Compliance Uncertainties Abound for Credit Unions
2019 appears to be heading into another year with little compliance clarity for credit unions.
Many of the same compliance issues that bedeviled credit unions in 2018 appear likely to continue to haunt them in the coming year.
From cybersecurity and data security, to Bank Secrecy Act/Anti-Money Laundering efforts, and controversies over how to handle website compliance with the Americans with Disabilities Act, all remain unresolved.
And chances that they can be quickly resolved may be slim at best.
Take an issue like ADA guidance from the Justice Department. Well, there is no permanent Attorney General in place, so it’s unclear how that issue may be resolved.
“There is a lack of permanent leadership,” Carrie Hunt, EVP of government affairs and general counsel at NAFCU, said. She added that Justice Department staff may be unable to issue the guidance needed to help protect credit unions and others from predatory lawsuits over their websites.
And any changes or details that must be handled by Congress will likely have to wait, as the House and its committees organize themselves after the Democratic takeover.
But there appears to be a consensus that Congress should do something about data breaches and cybersecurity.
Financial institutions have a strict compliance regime for handling such issues as data breaches, but they complain that retailers do not.
“The technological challenges in preventing and mitigating data breaches are formidable, and unfortunately, credit unions still can’t look to the government for much help,” John McKechnie, senior partner at Total Spectrum, said.
“Cybersecurity is the most vexing because there is no ‘right’ way to comply,” Bruce Jolly, an attorney with Reed & Jolly, added. “Compliance is always judged with 20-20 hindsight – after the breach.”
However, the battles that have kept Congress from settling the issue are likely to flare up again. The House Financial Services Committee traditionally has taken the side of financial institutions, which want retailers to be held as accountable as they are for data breaches.
The House Energy and Commerce Committee traditionally has taken the side of the retailers.
“Congress has continued to show no real fortitude in standing up to a retailer lobby that is all too happy to let financial institutions pay the freight for breaches, regardless of who is responsible,” McKechnie said. “[The] NCUA and state regulators are right to try to raise the bar on compliance during the exam process, but frankly that doesn’t help much when a credit union has to respond to the next, unseen cyberthreat.”
In addition, states are enacting their own cybersecurity statutes, attorney Kathy Winger said.
“Credit unions are not immune from regulation in this area and may be directly or indirectly affected by these new cybersecurity laws and/or regulations,” she said. “Thus, they will need to increase their focus on cybersecurity to insure that their practices and procedures pass muster.”
This year, the NCUA began using the Automated Cybersecurity Examination Tool for cybersecurity examinations of credit unions with more than $1 billion in assets.
That is likely to provide the agency with a baseline for the minimum expectation it will have for effective compliance, so credit unions should prepare for increased scrutiny, according to Jared Ihrig, CUNA’s chief compliance officer.
BSA/AML enforcement continues to be an issue for credit unions, which have said the compliance costs are too great.
Credit unions are reporting they are being cited for “very small violations,” Hunt said.
“The Bank Secrecy Act is long overdue for reform, particularly when it comes to a misplaced expectation by the federal government to have financial institutions act as cops,” McKechnie said. “That needs fixing.”
Compliance with the BSA and ensuring that financial institutions do not violate foreign economic sanctions laws continue to weigh heavily on credit unions, Jolly said, agreeing with the others.
“Both cost real money – operations – but don’t improve the bottom line,” he added.
Senate Banking Chairman Mike Crapo (R-Id.) recently said the BSA/AML laws need updating, but Treasury Department officials contended the laws work well.
The NCUA and other financial regulators recently announced they will allow financial institutions to test innovative ways to comply with the financial crimes laws without the risk of being punished for violations.
Credit union attorneys cited several other compliance hot spots for credit unions in the coming year.
“We are seeing a growing focus on mortgage compliance with an increased number of fair lending exams,” former NCUA Chairman Dennis Dollar said.
He noted even though credit unions have a long record of approving mortgages to diverse groups of people, there is an enormous compliance cost to demonstrate a history of non-discriminatory lending.
He added structuring a response to a fair-lending exam can be a daunting task.
“As the number of fair lending exams by [the] NCUA and the state regulators increase each year, this is growing into a major compliance issue that – although it can be dealt with – carries a lot of headaches with it,” he said.
Any fair-lending exam is going to be affected by a credit union’s field of membership, Dollar said.
“If we are going to expect credit unions to serve more persons from all walks of life, it is essential that their FOM allow them to serve more of them,” he added.
Ihrig said credit unions continue to struggle with Home Mortgage Disclosure Act requirements since the rule is so complex and requires a myriad of system changes for credit unions.
And in states where cannabis is legal, regulatory issues will continue to confound financial institutions, Winger said.
“Cannabis-related businesses desperately need banking services and credit unions are uniquely well-positioned to provide those services,” she said.
But since cannabis continues to be illegal under federal law, any credit union efforts to provide services to cannabis-related business will create compliance headaches, she said.
Another headache for credit union compliance officers is the Military Lending Act, according to trade group officials.
“There are a lot of questions about the military lending act,” Hunt said.
Ihrig said credit unions are anxiously awaiting changes to MLA that the Defense Department is expected to make.
Credit unions can expect the de-regulation priorities of Congress to change next year, since Democrats are taking over the House.
“The reg relief climate on Capitol Hill that credit unions enjoyed over the last two years is bound to change, given the Democratic takeover of the House,” McKechnie said. “Credit unions are already rightly voicing concern over some of the ‘re-regulatory’ rhetoric coming from some in Congress.”
Former NCUA Chairman Michael Fryzel agreed. “While [there] will probably be no reversal of what has been done since the Republicans will still control the Senate, additional relief will not be forthcoming,” he said.