With Glut of Rules, Some Regs Getting Lost in Shuffle


The pace of new regulations appears to be slowing slightly in 2016, but that does not mean the regulatory burden on credit unions is lessening.

That was the message from four compliance experts, who noted that CUs have faced a breathtaking number of regulations promulgated by many sources in the past eight years.

Gaye DeCesare, president and CEO of COMPASS 4 CUs, LLC, Woodbridge, Va., said regulators are calling attention to rules that have been in effect for a while.

"If a credit union has just one compliance officer, that person is probably overwhelmed," she said. "Fair Lending Reg B has not changed since the 1970s, but there are still violations — in part because compliance people have been putting out so many fires in recent years."

Jim Hanisch, EVP, network operations and corporate development for CO-OP Financial Services, Rancho Cucamonga, Calif., was quick to point out that "fewer" new regulations is not the same as "no" new regulations. Hanisch noted the Consumer Financial Protection Bureau has been investigating the possibility of generating overdraft rules for many months now, and also is taking a closer look at prepaid plastic cards.

"These are issues credit unions need to be mindful of," he advised. "There is a massive set of rules, up to 800 pages, relating to prepaid cards that is imminent. Any credit union that issues prepaid cards needs to be aware of this. The regulations are not aimed at credit unions — they are focused on issuers of prepaid cards, including non-financial institution players — but it still applies to all who are involved."

Hanisch said the potential for a new set of overdraft rules is frightening simply because the CFPB has not been clear on the subject.

"We like to see regulation that is practical and can be implemented with reasonable cost. At one point there was a conversation that if a consumer was about to make a purchase that was about to cause an overdraft and trigger a fee, that should require notice and acceptance. But from a card-processing perspective, that is a very expensive proposition."

Vendor Due Diligence
One hot-button issue with the National Credit Union Administration is vendor due diligence, according to Hanisch, who noted that CO-OP serves 3,500 credit unions and is credit union-owned, but is still subject to the same vendor due diligence rules.

When an examiner comes to a credit union to perform an examination, and he/she notices CO-OP is a "significant" vendor and asks for information, the CU has on hand financial reports, audits and other information to fulfill the request, he explained.

CUs need to have "high expectations" from all vendors, Hanisch declared. When it comes to data processors, all should be PCI Certified and able to demonstrate how they deal with data breaches.

"Having sound fundamentals in place helps examiners not have concerns about the credit union doing business with the vendor," he said.

Oft-Overlooked Regs
DeCesare said two examples of regulations that frequently get overlooked are UDAAP, or Unfair Deceptive and Abusive Acts and Practices, and the new Military Lending Act.

UDAAP existed for years as Unfair and Deceptive Acts and Practices, she noted, until the Dodd-Frank Act added the word "abusive" to make it UDAAP. However, the CFPB has not issued any regulations to define or clarify what is an act or practice that violates the law.

"There are some general descriptions, but no examples have been provided," DeCesare pointed out. "The CFPB has kept it overbroad and vague, which makes it a challenge to comply with UDAAP."

There is the possibility of consumer complaints relating to UDAAP, according to DeCesare, but it is difficult to determine if acts or practices are acceptable. "Usually we tell clients to have compliance policies in place, but in this case we do not know what is enough."

The new Military Lending Act can ensnare unwary CUs that are not used to serving military members, DeCesare warned. She said a CU might have one military member, and if that person asks for a loan there are additional protections that non-defense credit unions often overlook.

Mortgage Rules Aplenty
DeCesare said that so many new mortgage rules have been issued in recent years, some CUs are having trouble reaching full compliance. Even though TILA/RESPA Integrated Disclosures, less affectionately known by mortgage providers as TRID, were instituted with great fanfare on Oct. 3, 2015, some CUs still are using the old forms in early 2016.

The new disclosures were mandated by the CFPB to "streamline" the home loan experience for consumers, but early returns show they have resulted in a great deal of extra effort by credit unions and their vendor partners.

"There have not really been horror stories with TRID, but there are a lot of questions regarding calculations and how the new forms work," DeCesare said. "Many smaller credit unions that do not do a lot of mortgages are still catching up."

After TRID, the next biggest mortgage regulatory issue is HMDA. CFPB finalized the Home Mortgage Disclosure Act in October 2015, saying lenders do not have to begin gathering the additional data until January 2018, but DeCesare said credit unions should not delay in getting started.

"HMDA will require significant data changes that need to be addressed now," she counseled.

NCUA has instituted a continued focus on cybersecurity, DeCesare noted. The federal credit union regulator, along with other financial services regulators, last year issued a toolkit — really a checklist with guidelines for IT personnel — that they expect FIs to start using by June of this year, to be asked about during examinations in the second half of 2016.

And as if there was not enough on the plate of credit union compliance folks, DeCesare said they cannot forget to keep an eye on the Bank Secrecy Act.

"BSA never goes away, the focus just changes," she quipped.

This year, NCUA is looking at credit unions' relationships with money services businesses during exams. DeCesare noted NCUA has not stated CUs cannot serve MSBs, but "they have to do it right and identify risk."

"This includes businesses that transmit or convert money, including check cashers, that might be at risk for money laundering," said DeCesare. "There was no amendment to the BSA to cover money services businesses; it is a refocusing on the part of the regulators."

Hanisch of CO-OP said people at the CUSO feel they have a responsibility to help with compliance and, where possible, advise and shape regulations.

"We do that through our associations," he said. "The regulatory burden on credit unions continues to grow. It is a challenge. CO-OP tries to make sure its products are in compliance and we work with our credit union clients to help them with the compliance process."

CUs Need Break After Punishing Q4
Community financial institutions collectively spent $300 million on compliance in the fourth quarter of 2015, according to New Haven, Conn.-based financial institution compliance advisory firm Continuity.

The company compiles a Banking Compliance Index, or BCI, each quarter. BCI measures the incremental burden on FIs to keep track of regulations, in both time and money. In Q4 2015 the BCI score was 2.23, which translates to the number of full-time employees needed to deal with the regulatory burden.

Pam Perdue, EVP of regulatory insight for Continuity, said the fourth quarter typically sees the most activity in a given year, but Q4 2015 was especially busy with 125 regulatory pronouncements affecting banks and CUs — with 4,309 pages of rules to review, consuming 968 person hours and an estimated cost of $52,317 for an average-sized institution.

"The fun just keeps on coming," Perdue said with no small amount of irony. "I do not know how compliance professionals are doing it."

As for the spurt of regulations in Q4, Perdue observed, "Washington likes to finish strong. There is a typical bell curve with pages of regulatory changes peaking in Q4, then declining in Q1. Keep that in mind for staffing purposes."

BSA violations continued to be the most frequent enforcement action in Q4. Perdue said the number of regulatory actions each quarter has been at or below 75 in recent years, but in Q4 2015 that figure shot up to 125.

Donna Cameron, Continuity's director of regulatory I/O, said the biggest "monster" of the fourth quarter was the CFPB's amendments of HMDA, or Reg C. She said the CFPB changed and modified data collection requirements, and changed the way FIs report data.

"There were some very significant changes," she assessed. "There will be a lot more work for everybody."

One positive development during the fourth quarter, Cameron noted, was a privacy notice amendment that was inside a major transportation spending bill. Congress gave FIs what they had been asking for for years — they no longer have to distribute a privacy notice annually if no provisions have been changed and consumers do not have to opt out.

In the months leading up to TRID becoming effective, the industry clamored for a "hold-harmless" period if an institution could demonstrate it tried its best to comply. While not official, CFPB indicated it will not levy serious sanctions right away.

"We will see how it goes," Cameron said dryly.
