Compliance Blog

Feb 25, 2011

UDAP; The Importance of Risk Management

Posted by Anthony Demangone

NCUA issued a very interesting legal opinion yesterday, Letter to Credit Unions 10-0842.   Here's a snippet:

You inquired whether federal credit unions (FCUs) can provide identity theft protection services programs to their members where:

    • FCUs automatically enroll their members, without the members’ request or express consent, to receive their services on accounts advertised as free checking;
    •  FCUs deduct periodic fees from the members’ checking accounts unless the members opt out of receiving the services; and
    • the FCUs’ account agreements with the free checking accountholders include a truth-in-savings fee disclosure, listing a one dollar monthly fee for the services, but describing the fee as “optional.”

    While we would look at each specific program to determine its permissibility, a program providing these services to “free checking” accountholders, without their request or express consent, charging them a dollar a month, and disclosing the fee as optional, while using an opt out only option, appears to be an unfair or deceptive practice and may present problems under NCUA’s truth-in-savings and advertising regulations. (Emphasis added.)

    In its letter, NCUA doesn't come out and say that such a program is a de facto violation of UDAP and Truth in Savings, as it hadn't seen all of the applicable disclosures. But the tone of the letter is obvious - NCUA sees a lot of red flags. Here are two take-aways from this letter.

    • If your credit union has such a program, you'll need to read this letter closely and address the regulatory concerns outlined by NCUA.  
    • This is a classic example of how something that looks contractually solid can start shaking like a leaf when the words "unfair and deceptive" are uttered by a regulator.  Guess who has the right to say those words beginning in late July? That's right, the CFPB.

    ***

    Felix Salmon at Reuters has another interesting post on the financial industry. It is worth a read, but I focused on a supervisory letter within Salmon's post that was issued by the OCC to Citigroup in February 2008. The letter pounded Citi for weak risk management practices. I understand the letter was written in 2008, and that credit unions are not international mega-banks. But the letter would be useful to see how the OCC expects its institutions to implement risk management. And I think that is very useful for our industry. Here are some findings:

    • The Board and senior management have not ensured an effective and independent risk management process is in place. Risk management had insufficient authority or failed to exercise its authority to constrain business activities.
    • The Board and ARMC were not provided meaningful or systematic information on material risk and compliance with limits, controls, or concentrations. The Citibank, N.A. Board had no effective oversight role specific to the risk profile of the bank.
    • (Citi must) Raise the stature of risk management in the organization. Perform a thorough, top-down, assessment of the risk management function, its roles and responsibilities, staffing levels, management competencies, and risk tools to ensure it can be effective as a control function.
    • Review the content of information provided to senior management and directors to ensure it is meaningful and relevant. It should include a strengthened and systematic discussion of sensitivity to various risk factors across business segments, compliance with limits and controls, and the evaluation of risk versus allocated capital.

    Again, this letter is roughly two years old, so Citi may have addressed these concerns already. But I think there is always value to be found in failure analysis, especially when that failure happens over there. Take a look at those findings. I would argue that they could apply to many organizations, including some credit unions. Warning, I'm hopping on my soap box. Risk management is not sexy. Risk management will never be a revenue producer. But perhaps some have focused too much on revenue and growth in the past. Sometimes, the best decision an organization can make is to say no, especially when it has determined that it cannot manage the risk that comes with the reward.