Credit Union Client Alert – Year-End Housekeeping for Credit Unions – Is Your “House” in Order?

    By Lisa Hudson Kim, Credit Union

    Credit unions should take the time to ensure your house is in order and fully compliant in every area before the year’s end. This will help prepare for new developments, rulings, guidance, settlement actions, and anything else regulators may raise, as well as mitigate the constant barrage of lawsuit threats. Do not procrastinate and proactively tackle these tasks to start off 2023 on strong footing.

    Your credit union should consider concentrating on reviewing account agreements, applications, forms, and other membership materials, all of which are becoming so important in your defense of lawsuits; your website, which is a very public forum for all to see and critique; service provider arrangements; cybersecurity; cryptocurrency; London Inter-Bank Offered Rate (LIBOR); and all other regulations to which your credit union is subject.

    Account agreements, applications, forms, and other membership materials. The account agreement is a legal agreement between the credit union and its members that governs the use of products and services and frames the terms and conditions to which members must adhere. Often times, a credit union becomes a defendant in and is subject to individual or class action lawsuits due to the language contained in the account agreement. A credit union’s account agreements, applications, forms and the miscellaneous membership materials must be clear, concise and reasonably understandable. Legal terminology should be minimally used. Simple layman’s terms are preferred. To determine whether these documents meet the clear, concise and reasonably understandable test, ask staff unfamiliar with the product or service to read them. If your staff does not understand the account agreement or other documents, consider revising. It is also important to review these documents to ensure that you are fully compliant with regulations, such as Truth in Savings Act (Part 707), Electronic Fund Transfers Act (Regulation E), Privacy (Regulation P), Customer Identification Program (CIP), and Office of Foreign Assets Control (OFAC). Remember that regulatory changes occur often so your documents need to be reviewed frequently and revised accordingly.

    Website. Having a fully compliant website is a challenge. There are many moving parts with a website, from updated webpages, to weblinks, new product or service offerings, marketing-related regulation changes, and Americans with Disabilities Act (ADA) requirements that can cause a fully compliant website to become just the opposite in a blink of a cursor. Staying on top of these changes all year will make it much easier than reviewing it annually or even semi-annually. The credit union’s website is probably the most public forum a credit union has. If ignored, it is vulnerable to reputation risk, regulatory risk and the risk of trollers looking to bring a lawsuit against you. Realize that in the fine print, the date of the website and its updating is able to be viewed by the public.

    Service Provider Arrangements. This is a topic that should always be on a credit union’s radar. Credit unions use service providers for a myriad of services from information technology, documents and forms creation to credit card servicing, collections activities, marketing, and beyond. Credit unions simply cannot be expected to offer many services without the assistance of a service provider. However, managing many service providers causes risk. The National Credit Union Administration (NCUA) sets out three (3) major concepts that should be addressed in evaluating third-party arrangements: risk assessment and planning; due diligence; and risk measurement, monitoring and control. Credit unions should negotiate these arrangements to ensure you are fully protected. Business continuity and incident response provisions should be addressed as well as confidentiality and privacy provisions. Understanding the service provider’s liability or the credit union’s enforcement rights is also vital. It is highly recommended that credit unions seek legal counsel to review service provider arrangements prior to entering into them. Once an agreement is executed, credit unions must review the service provider’s performance periodically, not just at the time the contract is scheduled to expire to ensure that the service provider meets the credit union’s expectations and service level agreements. This will also ensure better member service.

    Cybersecurity. Cyberattacks continue to rise. Credit unions and the financial services industry is one of the top U.S. critical infrastructure sectors targeted by ransomware and cyber criminals. Cyberattacks have the potential to alter, delete, or otherwise render a credit union’s data and systems unusable. It is critical credit unions utilize prevention measures to mitigate the risk of a cyberattack. Implement multifactor authentication, ensure all software is updated to the latest versions, require strong passwords that must be periodically changed, be diligent, and train staff. If your credit union experiences a cyber incident, it is important to contact law enforcement, the NCUA, and your state authorities within the timeframes required as soon as possible. The sooner issues are addressed, the more options are available and perhaps the harm can be contained.

    Cryptocurrency. Using the NCUA’s incidental powers rule, federally insured credit unions (FICUs) have the authority to offer digital asset services/cryptocurrency to members by establishing relationships with third-party providers which offer these services. The NCUA warns FICUs must consider the following before offering cryptocurrency to their members: 1) FICUs must exercise sound judgment and conduct the necessary due diligence, risk assessment, and planning when choosing a third party, just as you are required to do before considering any other third-party service provider (the NCUA will evaluate these relationships and the actions credit unions performed prior to engaging with the provider); and 2) adequate due diligence must be conducted to ensure FICUs comply with all applicable laws and regulations to ensure safety and soundness; with consumer financial protection; investor protection; and anti-money laundering and terrorism finance laws. FICUs should also remember that some activities fall within the jurisdiction of other regulatory agencies, such as the Securities and Exchange Commission, Commodity Futures Trading Commission, Financial Crimes Enforcement Network, and individual state agencies. FICUs looking to begin offering digital assets/ cybersecurity should do so cautiously given the fraud related to these assets and the recent collapse of cryptocurrency exchange, FTX.

    LIBOR. The one-week and two-month U.S. dollar LIBOR settings ceased after December 31, 2021. The overnight and one-, three-, six-, and 12-month USD LIBOR settings will be extended through June 2023, providing additional time for credit unions to wind down or renegotiate contracts that reference LIBOR settings. Credit unions should be well under way to transitioning from LIBOR settings and ensuring contracts contain adequate fallback language.

    Action Required. It is prudent not to wait until an event happens before you review what you could have done better to prevent the incident. Act now and you will be in a better position to provide quality service to your members while protecting your organization from damage caused by not being proactive. This article highlights just a few of the many topics you should consider reviewing before the end of the year. The credit union group at Kaufman & Canoles is poised to assist with questions, conducting compliance reviews, and any other assistance your credit union needs.

    The contents of this publication are intended for general information only and should not be construed as legal advice or a legal opinion on specific facts and circumstances. Copyright 2024.