Recent concerns, including terrorist financing and identity theft, have produced a flurry of additional information-security regulation over the last decade. Credit unions walk a fine line between protecting their members' data and finding the resources to comply with these rules, and the cost of compliance continues to climb year after year. With the NCUA and state regulators shifting toward a risk-focused examination program, the Bank Secrecy Act (BSA) and IT security compliance are the two areas in which IT service providers field the most questions and provide the most assistance.
Because most CUs do not have a full-time compliance officer on staff, they leverage their local league's resources for guidance and assistance on regulatory requirements. However, CUs often reach out to IT service providers for assistance during the implementation phase of critical IT initiatives.
Credit Union On-Line is subject to some of the same regular examinations and audits that CUs go through, so we are well-versed in CU regulatory requirements and have a distinct point of view on the key tools and best practices that let organizations mitigate risk successfully. CUs need BSA and general information-security compliance programs that effectively monitor daily operations to ensure compliance with rules and regulations. In our experience, single common bond sponsor CUs find it relatively easy to work closely with their memberships and so develop a better understanding of their members' business transactions. That kind of personal relationship makes BSA compliance somewhat easier.
It is nonetheless an IT service provider's role to help both community charter and single common bond sponsor CUs simplify the compliance process. Compliance is a constant strain on CUs, whether the task is providing enhanced reports that identify the activity and details needed to produce a Suspicious Activity Report, expanding Office of Foreign Assets Control screening to cover additional data sources (including Internet banking bill pay vendors), or introducing tools such as an anti-money laundering application. IT service providers are always looking for strategies to supplement and support their CU business partners' compliance efforts.
According to the NCUA, most BSA violations fall into three categories: inadequate written policies, an insufficient member identification program, or deficient currency transaction reporting procedures. With the help of an IT service provider, CUs can use sample templates and hands-on assistance to develop accurate and effective policies and processes that avoid noncompliance. Through partnerships with third-party service providers, CUs can also automate the member identification process and the creation of currency transaction reports, streamlining both their member ID and CTR procedures.
CUs also face the significant challenge of implementing a Gramm-Leach-Bliley Act compliance program. At first glance, the privacy portion of the regulation appears easy to meet. But with limited expertise on staff, it often falls to the CU's IT service provider to offer the guidance and assistance needed to implement the act's extensive requirements, including a robust staff training program, a vendor management program, a corporate information security program and security standards policy, an incident response program with risk mitigation controls, and a sound validation strategy. Sharing risk assessment tools and templates can further help CUs complete the risk assessment exercises that are so critical to the safety and soundness of their organizations.
In the area of information security, many CUs find it helpful to have an IT provider review their network architecture and implement security controls, including user and group policies through Active Directory, hardened router configurations, and tools such as ManageEngine Firewall Analyzer (a firewall log analysis tool that can serve as a basic intrusion detection source by monitoring activity at the firewall). CUOL, for example, has helped several CUs that engaged a third party to perform a network security assessment by reviewing the findings, helping formulate the management response, and developing a strategy to address the more complex issues.
A final area where CUs may require assistance is business continuity and disaster recovery planning and testing. While IT providers are responsible for recovering the computer room and their own support channels in the event of a disaster, CUs still need to implement and test sound business recovery strategies of their own, customized to fit their specific needs.
A number of data processing providers can help CUs meet these compliance challenges. Adding value to the overall relationship and providing a true, mutually beneficial partnership are particularly critical as CUs face increasing compliance demands and new regulations that require ever more advanced technology.
Barbra L. Lowman is chief operating officer and compliance officer for Credit Union On-Line. She can be reached at 800-884-2865 x552.