TMCnet News
Automating Compliance [Credit Union Management](Credit Union Management Via Acquire Media NewsEdge) A practical guide. Almost every credit union automates some part of its compliance l process. Much of compliance is, after all, record-keeping-being able to prove to examiners that a financial institution follows its own rules and the regulations of its state and federal governing bodies. So if a credit union is doing anything more high-tech than filing paper documents in its records room, it has started down the path. But Annemaria Allen, president/CEO of The Compliance Group (www.thecompli ancegroup.net), Carlsbad, Calif., a mortgage compliance strategy firm, says many CUs are taking, at best, a piecemeal approach to automating compliance. They've been making loans for a long time, they have old systems in place, and they may only recently have started exposing themselves to certain regulatory issues, such as seeking Fannie Mae and Freddie Mac approvals. "They have [automation], but it's almost like they have three or four different components of technology and none of them really talk very effectively with each other," she says. "It's often a matter of sitting down and analyzing what they have and how they can make it more efficient, and how they might be able to get rid of all of this and have maybe one or two systems that can do everything for them." Allen says many credit unions will have some automation surrounding calculation of annual percentage rates, and some have also implemented calculators for demonstrating compliance with the ability to repay/qualified mortgage rule. But they could be doing more to make the process easier. "With some of the credit unions that we've been dealing with, we've been going in and doing some gap analysis with them, just to see where some of their deficiencies are," she says. "Often some of their HMDA (Home Mortgage Disclosure Act) data gathering is a little cumbersome, so we'll recommend companies out there that do some HMDA data collecting, and where they can actually do some fair lending testing and things like that." Ken Hoang, CEO/co-founder of Strevus (www.strevus.com), a San Francisco-based provider of risk and compliance management software for financial service institutions, would also like to see credit unions streamline their compliance efforts by automating with a more noseto-tail solution. "We believe in order to solve the problem well, you really need to automate the whole lifecycle, not just part of the process," he says. "It really is two types of lifecycle-the lifecycle of your customer or client, and then the lifecycle of the actual regulation itself. "Post-2008, there have been a lot of new regulations coming in. So we talk first about the episodic event of bringing on a new regulation, and then the ongoing process of keeping up with that regulation: How do you continue to onboard new customers and monitor for changes with those customers while following those regulations? I absolutely do think that it is viable for one vendor to offer the regulatory capture of the required information, especially when it comes to the client data." Piece by Piece While a very broadbased compliance solution may be ideal, any system that automates workflow and collects data about some part of the credit union's offerings will help with the compliance process. That's even true if those systems are nominally "about" something else, such as loan origination or customer relationship management. nCino (www.ncino.com), based in Wilmington, N.C., provides a solution that manages commercial lending throughout its lifecycle, from the first member interaction to portfolio tracking over time. "An audit trail and a timestamp is created at every stage," explains CEO Pierre Naudé. "That helps with compliance. Examiners don't look at a single paper file-they get a login, and the credit union can allow them to see a subset of the files. They can see everything about that loan, the documents, the processes, every person who has touched that loan in the history of the loan. They can see the original underwriting criteria, because it's documented right there. They can see who approved what at what stage. They can see the full process." This same workflowand-documentation approach enables compliance in other areas, too, so nCino is expanding its offerings beyond commercial origination software. Naudé says the company is moving into consumer and retail lending, deposits, governance risk and compliance, and vendor management. The price of some large-scale compliance solutions can make them less appealing for smaller credit unions, say providers. "We normally look at an asset size of $300 million and above," says Naudé. "So there are about 200 to 250 credit unions that we target, and about 2,200 banks. It's actually a very, very low cost of entry, because we charge per employee who uses the system per month. But if you only do two of these [commercial] loans every year, it's difficult to justify putting a system in place." Allen says that's true of mortgage-related compliance systems, too, especially if CUs are looking at fully outsourced solutions. "Pricing [on APR, high-cost mortgage, and ATR/QM calculations] is generally per-unit, and the more units you run through the system, the better price you get," she explains. "We also do vendor management on the servicing side. If credit unions are sending out their servicing, we'll monitor that servicer and do audits. It can be $3,500 to $5,000 annually just to monitor the servicer, because of all the documentation we have to look at just to demonstrate to Fannie and Freddie, let alone CFPB [Consumer Financial Protection Bureau, www.cfpb.gov] stuff. So as a result, I would probably say more to the midto large-sized credit unions probably have a little bit easier time digesting some of those fees." To make it more affordable, Hoang recommends starting out incrementally. He says credit unions should find the area where compliance is costing them the most and tackle it first. "Let's take KYC [Know Your Customer]," he says. "If you're doing institutional KYC, your costs could start anywhere from $200 to $2,000 per customer. If your customers have associations with high-risk areas (such as where there is little or no public information available to help assess the risk they pose to your organization), then your risk profile goes up, and hence your cost of doing the diligence goes up. We can cut it, generally, either by a fourth, or by as much as a(n order of) magnitude-and give you better results." And as much as providers recommend finding broad-based solutions that tackle compliance on a large scale, it's also possible to cobble together a fairly efficient compliance automation strategy from disparate parts. Frankly, it's what most smaller CUs do. "I'm not sure that we really have a true enterprise compliance solution in place," says Murray Voight, VP/compliance at $502 million El Paso Area Teachers Federal Credit Union (www.tfcu.coop) with 50,000 members, and 180 employees. "What we use is our core system that's tied into the OnBase imaging system that we have. From the account signature cards to loan documents, along with various other types of documents for regulatory purposes, we're trying to keep everything imaged in that system. So when NCUA comes in, and they need to look at something, we provide them with laptops so they can access that system and view those documents." The CU also uses PolicyPro from League Infosight (www.leagueinfosight.com), Plymouth, Mich., for centralization and standardization of policies. It uses a solution from Verafin (www.verafin.com), St. John's, Newfoundland, for Bank Secrecy Act and fraud monitoring. The latter doesn't integrate as fully with the core system as Voight would like, so the front office still has to generate some documents manually. But it's a good start, and it makes life easier at exam time. The Real Gains Despite all the tools available, Allen says there's no such thing as fully automated compliance. At some point, human beings have to step in. "Let's say you have a loan in your loan originating system, and you have [a compliance solution] like ComplianceEase (www.compliancease. com), Burlingame, Calif., or Mavent from Ellie Mae (www.elliemae.com), Pleasanton, Calif., running in the background, pulling in the proper fields and doing calculations and spitting out a pass or fail," she says. "Who's putting data into the system in the first place? Human beings. So there are going to be errors, and you have to double-check. "Say you get a better automated solution for HMDA reporting. You're still going to need a compliance officer to analyze the data and fix the errors that are happening in that report before they submit to whatever regulator they have to submit their HMDA data to. You still need your compliance people." At the end of the day, she says, credit unions don't necessarily save a lot of person-hours with automated compliance solutions. Even if they got rid of a processor or two, they'd probably have to pick up those hires on the IT side. But where they do realize gains is in the ability to make more loans and to reduce compliance risk at the same time. Outsourcing to a provider of an automated solution has the potential to reduce risk even further, because it's another set of eyes. "We will double-check the automation systems just to make sure that they're calculating properly," says Allen. "You still have to have that human element and that human touch going through the files and double-checking, because CFPB will ask how you're monitoring your vendors. If your answer is, 'We run everything through this system,' they're going to ask, 'Well, how do you know they're doing it right?'" Automation, then, isn't necessarily a way of removing the human component from compliance. Rather, it's another layer, another way of demonstrating diligence. "I think generally, when you have a better process, there's no doubt that it is going to result in a better outcome," says Hoang. "And the more eyeballs that you can get detecting when there's a problem, the better." Some Automated Compliance Solution Providers The Compliance Group (www.thecompliancegroup.net) ComplianceEase (www.complianceease.com) Compliance Tech (www.compliancetech.com)* Continuity Control (www.continuity.net) LEVERAGE (www.myleverage.com)* League Infosight (www.leagueinfoinsight.com) nCino (www.ncino.com) Policy Works (www.policyworksllc.com) Quantivate (www.quantivate.com) QuestSoft (www.questsoft.com) EMC Corp. (www.emc.com) Strevus (www.strevus.com) Verafm (www.verafin.com) * CUES Supplier members Shopping for Solutions Recently, Seattle-based BECU invested in an RSA Archer GRC platform from EMC Corp. (iviviv.emc.com), Hopkinton, Mass., to help manage governance, risk management, and compliance across the credit union. It's a huge application that the CU is deploying module by module, building in workflows and capturing data in first one department, then another. The platform fits VP/Compliance Mark Thompson's philosophy: "For us, it's more about managing the risk around compliance and other areas than it is about really streamlining the exam process," he says. Thompson says when it came to choosing a vendor, there were several factors at play. "We wanted something that would allow us to share information, but that also gave us flexibility and the power to be able to design our own workflows," he explains. "In my business unit, if we need to add another field to a table or another question to a checklist that we use for monitoring home equity loans, I can do that and not have to go through some central authority. I thinkthis particular solution was a good mix of having breadth in a lot of different areas where the credit union could use it, and then also having some flexibility and power for us at the individual business unit level." Pierre Naudé, CEO of the Wilmington, N.C., software company nCino (www.ncino.com), says the breadth of a solution is a very important factor to consider, but so is time to market. How long will an automated compliance solution take to deploy? These systems often have to interface with a variety of legacy applications, so the implementation can take awhile. The best way to know for sure whether a product will be worth the investment is to actually try it out, says Ken Hoang, CEO and co-founder of St revus (www.strevus.com), a San Francisco-based provider of risk and compliance management solutions for financial services institutions. "Most Web-based tools, you can try it out, and you should be able to take advantage ofthat on a free basis," he says. "With compliance, you might just put a couple of records through and see if it can manage that whole lifecycle. That's the best way to get a holistic perspective of what a product can do." Resources Using automated compliance systems is a way to capitalize on the "silver lining" of having to comply with governmental regulations. Read more in "Embrace the Moat" on p. 16. Get our monthly "On Compliance" column (and all of our monthly columns) delivered to your email inbox by signing up for the CUES Advantage weekly e-newsletter at cues.org/enewsletter-subscribe. It's not too late to register board members from your credit union for Director Risk and Compliance Seminar. The event will be held Sept. 15-16 in Williamsburg, Va. See cues.org/drcs. Jamie Swedberg is a freelance writer based in Georgia. (c) 2014 Credit Union Executives Society |