Credit Union Readiness for the CFPB Dance

Credit unions with $6B and more in assets must invest time, effort and planning to become CFPB ready. Find out about what’s expected and actions to take to prepare for CFPB regulatory oversight.

Agencies who Oversee Credit Unions and What They Examine

The Consumer Financial Protection Bureau (CFPB), and NCUA ONES provide supervision for credit unions with assets over $10 billion. Preparing for a new supervision regime is essential.

The NCUA ONES are more thorough and comprehensive than the NCUA examination teams for credit unions under $10 billion. However, the NCUA is well on its way to increasing the threshold for NCUA ONES supervision to $15 billion in assets.

Some potential good news from the CFPB came this spring during the House Committee on Financial Services. CFPB Director Rohit Chopra said, “The CFPB is shifting enforcement resources away from investigating small firms and instead focusing on repeat offenders and large players engaged in large-scale harm.”

For initial CFPB examinations, the starting point is almost always Compliance Management Review. This is an examination of the Compliance Management Environment that the CFPB calls the Compliance Management System.

Based on Bridgeforce’s credit union client experience, deposits are trending to be the default go-to initial business examination area. Because the CFPB’s focus is on the potential for customer harm, portfolio composition is also a driver for examinations.

The above notwithstanding, designing, developing, and implementing change for CFPB readiness requires significant planning, sequencing, time, effort and commitment.

What Being “CFPB Ready” Means

For credit unions at or approaching an asset level of $6B and more and who have expectations of additional growth, CFPB supervision and readiness are top-of-mind for boards, supervisory committees and executive management.

Expectations Across the CFPB’s Four Pillars of a Compliance Management System

The CFPB has defined four pillars of a Compliance Management System. Bridgeforce has mapped 98 requirements and expectations across the four pillars, but critical highlights include:

Board of Directors and Management Oversight

• Clear Compliance Expectations – “tone from the top” and performance management that includes regulatory adherence
• Board and Supervisory Committee regulation-specific training
• Clear Policies – communicated internally and to service providers (for vendor management purposes)
• Appropriate Compliance Staffing/Resources – in the business lines and functional areas, in the Compliance Department, and within Audit (be it in-house or third-party)

Compliance Program

• Policies, Procedures and Processes – typically both Compliance’s own stand-alone and the compliance requirements and controls that are integrated into business and functional area procedures
• Compliance Training – enterprise-wide for broad regulations and focus areas such as Fair Lending, BSA/AML, and Complaints, to name a few, a comprehensive program (with all associated regulatory applicability), and role-specific regulatory training based on relevant regulatory requirements
• Monitoring – comprehensive, but also both periodic and risk-based
• Corrective Action – issues management and associated, appropriate governance/reporting
• A New Information Technology Examination Module (introduced in late 2021) – to assess an institution’s and service provider’s IT controls

Complaint Management

• Comprehensive Definitions, Procedures and Tracking
• Monitoring of complaints by type, volume, and compliance risk levels
• Analysis of complaints to determine trends and root causes
• Resultant change to business practices that is prospective to control for regulatory adherence shortcomings and poor member experiences

Independent Risk-Based Audit

• Comprehensive regulation applicability, policies, and procedures
• Transaction and control auditing and testing
• Corrective action tracking and completion timeliness
• Robust corrective action validation based on risk exposure

It is critical to note that third-party (vendors and service providers) compliance management is part and parcel of each pillar.

Staying ‘Ahead of the Curve’ With the CFPB’s Compliance Environment Expectations

Readying your credit union requires planning, resources (both headcount and appropriate systems), and robust change management. The Compliance Department and other compliance subject matter experts should always have a seat at the table and must sign-off on changes to standard run-the-business and new initiatives.

In our experience, it can take two to three years to develop a CFPB expected baseline Compliance Management System. You need time to design the program and get approval for headcount and systems resources. It takes even more time to develop procedures that are regulator friendly.

The emphasis on appropriate procedures cannot be made more strongly. Desktop procedures almost always tend to confuse and frustrate examiners. Operating procedures should be plain English, prose that includes specific information. Examiners need details to understand the relevant processes, including associated controls and ties to specific regulation requirements.

Finally, to ensure that you have a well-defined road map to share with regulators about where you have been, where you are currently, and where you are heading for a continuous improvement compliance management journey. Of great importance is that the CFPB and the NCUA ONES are remarkably appreciative of transparency.

How Bridgeforce Can Help

Bridgeforce has partnered with half of the top 30 US credit unions to help in CFPB readiness preparations. We have designed CMS programs, assessed existing programs, and worked across business areas/functions, the Compliance Department, and audit. In addition, Bridgeforce has partnered with credit unions to develop (in part or in full) and implement changes that have led to successful CFPB examination outcomes.