Lack of Compliance Focus Puts Your Business Strategy at Risk
If compliance isn’t treated with the care regulators require, the credit union will not achieve its strategic goals.
Credit unions striving to manage their compliance risk are well served to consider its place within the enterprise risk management (ERM) process of the entire organization. Those that treat compliance management as one of their most important obligations strengthen their business strategy; those that don't are putting their business at risk. Line-of-business leaders who understand the role compliance management plays in strategy, and how compliance risk affects it, will be well positioned to help their credit unions grow and prosper.
To better understand the importance of compliance to a credit union, it helps to put the compliance role in context. In developing a business strategy, credit union senior leadership conducts strategic planning to determine the best approach to growing the business. As part of that planning, strategic objectives should take risk management into account, and those decisions cannot be made well without an effective ERM framework. ERM is a process, established by an entity's board of directors, management and other personnel and applied in strategy setting, that identifies potential events that might affect the entity and helps it manage risk within its risk appetite. ERM provides reasonable assurance regarding the achievement of the entity's objectives, including its objective of complying with applicable laws and regulations.
Compliance managers, line-of-business leaders and internal auditors share compliance responsibilities as the three lines of defense. The three lines of defense should understand the critical nature of their work to the credit union’s overall strategy. When compliance is done well, the entire business benefits.
The Struggle to Manage Compliance Responsibilities
A credit union's compliance obligations include not only federal and state laws and regulations but also the expectations of regulators. Those expectations are a particularly critical aspect of the compliance role. Yet the compliance leader (or team) at some credit unions relies on line-of-business leaders not only to ensure the credit union meets its compliance obligations but also to determine which laws and regulations apply. Instead, the compliance leader should take the lead on such decisions, because regulators generally look for one person to be accountable.
Some credit unions lack formal procedures. Those that do should first conduct a compliance risk assessment and then develop formal documentation, rather than relying on training or checklists alone. Once there is an understanding of all functions, products and services, and of the compliance requirements applicable to each, an evaluation should be performed to determine whether processes and controls are in place to ensure that the credit union's transactions and activities consistently comply. Written procedures are critical; for example, the procedure for handling a loan application should cover each possible outcome, whether the application is approved, denied or withdrawn.
Credit unions also might not have identified all the laws and regulations with which they must comply. It is important to determine whether specific laws and regulations apply to the business, and to track prospective regulations that could affect it in the future. For example, some credit unions might not be aware that the General Data Protection Regulation (GDPR), the European Union regulation governing the processing of personal data of individuals in the EU, which also applies to organizations outside the EU that offer services to or monitor those individuals, could reach their credit union, for instance if they serve members posted to the EU by an international employer. If so, the credit union must determine whether personal data is being exchanged with the EU. Even if the GDPR is determined not to apply, the credit union should still list the regulation in its inventory of laws and regulations and mark it "not in scope," so that the decision and its basis are documented.
Mitigating Compliance Risk
There are several steps credit unions can take to minimize their compliance risk. First among them is to develop a compliance management system (CMS). This system includes multiple components: risk assessment, compliance policy, compliance processes and controls (including a review process), written procedures, checklists, a regulatory change management function and a marketing review process. All of these components are designed to ensure compliance with applicable regulations. For example, if the credit union is developing a new marketing campaign involving interest rates, the compliance team should review it before it is offered to members. The CMS should include disclosure review, documentation to evidence compliance, and communication and training for the lines of business. These are critical components of a CMS program, because a weak program could have an impact on a credit union’s entire ERM system.
In addition, the three lines of defense need to take ownership of their respective areas. The first line of defense (the function or department management) must both understand the regulations and do what is required to comply. The second line of defense (the compliance officer or team) must also understand the regulations and the controls needed to comply, and must train personnel and monitor business line activity to support the compliance system. The third line of defense (the independent internal audit function) must audit compliance activities across the organization.
Another important way to mitigate compliance risk is to identify the organization's strategic objectives with a focus on compliance. Once identified, key risk indicators (KRIs) should be formulated specific to the achievement of each strategic objective. For example, one strategic objective could be to comply with all applicable federal and state regulations, an element of the compliance risk assessment. KRIs developed to assess that objective could include the trend in compliance audit findings from quarter to quarter or year to year.
A second strategic objective is to add a new product or service, take on a new field of membership, or open a new branch. To identify KRIs for a new product, all the potential risks should be identified. Does the credit union have the right structure in place to add the product? Adding a lending product if the team doesn’t have the correct in-house operational expertise or an adequate monitoring function is a risk requiring KRIs.
A third strategic objective is to grow mortgages. What are the risks associated with this objective? KRIs might include whether the organization has sufficient systems, personnel and controls in place to manage this objective. Does the credit union have the necessary testing and monitoring in place, and is it adequate?
While such program-level KRIs are necessary, it also is important for credit unions to have KRIs at the transaction level. Examples of transaction-level KRIs are those that deal with compliance with fair lending practices. Transaction-level KRIs might include compliance audit findings that identify needed improvements or rate a process unsatisfactory. KRIs might also track the reasons for fee reversals or for overrides of application decisions, or explore why certain branches are more likely than others to have fee reversals.
Building a Strong CMS Program
A strong CMS that supports a credit union’s ERM process should include several elements:
- Policies, a compliance risk assessment, written procedures, data analysis, a regulatory change management process and marketing review process. For example, implement a review process that prevents disclosures from being created by the line of business without signoff by the compliance leader.
- Compliance monitoring based on the risks identified, with any deferral of a compliance obligation approved by the advisory committee.
- Full accountability and responsibility by the compliance officer for communicating with the regulators. If an accountable group is designated to oversee compliance, an arrangement often called "compliance by committee," only one person on the committee is designated as the contact with regulators.
- Ownership. Each of the three lines of defense takes ownership of its respective areas of responsibility.
- A centralized process for change management. One person (usually the compliance officer or team) takes responsibility for identifying new regulations, determining who needs to be updated and how the news is communicated.
- KRIs based on the credit union’s strategic objectives. The KRIs are monitored monthly and communicated to the board of directors for insight into the compliance process. Risk and growth are considered concurrently.
Simple, but Difficult
As a credit union’s senior leadership reviews and revises strategy, it looks at its enterprise risk. Since compliance risk is a key component of enterprise risk, those charged with compliance responsibilities must recognize the critical importance of their roles. If compliance isn’t treated with the care regulators require, the credit union will not achieve its strategic goals. Leadership’s role in compliance is of critical importance. It’s as simple – and as difficult – as that.
Eileen M. Iles, CPA, CGMA, CIA is Partner at Crowe Horwath LLP. She can be reached at 630-575-4376 or eileen.iles@crowehorwath.com.
Niall Twomey is Principal at Crowe Horwath LLP. He can be reached at 630-574-1806 or niall.twomey@crowehorwath.com.