Risk Management

Credit unions manage their exposure to risk through a comprehensive compliance program, often referred to as a compliance management system (CMS). The following components are essential to a comprehensive CMS:

A credit union’s CMS should address all of its compliance responsibilities. The depth of detail for each component will vary based on a credit union’s size and complexity. Conclusions about the adequacy of a credit union’s CMS should be based on the effectiveness of the system as a whole.

Governance

A credit union’s board of directors is ultimately responsible for developing and administering a CMS to comply with consumer financial protection laws and regulations and prevent associated risk of harm to members and consumers. The board of directors and senior management should:

  • Demonstrate clear expectations about compliance

  • Adopt policy statements regarding compliance

  • Establish compliance responsibilities

  • Allocate resources to the compliance function commensurate with the size and complexity of the credit union’s operations, the consumer financial protection laws to which the credit union is subject, and the potential harm to consumers associated with violations of such laws

  • Appoint a qualified and experienced compliance officer with authority and accountability

  • Address consumer compliance issues and associated risks to consumers throughout product development, marketing, account administration, and the handling of member complaints

  • Require periodic audits of compliance matters, and review the results of all compliance audits

  • Require appropriate reporting systems and regular reviews of such reports to identify compliance risks, issues, and resolution

Policies and Procedures

Consumer financial protection compliance policies and procedures should be documented and sufficiently detailed for the size and complexity of a credit union. Policies and procedures should:

  • Be consistent with other board-approved policies

  • Address compliance with applicable consumer financial protection laws and regulations to prevent and detect violations and the associated risks to consumers

  • Cover all products, services, and third-party compliance arrangements

  • Be updated to remain current

  • Serve as a reference for employees in their day-to-day activities

Training

Education of a credit union’s board of directors, management, and staff is essential to maintaining an effective compliance program. The board members should receive sufficient information to understand the credit union’s responsibilities and resource requirements. Management and staff should receive specific, comprehensive training that reinforces and helps to implement written policies and procedures. Requirements for compliance with consumer financial protection laws, including prohibitions against unlawful discrimination and unfair, deceptive, and abusive acts and practices, should be incorporated into training for all relevant employees, including audit personnel.

Management should maintain documentation of training completed by employees and volunteers. This documentation should include the subject of training, the individuals participating, and the materials reviewed during the training.

Effective consumer compliance training should be:

  • Current

  • Commensurate with the size of the credit union and the risks to consumers presented by its activities

  • Provided to appropriate individuals based on their roles and responsibilities

  • Consistent with, and designed to reinforce, policies and procedures

Monitoring and Corrective Action

To fully comply with consumer financial protection laws and regulations, a credit union must promptly identify and correct weaknesses. Monitoring should be risk-focused and seek to identify procedural and training weaknesses in a timely manner.

Monitoring and testing are generally more frequent and less formal than a compliance audit and may be carried out internally. They do not require the same level of independence from a credit union’s compliance function as an audit. Monitoring and testing should:

  • Be prioritized based on the results of risk assessments

  • Be completed as scheduled

  • Aid in the determination that transactions and other member contacts are handled according to board-approved policies and procedures

  • Address deficiencies identified in internal or external audits in accordance with management’s directives for resolving such deficiencies

  • Escalate findings to management and the board of directors if appropriate

  • Lead to timely corrective actions, as appropriate

Member Complaint Response

Information gathered from member complaints should be organized, retained, and used as part of a credit union’s CMS. A credit union can identify weaknesses in its CMS based on the nature and number of substantive complaints from members.

Effective member complaint response procedures should:

  • Record and categorize the resolution of member complaints and inquiries from all sources

  • Escalate legal issues involving potential member harm from unfair treatment, discrimination, or regulatory compliance issues

  • Use complaint information to adjust business practices as appropriate

  • Provide summary data reporting the type of member complaints received to the supervisory committee or the board of directors

Compliance Audit

A compliance audit should include a review of a credit union’s adherence to all applicable consumer financial protection laws and regulations and to internal policies and procedures. The audit should also identify any significant gaps in credit union policies and standards. The audit program should:

  • Operate independently from a credit union’s compliance program and business functions, including member sales and service

  • Provide timely reporting to the board of directors or a committee of the board of directors

  • Require that the schedule and coverage of audit activities are commensurate with the size of the credit union, its member financial product offerings, and the way it conducts its consumer financial products business

  • Provide timely copies of audit reports to all appropriate compliance and business unit managers

  • Use audit results to guide appropriate and timely corrective action

Last updated on June 05, 2023