Emerging Risks in Credit Union Environment


Identifying credit risks in credit unions


Emerging Risks in the Credit Union Environment 2012

Experience the power of being understood.℠


Member of RSM International network, a network of independent accounting, tax and consulting firms.

McGladrey is the brand under which RSM McGladrey, Inc. and McGladrey & Pullen, LLP serve clients’ business needs. The two firms operate as separate legal entities in an alternative practice structure.

801 Nicollet Mall, Suite 1100 Minneapolis, MN 55402 O 612.573.8750 www.mcgladrey.com

Victor Howe, Partner, McGladrey & Pullen, LLP

Dennis K. Lavin, Partner, McGladrey & Pullen, LLP

Dear Supervisory Committee/Board Members and Management:

McGladrey celebrated its 85th birthday in 2011. During these 85 plus years that McGladrey has served the financial services industry, we have seen monumental shifts in the industry, the economy and politics. During good times and bad times, we have focused on your needs and tried to provide suggestions and ideas to manage risk and keep you up to date on financial and regulatory matters. This is the 11th year of publication for the annual “Emerging Risks in the Credit Union Environment” alert.

Your strategic actions taken in 2009 and 2010 provided a solid foundation for financial and operational performance in 2011. These actions included reduction in operating expenses, enhanced vendor management and spend programs, growth of internal mortgage banking operations and loan sales into the secondary markets, and many other improvements, including working more closely with your examiners.

As we enter into 2012 and look back on 2011, we see that retail credit unions have focused on loan growth, including member business lending, mobile banking opportunities and alternatives to the corporate credit unions, enhanced liquidity sources, enterprise risk assessment and regulatory compliance, just to name a few top line operating goals.

Our articles in this year’s Alert address financial and regulatory reporting, IT enhancements, corporate governance and some process improvement suggestions. As we are not economists or fortune-tellers, we cannot predict how 2012 will unfold, but we do have a few suggestions to monitor your credit union, based upon our understanding of the economic fundamentals.

In light of this, our latest “Emerging Risk Alert” is intended to continue to provide a broad and in-depth discussion of the credit union risk environment. We hope you will find this report useful, as you strive to prioritize your organization’s risks, achieve a well-balanced risk management program and keep pace with emerging issues.

Though every credit union is as unique as its membership base, our objective is to organize credit union risks in one report, so that when shared freely with leaders across your organization, each department can have key information about the risks most relevant to them. This report can also help to facilitate board-level discussions about organizational risks as you plan for the upcoming year.

As always, you are encouraged to bring any questions you might have about the information contained in this report to your McGladrey professional.

Best regards,

Mike Mossel, Principal, McGladrey & Pullen, LLP

Tasha Kostick, Partner, McGladrey & Pullen, LLP


Contents

Section 1: Credit risk
• Concentration risk management
• Risks in the real estate lending function

Section 2: Accounting and finance risk
• New FASB guidance offers a simplified option for testing goodwill for impairment
• FASB offers guidance on Troubled Debt Restructurings
• FHA and HUD Matters
• The provision as a profit center
• Accounting and other merger implications: Lessons learned

Section 3: Compliance risk
• BSA, AML and OFAC compliance: Penalties, changes and guidance
• The Secure and Fair Enforcement for Mortgage Licensing Act of 2008
• Authentication in an Internet banking environment: Updated FFIEC guidance

Section 4: Operations risk
• Internal fraud prevention – Creating the right culture
• Critical strategy considerations for 2012: Business plan considerations for credit unions
• How credit unions can control the growing risk of wire transfer fraud

Section 5: Interest rate risk
• Interest rate risk: Is your credit union prepared for rising rates and increased regulation?

Section 6: Technology risk
• Leveraging technology investments to improve efficiency
• Remote Deposit Capture
• Managing third-party information security risk – a cohesive approach

Section 7: About McGladrey
• Contact information
• Authors and contributors
• 2012 McGladrey Supervisory Committee and Directors Conference
• In Harmony with Success


© 2012 McGladrey & Pullen, LLP. All Rights Reserved. Page 1

Section 1: Credit risk

Loan portfolios and concentration risk

Credit risk is one of the largest risks for credit unions. Over the last few years, losses stemming from various segments of credit union loan portfolios have eased in some cases–partly due to more proactive credit risk management initiatives, partly due to some external economic improvements, and partly due to increased scrutiny during the underwriting process, including enhanced documentation requirements supporting the sources of repayment. However, credit losses still pose significant risks to credit unions. Going forward, other issues may arise in seemingly sound portfolio segments, further exacerbating loan losses and putting credit unions back into reactive mode. While there is no panacea for credit-related losses, concentration risk management can highlight certain risks and help mitigate losses.

Concentration risk management isn’t a new concept. NCUA Rules and Regulations on concentration limits relating to one individual or group of individuals have been in place for years. Member business lending (MBL) is an area that can cause significant losses due to the magnitude of the loan amounts and the risks associated with construction, development and investment properties. NCUA Part 723 includes concentration risk considerations related to MBL, and limits MBL exposure as a percentage of net worth, with exceptions permitted only after a risk management review by the NCUA. Still, the NCUA Letter to Credit Unions 10-CU-03, released in March, 2010, caught many credit unions off guard and wondering “How do we do concentration risk management?”

Defining credit concentrations

Regulators have long recognized that a large credit risk exposure to a single member or family of members, when measured as a percentage of net worth, poses a potential threat to a credit union’s safety and soundness. Regulations have imposed a limit on such exposures for that reason. Because of that limit, individual loan transactions rarely cause material losses or credit union failures.

Concentration risk more commonly occurs as a result of pools of individual transactions that may perform similarly because of a common characteristic or common sensitivity to economic, financial or business conditions. If these common characteristics become a common source of weakness, loans in the pool could pose considerable risk to earnings and net worth, even when each individual transaction within a pool is soundly underwritten.

In most instances, loan concentrations arose during periods of rapid economic expansion, typically fueled in part by easy access to credit, and frequently exacerbated by a weakening of underwriting standards. At many credit unions, management didn’t fully assess the risk that these loans would not perform under stressed economic conditions and, therefore, did not implement risk mitigation strategies prior to the recent mortgage crisis. During the economic downturn, many correlated exposures deteriorated, resulting in a significant number of credit union problems, including diminished capital levels, low or negative earnings, additional regulatory scrutiny and, in some cases, failures.

Governance strategies to address concentration risk

Credit unions should develop policies and procedures relating concentration risk management to the size and complexity of their lending operations. These processes, coupled with sound risk management, loan review and internal audit oversight, should form an internal governance function that effectively identifies, measures, monitors and controls risks to the credit union. Management may be hesitant to set “limits,” typically viewed as constraints, regarding portfolio loan concentrations. Yet, in order to ensure alignment between lending production and credit risk appetite, these limits should be set, as they are imperative for effective governance. Limits expressed as a percentage of net worth are not hard stops to lending. Rather, they should serve as warning signals to management and the board, which must consider if the credit union is comfortable with this level of concentration. If so, to what extent should the credit union adjust the limit? If not, what mitigation strategies must we employ to reduce this concentration exposure?

Management and the board often struggle to understand the relevance of concentration risk limits when they are first developed as many of the limits may exceed 100 percent of net worth, but developing and documenting these limits and calculations are vital steps in controlling concentration risk. For example, a 300 percent limit on indirect loans, when expressed as a percentage of net worth, indicates that if 1 in 3 indirect loans result in complete loss, the credit union would entirely deplete its capital. Such a limit might be acceptable at a credit union that relies on heavy indirect lending volume, but would not align with the risk appetite at a credit union with more risk averse underwriting and loan loss philosophies.

Pools of transactions with similar risk characteristics

No list can include all possible instances of concentration, but areas for consideration can include:

• Loans extended to any one borrower, counterparty or group of related borrowers or counterparties

• Loans dependent on the same source of repayment

• Loans originated within a geographic area that may be dominated by one single or small group of employers

• Retail products, including credit cards, home equity loans (HELOCs), residential first mortgages, auto loans, boat loans and manufactured housing loans. It should be noted that these pools may be further segmented by:

− Whether they are direct or indirect

− Their vintage, particularly when underwriting was changed or new product features were introduced

− Their credit scores

− Loan-to-value ratios

• Commercial products, which may be further segmented by industry, geography, and purpose

Traditional concentration measurement has focused on exposure size, and this remains a sound methodology. However, not all large concentrations represent the same level of risk or require the same level of supervision. Management needs to consider the underlying volatility of performance. Depending on how narrowly a credit union defines a concentration pool and the risk characteristics of that pool, a larger measured concentration may not necessarily point to a greater threat to earnings and net worth. Some pools may warrant relatively little attention, while other much smaller pools may merit significant risk mitigation tactics.

For example, a concentration of geographically diversified and soundly underwritten residential first mortgages equal to a large percentage of an institution’s net worth would generally yield predictable delinquency ratios and net losses. Although the level of problem assets would not be perfectly stable over time, the portfolio’s performance metrics (e.g., past dues and net losses) would likely remain within a reasonably narrow range. On the other hand, the performance of a geographically concentrated pool of construction and development loans heavily focused in a single property type, and equal to a much smaller percentage of net worth, might be relatively unpredictable, with performance metrics falling within a very wide range. During periods of economic stability, the construction and development portfolio might yield a relatively low level of problem assets. But during periods of stress, those levels might spike and yield losses far in excess of those in the much larger residential first mortgage pool.

Portfolio size and performance volatility are both important variables. The difference in performance metrics between normal economic times and stressful times may vary widely and is a direct measure of risk. Generally, the greater the difference in portfolio metrics between normal and stressful times in conjunction with portfolio size, the greater the risk of that portfolio, and the more management attention it requires.

Correlation of pools

Once an institution separates loans into pools of exposures with similar risk characteristics, the next issue is whether some of those pools might behave similarly. The identification of correlated pools of exposure is an extremely important, but difficult, part of managing credit concentration risk. Two pools that do not exhibit strong performance correlation (i.e., similar credit performance metrics) in a benign economic environment may show very strong correlation in a deteriorating environment. For example, many credit unions assumed that individual pools of residential mortgages, each representing a different geographic area, would not be highly correlated. While this was a reliable assumption during a benign economic environment, the performance of these pools became highly correlated when home prices declined broadly throughout the country. Accordingly, experience and judgment play important roles in helping institutions identify pools that might perform similarly in the future.

Credit unions should review all of their relatively larger and riskier pools—both those designated as concentrations and those not—to check for performance correlations between pools in varying economic conditions. While the list of all such combinations may be long, it is appropriate to focus on the relatively larger or riskier pools to determine if such a correlation exists.

Mitigating concentration risk

In some cases, a pool of loans may represent a concentration of risk that is difficult to avoid or mitigate. For example, smaller credit unions may accumulate concentrations because of their limited geographic markets and the nature of their local economies. Larger credit unions may develop concentrations through mergers, or concentrations may develop as the result of implementing a strategic plan. In any case, a credit union must decide whether mitigation is desirable for a particular pool of loans. At some point, a credit concentration can become so large that, if the common factor influencing the pool deteriorates sufficiently, even a portfolio of well-underwritten loans can suffer losses that can deplete a credit union’s net worth. This is why the control and management of concentration risk is so important.

There are many useful strategies for managing concentration risk. Some are incremental, such as reducing risk over a relatively long horizon, while others have a more immediate impact. These strategies include:

• Modifying underwriting standards to increase exposure to higher quality transactions or to diminish exposure to weaker borrowers. Concurrently, management can increase the level of credit supervision while executing exit strategies from lower-quality relationships (e.g., increasing pricing or tightening terms and conditions)

• Expanding the portfolio by booking transactions that are not likely to perform in a similar manner with the existing portfolio

• Altering exposure limits or credit risk benchmarks, such as adjusting limits on commitment or outstanding amounts, or tightening constraints on special mention, substandard, doubtful or non-performing levels

• Selling loan participations, or whole-loan sales on a non-recourse basis, to reduce exposures

• Holding additional capital to compensate for the additional risk that may be associated with a concentration exposure

With concentration risk, the sum is riskier than the parts

All financial institutions have credit concentrations. Concentrations may develop by choice as a credit union seeks to develop expertise in a particular segment. They may result from mergers or acquisitions. Concentrations may be unavoidable due to a smaller credit union’s limited geographic footprint and its market’s dependence on a relatively few employers or industries. However concentrations develop, it is incumbent on management and the board to ensure that the credit union has an effective process in place to identify, measure, monitor and control concentration risk. The board of directors also needs to ensure that the credit union maintains adequate capital relative to concentration risks.

Remember, with concentration risk, the sum is greater than the parts. Each individual transaction within a concentration may be prudently underwritten, but collectively, the transactions are sensitive to the same economic, financial or business development events. As the recent housing crisis has proven, a single negative development can cause an entire pool to perform like a single, large exposure.

Concentration risk management is not just another policy required by regulators and developed for the sake of examiner satisfaction. It is a vital part of any credit union’s risk management strategy. Using the above tools to identify, measure, monitor and respond to concentrations will help ensure the credit union is poised to address unforeseen external factors. If left unaddressed, these factors may trigger a negative performance of pools of loans with a large exposure that could threaten the existence of your credit union.

Risks in the real estate lending function

The solid financial start to 2012 continues, demonstrating the resilience of credit unions and their progress during the gradual economic recovery. A credit union usually derives its primary source of income, as well as a major source of risk to its solvency, from its loan portfolio. Therefore, credit unions should support this major balance sheet account with sound business planning, policies and procedures, and internal controls. While overall loan growth remains relatively flat, historically low-rate first mortgage real estate loans continue to grow. This trend could impact credit unions’ future earnings potential. Accordingly, the National Credit Union Administration (NCUA) is focusing efforts on credit unions with elevated levels of risk as described below.

Credit risk

Credit risk continues to constrain the performance of many credit unions and remains a management concern. While overall loan delinquency and net charge-offs declined through mid-year, delinquencies in real estate, business and participation loans remain relatively high. Moreover, loan modifications are increasing. Modified loans, while offering troubled members an opportunity to avoid default, remain at risk for future delinquency, due to their high re-default rates. The NCUA has issued several guidance letters about prudent loan modification policies and procedures. Strong policies and appropriate analysis are needed to ensure each borrower is a suitable candidate for modification or other alternative to foreclosure. We encourage credit unions to modify loans where prudent. At the same time, we urge credit unions to closely monitor the performance of modified loans and ensure policies and procedures appropriately mitigate the inherent risk.


Strategic risk

Strategic risk impacts all aspects of credit union operations. Management’s philosophy, plans, decisions and actions are among our most forward-looking indicators of potential and emerging risk in a credit union. The ability to plan for the short and long term, determine product offerings, perform initial and ongoing due diligence over any third-party relationships, and set appropriate limits through policies and procedures mitigates strategic risk.

Liquidity risk

The success of any lending program determines the level and type of liquidity risk involved. A credit union engaging in real estate lending should evaluate and understand the variability of mortgage cash flows and the corresponding effect on its balance sheet. When interest rates fall, mortgage cash flows increase; conversely, when interest rates rise, mortgage cash flows decrease. This could result in a credit union having either too much or too little liquidity. To control liquidity risk, management must understand the interrelationships of interest rates, mortgage cash flows, prepayment risk, extension risk, and the effect on the fair value of its assets.

Reputation risk

Lending and the types of loan programs offered greatly affect reputation risk. Collection efforts, or the lack of such efforts, influence the members’ perception of the credit union, as do lending personnel and how they deal with the public. For example, if the credit union has an indirect dealer loan program, the reputation of the dealer can affect the reputation of the credit union and the program.

Compliance risk

Each loan type has various degrees of compliance risk. Numerous NCUA regulations, state laws and federal consumer compliance laws apply to both consumer loans and real estate loans. Failure to comply with these laws and regulations exposes the credit union to fines, civil money penalties and diminished reputation.

Transaction risk

Numerous transaction risks accompany lending. The strength of the credit union’s internal controls will determine the extent of the risk. Management may demonstrate their control of transaction risk through reviewing internal reports, such as “Paid Ahead Loans,” “Non-Amortizing Loans,” “File Maintenance,” “Supervisory Override” and “Accrued Interest Greater than Payment.”

According to the Government Accountability Office (GAO) report on credit unions released on Jan. 4, 2012, poor management was the primary reason 85 consumer credit unions failed over the past four years. In accordance with NCUA’s “Examiner’s Guide,” management’s identification and management of risks in lending should encompass the following areas:

• The quality of the loan portfolio and the extent of related risks in its lending activities

• Establishment of adequate lending standards and maintenance of proper controls over the lending program

• Adequate planning for all lending programs, committing the necessary resources in terms of technology and skilled personnel

• The credit union’s financial capacity to conduct lending safely, without undue concentration of credit and without overextending capital resources

• Periodic analysis of the loan portfolio’s performance, including profitability, delinquency and losses

• The credit union’s response to adverse performance trends, such as higher than expected delinquencies, charge-offs or expenses

• The credit union’s compliance program and management of the fair lending and consumer protection compliance risks

• Implementation of an effective internal loan grading system (if applicable) to identify credit risks

Despite the troubled times in the housing markets, banks and credit unions are continuing to make home loans to qualified borrowers and to refinance existing mortgages. They are also working with homeowners at risk of default to keep families in their homes. In light of the economic downturn and market conditions, the following lending issues have recently received considerable compliance attention.

1. Appraisals and collateral valuations

Credit unions should have policies and procedures in place to ensure compliance with recent appraisal and collateral valuation regulatory requirements, as follows:

A. Interagency appraisal guidelines

On December 2, 2010, the five federal banking agencies—the Federal Reserve Board (FRB), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), Office of Thrift Supervision (OTS) and National Credit Union Administration (NCUA) (collectively, the Agencies)—issued revisions to the Interagency Appraisal and Evaluation Guidelines (Guidelines). The Guidelines, applicable to all regulated banking institutions, identify the components of a safe and sound program for performing appraisals and evaluations for real estate-related financial transactions. The Guidelines apply to all real estate lending functions and real estate-related financial transactions originated or purchased by a regulated institution for its own portfolio or for assets held for sale. These Guidelines cover activities of commercial and residential real estate mortgage operations, as well as capital markets groups and asset securitization and sales units.

Highlights of the Guidelines include:

• Emphasizing the importance of having a collateral valuation process independent from other parts of the lending process

• Having effective quality controls over the appraisal process by recommending a periodic review of the work completed by the appraisers and for individuals selected to hold appropriate state certification or licenses

• An expanded Minimum Appraisal Standards section to clarify appraisals must contain an opinion of market value, as defined in the Agencies’ appraisal regulations

• In addition, the Minimum Appraisal Standards section clarifies that an Automated Valuation Model, by itself, is not an appraisal. This section also contains new guidance about having the appraisal report disclose the nature and extent of research performed to verify a property’s condition and support market value

• Greater detail about how appraisals should have appropriate adjustments to market value for factors such as prospective improvements, lease terms and market conditions. Furthermore, the guidelines clarify how appraisals should not incorporate factors such as favorable financing or special value to a specific property user into the market value

• Reinforcement of the Agencies’ expectations regarding the management of relationships with third parties as they pertain to real estate lending

• The need to develop policies for determining an appropriate collateral valuation methodology for various transactions

These Guidelines are intended to supplement existing regulations, and they provide a clear overview of the expectations regarding appraisal practices. This revised version supersedes the 1994 issuance and NCUA Letter to Credit Unions 03-CU-17. Federally insured credit unions also remain subject to the provisions of Part 722 of the NCUA Rules and Regulations relative to appraisal practices.

B. Home Valuation Code of Conduct (HVCC)

The Home Valuation Code of Conduct (the Code) became effective for single-family mortgage loans originated on or after May 1, 2009. Fannie Mae agreed to adopt the Code for all conventional, single-family loans originated on or after May 1, 2009, that are delivered to Fannie Mae. For purposes of the Code, origination date means the date of the application. The Code does not apply to multifamily loans, or to loans insured or guaranteed by a federal agency. The Code only applies to 1- to 4-unit single-family loans sold to Fannie Mae. The Code does not apply to loans sold to Fannie Mae on or after May 1, 2009, that were originated prior to May 1, 2009. Among other requirements, the Code requires that an appraiser must be licensed or certified by the state in which the property to be appraised is located. The Code does not apply to loans that are insured or guaranteed by a federal agency, such as FHA and VA loans.

2. Residential mortgage foreclosures

According to NCUA Letter 11-CU-01, Residential Mortgage Foreclosure Concerns, there are key issues in the mortgage industry related to foreclosures. The letter urged credit unions to perform an in-depth review of their mortgage documentation and foreclosure management processes. In recent months, questions have arisen regarding the adequacy and legality of some residential mortgage foreclosures. Several large mortgage lenders temporarily suspended their processing of foreclosures because of documentation deficiencies and concerns that their foreclosure actions were flawed or may not comply with applicable state laws governing foreclosures.

While foreclosures reported by credit unions represent only a small percentage of foreclosures nationwide, recent developments disclosed certain issues that may impact some credit unions:

A. Mortgage Electronic Registration System (MERS) challenges

MERS is an electronic loan registration system designed to track the servicing rights and ownership of mortgages in the secondary market. All loans sold by a credit union to Fannie Mae or Freddie Mac were likely registered or transferred through MERS. Under the MERS process, county land records typically list MERS as the record owner of the mortgage but the MERS internal systems reflect the current beneficial owner and servicer. The first concern relating to the MERS process is whether MERS, as record owner of the mortgage, has the legal standing to initiate foreclosure in its own name. Recent court cases have challenged MERS’ standing, or brought MERS’ standing into question. In states holding this opinion, this issue may be resolved by MERS reassigning the mortgage to the credit union. The second concern is whether MERS reassigning its interest in the mortgage to the lender holding the note allows the lender to legally initiate foreclosure on its own. There was a question whether listing MERS as the mortgage owner of record irrevocably splits the mortgage and note, thus preventing anyone from legally foreclosing on the property.

Credit unions using MERS need to obtain proper legal counsel if they encounter any of these issues.

B. Missing or defective loan documents

As a result of the increase in residential mortgage loan activity over the last decade and a strong securitization market, some lenders failed to properly document and record mortgages. Fatal documentation flaws can prevent a mortgagee from foreclosing on the property and may result in an unenforceable claim. Flawed documentation, missing notes and improper assignments of other necessary legal documents have also led to allegations of inappropriate action. MERS, along with other lenders and mortgage servicers, relied on missing document affidavits to allow a foreclosure to proceed quickly, thus limiting homeowners’ rights to due process under law. While this issue may delay the foreclosure process, absent evidence of fraud, most documentation flaws can likely be resolved.

C. Robo-signing

Robo-signing is the practice of executing foreclosure affidavits without verifying whether the information supporting the foreclosure is accurate. Overwhelmed by the volume of foreclosure actions, personnel or agents of many of the largest lenders and mortgage servicers were found to be executing flawed or untrue affidavits to speed up the foreclosure process. This led to (1) lenders and servicers temporarily suspending foreclosure actions until internal reviews were completed; and (2) MERS establishing stricter standards and suspending members that were using robo-signers until their personnel were trained and tested. While this issue may delay the foreclosure process, absent evidence of fraud, the documentation flaws can likely be resolved if facts supporting foreclosure exist.

D. Contractual buy-back risks

Another concern relates to the practice of requiring the originating lender to repurchase a mortgage sold on the secondary market. Commonly referred to as “put-backs,” an investor or purchaser of a mortgage can by contract require the lending institution, such as a credit union, to repurchase the mortgage at face value if the loan did not conform to representations and warranties about the loan quality or documentation. It is unclear if this represents a material risk; however, in light of market conditions, many investors are considering this a useful tool to mitigate risk of loss. A significant put-back requirement could materially impact a credit union’s net worth, earnings and liquidity.

In accordance with the aforementioned NCUA Letter, it is imperative that the board of directors and management of every credit union review the credit union’s foreclosure process to ensure that the following elements are in place:

• Appropriate policies and procedures for all aspects of the foreclosure process, tailored to comply with the laws of each state in which the credit union does business

• Experienced and knowledgeable staff qualified to handle foreclosures

• Effective internal controls surrounding the foreclosure process

• Adequate oversight, due diligence and control of third-party servicers performing foreclosures on behalf of the credit union

• Legally compliant documentation to support foreclosure actions

• Appropriate reporting to the board of directors of the number and volume of foreclosure actions and their financial impact on the credit union

For each foreclosure action, there should be a documented evaluation of the feasibility of a loan modification prior to proceeding with foreclosure. Credit unions should also suspend foreclosure actions during modification negotiations and during the temporary modification period whenever legally possible. This process of pursuing a modification and a foreclosure simultaneously, known as dual tracking, causes unnecessary confusion and anxiety for distressed borrowers, and can result in unnecessary and costly errors.

3. Business lending risks

Business lending has unique characteristics and more complex variables than consumer lending. Risk management practices should be properly evaluated and be commensurate with the level and complexity of loans granted. In accordance with the NCUA Supervisory Letter, an attachment to NCUA Letter 10-CU-02, the adequacy of the credit union’s net worth position should be considered in concert with risk exposures from business lending to help ensure safe and sound growth of such lending. Credit unions actively involved in any business lending should perform ongoing risk assessments to identify concentrations. The credit risk assessment should identify potential concentrations by stratifying the portfolio into segments that have common risk characteristics or sensitivities to economic, financial or business developments.

Concentrations can be by loan type, industry, collateral, geographic area, individual or associational group of borrowers, business lines, etc. Stratification should be supportable and not divided into multiple segments simply to avoid the appearance of concentration risk. Credit unions should identify and monitor credit concentrations, establish internal concentration limits and report all concentrations to management and the board of directors on a periodic basis. Depending on the results of the risk assessment, the credit union may need to enhance its risk management systems.

4. Compliance management

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act) established the Consumer Financial Protection Bureau (CFPB). Congress established the CFPB as an independent bureau with authority to regulate the offering and provision of consumer financial products or services under federal consumer financial laws. Congress gave the CFPB authority over two key federal fair lending statutes, the Equal Credit Opportunity Act, which prohibits discrimination against applicants in any type of credit transaction, and the Home Mortgage Disclosure Act, which requires lenders to report mortgage data to allow for better fair lending enforcement.

For the credit union industry, the CFPB has examination authority over large credit unions with assets over $10 billion. The Office of Consumer Protection (OCP) has been NCUA’s primary liaison with the CFPB and its implementation team. As CFPB becomes an established government agency, OCP will continue to ensure consistent enforcement of federal consumer protection laws and regulations. NCUA continues to collaborate with the CFPB on supervision issues, including, but not limited to, the simultaneous and coordinated examinations of large credit unions, and procedures for the transfer of consumer oversight responsibilities for credit unions that become large institutions in the future.

Conclusion

Managing the many types of risks inherent in a credit union’s real estate lending activities can appear to be overwhelming; however, recognizing, identifying and acting upon the risks outlined in this article can help a credit union avoid the pitfalls and adverse issues, and maintain a strong and vital lending portfolio.


Section 2: Accounting and finance risk

New FASB guidance offers a simplified option for testing goodwill for impairment

The existing guidance under Accounting Standards Codification Topic 350 required companies, including credit unions, to test goodwill for impairment at least annually through a two-step process. First, they must compare the fair value of a reporting unit with its carrying amount, including goodwill. If the fair value of a reporting unit is less than its carrying amount, then the second step of the test must be performed to measure the amount of the impairment loss, if any. Nonpublic companies had expressed concerns to the Financial Accounting Standards Board (FASB) regarding the cost and complexity of performing this goodwill impairment testing.

In April 2011, the FASB issued an Exposure Draft of a proposed Accounting Standards Update (ASU) to address these concerns. In September 2011, after feedback from constituents was received on the proposed ASU and redeliberations occurred, the FASB issued ASU 2011-08, Intangibles - Goodwill and Other (Topic 350): Testing Goodwill for Impairment. This guidance gives companies, including credit unions, the option in their annual goodwill impairment test to first assess revised qualitative factors to determine whether it is more likely than not (that is, a likelihood of more than 50 percent) that the fair value of a reporting unit is less than its carrying amount (“qualitative assessment”). If it is more likely than not that the fair value of a reporting unit is less than its carrying amount, a credit union must still perform the existing two-step impairment test. Otherwise, the credit union would not be required to perform the existing two-step impairment as goodwill would not be considered impaired based on the qualitative assessment.

This guidance, however, does not change the current guidance for testing indefinite-lived intangible assets for impairment.

A key challenge for credit unions will be identifying the proper factors to drive the qualitative assessment. The guidance includes the following examples of factors to consider in conducting the qualitative assessment:

• Macroeconomic conditions—such as a deterioration in general economic conditions, limitations on accessing capital, fluctuations in foreign exchange rates, or other developments in equity and credit markets

• Industry and market considerations—such as a deterioration in the environment in which the company, including the credit union, operates, an increased competitive environment, a decline in market-dependent multiples or metrics (considered in both absolute terms and relative to peers), a change in the market for the company’s products or services, or a regulatory or political development

• Cost factors—such as increases in raw materials, labor, or other costs that have a negative effect on earnings and cash flows

• Overall financial performance—such as negative or declining cash flows or a decline in actual or planned revenue or earnings compared with actual and projected results of relevant prior periods

• Other relevant company-specific events—such as changes in management, key personnel, strategy, or customers; contemplation of bankruptcy; or litigation

• Events affecting a reporting unit—such as a change in the composition or carrying amount of its net assets, a more-likely-than-not expectation of selling or disposing all, or a portion, of a reporting unit, the testing for recoverability of a significant asset group within a reporting unit, or recognition of a goodwill impairment loss in the financial statements of a subsidiary that is a component of a reporting unit

These examples are not all-inclusive and only represent certain adverse events or circumstances that may exist (among others). All factors that would be relevant to a credit union should be considered. For example, a recent fair value calculation for a reporting unit also would be an important piece of information that should be considered. These factors should be considered in the context of the fair value of a reporting unit and greater emphasis should be placed on those that have the largest impact on the comparison of the fair value of a credit union’s reporting unit to its carrying amount. During the assessment, the credit union should consider each adverse event or circumstance, as well as the existence of any positive and mitigating events and circumstances. Once the credit union has assessed the totality of the events, if it is determined that it is more likely than not that the fair value of a reporting unit is greater than its carrying amount, no further testing is required.

Those reporting units in which fair value was greater than carrying amount by a substantial margin in the prior period would seem to be good candidates for the qualitative assessment. Conversely, for those reporting units in which goodwill was impaired or fair value was not greater than carrying amount by a substantial margin in the prior period, it may be difficult to support that it is not more likely than not that the fair value of the reporting unit is less than its carrying amount. The lack of a significant excess fair value or margin over carrying amount in the cases where previously the two-step quantitative goodwill impairment test was performed leaves the qualitative assessment highly sensitive to adverse changes in the factors impacting the reporting unit.

Management will need to prepare detailed documentation of its evaluation of all relevant events, circumstances, assertions and data used that could impact the fair value and/or carrying amount of the reporting unit when performing a qualitative assessment. Management should consider developing a process over this analysis to ensure all factors and circumstances are identified and evaluated. A sound process should include:

• Identifying the key drivers and changes

• Identifying the internal and external sources of information

• Comparing the various sources as to consistency

• Considering the results of the two-step quantitative goodwill impairment tests in the past

• Considering how often the credit union will be performing the qualitative assessment going forward

• Monitoring the market and its impact on the credit union’s industry

• Determining the weighting of the factors to conclude on the results

This process and its results should be documented in a robust memo, with the supporting information readily available.

The obvious benefit of a qualitative assessment is the potential reduction in costs and time associated with the impairment evaluation. The two-step quantitative goodwill impairment test typically requires a very detailed review of the credit union to obtain the current fair value of the reporting unit (down to an account level if Step 2 of the test is necessary), while the qualitative assessment allows the credit union to evaluate more global factors in the analysis. Credit unions may choose to work with specialized vendors on the goodwill impairment analysis. By utilizing resources internally within the organization, the credit union should be able to obtain the results that meet the requirements without the complexities of the previous methodology. While the qualitative assessment may offer considerable savings in time and resources, credit unions must recognize that there will be instances where a unit will not pass the qualitative assessment, and thus, the more detailed quantitative test will be required.

The standard allows the credit union to move between the qualitative assessment and the two-step quantitative goodwill impairment test in future years without issue. In cases where a credit union suspects that a quantitative test will be necessary, it is not required to first complete the qualitative assessment. Instead, it can move directly to the two-step quantitative goodwill impairment test.

Regardless of the method followed, annual impairment testing for goodwill is still required. The impairment test can be performed any time during the fiscal year, but must be performed at the same time each year.

The trend of increased mergers in the credit union industry in recent years makes goodwill a significant issue in the industry. As a result, impairment testing is more common, as well. This amendment provides a more straightforward and practical method for evaluating goodwill for impairment in appropriate circumstances.

FASB offers guidance on Troubled Debt Restructurings

The Financial Accounting Standards Board (FASB) has offered considerable guidance over the past few years in addressing Troubled Debt Restructurings (TDRs) and corresponding financial statement disclosures. First, starting with the calendar year ending Dec. 31, 2011, credit unions must prepare enhanced financial statement disclosures related to the Allowance for Loan Losses (ALL), including the disclosure of TDRs. Second, in 2011, FASB issued Accounting Standards Update (ASU) 2011-02, “A Creditor’s Determination of Whether a Restructuring is a Troubled Debt Restructuring,” which provides additional and clarifying language to assist creditors in determining if a debt restructuring represents a TDR. Credit unions should read the entire ASU, as it includes numerous carve-outs that are not discussed in this article (for example, non-TDR accounting would apply to the modifications of loans which were accounted for in a merger and that were acquired with deteriorated credit quality). The overarching definition of a TDR did not change. First, in order for a modification to be considered a TDR, the borrower must be experiencing financial difficulties; second, the credit union must grant a concession as a result of the borrower’s financial difficulties. The FASB guidance offers a more structured approach to those definitions.

Judgment plays a critical role in determining whether a borrower is experiencing financial difficulty, and whether the modification offered by the credit union is a concession. Default is not the only evidence of financial difficulty, and deviation from current market rates is not the only modification that would be considered a concession. Consider the example of a borrower who is not yet in default, but exhibiting indicators such as bankruptcy, going concern issues, cash flows or job losses. Any of these indicators could mean that the borrower could not get a loan from another creditor at current market interest rates. The borrower likely would only be able to secure new credit at a higher interest rate, at which rate the borrower could not afford to make future payments. In such circumstances, extending additional credit to the borrower at the existing loan rate, or even at a rate in excess of the current contractual rate that is still below the rates that a borrower in these particular circumstances would likely receive elsewhere, could be considered a concession.

The interest rate in the modified agreement is not the only attribute to be considered when evaluating whether a modification is a concession. Restructurings that allow delays in repayment may also qualify as concessions, but only if the delays are significant. The following factors, considered together, may indicate that a restructuring results in a delay in payment that is insignificant and that would not, therefore, be considered a concession:

• The amount of the restructured repayments subject to delay is insignificant to the unpaid principal or collateral value of the debt, and will result in an insignificant shortfall in the contractual amount due

• The delay in timing of the restructured payment period is insignificant relative to any one of the following:

− The frequency of payments due under the debt

− The borrower’s original contractual maturity

− The borrower’s original expected duration

As noted in the update, a previous restructuring needs to be considered as to the insignificant delay. There is no “guidance” from FASB as to an insignificant delay.

This ASU does not significantly change the core accounting issues associated with TDRs, namely:

• Income recognition methodology

• Expected cash flows needed to determine the allowance for losses

• Three methods for determining impairment

• Definition of an impaired loan and accounting—Accounting Standards Codification Section 310-10-35

At the end of the day, an impaired loan simply means that the credit union expects that it is not probable that it will collect all of the contractual amounts due it. “Probable” is a term of art, but essentially means a future event is likely to occur.

Credit unions should familiarize themselves with FASB’s ASU on TDRs to ensure that their judgments concerning such issues as financial difficulty, concession, significant delay, and probability are being made according to current standards, and that their financial statements correctly reflect the results of those judgments.

FHA and HUD Matters

Has your credit union taken advantage of the Federal Housing Administration loan program? If so, beware of regulatory filing requirements

In September 2009, the U.S. Department of Housing and Urban Development (HUD) issued notice of a Federal Housing Administration (FHA) loan program change as a result of Mortgagee Letter 2009-31, titled “Strengthening Counterparty Risk Management” (ML 2009-31). Effective for fiscal years ending on or after Jan. 1, 2010, this policy changes audit requirements for supervised mortgagees (including credit unions) that participate in the FHA insured loan program. Among the changes are requirements to submit:

• Annual audited financial statements performed under Generally Accepted Government Auditing Standards (GAGAS, also referred to as the Yellow Book) to HUD within 90 days of their fiscal year-end


• An opinion on certain supplementary information required by HUD (i.e. net worth calculation, schedule of loan fees)

• A separate compliance audit under the “Consolidated Audit Guide for Audits of HUD Programs” (the HUD Guide)

Further, under the new rules, HUD requires that financial statements and other financial and compliance data be submitted electronically through the FHA’s Lender Assessment Subsystem (LASS) for FHA review within 90 days of the institution’s fiscal year-end. The responsibility for this electronic submission rests with the credit union. Your independent auditor is then required to perform a separate agreed-upon procedures engagement related to the electronic filing.

In July 2011, HUD issued Mortgagee Letter 2011-25 (ML 2011-05), titled Revised Audited Financial Statement Reporting Requirements for Supervised Lenders in Parent-Subsidiary Structures and New Financial Reporting Requirements for Multifamily Mortgagees. This letter clarifies that supervised mortgagees (including credit unions) should be following all other requirements in the HUD Guide for non-supervised mortgagees (for example, independent mortgage banking companies).

This recent letter exempts supervised mortgagees below a certain threshold from the requirement to submit financial statements audited in accordance with GAGAS to HUD. These “exempt” supervised mortgagees are nevertheless required to engage an independent auditor to perform a program-specific audit over the HUD program under strict regulatory and auditing rules. According to the recent letter, the corresponding reports are required to be submitted to HUD within 90 days of year-end, along with a copy of the fourth-quarter Call Report. It is management’s responsibility to determine whether the provisions of the letter apply to them and to make financial statement and compliance audit arrangements. The Mortgagee Letter can be found at http://www.hud.gov/offices/adm/hudclips/letters/mortgagee/.

The letter indicates that the exemption generally applies to supervised mortgagees with less than $500 million in assets in 2010 and will expire on April 7, 2012. HUD has issued a Frequently Asked Questions (FAQ) document addressing submissions for mortgagees meeting the requirements of ML 2011-25.

Finally, ML 2011-05 establishes a new requirement for both supervised and non-supervised mortgagees to report loan fees earned that exceed 5 percent of the insured loan amount on each FHA-insured loan over $2 million endorsed during the mortgagee's fiscal year period covered in its audited financial statements. ML 2011-05 goes on to define loan fees and describes the requirements for a new separate schedule that is required to be included with the mortgagee's annual audited financial statements submitted to HUD.

In conclusion, if your credit union is originating, selling or servicing FHA loans, it is critical that your credit union be in compliance with the HUD rules.

The provision as a profit center

Credit unions have been grappling with the issue of historical loss reserves. Just five years ago this was the primary driver of the allowance for loan losses (ALL) and the occasional large impaired loan that generally resulted from an isolated bankruptcy. Times were good. Losses in the commercial and residential real estate portfolio were unheard of, and as a result, a large number of credit unions had minimal loss factors associated with these loan pools. Loss histories of 3 to 5 years were the norm.

Then 2008 happened, which in turn led to record numbers of charge-offs in 2009 and into 2010. These charge-offs forced credit unions to reexamine their long-held policies related to loan loss history and its effect on building the ALL.

The failure of a few troubled credit unions spurred a one-size-fits-all mentality in how loss histories are used to calculate the ALL. There was no such thing as an ALL that was too conservative in the minds of regulators. Financial institutions that had successfully managed their ALL exposure for years were now changing the key driver of their ALL overnight to weighted three-year, two-year, one-year or even six-month calculations, depending on the loan type. These calculations caused the need for ever increasing provisions with little thought put into what was actually driving the losses.

Theoretically, if management is properly monitoring its judgmental or qualitative and environmental (Q&E) factors, then there is no need to adjust loss histories. Q&E factors are subjective pieces of information that allow institutions to adjust for changes in the underlying portfolio (both positive and negative) that are, as of yet, not quantifiable because a sufficient period of time to evaluate the impact of such change has not passed. Q&E factors are needed because loss histories by definition measure historical trends, which are often not reflective of current trends (i.e., significant improvement in loan quality after a painful period of losses or new loan programs, with no internal experience to measure losses). These factors work to adjust historical loss rates for current conditions that would impact the level of loan charge-offs, thus negating the need to constantly adjust the number of years to include in the loss history calculation.

There is no doubt that, for a number of financial institutions, the large increases in provision were warranted as underwriting issues were identified more easily when the rose-colored glasses of 2005 through 2007 were taken off. These financial institutions had taken on too much risk too quickly and were dealing with the ramifications of those decisions. However, these same financial institutions also caused regulators and auditors to take a one-size-fits-all approach to loss histories for all credit unions—after all, the huge losses taken by one commercial bank in one region of the country/state must translate into similar losses for a consumer-focused community credit union in another region of the country/state. As a result, a number of credit unions have changed their ALL policies in the last two years and are very hesitant to switch back to pre-recession loss histories for fear of a hand-slap by the regulators.

As we enter 2012, though, credit unions are much like a football team entering the playoffs (as the last few years have illustrated, not everybody made the playoffs)—they know what they have and what they don’t have, and they know to focus on their strengths and manage their weaknesses in order to continue. In other words, the majority of credit unions have either:

• Exited businesses where large losses were taken (100% LTV home equity products and commercial real estate)

• Modified and improved underwriting standards and quality control

• Developed analytics which have enabled them to isolate the worst-performing pools (i.e. real estate loans originated in 2007) to not only gauge their risk portfolio but also to be pro-active with those borrowers to mitigate future losses

Financial institutions understand that regulators and auditors need more documentation and more objective evidence to support any changes to historical losses. Considering the trends in decreasing charge-offs and lower delinquencies nationwide at credit unions, there is no reason that a credit union could not begin to scale back the ALL through negative Q&E factors and fully be able to support it to their regulators and auditors. By showing this positive evidence as opposed to the negative factors in prior years, a financial institution could establish the directional consistency that auditors look for in evaluating judgmental items such as Q&E factors.

What’s next?

Most in the financial institution community know enough about the current economic environment to know that they really don’t know anything. There are too many unknowns and fluctuations based on whatever data the government has chosen to release that day, which seem to be based more on polling numbers than economic numbers.

These arguments do not advocate a wholesale reversal of the ALL methodology—rather, they ask those in the financial institution industry to realize that they now have the information available to them about what caused their losses during the downturn to reasonably support reversing certain ALL amounts through increased documentation for Q&E factors and historical loss pools. The ending result is reduced or negative provision amounts, which will allow the ALL to perform its intended function—accounting for losses inherent in the total loan portfolio.

Accounting and other merger implications: Lessons learned

While mergers declined in 2011 when compared to recent years, there is still an active merger market in the credit union industry. The current guidance on accounting for business combinations, which is captured in Topic 805 of the Codification, has been in effect since 2009. We have gained some insights, including the following:

• The due diligence of the target credit union is a key factor in determining whether a transaction will meet the expectations of the acquirer and should go forward. A complete review of the loan quality, internal controls, segregation of duties and compensating controls, as well as key contracts that may require recognition of additional liabilities, is vitally important before any final decisions about a deal are made.

• The soft impacts on the credit union also should be considered, such as the culture fit and how to move forward as one combined institution. A strategic plan including such issues takes considerable time to prepare, execute and follow through on.

• The required use of a “fair value” model to account for business combinations has increased the involvement of valuation specialists – both in management’s accounting for a business combination and in the auditor’s testing of the amounts recognized.

• The accounting for contingent consideration (including measuring it at fair value initially, classifying it appropriately as either an asset/liability or equity, and subsequently adjusting it to fair value if classified as an asset/liability) is also one of the more challenging aspects of the business combination accounting guidance.

These observations and many others underscore the importance of the credit union familiarizing itself with the business combination accounting guidance before a business combination occurs.

Overall scope of the business combinations guidance

A business combination occurs when the buyer obtains control of a business through a transaction or other event. The key elements in the definition of a business combination are the following:

• The acquired entity must meet the definition of a business. A business includes inputs and processes that are at least capable of producing outputs (i.e., outputs do not have to be part of the transferred set)

• The buyer must obtain control of a business. The usual condition for control is a greater than 50 percent ownership interest in the investee (i.e., a majority ownership interest)

Determining whether a transaction or other event should be accounted for as a business combination instead of an asset acquisition has significant accounting repercussions. For example:

• Goodwill is recognized in a business combination, but not in an asset acquisition

• Acquisition costs are generally expensed as incurred and when the related services have been received by the buyer in a business combination, while the same costs are generally considered part of the cost of the assets (or net assets) in an asset acquisition

• Assets acquired and liabilities assumed in a business combination are measured predominantly at fair value, while assets acquired and liabilities assumed in an asset acquisition are measured by allocating the total cost of the net assets based on the fair values of the individual assets acquired and liabilities assumed

Subsequent accounting

The initial accounting for a business combination has been extensively written about over the past two years. However, we are encountering more and more questions from clients concerning post-transaction accounting.

Once an asset or liability is recognized in the accounting for a business combination, the subsequent accounting for that asset or liability typically follows the accounting guidance otherwise applicable to those assets and liabilities. A brief overview of certain subsequent accounting guidance that is relevant to credit unions is provided in the following table:

| Item | Overview of subsequent accounting and reporting guidance |
| --- | --- |
| Core deposit intangible | The core deposit intangible would be amortized over the estimated life through the other non-interest expense account on the statement of income. |
| Asset and deposit premiums/discounts | When a premium or discount is established at the time of merger to properly record them at the fair value, these are amortized over an average life directly into the associated income or expense accounts. For example, if a premium or discount has been established for an investment account, the amortization or accretion would offset the investment interest income account. |
| Loan fair value adjustments | The adjustments to loan accounts at acquisition can be split into two types of accounts based on the nature of the fair value–the interest rate valuation component and the credit valuation component. The exact requirements of GAAP are complicated and many credit union systems do not allow these to be tracked on an individual loan basis. In general, the following pooling methods approximate the more detailed approach. The interest rate valuation account is amortized over an average life to the loan interest income account, while the credit valuation account is tracked separately, and subsequent charge-offs reduce the balance within the account until it is depleted. Once the credit valuation account is fully depleted, there may be a need to set up an allowance account for the remaining pool of acquired loans. |

Certain assets and liabilities recognized in the accounting for a business combination merit unique subsequent accounting and regulatory guidance given their nature and the recognition and measurement principles applied to them in the accounting for the business combination. Those items for which unique subsequent accounting guidance exists as well as a brief overview of that guidance that is relevant to credit unions is provided in the following table:

| Item | Overview of subsequent accounting and reporting guidance |
| --- | --- |
| Contingent assets and liabilities | A systematic and rational accounting policy based on the nature of the contingent asset or liability should be used to subsequently account for that asset or liability. |
| Indemnification assets | Adjustments to the carrying amount of an indemnification asset follow any adjustments made to the underlying indemnified item. In other words, the same basis that is used to measure the indemnified asset or liability is used to measure the indemnification asset. Collectibility and contractual limitations of the indemnification should be taken into consideration when remeasuring an indemnification asset. Subsequent accounting adjustments to indemnification assets are reflected in income. Indemnification assets are removed from the books only upon collection, sale, or other loss of rights to the benefits provided by the indemnification. |
| Contingent consideration | The subsequent accounting for contingent consideration depends on whether the contingent consideration is classified as an asset/liability or equity. Contingent consideration classified as equity is not remeasured in subsequent accounting periods. Contingent consideration classified as an asset/liability is remeasured to its fair value at the end of each reporting period, and the change in fair value is reflected in income or expense, unless the contingent consideration qualifies as a designated hedging instrument for which the change in fair value would be recognized in OCI. |

This covers some of the key areas we have identified regarding mergers, from the initial consideration of the transaction to the subsequent accounting. Because of the increased complexity of the accounting for credit union mergers, it is recommended that you seek the expertise of accountants and valuation specialists experienced with the acquisition method of accounting. McGladrey & Pullen has updated the Guide to Accounting for Business Combinations in January 2012. You can download a copy of this guide on our website at A Guide to Accounting for Business Combinations Second Edition.


Section 3: Compliance risk

BSA, AML and OFAC compliance: Penalties, changes and guidance

Regulatory compliance remains a key issue for credit unions, particularly as it concerns the Bank Secrecy Act (BSA), the Office of Foreign Assets Control (OFAC) and anti-money laundering (AML). Risks abound. For example, how does $7 million sound to you? In March 2011, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a $7 million civil monetary penalty against a single bank for BSA non-compliance. How would such a penalty affect your credit union? Is your credit union’s BSA-AML-OFAC compliance program healthy enough to avoid such a penalty? And is it robust enough to keep up with the ongoing changes?

NCUA matters

The National Credit Union Administration (NCUA) issued two cease and desist orders (C&D orders) to credit unions in 2011.

In June and November 2011, the NCUA issued separate C&D orders against two credit unions in Philadelphia. The C&D orders similarly required the affected credit unions to:

• Engage a CPA to conduct a balance sheet audit and financial statement audit, as well as a member-account verification

• Fully cooperate with the CPA and ensure that the CPA provided the NCUA with copies of all audit reports and progress reports

• Take appropriate measures to protect the integrity of all records

• Establish and oversee a BSA compliance program that meets all regulatory requirements

In both cases, the BSA compliance program deficiencies were a by-product of the examiners first finding significant deficiencies in the credit unions’ accounting and recordkeeping practices. Poor accounting practices led the examiners down the trail to a dead-end: a non-existent BSA compliance program.

Both credit unions were given very tight deadlines (just a few weeks) within which to establish BSA compliance programs. Both had to implement controls to identify and report suspicious activity, perform an annual BSA risk assessment, monitor business accounts based on the risk assessment, obtain a qualified third party to conduct an independent testing of the BSA program and obtain an independent testing on an annual basis.

The C&D orders can be found at http://www.ncua.gov/Legal/Administrative%20Orders/AO2011-0022-R2.pdf and at http://www.ncua.gov/Legal/Administrative%20Orders/AO2011-0049-R2.pdf.

Other enforcement actions

• In March 2011, FinCEN issued a $7 million civil monetary penalty against a bank because the bank failed to establish and implement an effective anti-money laundering program, which resulted in the bank’s violations of BSA suspicious activity reporting requirements. The bank failed to develop and implement an appropriate BSA compliance program, despite repeated enforcement actions from the Office of the Comptroller of the Currency (OCC) in 2005 and FinCEN in 2006. The long-standing systemic deficiencies included:

− Inadequate periodic enterprise-wide BSA-AML risk assessments

− Inadequate customer due diligence practices

− Inadequate transaction monitoring systems

− Delayed filing of suspicious activity reports

− Incomplete suspicious activity reports

− Inadequate independent testing

• In August 2011, FinCEN issued a civil monetary penalty against another bank in Miami, FL, which had previously been investigated by the Drug Enforcement Agency, IRS and FinCEN. The bank’s BSA-AML compliance program was determined to be deficient in three of the four core elements; namely, the bank:

− Failed to implement an effective AML program reasonably designed to identify and report suspicious transactions commensurate with the risks inherent with its business lines and geographical reach. This failure involved:

• Failure to adequately verify the identity and account opening documents for foreign customers, and failure to maintain complete and sufficient documentation to develop appropriate customer profiles


• Failure to ensure it gathered and reviewed sufficient information on foreign and domestic account customers to adequately assess risk and potential for money laundering

• Failure to update or conduct periodic reviews of customer accounts and to perform adequate analysis of the money laundering risks associated with those accounts

• Failure to implement an adequate risk-rating methodology

• Failure to implement adequate systems and controls to monitor transactions conducted by higher-risk customers

• Failure to adequately staff the BSA compliance function with personnel to ensure day-to-day compliance

• Failure to file Currency Transaction Reports for all reportable transactions

• Failure to file Currency Transaction Reports with accurate information

− Failed to ensure staff were properly trained, experienced and supervised in reporting suspicious activity

− Failed to implement an effective independent audit function (both in scope and frequency)

− Additionally, the bank implemented an automated account monitoring system, but failed to effectively utilize the system. As a result of the inappropriate parameters, the bank had a backlog of over 100,000 alerts. Although the backlog of alerts was eventually cleared in 2009, the bank had failed to timely file Suspicious Activity Reports (SARs) that reported over tens of millions of dollars of activity. The lack of comprehensive information in SAR narratives impaired the usefulness of the SARs to law enforcement.

• In December 2011, FinCEN assessed a $25,000 civil monetary penalty against an individual who, as a bank employee, solicited a $25,000 bribe from a mortgage borrower on whom the bank had filed a SAR for possible mortgage fraud. This individual had informed the borrower that the bank filed a SAR and that a federal criminal investigation was imminent. He offered to “assist” the borrower during the investigation. Found guilty of solicitation of a bribe, in addition to the unauthorized disclosure of a SAR, the individual was also sentenced to 6 months imprisonment. The assessment emphasized that:

“All employees, agents and individuals who are privy to the information contained in a SAR should be aware of–and held to–the obligation to maintain confidentiality with respect to such information. This obligation extends beyond the SAR itself, to any information that would reveal the SAR’s existence. FinCEN also urges that such persons subject to SAR confidentiality must be aware of the civil and criminal penalties for unauthorized disclosure of a SAR.”

The assessment can be found at: http://www.fincen.gov/news_room/ea/files/ASSESSMENT_without_consent.pdf

FinCEN

• New codification

On March 1, 2011, FinCEN transferred its regulations from 31 CFR Part 103 to 31 CFR Chapter X as part of an ongoing effort to increase the efficiency and effectiveness of its regulatory oversight. 31 CFR Chapter X is organized by generally applicable regulations and by industry-specific regulations. There were no substantive changes made to the underlying regulations as a result of the transfer and reorganization. The re-codified BSA can be found at: http://www.fincen.gov/statutes_regs/ChapterX/.

• Mandatory electronic filing (proposed)

In September 2011, FinCEN issued a proposed rule to require mandatory electronic submission of all currency transaction reports (CTRs), designation of exempt persons (DOEPs), and SARs. The original deadline was June 30, 2012. Mandating electronic submission of these reports will enhance the quality of electronic data, improve the analytic capabilities in supporting law enforcement requirements and result in a significant cost reduction to the U.S. government (and taxpayers). On December 20, 2011, FinCEN announced that it extended the mandatory e-filing deadline to March 31, 2013.

The press release summarizing the original proposed rule can be found at: http://www.fincen.gov/news_room/nr/html/20110914.html. The press release announcing the delayed deadline can be found at: http://www.fincen.gov/whatsnew/pdf/20111220.pdf

• New SAR form

A new SAR Form (TD F 90-22.47) was released in March 2011. Previous editions were no longer effective as of September 30, 2011. The new SAR form can be found at: http://www.fincen.gov/forms/files/f9022-47_sar-di.pdf.

• New SAR form for e-filing (proposed)

In 2010, FinCEN announced it was proposing to redesign the SAR form with new data fields that would support the proposed mandatory electronic filing of SARs. Because the deadline for the mandatory electronic filing of SARs has been delayed until March 2013, the redesigned SAR has not been released (and likely won’t be released in 2012). The notice in the Federal Register can be found at: http://edocket.access.gpo.gov/2010/pdf/2010-26038.pdf.

• Paper SAR corrections or amendments

In October 2011, FinCEN announced that, as of December 1, 2011, corrections and amendments to previously filed SARs that were filed in paper format will no longer be accepted as previously filed. Instructions to the SAR Form (TD F 90-22.47) provide the following instruction for correcting a previously filed report:

− Check the box at the top of the report (line 1).

− Complete the report in its entirety and include the corrected information in the applicable boxes.

− Describe the changes that are being made in Part V (Description of Suspicious Activity), line k.

The notice can be read at: http://www.fincen.gov/whatsnew/pdf/20111031.pdf

• New CTR form

A new CTR Form (FinCEN Form 104) was released March 2011. Previous editions were no longer effective as of September 30, 2011. The new CTR form can be found at: http://www.fincen.gov/forms/files/fin104_ctr.pdf.

• SAR confidentiality (final rule)

On January 3, 2011, FinCEN’s amendment to the rule governing the confidentiality of SARs (issued December 3, 2010) became effective. Among other things, the final rule clarified the scope of the statutory prohibition against the disclosure by a financial institution of a SAR (including information that would reveal the existence of a SAR).

Under the final rule, any document stating that a SAR has not been filed must also be afforded the same confidentiality as a document that reveals the existence of a filed SAR. Documents that are silent as to whether a SAR has or has not been filed do not need to be afforded the same confidentiality. The final rule states:

“…with respect to the SAR confidentiality provision only, institutions may disclose underlying facts, transactions, and documents for any purpose, provided that no person involved in the transaction is notified and none of the underlying information reveals the existence of a SAR.”

The final rule does not prohibit a credit union from disclosing a SAR (or any information that would reveal the existence of a SAR) to FinCEN or any federal, state, or local law enforcement agency, or any federal regulatory authority that examines the institution for compliance with the BSA. In addition, credit unions are not prohibited from disclosing a SAR to any state regulatory authority administering a state law that requires the institution to comply with the BSA or otherwise authorizes the state authority to ensure that the institution complies with the BSA (see 31 CFR 1020.320(e)).

The Federal Register with the final rule can be found at: http://www.fincen.gov/statutes_regs/guidance/pdf/SAR%20Confidentiality%20final%20rule_11-22-2010.pdf.

• MSB registration website

FinCEN launched a new Money Service Business (MSB) Registration website the week of January 23, 2012, to improve the availability of MSB registration information. The MSB Registration website replaces the current MSB Registration List.

The new website provides MSBs, banks, regulators, law enforcement and the general public the ability to access, search, verify, download and print MSB registration information 24 hours a day, seven days a week. FinCEN will update the MSB Registration website weekly. MSBs will be added to the website within two weeks of electronically filing their Registration of Money Services Businesses (RMSB) form.

The site can be found at: http://www.fincen.gov/financial_institutions/msb/msbstateselector.html

FinCEN’s FAQs about the new MSB Registration website can be found at: http://www.fincen.gov/financial_institutions/msb/pdf/msbfaq.pdf.

• Prepaid access (final rule)

In July 2011, FinCEN issued a final rule amending BSA regulations applicable to Money Services Businesses (MSBs) with regard to “stored value.” The final rule amends BSA regulations by:

− Renaming “stored value” as “prepaid access” and defining that term

− Deleting the terms “issuer” and “redeemer” of stored value

− Imposing suspicious activity reporting, customer information and transaction information recordkeeping requirements on both providers and sellers of prepaid access (and, additionally, a registration requirement on providers only)

− Exempting certain categories of prepaid access products and services posing lower risks of money laundering and terrorist financing from certain requirements

Although most of the rule does not apply to banks or credit unions (since they are not MSBs), the final rule does provide a new definition of “prepaid access” that is important for credit unions to know. Under the final rule, “prepaid access” means:


“…access to funds or the value of funds that have been paid in advance and can be retrieved or transferred at some point in the future through an electronic device or vehicle, such as a card, code, electronic serial number, mobile identification number, or personal identification number.”

The final rule became effective on September 27, 2011. The Federal Register with the final rule can be found at: http://www.gpo.gov/fdsys/pkg/FR-2011-07-29/pdf/2011-19116.pdf.

• Prepaid access (FAQs)

Subsequent to the prepaid access final rule discussed above, FinCEN issued FAQs to assist providers and sellers of prepaid access with interpretive guidance on the final rule, including:

− What types of prepaid access arrangements are covered by the final rule

− How to determine if you are a “provider” or “seller” of prepaid access

− Requirements for effective policies, procedures and practices

The FAQs can be found at: http://www.fincen.gov/news_room/nr/pdf/20111102.pdf.

• Definition of “monetary instrument” (proposed rule)

In October 2011, FinCEN proposed amending the definition of “monetary instrument” for purposes of the international transport of currency and monetary instrument reporting requirement. The proposed rule was issued in response to the emerging potential to substitute prepaid access for cash and other monetary instruments as a means to smuggle the proceeds of illegal activity into and out of the U.S.

Currently, the term “monetary instrument” includes currency and a variety of bearer negotiable instruments, securities and “similar items,” but does not specifically include any type of prepaid access device. The proposed amendment would expand the term “monetary instrument” to include tangible prepaid access devices. (Note: The term “prepaid access” was amended under a separate final rule, as discussed under the “Prepaid Access (Final Rule)” item above). Prepaid access devices are considered similar to other types of monetary instruments because:

− They can be used as a substitute for currency

− The funds they provide access to are accessible by the bearer of the device

− They can be transferred from person to person without a record of the chain of title

Comments were due 12-16-11. The proposed rule can be found at: http://www.fincen.gov/statutes_regs/frn/pdf/FR_monetary_instrument.pdf.

• Elder financial exploitation

In February 2011, FinCEN released an advisory to financial institutions on filing suspicious activity reports regarding elder financial exploitation.

The advisory contains examples of red flags based on activity identified by various state and federal agencies. It also provides a common narrative term that will assist law enforcement in better identifying suspected cases of financial exploitation of the elderly reported in SARs. Although abuse and exploitation of the elderly are statutorily defined at the state level, the advisory points out that the National Center on Elder Abuse offers the following definition of exploitation as a type of elder abuse: “the illegal taking, misuse, or concealment of funds, property, or assets of a vulnerable elder.”

FinCEN requests that financial institutions select the appropriate characterization of suspicious activity in the Suspicious Activity Information section of the SAR form, and include the term “elder financial exploitation” in the narrative portion of all relevant SARs filed. The narrative should also include an explanation of why the institution knows, suspects, or has reason to suspect that the activity is suspicious. It is important to note that the potential victim of elder financial exploitation “should not be reported as the subject” of the SAR. Rather, all available information on the victim should be included in the narrative portion of the SAR.

The advisory can be found at: http://www.fincen.gov/statutes_regs/guidance/html/fin-2011-a003.html.

• Account takeover activity

In December 2011, FinCEN issued an advisory to assist financial institutions with identifying account takeover activity through cybercrimes (such as through malware, SQL injection attacks, spyware, Trojans and worms) that are intended to gain seemingly legitimate access to a member’s account and, ultimately, to remove, steal, procure or otherwise affect funds of a targeted member.

Through ongoing monitoring, the credit union may identify inconsistencies with a member’s normal account activity that indicate illicit intrusions (such as through ATM, ACH or wire transfer activity) into the member’s account.

When completing SARs on suspected account takeover activity, credit unions should use the term “account takeover fraud” in the narrative section of the SAR and provide a detailed description of the activity. The Advisory provides additional details on how to best complete a SAR that reports account takeover activity.


The advisory can be found at: http://www.fincen.gov/statutes_regs/guidance/html/FIN-2011-A016.html.
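The monitoring described in this item can be sketched as a per-member baseline check. The following is an added example, not part of the original publication or the FinCEN advisory; the transaction records, member IDs, counterparties and thresholds are constructed assumptions. An outbound ATM, ACH or wire transaction is queued for review only when it departs from the member's history in at least two ways.

```python
from collections import defaultdict
from statistics import median

OUTBOUND_CHANNELS = {"ATM", "ACH", "WIRE"}
# Term the advisory asks filers to use in the SAR narrative if a SAR is filed.
SAR_NARRATIVE_TERM = "account takeover fraud"

# Constructed history: (member_id, channel, counterparty, amount)
HISTORY = [
    ("M100", "ACH", "City Utilities", 120.00),
    ("M100", "ACH", "City Utilities", 135.50),
    ("M100", "ACH", "Lakeside Mortgage", 1450.00),
    ("M100", "ATM", "ATM-0042", 200.00),
    ("M100", "ATM", "ATM-0042", 100.00),
    ("M200", "WIRE", "Orchard Supply Co-op", 9000.00),
    ("M200", "WIRE", "Orchard Supply Co-op", 11000.00),
]

# Constructed new activity to assess against the baseline.
NEW_TXNS = [
    ("M100", "ACH", "City Utilities", 128.75),      # routine bill payment
    ("M100", "WIRE", "Bluefin Imports", 4800.00),   # first wire ever, unknown payee
    ("M100", "ATM", "ATM-0913", 300.00),            # new ATM only (e.g. travel)
    ("M200", "WIRE", "Pinecrest Holdings", 60000.00),  # large wire to unknown payee
]


def build_baselines(history):
    """Summarise each member's normal activity: amounts per channel, known counterparties."""
    amounts = defaultdict(list)   # (member, channel) -> list of past amounts
    parties = defaultdict(set)    # member -> counterparties seen before
    for member, channel, party, amount in history:
        amounts[(member, channel)].append(amount)
        parties[member].add(party)
    return amounts, parties


def assess(txn, baselines, ratio=5.0):
    """Return the list of ways a transaction is inconsistent with the member's baseline."""
    amounts, parties = baselines
    member, channel, party, amount = txn
    reasons = []
    if channel not in OUTBOUND_CHANNELS:
        return reasons
    past = amounts.get((member, channel))
    if not past:
        reasons.append("channel_never_used")
    elif amount > ratio * median(past):
        reasons.append("amount_above_baseline")
    if party not in parties.get(member, set()):
        reasons.append("new_counterparty")
    return reasons


def review_queue(txns, baselines, min_reasons=2):
    """Queue transactions with at least `min_reasons` independent inconsistencies."""
    queue = []
    for txn in txns:
        reasons = assess(txn, baselines)
        if len(reasons) >= min_reasons:
            queue.append({
                "member": txn[0],
                "channel": txn[1],
                "amount": txn[3],
                "reasons": reasons,
                "sar_narrative_term": SAR_NARRATIVE_TERM,
            })
    return queue


if __name__ == "__main__":
    for case in review_queue(NEW_TXNS, build_baselines(HISTORY)):
        print(case)
```

The `ratio` and `min_reasons` parameters set the alert volume, so they should be tuned against the institution's own history rather than left at these sample values.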

• SAR activity reviews

In May 2011, FinCEN released “SAR Activity Review: Trends, Tips & Issues” (Issue 19), which focuses primarily on foreign corruption, including identifying and reporting suspicious activities involving senior foreign political figures. Issue 19 includes three articles that share unique perspectives on the challenges of identifying and maintaining accounts for persons who are politically exposed persons.

In October 2011, FinCEN issued “SAR Activity Review: Trends, Tips & Issues” (Issue 20), which addresses a variety of topics, including:

− SAR filings related to international prepaid cards

− Risks associated with the growth in remote deposit capture (RDC) services

− SAR filings in relation to informal value transfer systems

− Efforts in combating bankruptcy-related mortgage fraud and mortgage rescue schemes

− SAR confidentiality

− Elder financial exploitation

− Money laundering risks associated with trading cash for gold

Issue 19 can be found at: http://www.fincen.gov/news_room/rp/files/sar_tti_19.pdf and Issue 20 can be found at http://www.fincen.gov/news_room/rp/files/sar_tti_20.pdf.

OFAC

• Enforcement action

During 2011, OFAC issued 21 enforcement actions resulting in over $91 million in penalties. Three enforcement actions involved banks:

− January 2011‒$12,500 for initiating two separate wire transfers between September 2007 and March 2008 in violation of the Iranian Transactions Regulations. The bank did not voluntarily disclose this matter to OFAC. At the time of the transactions, the bank’s filtering system was not designed to detect references to sanctioned targets in the “Originator to Beneficiary Information” field, leading to both of these apparent violations;

− August 2011‒$111,359 for issuing two letters of credit and processing two payments under those letters of credit in violation of the Iranian Transactions Regulations. The value of the payments was $329,954. The bank voluntarily self-disclosed the alleged violations, and OFAC determined that the alleged violations constituted a non-egregious case.

− November 2011‒$175,500 for presenting four sets of trade documents in violation of the Cuban Assets Control Regulations. The aggregate value of the trade documents was $884,157. The bank did not voluntarily self-disclose the matter, and the alleged violations constituted a non-egregious case.

OFAC’s 2011 enforcement action information can be found at: http://www.treasury.gov/resource-center/sanctions/CivPen/Pages/civpen-index2.aspx

• New SDN search tool

In December 2011, OFAC released an online interface application to search the SDN list across several criteria (known as SDN Search). The application is designed to facilitate the navigation of the Specially Designated Nationals and Blocked Persons list (SDN List). Results are viewable on-screen, are printable and can be saved as a spreadsheet.

The new SDN Search tool can be accessed at: http://sdnsearch.ofac.treas.gov/

• Weak aliases (or AKAs)

In January 2011, OFAC added to its list of FAQs guidance on identifying and relying on “weak aliases” (or AKAs), which OFAC defines as “a relatively broad or generic alias that may generate a large volume of false hits.” The FAQs give examples of weak aliases as shown on the different versions of the SDN list, and include a list of criteria OFAC used to determine whether an alias qualified as “weak” or not. The new FAQs state that, as a general matter, OFAC does not expect that persons will screen for weak AKAs, but expects that such AKAs may be used to help determine whether a “hit” arising from other information is accurate. OFAC will not issue a civil penalty against an individual or entity for processing such an otherwise unauthorized transaction involving an SDN, if (in general): (i) the only sanctions reference in the transaction is a weak AKA; (ii) the person involved in the processing had no other reason to know that the transaction involved an SDN or was otherwise in violation of U.S. law; and (iii) the person maintains a rigorous risk-based compliance program.

The FAQs can be found at: http://www.treasury.gov/resource-center/faqs/Sanctions/Pages/answer.aspx#index
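Two points from the OFAC items above lend themselves to a worked screening sketch: the January 2011 penalty arose because a filter did not examine the “Originator to Beneficiary Information” field, and the FAQs treat weak AKAs as corroboration for a hit rather than as a trigger. The following is an added example, not code from the original publication or from OFAC; the list entries are constructed names (none come from the SDN list), the wire field names are hypothetical, and exact phrase matching stands in for whatever matching a production filter uses.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ListEntry:
    uid: str
    primary: str
    strong_akas: tuple = ()
    weak_akas: tuple = ()


# Constructed entries for illustration; none of these names come from the SDN list.
WATCHLIST = (
    ListEntry("X-001", "Zarnov Maritime Holdings", ("ZMH Shipping Group",), ("Star",)),
    ListEntry("X-002", "Ivor Quillfeather", ("I. Q. Feather Trading",), ("Sunny",)),
)

# Hypothetical field names for a wire record. LEGACY_FIELDS models a filter that
# skips the free-text originator-to-beneficiary information.
LEGACY_FIELDS = ("originator", "beneficiary", "beneficiary_bank")
ALL_FIELDS = LEGACY_FIELDS + ("originator_to_beneficiary_info",)

# Constructed sample wires.
WIRE_MEMO = {
    "originator": "Northgate Forwarding LLC",
    "beneficiary": "Coastal Parts Supply",
    "beneficiary_bank": "First Example Bank",
    "originator_to_beneficiary_info": "Invoice 4471 on behalf of ZMH Shipping Group",
}
WIRE_WEAK = {
    "originator": "Dana Whitlow",
    "beneficiary": "Morning Star Bakery",
    "beneficiary_bank": "First Example Bank",
    "originator_to_beneficiary_info": "Catering deposit",
}
WIRE_BOTH = {
    "originator": "Dana Whitlow",
    "beneficiary": "I Q Feather Trading LLC",
    "beneficiary_bank": "First Example Bank",
    "originator_to_beneficiary_info": "Attn Sunny, order 88",
}


def normalize(text):
    """Lower-case, drop punctuation and collapse whitespace so phrases compare token by token."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text.lower()).split())


def phrase_in(text, phrase):
    """True when the tokens of `phrase` appear contiguously in already-normalized `text`."""
    return f" {normalize(phrase)} " in f" {text} "


def screen_wire(wire, fields=ALL_FIELDS, watchlist=WATCHLIST):
    """Alert on primary names and strong AKAs; record weak AKAs only as supporting evidence."""
    texts = {f: normalize(wire.get(f, "")) for f in fields}
    alerts, weak_only = [], []
    for entry in watchlist:
        strong = [(f, name) for f, t in texts.items()
                  for name in (entry.primary, *entry.strong_akas) if phrase_in(t, name)]
        weak = [(f, aka) for f, t in texts.items()
                for aka in entry.weak_akas if phrase_in(t, aka)]
        if strong:
            # A hit from other information; weak AKAs help the analyst judge its accuracy.
            alerts.append({"uid": entry.uid, "hits": strong, "weak_corroboration": weak})
        elif weak:
            # Weak AKA alone: logged for audit, not raised as an alert.
            weak_only.append({"uid": entry.uid, "hits": weak})
    return {"alerts": alerts, "weak_only": weak_only}


if __name__ == "__main__":
    print("all fields:   ", screen_wire(WIRE_MEMO)["alerts"])
    print("legacy fields:", screen_wire(WIRE_MEMO, fields=LEGACY_FIELDS)["alerts"])
    print("weak only:    ", screen_wire(WIRE_WEAK))
    print("corroborated: ", screen_wire(WIRE_BOTH)["alerts"])
```

Running the same wire through `LEGACY_FIELDS` and `ALL_FIELDS` is a quick regression check that every free-text field in a message format is actually reaching the filter.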

FATF

• Designing AML/CFT measures for financial inclusion

In June 2011, the Financial Action Task Force (FATF) released its “Anti-money Laundering and Terrorist Financing Measures & Financial Inclusion” guidance that:

− Focuses on ensuring that AML/CFT controls do not inhibit access to well-regulated financial services for financially excluded and underserved groups

− Explores the initiatives to address financial inclusion within the AML/CFT context taken in developing countries

− Reviews the different steps of the AML/CFT process (CDD, record-keeping requirements, reporting of suspicious transactions, use of agents, internal controls)

− Presents how FATF Standards can be read and interpreted to support financial inclusion

The FATF guidance can be found at: http://www.fatf-gafi.org/document/4/0,3746,en_32250379_32235720_48294212_1_1_1_1,00.html

• Money laundering typologies

In July 2011, FATF released a study (Laundering the Proceeds of Corruption) on the links between corruption and money laundering. This typology report drew from publicly available work undertaken by experts. The goal of the project was to better understand corruption, its mechanisms and vulnerabilities. The report identifies key vulnerabilities within the current AML/CFT framework and discusses some of the obstacles to the recovery of corruption.

The FATF study can be found at: http://www.fatf-gafi.org/document/63/0,3746,en_32250379_32237202_48472703_1_1_1_1,00.html

The Wolfsberg Group

• Anti-Corruption Guidance

In August 2011, the Wolfsberg Group released guidance on anti-corruption to describe the role of financial institutions in support of international efforts to combat corruption and to protect themselves against the misuse of their own operations in relation to corruption. The guidance posits that financial institutions may be used to further acts of corruption or to launder the proceeds of bribery, such as:

− A customer directing or collecting funds for the purpose of paying a bribe

− A recipient of a bribe placing proceeds of an illicit payment into the financial system

• The guidance makes the following general recommendations:

− Financial institutions should risk assess their own activities, products and services as appropriate for developing and implementing anti-corruption policies, procedures and processes

− Establish a culture in which bribery is strictly prohibited

− Implement mechanisms to monitor and review

Appendix 1 contains Guidance on an Internal Anti-Corruption Framework. Appendix 2 contains Guidance on Client Related Corruption Risks. The guidance can be found at: http://www.wolfsberg-principles.com/pdf/Wolfsberg%20Anti%20Corruption%20Guidance%20Paper%20August%2018-2011%20(Published).pdf

Conclusion

How effective is your credit union’s BSA/OFAC compliance program? To answer this question, consider the following questions:

− Would your accounting and/or recordkeeping practices point examiners in the direction of a sorely deficient BSA compliance program?

− Would you struggle to demonstrate that your board members, your BSA officer and other designated BSA staff, or any other employees with knowledge of a filed SAR have been informed about the strict confidentiality of such information?

− Are you using an outdated version of the SAR and/or CTR forms, or are you failing to submit an amended or corrected paper SAR in accordance with the updated instructions?

− If you are not already electronically filing CTRs and SARs, will you be prepared to begin e-filing once the mandatory deadline (presumably in 2013) is reached?

− Have you avoided training on identifying elder financial abuse red flags, accounts owned by politically exposed persons, or account takeover through cybercrime because the credit union isn’t likely to encounter any such activity?

− Do staff who conduct OFAC screenings gloss over an SDN’s AKA instead of using the AKA to further determine whether a hit is a match?

− Is the credit union’s culture immune to employees who are being bribed or who engage in any corrupt activities?

In other words, could an examiner see in your BSA/OFAC compliance program any characteristics similar to those of the bank we referred to at the beginning of this article? Let’s hope not‒$7 million is a terrible thing to waste!


The Secure and Fair Enforcement for Mortgage Licensing Act of 2008

The Secure and Fair Enforcement for Mortgage Licensing Act of 2008 (the Act) mandated a nationwide licensing and registration system for mortgage loan originators (MLOs). The Act specifically prohibits an individual from engaging in the business of residential mortgage loan originations without first obtaining and maintaining, on an annual basis, registration as a registered mortgage loan originator and obtaining a unique identifier. The objectives of the registration include: aggregating and improving the flow of information between regulators, increasing accountability and tracking of MLOs, enhancing consumer protection, reducing fraud in the residential mortgage loan origination process, and providing consumers with easily accessible information regarding the employment history and publicly adjudicated disciplinary and enforcement actions against MLOs.

An MLO is an individual who:

• Takes a residential mortgage loan application

• Offers or negotiates the terms of a residential mortgage loan for compensation or gain

An MLO is not an individual who:

• Performs purely administrative or clerical functions/tasks on behalf of an individual who is an MLO

• Performs only real estate brokerage activities and is licensed or registered as a real estate broker in accordance with applicable State law. However, this does not apply to an individual compensated by a lender, a mortgage broker, a mortgage loan originator or any agent of such lender, mortgage broker or loan originator.

• Engages solely in extensions of credit related to time-share plans

The Act does not apply to any employee of a credit union who has never been registered or licensed within the Nationwide Mortgage Licensing System and Registry (Registry) as an MLO if, during the last 12 months, the employee acted as a mortgage loan originator for five or fewer residential mortgage loans.

The Registry contains identifying information on all MLOs, including:

• Fingerprints, for submission to the FBI for state and national criminal history background checks

• Personal history and experience, which includes authorization for the Registry to obtain information related to any civil, criminal or administrative findings

A credit union employing one or more individuals who act as a residential MLO must require those individuals to register with the Registry.

Credit unions are also required to implement and adopt policies and procedures to ensure compliance with the Act. The policies and procedures must be appropriate to the nature, size, complexity and scope of the institution’s mortgage lending activities, and must apply to those employees acting in their capacity as MLOs during employment at the credit union. The Act provides minimum standards for these policies and procedures.

The credit union should make the unique identifier of its registered MLOs available to consumers in a manner and method practical to the credit union. This identifier should be included in any written communication from the MLO to the member, such as the Good Faith Estimate (GFE) and disclosure statements. The unique identifier need not appear on written and/or promotional materials distributed for general use. Credit unions may, but are not required to, include the unique identifier on:

• Business cards

• Corporate stationery

• Notepads

• Advertisements

• Loan program descriptions

• Other comparable/similar materials

An MLO must provide the unique identifier to the consumer:

• Upon request

• Before acting as an MLO

• Through the MLO’s initial written communication with a consumer, if any, whether on paper or electronic means

The Nationwide Mortgage Licensing System and Registry provides a consumer access portal (http://www.nmlsconsumeraccess.org), where consumers can use the unique identifier, employee name and/or location to verify that the credit union and/or mortgage loan professional is authorized to conduct mortgage business in the applicable state.


MLOs are responsible for maintaining registration with the Registry, which includes renewal of the registration during the annual renewal period (November 1 through December 31 of each year). Updates by the MLO to the Registry are also required when any of the following occurs:

• The MLO’s name changes

• The MLO discontinues employment with the credit union

• Information is inaccurate, incomplete or out-of-date

• The MLO is no longer engaged in the activity of an MLO

For additional information, refer to:

• NCUA 12 CFR § Part 761 (Credit unions, Mortgages, Reporting and recordkeeping requirements)

• OCC 12 CFR § Part 34 (Mortgages, National banks, Reporting and recordkeeping requirements)

Authentication in an Internet banking environment: Updated FFIEC guidance

On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC), which includes the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision, issued guidance titled Authentication in an Internet Banking Environment (the 2005 Guidance). The 2005 Guidance provided a risk management framework for financial institutions (including credit unions) offering Internet-based products and services to their members. It stated that institutions should use effective methods to authenticate the identity of customers and that the techniques employed should be commensurate with the risks associated with the products and services offered, and sufficient to protect sensitive customer information. The 2005 Guidance provided minimum supervisory expectations for effective authentication controls applicable to high-risk online transactions involving access to customer information or the movement of funds to other parties. The 2005 Guidance also provided that institutions should perform periodic risk assessments and adjust their control mechanisms as appropriate in response to changing internal and external threats.

On June 28, 2011, FFIEC issued a supplement to the 2005 Guidance (the Supplement). The purpose of the Supplement was to reinforce the risk management framework described in the original guidance and to update the FFIEC member agencies’ supervisory expectations regarding customer authentication, layered security and other controls in the increasingly volatile online environment. The agencies were concerned that customer authentication methods and controls implemented in conformance with the 2005 Guidance had become less effective.

The Supplement stresses the need for performing risk assessments, implementing effective strategies for mitigating identified risks and raising member awareness of potential risks, but does not endorse any specific technology for doing so. The Supplement’s primary focus is on preventing rootkit-based malware, conducting stronger risk assessments and implementing layered security controls. The FFIEC member agencies have directed examiners to formally assess financial institutions under the enhanced expectations outlined in the Supplement beginning in January 2012. Examiners will be charged with ensuring that a process is in place to detect and respond to suspicious activity at initial login to an electronic banking system and at the initiation of electronic transactions involving funds transfers.

The Supplement establishes specific supervisory expectations in three areas – risk assessments, layered security controls and member awareness and education.

Risk assessments

FFIEC reinforced the expectations that credit unions should perform periodic risk assessments and adjust their member authentication controls as appropriate in response to new threats to members’ online accounts. To ensure compliance with the guidelines, credit unions cannot rely solely on any single control for authorizing high-risk transactions. Instead, they should review and update their existing risk assessments as new information becomes available, prior to implementing new electronic financial services, or at least every twelve months. Updated risk assessments should consider, but not be limited to, the following factors:

• Changes in the internal and external threat environment

• Changes in how the member base is adopting electronic banking

• Changes in the functionality offered to members through electronic banking


• Actual incidents of security breaches, identity theft or fraud experienced by the institution or industry

Layered security controls

The updated guidance recognizes that the risks posed to retail/consumer banking are lower than the risks currently posed to business/commercial banking. However, layered security is required for both.

Layered security is characterized by the use of different controls at different points in a transaction process, so that a weakness in one control is generally compensated for by the strength of a different control. Layered security can substantially strengthen the overall security of Internet-based services. Layered security can be effective in protecting sensitive member information, preventing identity theft, and in reducing account takeovers and the resulting financial losses. Effective controls that may be included in a layered security program include, but are not limited to:

• Fraud detection and monitoring systems that include consideration of member history and behavior and enable a timely and effective institution response

• The use of dual member authorization through different access devices

• The use of out-of-band verification for transactions

• The use of positive pay, debit blocks and other techniques to appropriately limit the transactional use of the account

• Enhanced controls over account activities, such as transaction value thresholds, payment recipients, a limit to the number of transactions allowed per day and allowable payment windows

• Internet protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities

• Policies and practices for addressing member devices identified as potentially compromised and for dealing with members who may be facilitating fraud

• Enhanced control over changes to account maintenance activities performed by members, either online or through member service channels

• Enhanced member education to increase awareness of the fraud risk and effective techniques members can use to mitigate the risk

Layered security is expected to address the following two elements, at a minimum:

• Structure for the security of online accounts to detect and respond to suspicious activity at the initial login and during the initiation of any electronic funds transfers

• Enhanced security controls over administrative privileges for user setup, application configurations and limitations

Each additional measure materially increases the level of difficulty for an attacker.
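The sketch below shows how several of the controls listed above can be evaluated together when a funds transfer is initiated, so that a transfer passing one control (a valid one-time password) is still held by another. It is an added illustration, not code from the FFIEC Supplement or from McGladrey; the policy limits, reason codes, names and IP addresses are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time
from statistics import median
from typing import Optional

BLOCK, HOLD, ALLOW = "block", "hold", "allow"


@dataclass(frozen=True)
class Policy:
    per_txn_limit: float           # transaction value threshold
    max_txns_per_day: int          # number of transfers allowed per day
    window: tuple                  # allowable payment window (start, end)
    known_payees: frozenset        # payment recipients already established
    dual_auth_over: float          # above this, a second person must approve
    unusual_multiple: float = 3.0  # versus the member's median past amount


@dataclass(frozen=True)
class Transfer:
    initiator: str
    payee: str
    amount: float
    when: datetime
    source_ip: str
    otp_valid: bool                        # result of the login-time factor
    oob_confirmed: bool = False            # confirmed over a separate channel
    second_approver: Optional[str] = None  # dual authorization


def evaluate(t, policy, history, bad_ips):
    """Return (decision, reasons); history holds the account's earlier transfers."""
    blocks, holds = [], []

    # Hard stops: any one of these rejects the transfer outright.
    if t.source_ip in bad_ips:
        blocks.append("ip_reputation")
    if not t.otp_valid:
        blocks.append("authentication_failed")
    if t.amount > policy.per_txn_limit:
        blocks.append("over_transaction_limit")
    same_day = [h for h in history if h.when.date() == t.when.date()]
    if len(same_day) >= policy.max_txns_per_day:
        blocks.append("daily_count_exceeded")

    # Step-up controls: the transfer waits until the extra check is satisfied.
    start, end = policy.window
    if not (start <= t.when.time() <= end):
        holds.append("outside_payment_window")
    past = [h.amount for h in history]
    unusual = bool(past) and t.amount > policy.unusual_multiple * median(past)
    if (t.payee not in policy.known_payees or unusual) and not t.oob_confirmed:
        holds.append("out_of_band_required")
    if t.amount > policy.dual_auth_over and t.second_approver in (None, t.initiator):
        holds.append("dual_authorization_required")

    if blocks:
        return BLOCK, blocks + holds
    if holds:
        return HOLD, holds
    return ALLOW, []


# Constructed sample data (IP addresses are from documentation ranges).
POLICY = Policy(
    per_txn_limit=25_000,
    max_txns_per_day=3,
    window=(time(8, 0), time(17, 0)),
    known_payees=frozenset({"ACME-PAYROLL", "CITY-UTILITIES"}),
    dual_auth_over=10_000,
)
BAD_IPS = {"203.0.113.50"}
HISTORY = [
    Transfer("alice", "ACME-PAYROLL", 4000, datetime(2012, 1, 9, 10, 0),
             "198.51.100.7", True),
    Transfer("alice", "CITY-UTILITIES", 300, datetime(2012, 1, 10, 11, 0),
             "198.51.100.7", True),
]
# A session in which the OTP was entered correctly but the payee is new and the
# amount is out of pattern, as it would be if malware altered the payment.
MITB_TRANSFER = Transfer("alice", "NEW-PAYEE-LLC", 9500,
                         datetime(2012, 1, 11, 14, 30), "198.51.100.7",
                         otp_valid=True)


def demo():
    """Evaluate the sample transfer before and after out-of-band confirmation."""
    before = evaluate(MITB_TRANSFER, POLICY, HISTORY, BAD_IPS)
    after = evaluate(replace(MITB_TRANSFER, oob_confirmed=True),
                     POLICY, HISTORY, BAD_IPS)
    return before, after


if __name__ == "__main__":
    for decision, reasons in demo():
        print(decision, reasons)
```
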

Member awareness and education

A credit union’s member awareness and educational efforts should address both retail and commercial account holders and, at a minimum, include the following elements.

• An explanation of protections provided and not provided to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access

• An explanation of under what circumstances, if any, and through what means the credit union may contact a member on an unsolicited basis in order to request the member’s electronic banking credentials

• A suggestion that commercial online banking members perform a related risk assessment and controls evaluation periodically

• A listing of alternative risk control mechanisms that members may consider implementing in order to mitigate their own risk; or, alternatively, a listing of available resources where such information can be found

• A listing of institutional contacts for members’ discretionary use in the event they notice suspicious account activity or experience security-related information events

An overview of threats and compensating controls is presented in the appendix to the Supplement. The appendix highlights keyloggers and man-in-the-middle (MIM) or man-in-the-browser (MIB) attacks as threats, with the latter being used to circumvent strong authentication methods, such as one-time password (OTP) tokens.

The appendix also points out that out-of-band authentication or verification has taken on an increased level of importance, given the rising malware infection rates on member PCs, which can defeat OTP tokens, device identification, challenge questions and many other forms of strong authentication.

This discussion also includes a look forward to emerging security controls. Among these are: keystroke dynamics, biometrics, volume and value limitations, monitoring and alert on exception events, and establishing individual transaction and aggregate account exposure limits based on expected account activity and dual controls over high-risk functions performed online.


Preparing for the 2012 Regulatory Examination

According to Guardian Analytics, a provider of behavioral analytics-based fraud prevention solutions, just more than half of the financial institutions it surveyed are ready for the FFIEC guidance. Of the 300 U.S. institutions surveyed, 75 percent of banks and 25 percent of credit unions say they have spent the last six months on conformance action; however, only 50 percent say they fully understand minimum requirements for authentication conformance.

National Credit Union Administration examiners began monitoring the new guidance standards in January 2012. Examiners will expect credit unions to have a process in place to continuously monitor and update their compliance and risk management practices to adjust for new information and changes in the business, compliance and risk landscape. It is important that credit unions act now to complete the necessary steps to achieve compliance. These include the following:

• Review and update your IT risk assessment and consider new information that is detailed in the Supplement

• Work with your managed service provider, core provider or other online banking solution provider to begin evaluating stronger authentication techniques that can supplement weaker methods, such as basic challenge questions or simple device identification

• Consider whether you need to add additional controls throughout your security program, including controls on high-risk transactions, and remote employee access to customer data and business accounts

• Enhance customer awareness programs and educational programs

The Supplement is just the first step in the process, and many in the security industry expect to see additional refinements made in the future. The Supplement provides a solid baseline on which to focus authentication and security efforts and creates a need for credit unions to take a stronger look toward fraud and security. Making security a key element for all strategic plans protects both your members and your reputations from avoidable risks. Preparation is the key. Credit unions can never be too prepared when it comes to protecting their members.


Section 4: Operations risk

Internal fraud prevention – Creating the right culture

In previous editions of our “Emerging Risk Alert,” we provided some key elements for an effective anti-fraud program, which concentrated on hard controls, such as:

• Handling fraud investigations

• Reporting methodologies for fraud events

• Internal controls and procedures

• Fraud policies and guidelines

Our objective in this year’s edition is to concentrate on the soft controls of anti-fraud programs that deal with the overall cultural environment of a credit union. In many ways, the hard controls are much less effective without the right culture within a credit union to help combat fraud. The cornerstone of an effective anti-fraud environment is a culture with a strong value system founded on integrity. This value system often is reflected in a formal code of conduct document that all employees are expected to understand and follow. For a code of conduct to be effective, it should be communicated to all personnel in an understandable fashion, and should be developed in a participatory and positive manner that results in both management and employees taking ownership of its content.

This article can help credit unions of all sizes create and maintain a culture of honesty and high ethics. The information presented here generally is applicable to credit unions of all sizes. However, the degree to which certain programs and controls are applied in smaller, less-complex credit unions and the formality of their application are likely to differ from the approach taken at larger institutions. In any case, all credit unions must make it clear that unethical or dishonest behavior will not be tolerated.

It is the credit union’s responsibility to create a culture of honesty and high ethics and to clearly communicate acceptable behavior and expectations of each employee. Such a culture is rooted in a strong set of core values (or value system) that provides the foundation for employees to understand how the organization conducts its business.

Fraud negatively impacts credit unions in many ways, including financial, reputational, psychological and social implications. There is an impact across all functional areas and departments, and most of the credit union’s business processes. Numerous studies have shown the significant dollar value lost to fraud. What is key for credit unions to understand is that most fraud is perpetrated by insiders, not by members and vendors. The full cost of fraud is not measured in dollars alone – it is also measured in terms of time, productivity and reputation, including member relationships. Depending on the severity of the loss, credit unions can be irreparably harmed due to the financial impact of fraud activity. Therefore, it is important for credit unions to have a strong cultural environment that promotes positive efforts toward preventing internal fraud.

The risk of fraud can be reduced through a combination of prevention, deterrence and detection. However, fraud can be difficult to detect because it often involves concealment through falsification of documents or collusion among management, employees or third parties. Therefore, it is important to place a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take place, and fraud deterrence, which could persuade individuals that they should not commit fraud because of the likelihood of detection and punishment. Moreover, prevention and deterrence measures are much less costly than the time and expense required for fraud detection and investigation.

A credit union’s management has both the responsibility and the means to implement measures to reduce the incidence of fraud. The measures an organization takes to prevent and deter fraud also can help create a positive workplace environment that can enhance the credit union's ability to recruit and retain high-quality employees.

Research suggests that the most effective way to implement measures to reduce wrongdoing is to base them on a set of core values that are embraced by the credit union. These values provide an overarching message about the key principles guiding all employees' actions. This provides a platform upon which a more detailed code of conduct can be constructed, giving more specific guidance about permitted and prohibited behavior, based on applicable laws and the organization's values. Management needs to clearly state that all employees will be held accountable to act within the organization's code of conduct.

Setting the tone at the top

Research in moral development strongly suggests that honesty can best be reinforced when a proper example is set, sometimes referred to as the tone at the top. Directors and officers of credit unions set the tone at the top for ethical behavior within a credit union. The management of a credit union cannot act one way and expect others in the organization to behave differently.

In many cases, particularly in larger credit unions, it is necessary for management to both behave ethically and openly communicate its expectations for ethical behavior because most employees are not in a position to observe management's actions. Management must show employees through its words and actions that dishonest or unethical behavior will not be tolerated, even if the result of such inappropriate actions benefits the credit union. Moreover, it should be evident that all employees will be treated equally, regardless of their position.

Creating a positive workplace environment

Research indicates that wrongdoing occurs less frequently when employees have positive feelings about a credit union than when they feel abused, threatened or ignored. The lower an organization’s morale, the more likely that fraud will occur. Factors that detract from a positive work environment and may increase the risk of fraud include:

• Top management that does not seem to care about or reward appropriate behavior

• Negative feedback and lack of recognition for job performance

• Perceived inequities in the credit union

• Autocratic, rather than participative management

• Low organizational loyalty or feelings of ownership

• Unreasonable budget expectations or other financial targets

• Fear of being punished for delivering bad news to supervisors and/or management

• Less-than-competitive compensation

• Poor training and promotion opportunities

• Lack of clear organizational responsibilities

• Poor communication practices

The credit union’s human resources department is instrumental in helping to build a corporate culture and a positive work environment. Human resource professionals are responsible for implementing specific programs and initiatives that can help to eliminate many of the negative workplace practices mentioned above and that support management’s strategies. Factors that help create a positive work environment and reduce the risk of fraud may include:

• Recognition and reward systems that are in tandem with goals and results

• Equal employment opportunities

• Team-oriented, collaborative decision-making policies

• Professionally administered compensation programs

• Professionally administered training programs and an organizational focus on career development

Employees should be empowered to help create a positive workplace environment, thereby supporting the credit union's values and code of conduct. They should be given the opportunity to provide input to the development and updating of the credit union's code of conduct, to ensure that it is relevant, clear and fair. Involving employees in this fashion also may effectively contribute to the oversight of the credit union's code of conduct and an environment of ethical behavior.

Employees should be given the means to obtain advice internally before making decisions that appear to have significant legal or ethical implications. They should also be encouraged and given the means to communicate concerns, anonymously if preferred, about potential violations of the credit union's code of conduct, without fear of retribution. Many credit unions have implemented a process for employees to report any actual, suspected or potential violations of the code of conduct or ethics policy on a confidential basis. For example, some credit unions use a telephone hotline that is directed to or monitored by an ethics officer, fraud officer, general counsel, internal supervisory director or another trusted individual responsible for investigating and reporting incidents of fraud or illegal acts.

Hiring and promoting appropriate employees

Each employee has a unique set of values and a personal code of ethics. When faced with sufficient pressure and a perceived opportunity, some employees will behave dishonestly, rather than face the negative consequences of honest behavior. The threshold at which dishonest behavior starts, however, will vary among individuals. If a credit union is to be successful in preventing fraud, it must have effective policies that minimize the chance of hiring or promoting individuals with low levels of honesty, especially for positions of trust.

Proactive hiring and promotion procedures may include:

• Conducting background investigations on individuals being considered for employment or for promotion to a position of trust

• Thoroughly checking a candidate's education, employment history and personal references

• Periodic training of all employees about the credit union’s values and code of conduct. Most internal frauds at credit unions are committed by long-term employees because they have the experience, knowledge, responsibilities, access and trust to commit fraud. Therefore, it is vital to reinforce values and ethics throughout every employee’s career.

• Incorporating an evaluation of how each individual has contributed to creating an appropriate workplace environment in line with the credit union's values and code of conduct into regular performance reviews

• Continuous objective evaluation of compliance with the credit union’s values and code of conduct, with violations being addressed immediately

Training

New employees should be trained at the time of hiring about the credit union's values and its code of conduct. This training should explicitly cover expectations of all employees regarding: (1) their duty to communicate certain matters; (2) a list of the types of matters, including actual or suspected fraud, to be communicated along with specific examples; and (3) information on how to communicate those matters. There also should be an affirmation from senior management regarding employee expectations and communication responsibilities. Such training should include an element of fraud awareness, the tone of which should be positive, but nonetheless stress that fraud can be costly (and detrimental in other ways) to the credit union and its employees.

In addition to training at the time of hiring, all employees should receive regular and consistent refresher training. Some credit unions may consider ongoing training for certain positions, such as purchasing agents or employees with financial reporting responsibilities. Training should be specific to an employee's level within the organization, geographic location and assigned responsibilities. For example, training for senior manager-level personnel would normally be different from that of nonsupervisory employees, and training for purchasing agents would be different from that of sales representatives.

Confirmation/acknowledgement

Management needs to clearly articulate that all employees will be held accountable to act within the credit union’s code of conduct. All employees should be required to sign a code of conduct statement annually, at a minimum.

Requiring periodic confirmation by employees of their responsibilities will not only reinforce the policy, but may also deter individuals from committing fraud and other violations and might identify problems before they become significant. Such confirmation may include statements that the individual understands the credit union's expectations, has complied with the code of conduct, and is not aware of any violations of the code of conduct, other than those the individual lists in his or her response. Although people with low integrity may not hesitate to sign a false confirmation, most people will want to avoid making a false statement in writing. Honest individuals are more likely to return their confirmations and to disclose what they know (including any conflicts of interest or other personal exceptions to the code of conduct). Thorough follow-up by internal supervisors or others regarding nonreplies may uncover significant issues.

Expectations about the consequences of committing fraud must be clearly communicated throughout the credit union. For example, a strong statement from management that dishonest actions will not be tolerated, and that violators may be terminated and referred to the appropriate authorities, clearly establishes consequences and can be a valuable deterrent to wrongdoing. If wrongdoing occurs and an employee is disciplined, it can be helpful to communicate that fact, on a no-name basis, in an employee newsletter or other regular communication to employees. Seeing that other people have been disciplined for wrongdoing can be an effective deterrent, increasing the perceived likelihood of violators being caught and punished. It also can demonstrate that the credit union is committed to an environment of high ethical standards and integrity.

Supervisory committee and board of directors

The supervisory committee (in concert with the board of directors) should evaluate management's identification of fraud risks, implementation of anti-fraud measures and creation of the appropriate tone at the top. Active oversight by the supervisory committee can help to reinforce management's commitment to creating a culture with zero tolerance for fraud. A credit union’s supervisory committee also should ensure that senior management implements appropriate fraud deterrence and prevention measures to better protect members, employees and other stakeholders. The supervisory committee's evaluation and oversight not only helps make sure that senior management fulfills its responsibility, but also can serve as a deterrent to members of senior management engaging in fraudulent activity themselves, by creating an environment whereby any attempt by senior management to involve employees in committing or concealing fraud would lead promptly to reports from such employees to appropriate persons, including the supervisory committee.

As part of its oversight responsibilities, the supervisory committee should encourage management to provide a mechanism for employees to report concerns about unethical behavior, actual or suspected fraud, or violations of the credit union's code of conduct or ethics policy. The committee should then receive periodic reports describing the nature, status and eventual disposition of any fraud or unethical conduct. A summary of the activity, follow-up and disposition also should be provided to the full board of directors.

If senior management is involved in fraud, the next layer of management may be the most likely to be aware of it. As a result, the supervisory committee (and other directors) should consider establishing an open line of communication with members of management one or two levels below senior management to assist in identifying fraud at the highest levels, or to help in investigating any fraudulent activity that might occur. The supervisory committee typically has the ability and authority to investigate any alleged or suspected wrongdoing brought to its attention. Most supervisory committee charters empower the committee to investigate any matters within the scope of its responsibilities, and to retain legal, accounting and other professional advisers as needed to advise the committee and assist in its investigation.

Conclusion

Everyone affiliated with the credit union has a certain level of responsibility to prevent and/or deter fraud, whether it is internal or external. The cultural environment has a huge impact on the success of any fraud program. Developing and maintaining the right cultural environment and attitude throughout the credit union will go a long way toward preventing fraud, or at least reducing the likelihood of it occurring at your credit union.

Critical strategy considerations for 2012: Business plan considerations for credit unions

Lewis Carroll once made the astute remark, “If you don't know where you are going, any road will get you there.” This maxim holds true for managing credit unions, as well as our personal lives. Success is achieved only when the path is clearly marked and the goal is well-defined. Whether we’re talking about people or companies, the most successful ones share the common characteristic of good planning and execution.

It is vital to develop a strategy, a business plan that will decisively improve the performance of your organization. First and foremost, take the time to develop a plan. As we come out of the challenges of the last five years, there are critical strategy considerations for credit unions that should be explored and exploited for 2012 and beyond.

The years between 2007 and 2011 were challenging ones for financial institutions. Over the last few years, we have seen deterioration in the political and economic climate affecting credit unions. We have seen federal regulators define tougher standards affecting all parts of credit union structure and organization. Higher capital requirements create new challenges, while lending to qualified members has become more daunting than ever. Finding talented credit union leadership is increasingly difficult, especially in operations. Financial institutions of all sizes and capital structures have been affected.

After all these momentous changes in the financial services industry, credit unions must ask themselves three key questions:

• How will these watershed events affect our business?

• Does our business plan address these new market realities?

• Is our present plan adequate to meet the regulatory, market and competitive challenges of 2012?

The beginning of each year is a good time to revisit your business plan. Consider using this period to bring it up to date. At a minimum, you should have plans developed for both a one-year and a three- to five-year time horizon. Below are some important strategic planning issues that all credit union plans should consider.

Major components of your master plan

Operational Improvement

Many financial institutions have been forced to reduce costs to improve earnings. However, this is a time to recommit to an ongoing culture of business process improvement, along with operational cost reduction. A few considerations for the coming years include:

• Spend analytics— “Spend” is the common name for the organization’s purchases. Most credit unions have little experience in advanced procurement practices. Consider launching an initiative to evaluate such things as sourcing, pricing, alternatives and volume procured. A related initiative is Demand Management, a process for evaluating the costs, benefits and overall value of organizational purchases. The goal is to rationalize buying patterns and procurement requirements. This should be a cross-departmental effort.

• Shared services—Many organizations have multiple facilities and/or multiple entities. Credit unions should continue to investigate ways to consolidate non-client facing functions across facilities. Many internal processes could be aggregated, including accounting, accounts payable, payroll, human resources, internal audit, compliance, information technology (IT), item processing, marketing, loan administration, mortgage underwriting and credit analytics.

• Marketing justification—Marketing expenses have grown substantially over the years. Yet it’s not always clear if marketing purchases are improving the bottom line. Many marketing programs focus on general branding and creative initiatives that have little direct connection to growth in sales or revenue. To address this, credit unions should analyze every marketing campaign to see how it affects overall business, sales and member satisfaction benchmarks. The litmus tests for determining the viability of any marketing program should be: “Does this program lead to deeper market penetration and increased wallet share?,” and “Did a particular marketing campaign increase auto loans, mortgages, credit/debit cards, deposits or other investments?”

• Product management—Who are the product managers? A common organizational problem is a lack of alignment and accountability in product management functions. Frequently, a credit union will have certain employees carrying out such tasks as reviewing product financials, modifying product features, launching marketing plans and training personnel on origination and new accounts. However, accountability for product performance is often vague and undefined. For instance, if the annual budget indicates that auto loans will increase by 12 percent, and, after eight months, growth is only 6 percent, who will be accountable for ensuring that programs focus on attaining the 12 percent target?

• Business process improvement—To root out inefficiencies in internal processes, credit unions should track the performance of each process. IT is one function that can benefit significantly from performance tracking. A performance baseline and goals against that baseline should be established for functional managers so their performance can be quantified. These operational metrics can help reduce costs and improve member service. Metrics can also be used to identify non-value added tasks, which can then be earmarked for elimination. Examples of these tasks include excessive handling of documents, ineffective use of functions available in computer applications, creation of reports and statistical data that are not producing operational changes, and superfluous, poorly managed meetings.

• Technology enablement—Technology can help credit unions operate at optimal efficiency and reduce risk. Evaluate your technology platform and applications to determine what steps should be taken to improve security, cost effectiveness, process performance and product management. As one of the most expensive items in the budget, IT costs can be reduced by having network, applications and security procedures assessed periodically by an independent consultant.

Locations and Channels

As some organizations have evolved, they have lost clear focus on the geography and type of client that they want to serve, or to target for future growth. Consider the locations of offices, branches, kiosks and ATMs. Consider online banking, credit card use, and call center capabilities. Is there a one- to five-year plan to align operations with current and prospective members? Consider these topics within your strategic plan:

• Geographic locations—Assess your market to determine the future locations and the functional expectations of those physical locations. Offices, branches, kiosks and ATMs are different functional models. Each has different costs and provides different levels of service to members. Develop a long-term plan that considers these models as chess pieces. Place or acquire the physical capabilities to best serve your long-term member needs, and your expectations for customer market share growth.

• Channels—In addition to analyzing geographic locations, you should also assess the evolution of other channels used by your members. Determine next steps, investments, targeted members and measurable expectations for your aggregate go-to-market infrastructure, including electronic banking (mobile, online, Internet and phone), call centers, merchant card services, indirect loans, ATMs, and other alternatives to branch locations (full-service, less-than-full service and kiosks). What is the purpose of each channel type? What is the expected use of the channel? What is an appropriate investment into each channel?

Organizational effectiveness

Organizations don’t stand still. They are always in a state of flux. This is all the more reason why a credit union should periodically re-evaluate its organizational framework. Here are some considerations:

• Structure—Periodically, it is prudent to evaluate the leadership structure, roles and responsibilities, and span of management. Over time, the organizational responsibilities of select individuals become less than optimal, as vice presidents, senior vice presidents and executive vice presidents create levels of management that result in inefficient decision making and operational management. Proper organizational alignment allows the organization to plan, monitor, manage and execute effectively. Assess past and current roles and your overall organizational structure to create the momentum for an effective, future organization.

• Building a legacy—Efforts should focus on planning for future leadership. Identify people in the organization that show promise for management. Develop plans to provide mentoring, coaching and experience with ever-increasing responsibilities. Organizations that become comfortable with the current management team sometimes realize too late that turnover and retirement can erode the continued strong performance of the financial institution. Are you building your next generation of leaders?

• Culture—Culture is a set of shared attitudes, values, goals and practices that characterize an institution, organization or group. Culture manifests itself in the behaviors of your employees, in the decision making processes, and eventually in the financial performance of the credit union. Culture is one of the most important aspects of any credit union, and can be a strong determinant of corporate success or failure. As you plan for the future, identify how to build on the desired behaviors, communication styles and attributes that create a more prosperous, congenial and effective cultural environment.

Competitive differentiation

Today, it is challenging to attract and sell lending products. Industry consolidation means there are fewer but stronger competitors. Competing in today’s market is also complicated by increased credit risk, low interest rates and lackluster economic conditions. To compete effectively, credit unions must differentiate their products, services and brand. There is an all-out war on attracting qualified members. This is a time to differentiate yourself, increase market share and expand lending revenues. Here are some suggestions:

• Research the market to identify products that are expected to sell well in the next 12 to 24 months. Simultaneously, assess the competitive strengths of direct competitors in these product categories.

• Create a robust selling architecture that includes an assessment of loan officers, client service representatives, product features and pricing. Define tactics to improve selling effectiveness and product attractiveness.

• Analyze marketing programs to ensure that campaigns and budgets are aligned with the products with the best sales potential.

• Who are your best members? Identify existing members that have three or more products. From a business perspective, these are likely your best members. Define tactics to increase usage and volume for these members. Also, define tactics to retain these key members.

• Define member service tactics that can help to strengthen loyalty and longevity.

• Develop tactics to increase and improve employee networking.

• Initiate or expand Internet messaging and marketing campaigns.

• Create a list of key referrals, and define tactics to create positive traction from those sources.

Credit union planning in the age of Dodd-Frank

As of January 2012, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) has been law for nearly 18 months. However, the law has proved to be contentious, with many issues still ambiguous and subject to further debate. The new law will not be in its final form until regulatory agencies have completed writing the rules and regulations that will implement the law.

Even without the final details in place, all financial institutions need to incorporate Dodd-Frank into their business planning process. Strategic planning should include awareness of the new law and how it may affect different parts of your organization.

Here are a few key ways that Dodd-Frank may affect credit unions.

• Debit interchange—There will be new interchange rates for debit card issuers with more than $10 billion in assets. Although smaller credit unions are exempt, these rules are expected to sizably reduce debit interchange income.

• Source of strength obligation—Dodd-Frank stipulates that bank holding companies (or any company that controls an insured depository institution, whether or not the company is a bank holding company) serve as a "source of strength" for their subsidiary depository institutions.

• Deposit insurance assessment base—The assessment base for deposit insurance has been modified. This change could result in deposit insurance premiums dropping by up to one-third.

• Deposit insurance limits—The federal deposit insurance limit has been increased from $100,000 to $250,000. The unlimited federal insurance on the net amount of noninterest-bearing transaction accounts under TAGP (Transaction Account Guarantee Program) has been extended to December 31, 2012.

• Compensation disclosures and practices—Credit unions with at least $1 billion in assets will be required to disclose incentive-based compensation arrangements. They will also be required to prohibit compensation arrangements that encourage inappropriate risks.

• Affiliate transactions—The definition of transactions covered by the rules restricting transactions with affiliates is being expanded to include repurchase agreements, derivatives transactions and securities’ borrowing and lending.

Conclusion

Management is being measured, tested and challenged every day. Strategic planning is a foundation for the future. The saying "It's not what you know, it's what you do with what you know" sets the tone for success in 2012. This checklist of topics, tactics and suggestions can lead you to improved planning, improved execution and improved financial results in 2012.

How credit unions can control the growing risk of wire transfer fraud

There are few places where a financial institution can lose as much as it can via wire transfer. Wire transfers represent a significant risk exposure to credit unions, which continue to experience losses from unauthorized wire transfers. In the first three months of 2011, $1.2 million in losses from wire transfers were reported to CUNA Mutual Group by credit unions. Annualized through 2011, CUNA estimates losses will reach approximately $4.8 million, which would exceed the 2010 reported losses of $4.0 million.

In years past, wire transfer fraud was often perpetrated by insiders who forged documents to wire money to foreign accounts. More recently, however, transfers are being initiated by perpetrators who have stolen identities, stolen confidential information and/or hacked member Internet banking accounts. Fraudsters often obtain confidential information using a variety of social engineering techniques. In addition, fraudsters hijack member home phone numbers from telephone companies by impersonating the member and then requesting that the telephone carrier forward all calls to the fraudster's untraceable cell phone.

Fraudsters have also been successful in having credit union personnel change a member's phone number on the account in the credit union's own system. If a member uses online banking, a fraudster can use compromised login credentials to initiate transfers via the credit union online banking system. All the effort by the fraudsters is dedicated to passing member identification questions from credit union personnel during callback verification. With a wealth of information on hand to compromise accounts and deceive credit union staff, fraudulent wire transfer requests are often being approved and processed.

HELOCs as a favorite target

Large dollar advances against a member’s home equity line of credit (HELOC) have become a favorite target. In some cases, conspirators used fee-based web databases to search for potential victims with large balances in HELOC accounts. Starting in December 2008, credit unions began identifying suspect attempts to wire transfer money from members who owned HELOC accounts. As reported by the Credit Union Information Security Professionals Association (CUISPA), fraudsters, armed with extensive personal information for verification purposes–including all necessary authentication information, such as most recent transactions, family member names, account information, addresses and phone numbers–made successful telephone wire transfer requests. Through these frauds, funds were transferred to banks in the United States and overseas, often to accounts with the words “title” or “construction” in the account name. In addition, with the hijacked or transferred home phone numbers discussed earlier, fraudsters used caller-ID spoofing services, prepaid cell phones and PC wireless cards in order to impersonate the member and avoid identifying themselves.

Loss mitigation

While security measures have certainly increased over the years, credit unions still fall victim to wire transfer fraud. This changing environment for wire transfer fraud indicates a need for credit unions to change loss control policies and procedures, especially for large-dollar wire transfer requests. Using simple security questions to verify a member’s identity over the phone can no longer be considered completely reliable.

In order to protect all parties in the transaction, credit unions should consider requiring members to request large dollar wire transfers in person, at a branch office where proper identification can be verified. Depending on the risk appetite of a credit union, a monetary threshold could be established for this purpose. This threshold should incorporate the credit union’s tolerance in accepting wire transfer requests by phone, fax and email. A review of the credit union’s wire transfer history can aid in establishing the threshold. For wire transfer requests below the established threshold, credit unions should still attempt to verify the authenticity of the request by performing a call-back using out-of-wallet, member- or account-specific questions.

Below is a list of wire fraud risk mitigation recommendations that credit unions should consider:

• Do not process wire transfers drawn on HELOCs over the phone.

• Establish a monetary threshold for requiring wire transfer requests to be made in-person.

• Establish a wire transfer password for members.

• Review member account details to determine if large dollar wire transfers are reasonable for the member. If not, require the member to make the wire transfer request in-person.

• Check the member's account to ensure the phone number has not been changed in the past 30 days before performing the callback. This step should be added to the callback verification section of the credit union's wire transfer form, or any other form used to document callbacks made.

• Adopt a series of strong out-of-wallet questions to be used during callback verification; examples include confirmation of the interest rate on a current loan (if not included on the account statement), confirmation of the middle eight digits of the debit or credit cards, and confirmation of make and model of vehicle collateral.

• Adopt a written wire transfer agreement with both consumer members and business members, in which both the credit union and the member agree to a commercially reasonable security procedure that verifies request orders submitted by the member. The written wire transfer agreement with business members should identify employees at the business that are authorized to submit payment orders to the credit union.

• Consider adding a fraud-monitoring tool capable of monitoring transactions in real-time across all payment channels, including those initiated through the online banking system.

• Discuss CUNA alerts and risk alerts with staff on a regular basis.
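
The checks in the list above can be written as a screening step that runs before any wire is released, so that none is skipped under time pressure. This is an added example, not part of the original alert; the dollar values, the "unusual for this member" test, the decision to require an in-person request when the phone number changed recently, and all names and sample data are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from decimal import Decimal
from enum import Enum
from typing import List, Optional, Tuple


class Channel(Enum):
    IN_PERSON = "in_person"
    PHONE = "phone"
    FAX = "fax"
    EMAIL = "email"


class Decision(Enum):
    PROCEED = "proceed"                      # ID is checked at the branch
    CALLBACK = "callback"                    # callback with out-of-wallet questions
    REQUIRE_IN_PERSON = "require_in_person"  # do not release on a remote request


# Assumed policy values. Each credit union sets its own from its risk appetite
# and a review of its wire transfer history.
IN_PERSON_THRESHOLD = Decimal("10000")
LARGE_DOLLAR_FLOOR = Decimal("2500")        # below this, skip the "unusual" test
UNUSUAL_MULTIPLE = Decimal("3")             # vs. the member's largest prior wire
PHONE_CHANGE_LOOKBACK = timedelta(days=30)  # the 30-day window is from the text
WATCH_WORDS = ("title", "construction")     # account-name pattern cited in the text


@dataclass
class WireRequest:
    amount: Decimal
    channel: Channel
    funded_by_heloc: bool
    beneficiary_name: str
    received: date


@dataclass
class MemberProfile:
    phone_last_changed: Optional[date] = None  # None: no change on record
    prior_wire_amounts: List[Decimal] = field(default_factory=list)


def screen_wire(req: WireRequest, member: MemberProfile) -> Tuple[Decision, List[str]]:
    """Apply the loss-control checks and return the decision with its reasons."""
    if req.channel is Channel.IN_PERSON:
        return Decision.PROCEED, ["request made in person; verify identification"]
    escalate: List[str] = []  # any entry forces an in-person request
    notes: List[str] = []     # recorded on the wire form, decision unchanged

    if req.funded_by_heloc and req.channel is Channel.PHONE:
        escalate.append("HELOC-funded wire requested by phone")
    if req.amount >= IN_PERSON_THRESHOLD:
        escalate.append("amount at or above the in-person threshold")

    largest_prior = max(member.prior_wire_amounts, default=Decimal("0"))
    if req.amount >= LARGE_DOLLAR_FLOOR and req.amount > UNUSUAL_MULTIPLE * largest_prior:
        escalate.append("amount is not reasonable for this member's wire history")

    changed = member.phone_last_changed
    if changed is not None and timedelta(0) <= req.received - changed <= PHONE_CHANGE_LOOKBACK:
        # Assumed handling: a callback to a recently changed number proves nothing.
        escalate.append("phone number on file changed in the past 30 days")

    if any(word in req.beneficiary_name.lower() for word in WATCH_WORDS):
        notes.append("beneficiary account name contains a watch word")
    if escalate:
        return Decision.REQUIRE_IN_PERSON, escalate + notes
    return Decision.CALLBACK, notes + ["verify with wire password and out-of-wallet questions"]


# Constructed sample data, not real members or accounts.
DAY = date(2011, 3, 15)
SAMPLES = {
    "heloc_by_phone": (
        WireRequest(Decimal("45000"), Channel.PHONE, True, "Example Title Holdings", DAY),
        MemberProfile(phone_last_changed=date(2011, 3, 4))),
    "small_routine_fax": (
        WireRequest(Decimal("1200"), Channel.FAX, False, "J. Example", DAY),
        MemberProfile(prior_wire_amounts=[Decimal("1000"), Decimal("1500")])),
    "unusual_for_member": (
        WireRequest(Decimal("4000"), Channel.PHONE, False, "J. Example", DAY),
        MemberProfile(date(2010, 1, 10), [Decimal("1000")])),
}


def screen_samples():
    return {name: screen_wire(req, member) for name, (req, member) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in screen_samples().items():
        print(f"{name}: {decision.value}: " + "; ".join(reasons))
```

The returned reasons are meant to be copied into the callback verification section of the wire transfer form, so the record shows which check drove the decision.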

Credit unions should also conduct frequent training on the loss control procedures for processing wire transfer requests for all employees involved in the wire transfer process. Among other issues, training should include learning to listen for audible clues (hesitation, stutter, and clicking sounds) that suggest the caller on the line is not the member. Credit unions should make sure that all staff understand risks and fraud types, are confident wires are legitimate before sending funds, and can provide support should they decide not to send a wire transfer.

The threat of wire transfer fraud poses a delicate balancing act between convenience, member service and risk mitigation. While convenience to members is a priority for many credit unions, it must be balanced with the obligation to protect member accounts from unauthorized access, and to protect the credit union from financial loss and damage to its reputation.

Section 5: Interest rate risk

Interest rate risk: Is your credit union prepared for rising rates and increased regulation?

Financial institution regulators, including the National Credit Union Administration (NCUA), have expressed concerns that many federally insured banks, thrifts and credit unions may experience decreased earnings and erosion of capital if interest rates rise from current levels. Specifically, regulators are alarmed at the amount of fixed-rate mortgage loans on the balance sheets of many institutions. At some banks, thrifts and credit unions, fixed-rate mortgage loans (with stated maturities from fifteen to forty years) are coming to represent an ever-increasing percentage of total assets and an increasingly larger multiple of capital. On the liability side of the balance sheet, the over-reliance on non-core and non-maturity deposits is worrisome.

The level of concern over interest rate risk (IRR) has prompted the NCUA to propose a regulation that would require credit unions to develop a written policy on IRR and to develop a program for effectively mitigating that risk.

IRR defined

IRR has been defined variously since it was first widely acknowledged as a significant risk to financial institutions. The NCUA’s definition is representative of most others: “The risk that changes in market rates will adversely affect a credit union’s net economic value and/or earnings. Interest rate risk generally arises from a mismatch between the timing of cash flows from fixed rate instruments, and interest rate resets of variable rate instruments, on either side of the balance sheet. Thus, as interest rates change, earnings or net economic value may decline”.

IRR generally manifests itself in one of four forms:

• Re-pricing risk is the most obvious and most widely discussed form. It stems from timing differences between coupon changes or cash flows from assets, liabilities and off-balance sheet instruments. The classic example of re-pricing risk is the funding of long-term assets (loans or securities) with short-term (or no stated term) shares or deposits.

• Basis risk stems from a weak correlation between coupon rate changes for assets, liabilities and off-balance sheet instruments. For example, in a rising rate environment, LIBOR-based deposit/share rates may increase by 50 basis points, while prime-rate based loans may change by only 25 basis points. (LIBOR refers to the London Interbank Offered Rate - the interest rate at which banks can borrow funds in marketable size from other banks in the London interbank market. It is the world’s most widely used benchmark for short-term interest rates. LIBOR is to borrowing what the Wall Street Journal prime rate is to lending.)

• Yield curve risk is very similar to basis risk, but results from changing rate relationships between different maturities of the same index, and is affected by the slope (steep, flat or inverted) of the yield curve. In a rising rate environment, for example, a 30-year Treasury bond’s yield may increase by 200 basis points, but a three-year Treasury note’s yield may increase by only 50 basis points over the same time period.

• Option risk results when a financial instrument’s cash flow timing or amount changes as a result of a decision exercised by a borrowing or lending counterparty, typically in response to market interest rate changes. For most credit unions, option risk is present in the fixed-rate mortgage loan portfolio. Since most such loans do not include a prepayment penalty, members have the option to shorten the maturity (by paying early or refinancing when rates are falling, or by slowing prepayments when rates are rising). On the liability side, members have the option of withdrawing most shares (except for time deposits) if they feel that they can receive a better rate of interest elsewhere.

IRR measured

To effectively manage IRR, management and the board must ensure that timely and accurate information about exposure to changing interest rates is obtained, reported and reviewed. Three accepted methods for measuring IRR, each with its own strengths and weaknesses, can be part of an effective IRR management program:

• Gap analysis—This approach measures the timing difference of interest-sensitive assets and interest-sensitive liabilities that will re-price (contractual maturities) during a given time period. The “gap” (difference between the amount of interest-sensitive assets and interest-sensitive liabilities) is generally measured over a one-year time horizon on a cumulative basis. If a credit union has a negative cumulative one-year gap, it means that more liabilities than assets will re-price during the period. As a result, earnings and capital will decrease as funding costs increase more quickly and to a greater extent than do yields on loans and investments. This approach to measuring IRR is limited, however, as it does not measure the effects of embedded options, yield curve twists or basis risk. Gap analysis is particularly weak in evaluating IRR associated with fixed-rate mortgage loans, since, as noted earlier, borrowers may prepay, refinance or otherwise change the contractual maturity of these assets. Despite its shortcomings, gap analysis can give management and the board an overall sense of exposure to a rising or falling interest rate environment.

• Earnings simulation—This approach measures the effects of interest rate changes on net interest income (NII). Simulation models reflect a credit union’s financial performance over time (usually over a one-to-two-year time frame). More sophisticated models can accurately capture and measure the four forms of IRR mentioned earlier. The results of earnings simulations can be influenced greatly by underlying assumptions (primarily concerning prepayment speeds and non-maturity deposit decay rates). Income simulation models do not capture cash flows beyond the one-to-two-year time frame, and thus, do not measure IRR long term. Thus, this type of model does not measure the effect of IRR on the underlying economic value of the balance sheet.

• Economic value of equity—Sometimes referred to as Net Economic Value (NEV), this approach seeks to measure the net present value of the credit union’s assets, liabilities and off-balance sheet cash flows. This approach measures the long-term effects of IRR, well beyond the one-to-two-year time frame that is considered under the first two approaches.

IRR regulated

As noted earlier, the NCUA has proposed a regulation that would require credit unions to develop written policies and implement programs to effectively manage IRR. This regulation would be an Appendix to NCUA Part 741, “Appendix B to Part 741 - Guidance for an Interest Rate Risk Policy and an Effective Program.” Section VII of the proposed regulation outlines NCUA’s expectations regarding the content of the written policy and the attributes of a successful program.

Regardless of whether the proposal becomes a regulation, management and the board should review it as part of an evaluation of their credit union’s existing IRR mitigation process. Specifically, they should evaluate internal controls, including independent review of key assumptions, used in measuring IRR.

Evaluate IRR now to prepare for rising rates

Credit unions should continue to measure and monitor their IRR exposure and evaluate the effects on NII in the likely event of rising interest rates. Concentrations of longer-term assets (fixed rate mortgage loans) funded by short-term (or no-term) shares and borrowings can result in financial stress, in the form of lower earnings and capital erosion, should interest rates rise significantly from current historical lows.


Section 6: Technology risk

Leveraging technology investments to improve efficiency

You may be wondering what an article about efficiency is doing in the emerging risk alert. Beyond the obvious answers regarding ongoing industry pressure to show positive financial results and careful spend strategies, our experience indicates that leveraging technology to automate routine processes can also reduce errors and provide positive member interactions – both of which increase consumer confidence in the credit union and help the credit union manage the associated risk in an appropriate manner. With consumer confidence in financial institutions continuing at historical lows, boosting your members’ confidence and generating positive buzz may be the only way to attract and retain business.

The “2011 World Retail Banking Report” echoes what we have seen in the credit union environment. Based on a survey of nearly 14,000 consumers around the world, the report found that, “In the aftermath of the financial crisis, retail banks around the globe are struggling to make a positive impression on customers.” The analysis went on to conclude that with regulatory and competitive pressures making it almost impossible to differentiate on price or product innovation, “Delivering a positive customer experience is one of the few levers banks can use to stand out in today’s market.”

So, how do you translate technology investments into increased efficiency, and increased efficiency into positive member experiences? We have identified two key areas in which the right technology investments can have a significant impact in operational efficiency and member experience:

• Contact management

• Document management

Whether you already have one or more systems in place or are considering technologies to help you in these areas, we’ve provided guidance to help you leverage your investments and avoid common pitfalls.

Contact management

Contact management is one of the building blocks of a solid customer relationship management (CRM) program. After all, you can’t build an effective, lasting relationship with your members if you don’t know their history with the credit union. A contact management system can be as simple as a series of notes attached to a member’s account, or as sophisticated as a service tracking application that assigns case numbers, automatically escalates issues that aren’t resolved within specified time frames, and generates reports that help you track trends over time. In either case, the goal is the same – to track member issues and requests, and make sure that they are addressed appropriately and in a timely manner.

Many of us have had the frustrating experience of having to explain a situation multiple times to various representatives of an organization. As a consumer, how often do you actually think to write down the names and titles of the people you talk to, so that you can reach them again if you have follow-up questions or if your issue isn’t resolved? At its most basic level, a contact management system allows credit union representatives to record their interactions with a member, in a way that allows other representatives to access the information and assist the member without requiring the member to repeat the issue. This alone can provide the member with the confidence that the credit union is listening, and demonstrates that the credit union values the member’s time. At the next level, a contact management system will allow a credit union representative to forward an issue, question or opportunity to a specialist within the organization who can provide further assistance or follow-up. Providing proactive follow-up enhances the member’s experience with, and regard for, the credit union. Additional system features may allow the credit union to set time frames for certain types of issues, escalate issues to managers, automatically generate workflows and forms and categorize issues for analysis.

Regardless of the technology you select, the most critical success factor for contact management is consistent staff adoption. Even the most sophisticated technology will fail to produce results if issues aren’t logged on a consistent basis. The following tips and techniques are designed to facilitate consistent adoption among credit union staff:

• Keep it simple. If your staff has to sign into another system and enter a lot of extra data, the chances of failure are high. To get the most out of any investment in contact management technology, it has to be easy for the user to log an issue as part of their normal workflow. Determine the minimum amount of data to collect and use drop-downs and defaults to simplify data entry. Use single-sign-on (SSO) technology to avoid having to remember and enter multiple user names and passwords. Then, start with the basics to give staff members the opportunity to see how useful a contact management tool can be. Your staff will drive the most valuable enhancements once they see the benefits to themselves and their members.

• Integrate. All credit union representatives with direct member contact need to be able to access the contact management system from whatever application they spend the most time in – whether it’s the loan origination system, new account application, teller platform or call center system. At a minimum, create links from each of these systems to the contact management application. The ability to pass data from these applications to the contact management system is also worth an extra investment, as it reduces opportunities for error and makes it easy for users to log issues.

• Build the process from the member’s perspective. It should always be easy for the member to interact with the credit union. After the member, the needs and perspective of the credit union’s member service staff should be a close second. Although management information is important, and IT’s time is valuable, those considerations are secondary. You won’t get good management information if the data isn’t getting into the system to begin with, and IT’s expertise is well-invested if applied toward improving member service. Work with your member-facing staff to develop real-life scenarios based on their experience. Then, build the contact management process around making the interaction seamless for the member and easy for the member service staff.

• Make sure it works. This may seem obvious, but if your staff has to live through the pain of working out bugs in the system, it’s very difficult to get them to trust the system, even when the issues are corrected. If they don’t trust the system, they will revert to old processes, making the system, at best, inconsistent. So, make sure the system is thoroughly tested by subject matter experts, and then pilot it with a small group of people before rolling it out to the full staff.

• Track and adjust. Track usage throughout the credit union – as often as daily or weekly in the early stages of implementation. If certain groups or individuals appear not to be using the system, find out why. It’s likely that you can identify ways to improve the system to make it easier or more valuable to the staff. Investments that facilitate adoption are the most valuable investments you can make in a contact management system. It might be tempting to make use of the system part of job performance requirements; but, if the system isn’t being adopted, there is probably a good reason.

There are many other ways that contact management technologies can provide value to the organization. The information you collect helps you to know your members better, and it can be leveraged for marketing, risk management and product management. Cross-channel access into the system can provide 24/7 member service and connect members even more closely to the credit union. Fraud systems may, in the future, be able to use contact management data to track member behaviors and identify anomalies and red flags. Finally, analyzing common member service issues can identify staff education needs, help with product and service design and give the credit union insight into member preferences. Starting with the basics and focusing on full and consistent staff adoption will create a foundation for getting the most out of your contact management investment.

One more thing – if you are concerned about making the capital investment required to implement contact management technology, consider outsourcing or cloud technologies to reduce your initial investment.

Document management

Many, if not most, credit unions have made some level of investment in document imaging. Documents such as loan files and signature cards are typically sent to a centralized group of credit union staff who scan and index those documents, so that they can be viewed by credit union representatives from their workstations. These imaging systems reduce risk by providing backup of important documents, increase efficiency by eliminating the need to send paper documents or fax documents to branch offices or other departments from the records vault, and enhance member service by making documents immediately available for duplication or review.

Document management technology builds on the document imaging concept to provide even greater risk management, efficiency and member service gains. Whether you are just getting started with digital document capture, considering an investment in document management technology, or wanting to improve your return on investment in your current document management system, here are some important considerations for leveraging your investments and managing risk:

• Security. Documents and reports often contain sensitive member data. The security of your document management system–both internal and external–is as critical as that of your core share and loan processing system. Make sure that you evaluate and test the imaging or document management system security with the same frequency and rigor as your core system. Manage internal access privileges to provide security without creating unnecessary member service barriers.

• Integration. Investing in integration can pay off greatly in ongoing efficiency, member service and risk mitigation. When a document is created digitally in one system, and then printed so that it can be scanned into the imaging or document management system, risks and inefficiencies are introduced. First, there is the delay in making documents available online. Our experience shows that many documents, such as receipts and loan origination documents, are most valuable in the first 24 hours. That’s why many branches make duplicate copies of documents before sending them to centralized imaging, so that they can reference them while waiting for scanning and indexing to take place. By integrating operational systems with the imaging system, you can often bypass the need to print the documents by making them immediately available for digital retrieval. Efficiency is improved by eliminating printing, copying, logging, scanning and filing tasks. Paper and courier costs can be reduced. Finally, documents aren’t lost in transit.

• Decentralization. While many documents can be electronically transferred to the imaging system without being printed, some documents, such as titles or powers of attorney, are originated outside the credit union. For some credit unions, decentralization of scanning stations can provide additional efficiency and risk mitigation. Decentralization requires that credit union branches and other departments have access to a scanning workstation. Some credit unions are fully decentralized, meaning that documents are scanned, indexed and truncated at the point of collection. Others are more comfortable having scanned documents sent to a queue for centralized quality control and indexing. Either way, the credit union achieves many of the same benefits provided by integration, including increased efficiency and reduced risk.

• Signature capture. The ability to digitally capture signatures on documents provides additional efficiency, as it reduces the number of documents that need to be printed and scanned. Check with your legal counsel to determine which document types the credit union can safely switch to electronic signature capture. State legal precedents and regulations may vary, so be sure you obtain an expert opinion. Some credit unions start electronic signature capture with less risky documents, such as address changes, while others are comfortable collecting signatures on loan notes and disclosures electronically. Electronic signature collection not only provides increased efficiency, but it also positions the credit union to offer greater member convenience by allowing document signing remotely via the Internet. Be sure to evaluate the ability of the signature capture solution to securely attach signatures to documents. Users should not be able to alter a document once a signature is attached or copy a signature from one document to another.
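The two signature-capture requirements above (no alteration after signing, no copying a signature between documents) can be expressed as test cases. The following is an added example, not part of the original report or any vendor's product: it seals each captured signature to the document's digest and ID with a keyed hash and shows which checks fail in each scenario. The sealing key, field names, document IDs and sample contents are assumptions constructed for illustration; a commercial product would typically use its own mechanism, such as certificate-based digital signatures.

```python
import hashlib
import hmac
import json

# Assumption: the document system seals signature records with a key that is
# held only on the server. The value below is a constructed demo key.
SEALING_KEY = b"constructed-demo-sealing-key"
SEALED_FIELDS = ("doc_id", "signer_id", "doc_sha256", "sig_sha256")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compute_seal(record: dict, key: bytes = SEALING_KEY) -> str:
    """HMAC-SHA256 over a canonical encoding of every field the seal protects."""
    fields = {name: record.get(name, "") for name in SEALED_FIELDS}
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def attach_signature(doc_id: str, document: bytes, signer_id: str,
                     signature_image: bytes, key: bytes = SEALING_KEY) -> dict:
    """Bind a captured signature image to one specific document version."""
    record = {
        "doc_id": doc_id,
        "signer_id": signer_id,
        "doc_sha256": sha256_hex(document),
        "sig_sha256": sha256_hex(signature_image),
    }
    record["seal"] = compute_seal(record, key)
    return record


def verify_signature(doc_id: str, document: bytes, signature_image: bytes,
                     record: dict, key: bytes = SEALING_KEY) -> list:
    """Return the list of problems found; an empty list means the binding holds."""
    problems = []
    # Constant-time comparison of the stored seal against a recomputed one.
    if not hmac.compare_digest(str(record.get("seal", "")), compute_seal(record, key)):
        problems.append("seal invalid")
    if record.get("doc_id") != doc_id:
        problems.append("record issued for another document")
    if record.get("doc_sha256") != sha256_hex(document):
        problems.append("document differs from signed version")
    if record.get("sig_sha256") != sha256_hex(signature_image):
        problems.append("signature image differs from captured one")
    return problems


def run_evaluation() -> dict:
    """Run the evaluation scenarios against constructed sample documents."""
    address_change = b"Address change: 12 Elm St -> 98 Oak Ave"
    loan_note = b"Loan note: principal $25,000 at 4.5% APR"
    pad_capture = b"\x89PNG-constructed-signature-pad-bytes"

    record = attach_signature("ADDR-1001", address_change, "member-0042", pad_capture)
    results = {}

    # 1. Untouched document and record.
    results["intact"] = verify_signature("ADDR-1001", address_change, pad_capture, record)

    # 2. Document edited after the signature was attached.
    altered = address_change.replace(b"98 Oak Ave", b"77 Pine Rd")
    results["altered_document"] = verify_signature("ADDR-1001", altered, pad_capture, record)

    # 3. Signature record from the address change presented with a loan note.
    results["copied_to_loan_note"] = verify_signature("LOAN-2002", loan_note, pad_capture, record)

    # 4. Same copy, but the record's fields were rewritten to match the loan note.
    rewritten = dict(record, doc_id="LOAN-2002", doc_sha256=sha256_hex(loan_note))
    results["rewritten_record"] = verify_signature("LOAN-2002", loan_note, pad_capture, rewritten)
    return results


if __name__ == "__main__":
    for case, problems in run_evaluation().items():
        print(f"{case}: {'OK' if not problems else '; '.join(problems)}")
```

A solution that stores the signature only as an image overlaid on the document would pass the first case and fail to flag the other three.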

Some document management solutions can go even further to improve the credit union’s operations through capabilities like automated document generation, document tracking and document retention guidelines. These features, especially when integrated tightly with other automated workflows within the core system and with ancillary applications, such as loan origination systems, establish a foundation for the paperless office – reducing costs, improving turnaround times and providing increased convenience for members.

Conclusion

These are just two of the emerging and evolving technologies that can, if implemented properly, increase efficiency, improve member service and help reduce inherent risk issues. As with all technology investments, it’s important that the credit union determine its specific business needs and requirements before purchasing or implementing new solutions. Evaluate potential solutions based on your specific needs. Set measurable expectations, such as reduced staff needs or faster turnaround time, before deploying new software, so that you can measure success and make necessary adjustments. Finally, keep up with enhancements and new features, so that you are fully aware of the capabilities of your solutions. Even if you don’t use them right away, you may have a need for them in the future, as your business model and your members’ expectations change.

Remote Deposit Capture

Remote Deposit Capture (RDC) refers to the digital transmission of paper check images to a financial institution for posting and collection. RDC allows users to scan checks at their own location and send them to their bank for deposit using nothing more than a PC, an Internet connection and a check scanner. RDC is also used within financial institutions to gather check deposit information from branch offices, ATMs and other outlets for electronic submission of cash letters to a federal reserve bank, corporate credit union or other processor. Credit unions can offer RDC to both business and consumer members.

RDC was enabled by the Check Clearing for the 21st Century Act (Check 21) in 2004, which allowed banks to clear checks based upon images of the original items, instead of having to transport the original checks back to the paying banks. RDC reduces transportation costs, speeds the availability of funds, improves processing efficiency and consolidates banking relationships. One issue that must be addressed when commencing an RDC relationship with a member is the fact that remotely transmitted checks are not deposited at a location specified in Reg CC. Therefore, the hold period and amount of funds made available must be agreed upon by the credit union and the member.

The National Credit Union Administration (NCUA) and the Federal Financial Institutions Examination Council (FFIEC) have issued considerable guidance for credit unions to follow when offering RDC services:

• Letter to Credit Unions 09-CU-01, Risk Management of Remote Deposit Capture (January, 2009)

• Evaluating Risk Management of Remote Deposit Capture Questionnaire 09-CU-07 (March, 2009)

• Letter 10-RA-07, the Retail Payments Systems Examination Handbook (May, 2010)

The receipt and processing of checks is a core activity for credit unions, which makes effective management and mitigation planning key elements of any RDC program. Credit unions engaging in RDC must address strategic, legal and compliance, credit, operational and fraud risks. Underscoring this need is the fact that, in 2010 and 2011, two large banks were fined millions of dollars for failing to identify and assess compliance risks prior to RDC implementation, and for subsequent reporting lapses concerning suspicious activity related to RDC services, in addition to other deficiencies. A credit union’s RDC risk assessment, therefore, should be comprehensive and should include a determination of the risks to the security and confidentiality of nonpublic personal information. Most recently, due to heightened concern over breaches in electronic data, FFIEC issued publication 01-CU-10, containing electronic banking authentication guidelines, which also apply to RDC delivery services.

RDC status today

According to the 2010 Federal Reserve Payments Study, approximately 13 percent of checks being deposited were captured as images at the bank of first deposit. Another report issued by Celent in 2010 states that the commercial RDC market was nearing maturity, because an estimated 75 percent of U.S. banks and 50 percent of all U.S. financial institutions offered at least one RDC service. This would imply that future growth in RDC activity will be generated by retail consumers.

The primary risk with RDC is fraud. In the 2010 “Payments Fraud and Control Survey,” only 3 percent of the total respondents reported experiencing fraud with RDC, but almost 70 percent of the same respondents reported an increase in fraud. A similar assessment of RDC fraud recently emerged from the Financial Crimes Enforcement Network (FinCEN).

FinCEN analysts identified 1,017 RDC-related Suspicious Activity Report (SAR) filings from banks and credit unions between January 1, 2005 and July 31, 2011. More than half of these reports were filed after the start of 2010. These 1,017 RDC-related SARs account for only about 0.1 percent of all bank-filed, check-fraud-related SARs. FinCEN found no real differences between the RDC channel and traditional check depositing channels when it came to fraud schemes (like check kiting, or counterfeit or altered checks).

In an article on RDC dated Nov. 22, 2011, entitled “If you expand it, will fraud come?” the author indicated that, despite the growth in volume and outlets, fraud reported to date in RDC services has been negligible. The presumption is that services have only been offered to the best customers, and limits have been placed on the amount of remote deposits accepted. When RDC services are offered more broadly to all consumers, it is reasonable to expect the potential for fraud losses to increase. Clearly, controls over the amount of deposits accepted electronically and the timing of funds availability provided are the primary safeguards against potential fraud losses.

Observations

Based on our experience in reviewing RDC implementations in both large and smaller (less than $300 million) credit unions, losses due to operational errors or fraud have been in line with traditional paper check deposited items. Some of the most common issues identified related to program management, member due diligence and operational controls:

• Program Management—Inadequate documentation of a risk assessment as recommended in NCUA letter 09-CU-01 and lack of complete program documentation covering administrative, operational, information technology and due diligence of third-party vendors. We recommend that a separate RDC service agreement be created for member business accounts, since businesses contain additional exposures, such as employees with access to nonpublic information (on checks), or multiple usernames and passwords for accessing the credit union’s RDC software. The credit union has a right to audit or request a self-assessment of the business’s RDC controls pursuant to NCUA guidelines.

• Member Due Diligence—Incomplete policies and procedures for setting and adjusting deposit limits, which results in ad hoc decisions and inflated exposures, due to inadequate information available to analyze member deposit volumes. Also, the use of one-size-fits-all deposit limits for all accounts, which greatly increases operational and fraud loss exposure.

• Operations—The lack of monitoring mechanisms and written guidelines for discontinuing RDC service, due to inactivity or when members fail to properly maintain their relationship (i.e., in the case of overdrafts, NSF, loan delinquency or charge-offs). Also, the lack of documentation and assigned authority for approving deposit limit exceptions, on either a temporary or permanent basis. In addition, access to the RDC system should be limited to those employees who need it to perform their job responsibilities.

Conclusion

Credit unions should evaluate the full range of risks inherent in RDC by involving management and staff responsible for member services/sales, accounting, legal, information technology, deposit operations, business continuity, compliance (including BSA/AML), and internal audit. The assessment needs to focus on both the internal and external resources deployed to RDC, and more than likely, will include third parties in the risk assessment to provide additional expertise. Since the board and senior management are ultimately responsible for safe and sound operations, including that for RDC, they should approve plans, policies and significant expenditures. They should also receive periodic reports explaining the operation of the RDC service.

Sources:

• Association for Financial Professionals. 2010 Payments Fraud and Control Survey. www.afponline.org/pub/pdf/2010_Payments_Fraud_Survey.pdf.

• Douglas A. King, payments risk expert, Retail Payments Risk Forum, Atlanta Federal Reserve Bank, 2010

• 2009 FFIEC Guidance on Remote Deposit Capture Risk Management

• 2010 FFIEC Examiners Guide, Financial Regulators Release Updated Retail Payment Systems Booklet

• State of Remote Deposit Capture 2011: Signs of a Maturing Market, Celent Corp. by Bob Meara, November 7, 2011

• FINCEN, SAR Activity Review, October, 2011

• 2010 Federal Reserve Payments Study, April 5, 2011, sponsored by the Federal Reserve System

Managing third-party information security risk – a cohesive approach

Newspapers, trade journals and online blogs feature a growing number of stories detailing instances in which organizations have entrusted their most sensitive information and data to a vendor or other business partner, only to see that information compromised because the vendor failed to implement appropriate information security safeguards. Worse yet, those same organizations are frequently found to have performed little or no due diligence regarding their vendors. Or, they have failed to adequately address information security in their vendor contracts, in many instances, leaving the organization without a meaningful remedy for the substantial harm they suffer as a result of the compromise. That harm can take a variety of forms: damage to business reputation, loss of business, potential liability to the breached data subjects, and regulatory and compliance issues. Recent studies by the Ponemon Institute have shown that, on average, a company will pay about $202 per record compromised, an average of $6.6 million if it experiences a security breach.

Since many credit unions focus their attention on core competencies, and since strategic outsourcing of non-core services has become almost the norm in the industry, how can credit unions continue to remain vigilant and protect themselves against the apparent necessary risk undertaken when sensitive information is shared? Two specific key tools can help substantially reduce these information security threats by ensuring that proper due diligence is conducted and documented, and by providing remedies in the event that a third-party vendor fails to live up to their data security obligations:

• A due diligence questionnaire

• Key contractual protections


The right answers start with the right questions: the due diligence questionnaire

On the whole, credit unions have gotten better in conducting information security due diligence prior to entering into contractual agreements with third-party service providers. However, this success has not been uniform and is often not clearly documented. This ad hoc approach is no longer appropriate in today’s operating environment. Developing a standard due diligence questionnaire has multiple, immediate benefits:

• It goes beyond simply requesting SSAE 16 (SAS 70) testing documents, which were never intended to be used to assess a vendor’s information security controls, but rather as a communiqué from auditor to auditor, as it relates to transaction processing information integrity

• It ensures a uniform, ready-made framework for due diligence

• It provides for an apples-to-apples comparison between multiple vendors

• It provides an easy way to incorporate security information directly into the contract, as it can be attached as an exhibit to the final executed contract

• It can and should be used for all vendors with whom sensitive member information is shared. Too often, credit unions risk rate their vendors, using a blend of mission criticality and whether or not the vendor has access to sensitive member information. Some instances may arise whereby vendors are not mission critical, but have direct access to sensitive data – in these cases, many credit unions forgo the due diligence requirement, since the vendor is not considered high risk. Yet, while the vendor may not be high risk as concerns mission criticality, it could be high risk in relation to sensitive information.

Key areas for consideration in a due diligence questionnaire for vendors who have access to sensitive member information include:

• Compliance with GLBA, PCI, HIPAA, HITECH or any other industry standard requirements for the particular vendor

• Information security controls in general (policy, procedures, audits, etc.)

• Financial condition

• Insurance coverage

• Corporate responsibility

• Subcontractors

• Organizational security procedures

• Physical security

• Encryption

• Destruction of sensitive documents or information

• Technological security

• Contingency plans

• Software development concerns (if applicable)

Within each one of these areas, multiple questions can be developed to help get an understanding of the vendor’s controls and protocols for securing sensitive information.

Key contractual protections

In the majority of engagements we conduct that include reviews of third-party vendor contracts, there is little to no specific language protecting the credit union’s sensitive member information. At most, there are passing references to undefined security requirements set forth in the agreement and a basic confidentiality clause.

Any agreement should contain language requiring the vendor to comply with provisions of GLBA (NCUA Rules and Regulations Part 748 Appendix A), including a requirement to implement reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of sensitive member information. However, today’s best practices in contracting suggest that far more specific language is required.

Credit unions should include information security provisions in their business services agreements, and should clearly incorporate those agreements into the underlying contracts themselves. The underlying contract and business services agreement should read in concert with one another and all ambiguities should be eliminated. Common sources of problems we’ve noted include:

• Generic confidentiality clauses, with no specific expectations outlined or contractually obligated

• Contract requirements written to protect only the vendor, with the credit union agreeing to safeguard the vendor’s sensitive information (source code and trade secrets), but no similar requirement that the vendor safeguard the credit union’s sensitive information

• Vendor liability for lost storage medium is limited to the cost of replacement, but makes no provision for the value of the data contained therein

• Contracts that fail to address notification requirements in the event of an actual or suspected data breach, a provision that NCUA Rules Part 748 Appendix B requires to be included within the contract

• Contracts that define sensitive member information in ways that do not align with the credit union’s internal definition of “sensitive member data” (i.e., requiring that only those documents stamped “confidential” be treated as such)

• Contracts that do not include state-specific nuances for the state in which the credit union conducts business. It should be noted that 47 of the 50 states have enacted specific data breach laws, which require anywhere from no changes from federal law, to changes in definition, to changes in specific technical controls. Examples include Wisconsin, which defines sensitive member information to include DNA profile, and Massachusetts, which requires all laptops which store sensitive information to have whole disk encryption. A list of state-specific information can be found at http://www.ncsl.org/default.aspx?tabid=13489.

Other considerations for inclusion within a contract or subsequent addendum could include specific language addressing the following:

• Warranties

• Specific information security obligations

• Indemnity

• Responsibility for costs associated with security breach notification

• Limitation of liability

• Confidentiality

• Audit rights

It’s important to remember that the vendor is seeking the credit union’s business. Credit unions must take tougher stances when it comes to contract term negotiations, in order to ensure contractual protections are afforded in accordance not only with the state and federal law, but also in the best interest of the members and their information.

Managing data security risks is a key management duty

As the news continues to mount about data breaches (as this article was going to press, online shoe retailer Zappos disclosed a 24 million-record breach of a server in Kentucky), credit unions are going to feel the pain, directly or indirectly, as data itself becomes the target of cybercriminals throughout the world. By ensuring due diligence is performed in an adequate, uniform manner that is commensurate with the level of risk involved in information sharing, and by ensuring that contracts legally protect the credit union’s rights and outline obligations, risks associated with the theft or loss of sensitive data are minimized. While the risk of a data breach will never truly be eliminated, the likelihood and impact of a breach can certainly be reduced to a more acceptable level.

The due diligence questionnaire will enable the credit union to ask the right questions and obtain critical information – before entering into a contract – concerning the ability of a third-party service provider to adequately safeguard nonpublic personal information. The contractual provisions establish the credit union’s expectations, with respect to privacy and security requirements, provide the basis for mandating that the service provider complies with those requirements, and give the credit union remedies to assert a claim against the service provider in the event of a failure to provide adequate privacy and security measures. Credit unions that fail to adequately protect sensitive data against third-party failures are failing their members and, in the end, themselves.

Sources

• Ponemon Institute, “Ponemon Study Shows the Cost of a Data Breach Continues to Increase,” www.ponemon.org/news-2/23


Section 7: About McGladrey

McGladrey & Pullen, LLP operates under the McGladrey brand as the fifth largest U.S. provider of assurance, tax and consulting services, with nearly 6,500 professionals and associates in more than 70 offices nationwide. McGladrey & Pullen is a licensed CPA firm.

It is the U.S. member of RSM International (“RSMI”). RSM International is the sixth largest network of independent accounting, tax and consulting firms worldwide, with 714 offices in 90 countries, and more than 32,000 people. The member firms of RSMI collaborate to provide services to global clients, but are separate and distinct legal entities which cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party.

Contact information

800.274.3978 www.mcgladrey.com/cu

Authors and contributors

Chris Fisher, director, Los Angeles, Calif.

Chris Giovanniello, manager, Boston, Mass.

Bob Glynn, director, Schaumburg, Ill.

Arnie Green, manager, Boston, Mass.

Joe Harrington, director, New York, NY

Victor Howe, partner, Boston, Mass.

John Keyser, partner, Las Vegas, Nev.

Julie Kim, director, Los Angeles, Calif.

Tasha Kostick, partner, San Francisco, Calif.

Jim Lamb, principal, Kansas City, Mo.

Dennis Lavin, partner, Irvine, Calif.

Matt Leapaldt, senior associate, Minneapolis, Minn.

Linda Mackey, director, San Francisco, Calif.

Loridette Miclat, manager, Los Angeles, Calif.

Mike Mossel, principal, Los Angeles, Calif.

Tonette Santillan, manager, Los Angeles, Calif.

Sharon Schmidt, senior associate, San Diego, Calif.

David Zavatti, supervisor, Dallas, Texas

2012 McGladrey Supervisory Committee and Directors Conference

In Harmony with Success

September 13 & 14, 2012, Gaylord Opryland Hotel, Nashville, TN

Join us for some education in Music City USA and experience for yourself what makes Nashville special. It’s a town that sizzles with American music, Southern hospitality, unbelievable cuisine and a boundless spectrum of nightlife.

This is our 36th annual educational conference for supervisory committee members and directors. We will explore important issues and opportunities that directly affect credit unions and their service organizations. You will come away with fresh ideas, as well as an understanding of the risks you face and how you can improve your credit union.

Visit www.mcgladrey.com in the future for more registration details.


McGladrey is the brand under which McGladrey & Pullen, LLP serves clients’ business needs.

McGladrey & Pullen, LLP is the U.S. member of the RSM International (“RSMI”) network of independent accounting, tax and consulting firms. The member firms of RSMI collaborate to provide services to global clients, but are separate and distinct legal entities which cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party.

McGladrey, the McGladrey signature, The McGladrey Classic logo, The power of being understood, Power comes from being understood and Experience the power of being understood are trademarks of McGladrey & Pullen, LLP.

© 2012 McGladrey & Pullen, LLP. All Rights Reserved.

Power comes from being understood.SM

When you trust the advice you’re getting, you know your next move is the right move. That’s what you can expect from McGladrey. That’s the power of being understood.

800.274.3978 www.mcgladrey.com