Good Governance: 2024 Compliance Topics for Boards

four small blocks that when placed together show an illustration of a human head and the scales law symbol
Contributing Writer

6 minutes

Credit union directors need to understand these 4 regulatory topic

The regulatory landscape requires board members to have knowledge of the most pressing compliance topics. We highlighted several regulatory topics in “A Culture of Compliance.” Here are additional regulations to watch.

Open Banking Rule

The proposed open banking rule by the Consumer Financial Protection Bureau, formally titled “Required Rulemaking on Personal Financial Data Rights,” is premised on enabling consumers to share their financial data with third-party providers, but attorney Michael Edwards explains that it would really legalize so-called “open banking,” which Investopedia defines as “a banking practice that provides third-party financial service providers open access to consumer banking, transaction, and other financial data from banks and non-bank financial institutions through the use of application programming interfaces.”

The European Union has already implemented an open-banking mandate for European banks through legislation known as the Payments Services Directives, which allows third-party non-bank financial institutions like financial technology companies to transact on consumers’ checking accounts without the permission of the institution holding those accounts. And in Canada, the move to open banking is going slow.

In addition to competition concerns related to this proposed rule, Edwards points out that there’s concern that it will make financial institutions more vulnerable to hacking and fraud.

“If this does become law, it opens up a whole new realm of third parties getting direct access to your core banking system, which could potentially wipe out the credit union in an hour or so if the hackers are able to get through enough controls,” says Edwards, whose law office in Upper Marlboro, Maryland specializes in business, regulatory and compliance law for credit unions, CUSOs and fintechs. “And the way it’s proposed is that the credit union would have to pay for the implementation, so there’s an expense component to it too.”

The open banking rule would negate the necessity for fintechs to partner formally with a financial institution to offer banking services. “The rent-a-bank model is common now with fintechs, where essentially they have a relationship with one bank that holds all the accounts that are going through the app,” Edwards explains. “But if this consumer right-to-data regulation becomes final, the fintechs wouldn’t have to do that anymore. Instead, they would use your credit union’s infrastructure without having to pay for that service. They would essentially be riding the rails of any bank or credit union in the country for free.”

Stephanie Lyon, VP/regulatory content strategy for Ncontracts, a risk and compliance management software provider headquartered in Brentwood, Tennessee, concurs that the open banking rule would burden financial institutions. “It’s a massive undertaking from a digital systems capability because it’s going to require institutions to connect to third parties and give their member data to someone else who might want to them,” she says.

Another downside of the proposed rule is that it will be easier for consumers to “break up” with their financial institution, Lyon says. “A big thing the CFPB is pushing for is competition, so if the consumer doesn’t like their institution, they can quickly move on to the next.”

Succession Planning

It’s been two years since the National Credit Union Administration approved a proposed rule that would require federal credit union boards to implement processes for succession planning. “A lot of smaller credit unions have unfortunately failed due to not having a strong succession plan, and that’s why NCUA is addressing it,” Lyon says. “My best advice is you should always have a plan. We’re expected to have a plan to respond to any number of incidents, from a cyber event or a breach to a flood or a disaster, so why wouldn’t you have a plan in place for the most valuable asset you have—your people?”

ViClarity identifies succession planning as an area ripe for board involvement, noting that CEOs, senior leaders and other key roles are turning over faster than ever. Though CEOs and other C-suite leaders are typically the priority in succession planning ViClarity stresses that it’s important not to overlook identifying successor candidates for compliance and risk functions.

“I think that succession planning for compliance and risk often fall by the wayside,” says Jovilyn Herrick, senior director of client solutions for ViClarity, a provider of governance, risk and compliance management software solutions and consulting services based in Des Moines, Iowa, and Kerry, Ireland. “Imagine if you have a compliance officer who has been with you for 20 years. What will you do if that person leaves unexpectedly?” 

Artificial Intelligence 

There’s considerable concern that AI could cause job displacement, unintentional bias, security risks and other potential threats. “For credit unions, artificial intelligence is most relevant right now as an IT security threat,” says Edwards, citing the possibilities of both text-based and video-based misuse by fraudsters. “AI programs are able to mimic people’s voices and appearances fairly well, so if somebody has a YouTube channel or is frequently interviewed on TV, they’re more at risk.”

Herrick notes there is some potential liability if a CU is using AI to pass on incorrect information. “If AI provides inaccurate information and there are not guardrails in place to limit what the team member might use or not, then you could see credit union reputational risk and potential liability if it causes a loss. I recommend that credit unions implement a policy on internal use that outlines what is acceptable.”

Lyon stresses that the risks associated with using AI shouldn’t make it off-limits if it has value to the organization. “I’ve seen several credit unions say, ‘We’re going to stay away from it,’ but there’s a lot of operational benefits you can gain with the technology if you use it responsibly,” she says.

Financial Innovation 

In September 2023, NCUA approved a final rule that modernizes regulations regarding indirect lending, the purchase of loan participations, and the purchase, sale and pledge of eligible obligations and notes of liquidating credit unions. Edwards explains that the rule provides flexibility for federal credit unions to take advantage of advanced technologies and other opportunities offered by fintechs, citing apps like Upgrade and Upstart as examples. The rule also codifies several long-standing supervisory guidance letters on third-party due diligence, indirect lending and loan participations.

“The rule does not necessarily break new ground because many credit unions already engage in indirect lending with fintech companies,” Edward says. “However, it will make it easier for credit unions to partner with financial technology companies in indirect lending relationships.”

In announcing the rule, NCUA cautioned that managers and boards of directors choosing to use this new rule must ensure their third-party due diligence and vendor management policies are “updated, followed and reflect the size and complexity of their activities and risk levels.”

Lyon concurs with NCUA’s emphasis on due diligence, cautioning CUs from entering into fintech relationships without appropriate risk mitigation—no matter how attractive the potential income might be.

“Everyone has to get creative right now with the crackdown on junk fees and the disappearance of overdraft programs,” she says. “We have to be savvier about other income opportunities. Fintechs offer opportunities but not without risk, and you definitely need to be managing that risk for the reward.”

Based in Missouri, Diane Franklin is a longtime contributor to CU Management magazine.

Compass Subscription