Credit unions with inadequate enterprise risk management infrastructure must navigate a maze of vague and still unfolding government requirements in regard to the CARES Act landscape. But knowing their members helps.
Steven Minsky, the CEO and founder of LogicManager, which provides ERM systems, explained how financial institutions will find themselves at the center of two loan programs – both as distributors of the funds and potential borrowers – the Paycheck Protection Program and a second separate program allocating some $500 billion for mid-sized and large businesses, states and municipalities. He outlined steps they should follow to mitigate the risk involved.
Minsky, who served as a risk management expert during the 2007 Great Recession and the associated TARP bailouts as well as the 2009 H1N1 pandemic, suggested financial institutions with inadequate ERM infrastructure may spend their time trying to shift their liability from performing due diligence on companies to the government, not realizing the real risk of their own internal processes.
Weak ERM programs may also put financial institutions at risk of losing their customers without a merger or acquisition or find themselves driven by the pressure of contributing to the public good and finding new revenue sources in order to process as many loans as possible. Because of this, Minsky pointed out, when the dust settles, they may discover they have inadvertently directed enormous capital resources to professional fraud rings and terrorist organizations looking to fund their activities.
Recognizing their customers presents a challenge to financial institutions participating in PPP. However, not necessarily for credit unions. Minsky said, “Credit unions are extraordinarily good at knowing their members, its embedded within their community.”
Minsky laid out key strategic steps financial institutions can take now to strengthen their operational risk and fraud detection programs:
1. Risk identification. Engage the organization’s risk managers in the design of the loan application approval processes and provide an independent authority to perform a robust risk assessment to identify the operational risks of loan applicants. Do not outsource this authority to consultants or other third parties. “You can outsource the activity but you cannot outsource the risk.”
2. Risk assessment. Mobilize a cross functional expert team such as auditors and third parties through a common loan application and evaluation framework to assess potential PPP borrowers.
3. Mitigation transparency. Ongoing changes to the PPP rules and guidance require attention. Many financial institutions struggle to trace back a loan to a policy change.
4. Risk-based incident management. Providing a channel for members, employees and partners to provide anonymous tips for fraud dedicated to the PPP program – or even for member complaints in times of change – is really important.
“Credit unions are very well placed to actually manage the number one problem in this program, which is fraud detection and operational risks. The first thing is to embrace that,” Minsky said. “Credit unions may feel that this is a big banker’s game and feel overwhelmed potentially. They have to dig down in their roots of serving their community and knowing their customers. It is going to be a huge asset. The credit union may not even appreciate how much of a competitive advantage they actually have at this time.”