KINGSTON, N.Y. - Mid-Hudson Valley FCU's Internet sites are FFIEC compliant, no thanks to automation.
"Due to its very nature, you can't automate compliance," suggested Jessica Fox, VP-risk management at the $700-million CU here. To supplement its compliance efforts, Mid-Hudson Valley FCU (MHVFCU) takes advice from an outside compliance expert.
"Regulations are coming fast and furious now," Fox explained. "I don't have the time to research every compliance question that comes across my desk. To have a partner research a 450-page regulation and complete a thorough, formal risk assessment of our Internet sites is invaluable."
Although some vendors provide checklist tools that may help automate the compliance process, interpreting the content of those checklists is hairy, added Andrea Stritzke, VP-regulatory compliance at PolicyWorks, the firm that, she said, "interprets the gray areas" across MHVFCU business areas.
"Our credit union clients need to talk to us and have us compare their very specific disclosures to the regulations, for example," said Stritzke. "You can't automate whether the credit union's online marketing is compliant."
Internet site compliance should be considered from three perspectives: disclosures, risk and security, she said.
Members Not Aware
Members lack awareness about Internet security - that's one of the biggest challenges credit unions confront as they work to comply with last year's FFIEC supplement to guidance on Internet banking authentication, according to Tony Schwarz, director, risk management, Affiliates Management Company, the PolicyWorks parent company.
"The end-users enable Internet banking transactions, so they need to be educated as to how to use anti-virus software and the types of sites and links they should avoid," said Schwarz.
MHVFCU is acting on PolicyWorks' recommendations by enhancing educational resources, adding security tips and solutions online in an attempt to inform a relatively tech-savvy membership about Internet security, Fox said.
"We hold a stake in educating the member in how to be safe with their computers," she explained. "We want to make sure they're doing what they need to do to protect their finances. If we lose member trust because of a security incident, we lose everything."
MHVFCU relies on PolicyWorks to provide an annual compliance review of its Internet banking platforms, said Fox. "When third-party vendors misinterpret a regulation, it's helpful to have supporting documentation from PolicyWorks to communicate what needs to change and why."
Assessing risk of Internet sites "doesn't have to be super complicated from a compliance perspective," said Schwarz. "You gather the information, including policies, documentation of online processes and vendors, the types of transactions permitted and the personal credentials available on the sites. You show how you identify and rank the risk and what controls are in place to make the risk tolerable to the credit union management."
When mobile banking debuts at MHVFCU in April, the service will also be scrutinized for compliance, Fox said. The best strategy is to integrate mobile banking policies and processes into existing compliance practices, Stritzke added.
"Make sure you've integrated your mobile banking into your BSA (Bank Secrecy Act) statement and risk assessment," she said. "Integrate it into your vendor due diligence. Examine disclosure issues regarding mobile marketing."
PolicyWorks also helps MHVFCU address annual compliance audits and daily questions that relate to the Bank Secrecy Act, Home Mortgage Disclosure Act and Fair Lending, said Fox. "PolicyWorks is a cost-effective way of solving regulatory issues that come up in the course of doing business."