Credit Union Compliance Checklist

July 5, 2023

Credit unions are financial institutions at the core, so they are still subject to many of the same financial regulatory obligations that other FIs are. However, being owned and managed by their members means credit unions operate somewhat differently than banks. So some of the regulations that apply to them can vary from those of traditional banks.

This credit union compliance checklist will give a brief overview of what credit unions need to do to comply with relevant regulatory obligations. It will also point out, when appropriate, when these obligations diverge from those of other financial institutions.

Licensing and Supervision

Credit unions can have different licensing requirements than other types of financial institutions depending on where they’re located. In addition to being officially supervised by regulatory bodies, they often partner with mentor individuals or organizations to give themselves a greater chance of success when first starting up.

  • Obtain proper licensing: Like other financial institutions, credit unions need special licensing to operate because of their fundamental socio-economic importance. In some places, this is the same as other FIs. In other places, specific organizations oversee chartering for credit unions. In the US, the main federal regulator is the National Credit Union Administration (NCUA), but there are other state-run regulators as well.

  • Cooperate with a supervisory regulatory agency and (optionally) a mentor: In addition to being supervised by a credit union regulatory agency, credit unions are strongly encouraged to seek mentorship from people or groups with financial experience. Ideally, these are other credit unions, credit union trade associations, or banks. But they can also be other companies, individuals, or government agencies.

Build a Regulatory Framework

Credit unions have a bit more flexibility than other types of financial institutions in creating compliance programs, as they often don’t face as much risk. There are still risks involved in running them, though, so credit unions still need clear plans for how employees must conduct operations in order to minimize these risks.

  • Conduct a risk assessment: Risk assessment for credit unions involves several different facets. One is market analysis: what other institutions are competing with the credit union, how the union will differentiate itself with its services (i.e. why create it in the first place), and what the overall economic situation of the union’s membership is. Another critically important facet is how employees—especially upper management—will be trained to identify and control the credit union’s inherent and operational risks.

  • Establish clear policies and procedures for teams to follow: As part of its application, a credit union must outline written policies related to several facets of its operations. It must also adopt credit union bylaws, though there is some flexibility in doing so regarding selectable options and variable amounts.

  • Document policies and make them easily accessible: Like other financial institutions, a credit union should have its policies formally documented—including any choices made and variables set regarding its bylaws. They should be available in a place that’s easy to access for both employees (to be aware of their compliance responsibilities) and auditors (for operational transparency).

Capital Requirements and Risk Management

Credit unions don’t have shareholders to be accountable to, which can be an advantage in some areas of risk management. But this can also prove to be a disadvantage in that it can be harder for credit unions to get startup capital, and so there can be a smaller margin for error at first.

  • Meet capital and reserve requirements: A credit union has to secure enough start-up capital to cover operational costs and losses until it becomes profitable. The amount differs depending on where the credit union is operating, who its likely members will be, and what products it will be offering. However, the NCUA estimates the amount to be around $500,000 US. The credit union may also have to hold a portion of its funds in reserve as liquidity if it handles sums within certain ranges.

  • Follow new Current Expected Credit Loss (CECL) guidelines: As of April 2016, the new CECL accounting standards in the US require financial institutions to measure expected asset losses more conservatively. These include not only losses that are “probable” based on circumstances but also losses that can be reasonably expected based on historical transaction data and future economic forecasting. The point is to help credit unions be better prepared for losses by having more capital available and/or in reserve.

Financial Reporting and Disclosure Requirements

Credit unions are still financial institutions. That means they have to be transparent about their own finances, so both prospective and current members can make informed decisions about how to manage their money.

  • Disclose finances for the credit union through financial statements: US credit unions serving natural persons must submit financial reports quarterly to the NCUA using Form 5300—Call Report. Corporate credit unions—credit unions that serve other credit unions—have slightly different reporting requirements; they must submit a Form 5310—Corporate Credit Union Call Report monthly.

  • Obtain a credit rating and disclose it to members: Like other financial institutions, a credit union should obtain a credit rating to indicate its overall financial health. This lets the credit union’s members know how well the credit union is able to meet its financial obligations without defaulting.

  • Restrict disproportionate exposure to high-risk investments: One of the main advantages of credit unions is that, unlike banks, they aren’t publicly traded companies. That means they only have to make enough money to stay in business, as opposed to making money for shareholders on top of that. This gives credit unions the luxury of taking fewer risks in investing. Still, a credit union needs to have a policy outlining how it will manage risks related to investments, as outlined by NCUA regulations.

Consumer Data Privacy and Protection

As credit unions are run by their members, it’s in their best interests to be as transparent as possible about how their services work. That way, members can make clear, informed choices about how they manage their money. Members should also be able to expect that the credit union will safeguard their identifying and financial credentials from being stolen or otherwise used without their consent.

  • Protect customers’ financial information: Credit unions must have policies for protecting both employee and customer information from theft or destruction, as well as keeping it private. These include policies on when (and to whom) personal information will be disclosed, as well as concrete steps on how a credit union will guard against identity theft.

  • Use clear messaging for financial products, including interest rates and fees: Credit unions have similar regulations to other financial institutions regarding the Truth in Savings Act. That is, they must disclose certain information about their products such as terms of use, interest rates, maturity periods, and any applicable fees.

  • Follow limits on check holds: Credit unions, like other financial institutions, are also subject to the Expedited Funds Availability Act. That means they must disclose their policies on withholding funds from deposited checks (for example, in case of a fraud investigation) to customers. This includes the maximum amount of time checks can be held for, which may be less than the EFAA’s stated limits if a credit union has efficient anti-fraud and AML programs. Shortening check hold limits can help a credit union offer better customer service.

Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF)

As financial institutions, credit unions are subject to the Bank Secrecy Act just as traditional banks are. That means they must also implement programs to combat money laundering and terrorist financing.

  • Develop an AML program as part of your credit union regulatory compliance framework: AML programs at credit unions must address five factors at minimum. They must designate who is responsible for the program; develop a system of internal controls; train employees on how to implement these controls practically; schedule regular independent tests of these controls; and develop systems for identifying and assessing customer risks.

  • Perform customer due diligence: A credit union must have a Customer Identification Program and a Customer Due Diligence policy with certain facets. First, they must explain the specific steps the credit union will take to verify customer identities. Second, they must outline the credit union’s procedures for identifying and evaluating the risk of beneficial owners of corporate clients. Third, they must explain the credit union’s risk-based approach to performing ongoing monitoring and risk assessment of customers. Finally, they should specify who will be responsible for managing information-sharing requests from regulatory bodies (such as FinCEN in the US).

  • Perform enhanced due diligence: A credit union must also have Enhanced Due Diligence processes in place for clients who fit certain risk criteria or surpass certain risk thresholds. That is, it must have procedures for gathering more risk-related information about the client. This can include their income sources, occupation, and home location (relative to the credit union). For business customers, a credit union might look into the client’s business type, financial statements, headquarters location (relative to the credit union), main geographical areas of business, and details on business operations (sales, suppliers, clients, etc.).

  • Perform sanctions screening: Credit unions also need to ensure that none of their clients or sponsors are listed on sanctions lists. In the US, for example, credit unions must have a policy addressing how they will deny or stop transactions with entities on sanctions lists from OFAC. The policy should include a plan for reacquiring OFAC’s lists consistently in order to be aware of any changes made to them.

  • Monitor transactions and other customer activity: Due diligence can serve as a guideline for how closely each customer should have their activities tracked. But the only way to know if a credit union customer is currently involved in financial crime is to look directly at their transactions. All customers should be monitored in some capacity to tell definitively whether or not they’re doing anything illegal.

  • Submit suspicious activity reports (SARs): As per NCUA guidelines, a credit union has to file a suspicious activity report (SAR) when it reasonably believes a transaction within the institution has criminal intent. That includes any suspicious transactions to which a member of the credit union’s management is a party, as well as transactions suspected to be money laundering (i.e. intending to hide or disguise the origin of funds; intending to evade laws or reporting requirements; or otherwise having no discernible purpose or justification). Reports must be submitted to FinCEN within 30 days, or within 60 days if a suspect (or group of suspects) is not initially identified. Additionally, the credit union must keep records of any submitted SARs for at least five years.

Internal Controls and Audits

Credit unions can face threats internally from employees who abuse their positions. And even if staff compliance neglect is accidental, it can still expose a credit union to outside actors looking to take advantage of weak compliance operations. It can also result in fines and other penalties from regulatory agencies.

That’s why it’s important for a credit union to keep its compliance program strong. It can do so by setting standards for conduct, as well as reviewing the system occasionally for facets that may need to be fixed or improved.

  • Establish internal controls that guide team members: Credit unions need systems of internal controls to protect assets; preserve the integrity of their financial data; operate efficiently; and comply with both union-set bylaws as well as external laws and regulations. Such controls include: establishing a compliance-based corporate culture; assessing risk regularly; implementing policies to hold employees accountable; developing timely and secure communication systems for sensitive information; and monitoring controls for their effective operation and any needed updates.

  • Perform internal audits: A credit union should perform regular and thorough internal audits to evaluate the current state of its compliance risk. This should include how well it’s managing that risk through its policies and other internal controls. Doing so can help a credit union identify deficiencies in its processes or training programs, and then swiftly correct them. This limits both operational risk and the chance that a credit union will be penalized for being found non-compliant during an external audit.

  • Have external audits conducted: In the US, the NCUA will periodically evaluate the compliance programs of federally-insured credit unions. These audits judge how well a credit union’s compliance policies align with specific risk-based criteria. These criteria fall under three categories: effective management oversight of regulatory compliance and risk control; the overall practical effectiveness of the compliance program’s operations; and the ability of the compliance program to limit law/regulation violations and customer harm.

Outsourcing and Vendor Management

Many credit unions choose to partner with third-party vendors to increase their product offerings, especially regarding non-traditional lending. While doing so can provide efficient services at lower costs, it comes with legal, budgeting, and asset risks (to name a few). Credit unions must be prepared to mitigate these risks with proper internal controls and due diligence before entering into such partnerships.

  • Develop a vendor approval and adoption process: A credit union must create policies for forming partnerships with third-party vendors. These policies must outline how the credit union will plan to apply for the partnership, including what additional internal controls will be needed and what sort of due diligence processes will be used to vet vendors. It is up to the credit union to decide how strictly to apply these policies, based both on the nature of its relationship with a particular vendor and its overall risk appetite.

Training and Awareness

A credit union’s internal controls for compliance risk management are only useful if employees consistently follow them. That’s why rigorous compliance training should be a priority, both for onboarding new employees and for when product offerings or overall regulations change.

  • Establish training and reference materials: A credit union should have a comprehensive employee training program, ideally including specific material for certain functions within the credit union. Training materials should be updated regularly to cover any upcoming product offerings or regulatory changes so that all employees know their responsibilities before anything new is implemented.

  • Perform training at onboarding and refresh training periodically: All onboarded credit union staff should undergo complete basic compliance training. Also, additional training should be provided for employees based on their roles within the credit union (and thus their specific compliance requirements). And training should be readministered when it’s updated to cover new product offerings or changes to regulations.

Help Your Credit Union Maintain Compliance with Unit21

Whether handling regulatory compliance for a traditional bank or a credit union, it’s a tough job—especially if trying to do it without the help of Regtech. Luckily, Regtech is exactly what Unit21 specializes in. Transaction Monitoring allows for overseeing customer activities beyond just money moves, making it easier to detect unusual patterns that could indicate financial crime. Complementing that is our Case Management solution, which allows for visual analysis and automated reporting so suspicious activity investigations take less time. 

To see how our tools work in action, contact us for a demo.
