BY CINDY WILLIAMS
The increasing integration of technology into credit unions’ compliance efforts is opening CUs to greater scrutiny by examiners. What exactly are they looking for? CUB’s compliance expert breaks it all down to make IT-centric questioning during exams less stressful and intimidating for your staff.
If you rely on software to comply with Bank Secrecy Act, Anti-Money Laundering or Office of Foreign Assets Control regulations, BSA/AML examiners are likely to want a peek under the hood of your technology. This demand could challenge credit union staff who are not accustomed to answering IT-centric questions during exams.
Credit unions use a large and growing number of tech solutions, such as Verafin or Bankers Toolbox, to apply risk scores to members and to monitor transactions for suspicious activity. Tirelessly scanning transactions for volume and velocity, unusual wire activity, even red flags like common addresses between members, this highly sophisticated technology doesn’t miss much.
However, the accuracy and effectiveness of these solutions and the outcomes they produce are paramount to a financial institution’s compliance with regulations. That is why examiners are increasingly asking to see evidence of data validation audits and/or regular software reviews.
Examiner attention to these practices has been around for many years in the big-bank world, but it is beginning to pick up steam among credit union examiners as well. This is because more of the credit unions they examine are integrating technology into their compliance effort.
Much of the BSA/AML/OFAC software available to credit unions today is more than a decade old. At one time, it was deployed by only the largest banks and credit unions. Over time, however, the technology has trickled down to more community-based financial institutions, many of which have a good three to five years of experience with the technology under their belts – long enough to have become proficient with its use.
Although the use of technology often greatly improves on the manual process of reviewing reports from the core processor or internal employees, it also dictates attention to the systems and software computing the data.
What Do Examiners Want to See?
Examiners are interested in how the software calculates the output. However, they are just as interested, if not more so, in how data is put into the tools. In other words, how does the capturing of data impact the technology’s output? Further, are policies and procedures in place to govern consistent, timely and sound collection and input of, and response to, the data?
A common circumstance uncovered by a software review is faulty integration. For instance, a credit union’s BSA software may not be bringing all transactions over from the core system, setting staff up to miss unusual activity. Another frequent issue is reliance on default settings. It can be tempting for credit union staff, particularly employees not used to or comfortable with technology integration, to simply use pre-coded settings instead of customizing them to their member base, products or activity.
Training is another area examiners will be interested in. How has your credit union ensured the individuals using, maintaining and upgrading the software are aware of the cooperative’s evolving needs? You will want to be able to demonstrate staff participation in frequent and comprehensive software training activities.
Along those same lines, examiners may also want to see that your credit union has reviewed access to the systems and the data files they contain. Especially in this era of heightened awareness around cybersecurity and internal threats, who is reviewing alerts, who is responding to them and who has the rights to delete or ignore them will be under scrutiny.
Are We on Our Own?
Credit unions are given leeway in the execution of data validation audits and software reviews. They are allowed to perform these activities on their own or partner with a third-party resource. Many find the latter to be the most effective approach because the outside perspective tends to more closely match that of an examiner.
As in nearly every aspect of banking, the introduction of technology to the compliance effort is warranted and welcomed. I have seen many circumstances in which software identified issues human policies and procedures would not likely have found. At the same time, technology is not a magic bullet for protecting the cooperative or its members. Examiners know this and want to see that your team understands it as well. With the right partner and a good set of policies and procedures, your credit union will have no problem meeting this exam requirement.
Cindy Williams is vice president of regulatory compliance for PolicyWorks. She will be speaking on the topic of data validation reviews at the upcoming CUNA/NASCUS BSA Certification Conference, scheduled for November 12–15, 2017 in Las Vegas.