Vulnerable Marketplace Brings CUSOs Together to Create Compliance Force
Nearman, Maynard, Vallez CPAs, a 30-year-old accounting firm with more than 120 credit union clients, and CastleGarde Inc., a provider of credit union information security and regulatory compliance program services, have partnered to create a cross-pollination force to ensure the industry is prepared to meet compliance scrutiny and industry breaches.
Tampa, Fla.-based CastleGarde specializes in both the policy and technology risk assessment aspects addressing the controls, access, management, and safeguarding of member information as defined by NCUA Reg. 748 appendix A and B. Other services include information security policy and procedure reviews, external penetration testing, and onsite vulnerability assessments such as physical security to measure information security compliance and effectiveness. Meanwhile, Nearman in Coral Gables, Fla., has built its business on developing accounting systems and resolving management problems all in the midst of constantly changing compliance regulations.
"We thought about our goals and saw that there was a focus on audits, the Bank Secrecy Act and other areas," said Chris Vallez, a partner with Nearman and chairman of the firm's accounting and auditing standards committee. "This alliance will give our clients a deeper well of services to draw from."
The discussion to form a strategic partnership goes back to Nearman reassessing its goals, said Vallez. The company had an IT department for years. However, as the "complexity of regulations" increased, it started exploring the idea of forming a joint venture. Vallez would run into CastleGarde executives Jon Bebeau, president/CEO, and Alan Ropes, chief operating officer, at various conferences. After some discussions, in June 2008 the decision was made to move forward with the alliance. Together they serve more than 225 credit unions nationwide.
"We found ourselves being challenged with things like [certain types of] audits; credit unions wanted to know if they were processing certain things correctly," Bebeau said. "That wasn't our expertise so we would have to say 'no, we can't help you.' After we mutually went through the vetting process, we found out what our core strengths were."
Now, Nearman and CastleGarde's clients have a link up for IT and internal audit services. Ropes said that's a plus given all the recent focus on third-party due diligence.
"You have two firms that are familiar with each other. More importantly, it's a huge positive when we tell people that we work exclusively with credit unions," Ropes said.
Bebeau said there is a litany of regulations coming down the pike that are interwoven. Once upon a time, information technology and security were in the back office. Today, a holistic approach has led to practically everyone in a credit union working on a PC or database.
"As we moved out away from mainframe into the entire credit union, we kept bumping up against the financial side. At the time, we certainly weren't capable of going there but now, we have somewhere to go," Bebeau said.
With NCUA pushing for more internal audits, Nearman is seeing an increase in demands for the service, said Jennifer Hoskins, a partner with the accounting firm, who oversees all phases of audit engagements. And those requests are coming from credit unions of all sizes ranging from $5 million to more than $100 million in assets, she pointed out. The CastleGarde and Nearman linkage now allows for the expertise to hone in on the IT side.
"Credit unions were asking the supervisory committee to do that and most people didn't have the time so they farmed it out," Hoskins said.
Loan losses and loan portfolio management are other areas Nearman is seeing more of. Hoskins said the occurrences have been triggered by members losing their incomes because of job layoffs and others turning in their cars because they are unable to make the payments. Vallez said this has all put pressure on determining the right amount in loan loss allocation. With job cuts coming at an even more rapid pace, it's very possible that a credit union is experiencing more losses than it actually knows about, he said.
"As much as we can do on the audit side, there's not much more we can do," Hoskins said. "A lot of our clients have experienced huge loans and negative incomes. All we can do is the due diligence."
The strategic partnership is also timely as NCUA deploys more examiners to keep pace with industry fallout, Ropes said. While credit unions are supposed to do ongoing risk assessments, they sometimes "let them sneak by," mainly because of tightened budgets. CastleGarde has received a number of "emergency calls" lately and the firm is "literally slammed" with requests to meet NCUA Reg. 748, which deals with security programs, suspected crimes, suspicious transactions, catastrophic acts and Bank Secrecy Act compliance.
"It's the type of thing that people are asking 'how can you get here fast and get it done,'" Ropes said. "Our calls come right when NCUA just arrived or immediately after. Regardless of the size of the credit union, [compliance issues] have an impact on their CAMEL rating."
Ropes said six months ago, credit unions held back on implementing certain services. Now, "the dam has been released and we're getting a proposal a day." Vallez said Nearman is not seeing that kind of ebb and flow because certified audits are an annual task. The firm has noticed credit unions switching auditors and choosing comprehensive risk management analysis rather than piecemeal, another move Vallez said is being pushed by the NCUA. Loan participations, for instance, have undergone more stringent risk examination, he noted.
Another area of focus is business continuity planning, which saw a renewal after Hurricane Katrina in 2005, Bebeau said. It's not enough to have policies and procedures in place, he advised, but to actually know what to do with them should a disruption occur. Identity theft, IT controls and the changes in standards for certified audits are expected to be hot button issues for the foreseeable future, all agreed. Attacks on consumer account information at banks, supermarket chains and other retail outlets have put credit unions in a more vulnerable position, Ropes said. All the more reason the Nearman and CastleGarde partnership can provide the ammunition to offer protection for credit unions.
"The bad guys look at credit unions as being one-off. If you try to go at a Bank of America, they're a monolithic," Bebeau said. "But something coming at a credit union big and strong, that's another story."
Ropes added, "All you have to do is look at Heartland [Payment Systems]. There's plenty to keep us all busy."