The Hidden Risks in Credit Union Regulatory Examinations — and How to Avoid Them
I recently was invited to give a talk at the Credit Union InfoSecurity Conference in San Diego. I shared five of the hidden traps for regulatory compliance and examinations for credit unions. What follows is the lightly-edited text of that presentation.

Good morning. My name is Brad Powell. I’m the founder of a company called Redboard, and I’m here today to talk with you about a necessary evil: credit union exams.


Ok, not that kind of examination. Regulatory examinations.

My goal today is to help you identify the traps and pitfalls you might face with regulatory examinations. With any luck, I can help you navigate common credit union risks and the headaches that come with them.

Why We Created Redboard

Over the past two decades, Redboard has worked with credit unions tackling their biggest challenges. In fact, we’re probably best known for helping the nation’s largest credit union address its most complex issues.

We all know that credit union exams and audits are a headache, and it’s getting worse. Regulators are starting to make examples of the big players, including big fines and headlines. And from their statements, they are just starting with the big guys, and it’s about to flow downstream to credit unions like yours.

That’s why we created Redboard. We talked with experts, including credit unions, attorneys, IT professionals and others. We discovered some common frustrations faced by credit unions, and we built Redboard to address those common frustrations.

And although we built Redboard as a secure system to address credit union exams, I’m not going to show you a demo or even a screenshot today. We’re just going to talk about the three most common frustrations, and how you can address them — with or without Redboard.

Are You Prepared for Your Credit Union Exams?

No one wants to be blindsided by what’s requested in credit union exams. But no matter what, examinations cause a lot of anxiety and stress for credit unions.


There’s good news, though: this anxiety is easy to address. There are two simple things you can do to make sure your organization is prepared when exam time comes.

1. Leverage NCUA exam resources

First, utilize the NCUA AIRES Questionnaires. The AIRES checklists are a great playbook for the examination process. It’s like having all the questions on the test before you take it.

You can use the AIRES checklists to perform mock examinations throughout the year. Exam time is always crunch time, but taking this step will allow you to spread your preparation out throughout the year. In the end, you’ll be better prepared and better utilize your staff.

(We wrote a bit about the NCUA Supervisory Priorities Letter, too.)

2. Learn from the past

The second way you can prepare for regulatory exams is to go back to your past examination materials. Credit unions often overlook this tool, and they shouldn’t.

Records of what examiners previously asked and how you responded can be a great preparation tool. A side benefit is it helps you identify the key players in your organization who should be involved in the current exam. It also helps you avoid providing conflicting answers to regulators, compared to what you provided in the past. If you’re not utilizing your past materials, you are missing a golden opportunity.

That’s how you can use AIRES and past exams to be better prepared. Now let’s talk about some trends we’re seeing with technology for exams.

Credit Union Risks: When Spreadsheets and Email Aren’t Good Enough

In the context of regulatory examinations, the question is: are spreadsheets and email good enough?

Unfortunately, not all things that work for credit union exams are the best ideas.


Some of you might be surprised that I mention something so rudimentary as spreadsheets and email as tools for examinations. But the reality is, the vast majority of credit unions we’ve spoken with track exam activities and deliverables using spreadsheets and email. It is the most common toolset, and it’s not even close.

For some organizations, this may be good enough. Some credit unions don’t even realize the tremendous risk that it presents.

There’s no magic formula that determines whether these rudimentary tools are sufficient. But you can ask yourself a few questions to evaluate the risk of using these tools, and to evaluate whether the risk is manageable for your organization.

Evaluating risk in credit union exam tools

From what the experts have told us, there are two different types of risk credit unions face when using spreadsheets and email. The first is what I would call ‘quality risk.’

Quality risk is the risk that you’re not doing a good job preparing for or responding to regulatory examination questions. This is the risk that your examination responses have errors or omissions.

A few questions that you can ask yourself to assess what your quality risk might be:

  • Did I include the right people?
  • Did anyone anywhere in the process drop the ball and not do their job?
  • Who did what, and how can I prove it?
  • Does our process produce a lot of one-off emails?
  • How much transparency is there in our process?
  • If our regulator could see our entire process, what would they think?

The second credit union risk is ‘security risk.’ When I say security risk, I mean, do your exam response processes risk exposure of your information? Some questions to ask on this include:

  • How are we including outside counsel and other experts in our work?
  • How is that information being shared and transmitted? Is it secure?
  • Are we opening our email system to legal discovery?
  • Or, are we diluting the legal privilege or confidentiality of our materials because of the way we handle them?
  • Is access to our materials secure inside our organization? Because you know that many security problems come from the inside.

Those are some basic questions that you can use to evaluate whether your tools are up to the task. Every organization is different.

Better tools for credit union exams

If you determine that you need something more robust, what the experts have told us is that you’ll need tools that do these things:

  • Provide an effective and efficient process to manage the examination
  • Provide robust audit trails
  • Allow for secure document transfer—with outside counsel and examiners
  • Avoid the use of email for communication
  • Deploy rapidly without being an IT support headache
  • And of course, be affordable

Those are some guidelines the experts have told us are necessary. Hopefully it’s not a surprise that we built Redboard to provide all of those capabilities.

Do IT Departments Have Appropriate Resources for Credit Union Exams?

So far, we’ve covered preparation and capabilities. Now I’d like to talk about my favorite common frustration: making time for regulatory examinations.

By a show of hands, how many of you have heard this question or one like it: “Can our IT department help us with our credit union exams and finish their other high-priority projects on time?”

I bet a lot of you feel like this guy:

Credit union exams always sound easy to the people who don’t have to actually test, secure, and deliver solutions. Add external users to the mix, and it gets dramatically more complex.

Of course, you’re also on the hook. You’re on the hook to deploy member-facing systems, introduce new products, and just generally keep the lights on. For most people, there just aren’t enough hours in the day to do it well. So, what can be done about it? In the context of regulatory examinations, you have three main options:

1. If it ain’t broke…

The first is to do nothing. Perhaps what you’re doing now is good enough, and if so, it doesn’t make sense to spend any effort on it.

2. Choose your own adventure

A second option is to build something, most likely using SharePoint or a similar tool.

I know two specific stories about this. One organization has a system they’ve invested heavily in, and it’s robust. It was very expensive, but it also works very well for credit union exams.

Another organization attempted something similar, but it failed because it was just too costly. They underestimated the level of detail and precision required, and they weren’t willing to spend the money to build what was required.

3. Avoid credit union risks with robust audit and exam tools

We built Redboard as a turnkey solution so you don’t have to build your own. However, the fact that we built it is evidence that it can be built.

But you need to ask yourself: do you want to be in the software development business or the credit union business?

As you walk through this process, key questions to ask include:

  • What’s the cost of not addressing this? The reality is if you do nothing, the world is not going to end. But there probably is some negative impact. What is that negative impact?
  • What’s it worth to the organization to solve this? If you were able to create a more effective and efficient examination process that reduced quality risk and security risk, what’s that worth to you?
  • And how much does it cost?

If your goal is to avoid common credit union risks during your next regulatory examination, any of the three options above may work for you. However, the latter two are more likely to fit your credit union’s specific pain points and address hot-button issues.

Redboard vs Credit Union Exam Risks


We have covered three key issues for credit unions facing examinations: preparation, technology, and IT resources. If you aren’t experiencing problems in any of these areas, then I congratulate you. You are outperforming the vast majority of your peers. I’d love to talk with you to find out how you’re doing it.

However, if you are experiencing any of these issues, I’d like to introduce you to Redboard. Redboard is a secure, cloud-based platform that’s designed to remove the headaches associated with credit union exams.

Redboard allows you to:

  • Better prepare for exams
  • Do so with an efficient and effective process
  • Create a robust audit trail
  • Communicate securely, both inside and outside your organization, while avoiding email

And it comes in a package that:

  • Is simple to set up and administer
  • Requires almost no IT time

Thank you for your time this morning, and I hope you have a great conference.


Next Steps for Credit Unions Facing an Audit or Exam

If you’d like to get a leg up on your next credit union exam or audit, we’ve compiled a few tools to help.

First, you can download our free NCUA Audit and Examination Checklist.

Then, if you’re interested in seeing Redboard in action, you can watch a demo of our software here.

Written By Brad Powell

Brad Powell runs Redboard, a company that helps credit unions better respond to regulatory examinations. He has 20 years of experience developing technology for credit unions and financial services companies.