Oversight changes considerably for credit unions once they surpass $10M in assets. NCUA exams are much more comprehensive above that threshold and, of course, the Consumer Financial Protection Bureau (CFPB) exams begin, too. Management at growing credit unions absolutely should know that that higher level of multi-agency oversight is coming, but they may not know just how long it takes to prepare for that level of oversight, argues Bridgeforce Director Bo Backerman.
Credit unions around or above $6M in assets with expectations for growth will have to create a Compliance Management System (CMS) designed to meet those new expectations well in advance of hitting that $10M threshold, and that can take two to three years, Backerman says. In this article, find out what credit unions need to do to prepare for this considerable compliance management shift.
This article was originally posted on the Bridgeforce blog and is republished here with permission.
Credit unions with $6B and more in assets must invest time, effort and planning to become CFPB ready. Find out about what’s expected and actions to take to prepare for CFPB regulatory oversight.
Agencies That Oversee Credit Unions and What They Examine
The Consumer Financial Protection Bureau (CFPB) and NCUA ONES provide supervision for credit unions with assets over $10 billion. Preparing for a new supervision regime is essential.
The NCUA ONES are more thorough and comprehensive than the NCUA examination teams for credit unions under $10 billion. However, the NCUA is well on its way to increasing the threshold for NCUA ONES supervision to $15 billion in assets.
Some potential good news from the CFPB came this spring during the House Committee on Financial Services, when CFPB Director Rohit Chopra said, “The CFPB is shifting enforcement resources away from investigating small firms and instead focusing on repeat offenders and large players engaged in large-scale harm.”
For initial CFPB examinations, the starting point is almost always a Compliance Management Review. This is an examination of the Compliance Management Environment that the CFPB calls the Compliance Management System.
Based on Bridgeforce’s credit union client experience, deposits are trending to be the default go-to initial business examination area. Because the CFPB’s focus is on the potential for customer harm, portfolio composition is also a driver for examinations.
The above notwithstanding, designing, developing, and implementing change for CFPB readiness requires significant planning, sequencing, time, effort and commitment.
What Being “CFPB Ready” Means
For credit unions at or approaching an asset level of $6B and more and who have expectations of additional growth, CFPB supervision and readiness are top-of-mind for boards, supervisory committees and executive management.
Expectations Across the CFPB’s Four Pillars of a Compliance Management System
The CFPB has defined four pillars of a Compliance Management System. Bridgeforce has mapped 98 requirements and expectations across the four pillars, but critical highlights include:
Board of Directors and Management Oversight
- Clear Compliance Expectations – “tone from the top” and performance management that includes regulatory adherence
- Board and Supervisory Committee regulation-specific training
- Clear Policies – communicated internally and to service providers (for vendor management purposes)
- Appropriate Compliance Staffing/Resources – in the business lines and functional areas, in the Compliance Department, and within Audit (be it in-house or third-party)
Compliance Program
- Policies, Procedures and Processes – typically both Compliance’s own stand-alone procedures and the compliance requirements and controls that are integrated into business and functional area procedures
- Compliance Training – enterprise-wide for broad regulations and focus areas such as Fair Lending, BSA/AML, and Complaints, to name a few, a comprehensive program (with all associated regulatory applicability), and role-specific regulatory training based on relevant regulatory requirements
- Monitoring – comprehensive, but also both periodic and risk-based
- Corrective Action – issues management and associated, appropriate governance/reporting
- A New Information Technology Examination Module (introduced in late 2021) – to assess an institution’s and service provider’s IT controls
Complaint Management
- Comprehensive Definitions, Procedures and Tracking
- Monitoring of complaints by type, volume, and compliance risk levels
- Analysis of complaints to determine trends and root causes
- Resultant change to business practices that is prospective to control for regulatory adherence shortcomings and poor member experiences
Independent Risk-Based Audit
- Comprehensive regulation applicability, policies, and procedures
- Transaction and control auditing and testing
- Corrective action tracking and completion timeliness
- Robust corrective action validation based on risk exposure
It is critical to note that third-party (vendors and service providers) compliance management is part and parcel of each pillar.
CFPB Expectations Change as Your Credit Union Grows Beyond $10B
As credit unions grow above $10B in assets, the CFPB will conduct examinations more frequently and in greater detail, and will become highly focused on pockets of potential risk concern and the thoughtful evolution of the compliance management realm.
Staying ‘Ahead of the Curve’ with the CFPB’s Compliance Environment Expectations
Readying your credit union requires planning, resources (both headcount and appropriate systems), and robust change management. The Compliance Department and other compliance subject matter experts should always have a seat at the table and must sign off on changes to standard run-the-business and new initiatives.
In our experience, it can take two to three years to develop a CFPB-expected baseline Compliance Management System. You need time to design the program and get approval for headcount and systems resources. It takes even more time to develop procedures that are regulator-friendly.
The emphasis on appropriate procedures cannot be made more strongly. Desktop procedures almost always tend to confuse and frustrate examiners. Operating procedures should be plain-English prose that includes specific information. Examiners need details to understand the relevant processes, including associated controls and ties to specific regulation requirements.
Finally, ensure that you have a well-defined road map to share with regulators about where you have been, where you are currently, and where you are heading on a continuous-improvement compliance management journey. Of great importance is that the CFPB and the NCUA ONES are remarkably appreciative of transparency.