Should Credit Unions Outsource Their Compliance?
As the pace of new government regulations continues unabated, an increasing number of credit unions are seeking to outsource their compliance operations to third-party vendors as a means of cutting costs and relieving the burden of immense paperwork and man-hours.
However, outsourcing comes in all shapes and forms — depending on the size, needs, strengths, weaknesses and culture of a specific credit union, the institution may outsource part of their compliance duties to an outside firm, while keeping some compliance activities in-house.
According to various experts, including compliance officers at credit unions as well as third-party vendors, credit unions of all sizes have outsourced part or all of their compliance requirements. In many cases, CUs simply do not have qualified personnel within their staff to handle the mountain of regulations coming down from Washington, while others have determined that hiring a third-party vendor to handle such work would free the credit union to concentrate on its core competencies.
Costs related to compliance do not end with simply the salaries paid to compliance officers. JiJi Bahhur, NAFCU director of regulatory compliance said compliance costs also encompass such items as training of staff and enacting changes and upgrades in technology and compliance infrastructure — and all of these expenses can pile up.
Indeed, according to a May 2013 Economic & CU Monitor survey on Regulatory Compliance by NAFCU, a whopping 88.1% of credit union respondents said their compliance costs had increased since the passage of the Dodd-Frank Act in July 2010. That rising cost burden has forced some credit unions to raise their fees and offer fewer services, the report noted.
So, what are the pros and cons of outsourcing compliance?
On the plus side, outsourcing presents a cost-savings to a credit union, said Gaye DeCesare, the chief compliance officer of Belvoir Federal Credit Union, a $327 million institution based in Woodbridge, Va. "Instead of hiring a full-time staff of well-trained compliance officers and other experts, a credit union can spend about half as much by transferring their compliance operations to a third party," she told Credit Union Journal.
And in a climate of tight margins, cutting expenses on salaries and benefits by half presents quite an attractive option.
Amanda J. Smith, a partner at the law firm of Messick & Lauer in Media, Pa., who has a particular focus on representing credit unions and credit union service organization [CUSOs] on compliance-related issues, said she knows of a mid-size credit union that spends $300,000 annually on compliance issues alone.
"Some credit unions have a strong compliance-oriented environment in their culture, while others do not," Smith said. "It's critical for credit unions to properly choose the right vendor to do their compliance through due diligence."
She also noted that compliance costs are rising — in just the past five years, such expenses have jumped significantly. Even worse, regulations are becoming ever-more complex and draconian, leading to the necessity for better-trained compliance officers who can keep up-to-date on the changes.
The "final straw" for credit unions, Smith cited, may have occurred in January 2014, when new regulations related to mortgages under the Dodd-Frank Wall Street Reform and Consumer Protection Act were implemented.
"Since that time, I think credit unions have realized that getting on top of compliance has become an urgent matter," Smith said.
In addition, DeCesare said, a third-party vendor that specializes in compliance would likely have specialists in various fields of compliance, giving the credit union easy access to their valued expertise.
DeCesare knows compliance from both sides of the fence — not only does she serve as the chief compliance officer of Belvoir FCU, but she is also president and chief executive officer of COMPASS 4 CUs LLC, a CUSO that focuses exclusively on compliance issues for credit unions.
"Compass is wholly-owned by Belvoir, so to avoid any potential conflict-of-interest issues, there are certain activities we cannot perform for them," she said, adding that Compass currently has about 24 credit unions as clients, including Belvoir itself.
"In most cases, we offer supplemental compliance services for particular things they either don't have the time or expertise for," she explained. "Typically, when we sign a contract with a credit union, it is for a one-year time period, and renewable at the discretion of both parties."
But outsourcing compliance matters can present a number of headaches and challenges to a credit union, as well.
"For one thing, by outsourcing, the credit union doesn't have a person on-site who it can quickly reach if it has any problems or questions," DeCesare said.
Of greater consequence, when a credit union unloads its compliance responsibilities onto a third-party vendor, it is the credit union itself (not the vendor) that remains vulnerable to all risks and penalties that may arise if compliance is not performed to the regulators' satisfaction (which could lead to substantial financial fines or even prison).
"This is why it's so important for a credit union to find a good, competent and trustworthy vendor and to negotiate a fair contract with them," DeCesare cautioned.
Smith explained that the credit union must answer to both its members and regulators in the event that a third-party vendor fails to properly complete compliance and prepare disclosures.
But she also noted that a credit union might reserve the right to file legal action against a vendor through a well-negotiated contract in the event the vendor commits any wrongdoing, But that still wouldn't relieve the credit union of its own liabilities as a result of the vendor's missteps.
Alas, Smith put it succinctly: "You can't 'outsource' risk."
The credit union is ultimately responsible if something goes wrong, concurred Bahhur of NAFCU.
"By outsourcing, you are basically giving up control of an important segment of your operations to a third-party entity," said Edward Kramer, executive vice president of regulatory affairs at Wolters Kluwer Financial Services and former Deputy Superintendent of Banks in charge of the Consumer Services Division of the New York State Banking Department. "That arrangement might be hard to manage and may put the credit union in a rather vulnerable position."
Kramer suggests that if a credit union doesn't really need to outsource its compliance activities, it shouldn't. However, there are many times where it is better, and more efficient, he notes, to outsource to a reliable third party.
In some cases, it would make sense for a credit union to outsource only some of its compliance responsibilities, and perform the other duties in-house.
"It would depend on the specific credit union and its strengths," DeCesare said. "If a credit union has a strong mortgage lending business, then it would probably be advantageous for someone on staff to deal with the related compliance issues. On the other hand, if the credit union in question has no one in personnel who is familiar with BSA [Bank Secrecy Act] and AML [Anti-Money Laundering] issues, then it would behoove them to work with a third party."