the country at CUNA’s Regulatory Compliance Certification school. While three and a half days at a school, being out of the office, does get a little long – the opportunity to meet other compliance professionals (in person!), ask questions, compare notes, and hear the discussion among credit unions – what they are doing operationally - you know, all those additional compliance details that aren’t spelled out in rule/regulation, was well worth the time away.
I would encourage other compliance professionals to take advantage of these types of learning opportunities – because it is much more than just learning about a rule or regulation.
A few highlights from earlier this week…
CUNA’s Colleen Kelly provided a three-year look back on all the regulatory changes and guidance that had been issued. There were a few, as so many things have happened over the last three years – which included the chaos of COVID (EIP, PPP, etc). Whenever there is regulatory change, it is always important to make sure policy and procedures, training materials, and processes are updated to be compliant with the changes.
But as important as reviewing the past, the conversation also looked to what might be coming in the future for regulatory changes and priorities. Among the things credit unions will be seeing in the future is rulemaking following the Anti-Money Laundering Act & Corporate Transparency Act. Watch for opportunities to submit comment letters as proposed rules from FinCEN are issued. Cybersecurity will continue to be a priority.
There was a lot of conversation surrounding fair lending, starting with the impact AI may have. Some related discussion included the point that credit unions need to ensure that, if approval rates are increasing, approval rates of protected classes are also increasing at the same rate as approval rates for nonprotected classes. Also, documentation, among several other things, is essential to a compliant AI lending program – credit unions need to be able to track every step in the modeling process and incorporate changes instantly.
Discussion continued on fair lending to focus on what needs to be part of a fair lending program, including managing risks with third parties, due diligence in mergers, managing systems used to ensure updates are made when needed, monitoring member complaints – just to name a few components. It was recommended to do internal fair lending risk assessments – which should be done on an ongoing periodic basis. We also looked at HMDA data from various financial institutions (all publicly available info) to identify any fair lending red flags. The group discussion during this exercise was very insightful regarding identifying trends and red flags.
The conversation continued on the topic with UDAAP and discrimination. The main focus of this discussion was the recent updates CFPB made to the examination manual, which provided that discrimination may meet the criteria for unfairness under UDAAP. This in turn means that UDAAP unfairness may encompass acts that are not covered by fair lending laws, such as the Equal Credit Opportunity Act.
Shifting gears – we also tackled business lending compliance issues, which included discussion on the importance of appraisals, and more importantly the review process – with emphasis given that the person doing the appraisal review must be knowledgeable on appraisals. Discussion regarding the Board of Directors and Management’s responsibility under NCUA 723 was explored, including a point that it may be a very good idea for the Board of Directors to have some high-level commercial lending training. Reminders were also given on Reg B requirements for business loans (including adverse action notices when required).
Operational risk assessments were tackled – including identifying the “what, who, how, when and why” of the process. NCUA directs that management must assess all risks in the credit union. Effective risk assessment helps determine the risks, needed controls, and management of those controls. Uncontrolled risk-taking can prevent the credit union from reaching its objectives and can jeopardize its operations. A point made was that in developing risk assessments, avoid the silo effect. Involve multiple staff/departments in the process – input/feedback from all relevant players is more beneficial. Perspective matters – it is good to see things differently. Another important point – don’t overcomplicate the process. Also, document, document, document. A recommendation was that if the credit union hasn’t made significant updates to its risk assessment in the last 26 months (after everything that has been going on), it needs to get that done because there have been a lot of changes.
Cannabis banking was included in the line-up of topics, which started with a review of the FinCEN expectations. Knowing the people involved with the account requires time and lots of due diligence. You should be looking at state licensing compliance, but not just compliance with this state. If the owners of the cannabis business also have other businesses in other states – are those businesses also in compliance with those licensing requirements? Is there any adverse information relating to the business owner? Understanding the business is huge – not just expected activity, what is the actual activity, and the live data? Seed to sale tracking systems are important to monitor for “side sales.” This is an ongoing process to review statements, renewal license applications, sales/deposits, etc. Credit unions should be considering the institutional impacts – such as cash handling, which branches will the cannabis member be allowed to deposit cash at, extra security needs, cash pick up, etc. Also, consider the impact on liquidity, impact on insurance, and impact on shared branching relationships, just to name a few.
Fraud was a hot discussion topic, especially as it relates to payment apps. Credit unions should ensure that there are good controls, including IT-related controls. Deviations from policies/procedures can create opportunities for scammers to take advantage of the situation – be careful when making exceptions for that “emergency” transaction the member is trying to push through. Credit union attendees then shared what they had been seeing in their credit unions regarding the various scams their members had fallen victim to. Training is key, not just for staff, but also members. Some credit unions shared how they push out information on the trending scams so members are better educated and can protect themselves from falling victim.
Attendees gained valuable insights on litigation concerns, including proactive steps the credit union should consider. Finally, discussion turned to the latest lawsuits that credit unions are seeing. Another important topic covered related to information requests – including safeguarding member information and then the proper steps to take when receiving information requests from the government, both state and federal, or in situations of private litigation.
If given the chance, I would highly recommend taking advantage of these types of learning opportunities. One of the most valuable takeaways is the networking and learning from other credit union professionals. Those things can’t be learned from just reading a reg!
As always, DakCU members may contact Amy Kleinschmit with any compliance related questions.