By Alma Calcano
Compliance failures can lead to catastrophic consequences for a credit union. Regulatory violations can result in costly fines and civil penalties, which could — in the worst-case scenario — take an institution out of business. The implementation of a successful compliance program tailored to each individual credit union, which effectively addresses management of risks, is fundamental. Even though compliance does not eliminate risk, it can reduce the likelihood that violations of rules and regulations occur. Compliance risk management and a credit union’s culture of compliance at first glance may seem to be the same or to have some similarities. Understanding these concepts and the relationship between them is crucial for the successful operation of a credit union.
Compliance Risk
Compliance risk, one of the seven areas of risk the NCUA expects credit unions to manage, is “the current and prospective risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies and procedures or ethical standards.” (See NCUA Online Examiner’s Guide, Chapter 1, “Risk Categories.”) Put more simply, it is the threat that noncompliance can harm a credit union. From the NCUA’s perspective, the scope of possible compliance risk is very broad, as it can come from laws, rules and regulations, internal policies or procedures and contractual obligations. The NCUA expects credit unions to manage this risk through risk identification, measurement, control and monitoring.
Properly identifying sources of compliance risk requires giving attention not only to various external sources of law to ensure that a credit union is in compliance with the law’s requirements, but also to all credit union business activities. A strong culture of compliance plays an important role in measuring and monitoring compliance risk in all business activities and in ensuring these activities fit within the credit union’s identified risk appetite. It also promotes a culture of “see something, say something” within the credit union’s staff, which helps management identify areas where additional controls may be necessary or where compliance violations exist.
Culture of Compliance as a Risk Management Tool
Establishing a culture of compliance can also be a tool for managing this area of risk. While many regulators have openly spoken about the need for a “culture of compliance,” none, including the NCUA, has articulated a formal definition of the phrase. A culture of compliance could be defined as the attitudes and behaviors exuded by leadership and staff within a credit union as related to compliance.
While the NCUA may not have formal guidance, FinCEN issued guidance on promoting a culture of compliance around the Bank Secrecy Act in its Advisory FIN-2014-A007, released Aug. 11, 2014. The guidance outlines ways a credit union can strengthen or reinforce a culture of compliance. These ideas can be applied in general, and they include the following actions:
- Leadership should be engaged, using a top-down approach.
- Compliance should not be compromised by revenue interests.
- There should be open communication, with information shared throughout the credit union.
- Leadership should provide adequate human and technological resources and training.
- The effectiveness of the culture of compliance should be tested or assessed.
A strong buy-in from all levels of a credit union — from the board of directors and senior management to staff members on the front lines — is critical when managing compliance risk. A strong compliance culture aids in ensuring that a credit union operates safely and soundly, as it can facilitate addressing and controlling the specific risks the credit union identifies. For example, in some situations laws and regulations are lacking, which can leave a credit union operating in a gray area, as when a new technology is not anticipated in the existing rules. An employee operating in a culture of compliance would make an informed decision, taking into account existing rules and internal policies and procedures, so that the credit union appropriately manages the risk presented.
The Role of Training in Building Organizationwide Compliance
When implementing a compliance strategy, it is important to include all units and departments of a credit union and consider training as part of establishing a culture of compliance. Everyone in the credit union, including management, must be aware of compliance requirements and given regular training and education tailored to address the specific risks the credit union faces.
Regulators generally expect compliance training to be comprehensive, timely and specifically tailored to the particular responsibilities of the staff receiving it, including those responsible for product development, marketing and customer service. Conducting training in advance of the introduction of new products or new consumer protection laws and regulations ensures that all staff are aware of compliance responsibilities before the rollout or effective date. Including senior management in training sessions may help demonstrate the importance of compliance.
A strong culture of compliance reinforces proper behavior by holding employees accountable when they deviate from following the rules. Some credit unions have implemented disciplinary and incentive programs as part of their culture of compliance to ensure employees have a clear understanding of expectations, to acknowledge unacceptable behavior and to reward compliant behavior. Embedding compliance into everyday workflow sets the foundation and expectations for individual behavior across the credit union. Credit unions with a strong culture of compliance cultivate an environment in which adhering to laws and regulations is an important priority.
Alma Calcano is NAFCU’s regulatory compliance specialist.
This article was published in the January-February 2020 edition of The NAFCU Journal magazine.