The Changing Tides of Regulation: How Credit Unions Must Evolve

By Scott Johnston12.26.2018

In an industry where everything seems to be in a constant state of flux – from technology and operations to the member overall experience and branch formations – expectations from regulators are no exception. They have become stricter and more diligent in recent years and are adopting a more comprehensive approach to auditing credit unions and their internal controls.

These increasing regulatory pressures are necessary and intended to help better protect members’ sensitive data; however, they can pose a significant challenge to any credit union, especially the smaller institutions that often lack the necessary resources. Credit unions today must now dedicate more time and energy than ever before to meet these arduous demands, efforts that were previously spent on more strategic, member-facing or growth-oriented services and activities.  


Areas of Focus for Regulators

Regulators in the current environment are stringent when it comes to security and data protection. For example, they’ve placed a specific focus on stronger visibility of malicious activity, more sound prevention methods and having the ability to respond and remediate in a timely fashion.  

At a minimum, credit unions should have a solid patch management process in place to manage patches or upgrades for software applications to prevent vulnerabilities from being exploited by hackers. There are several solutions available for inventory and rapid deployment of necessary patches. If budget prevents the purchase of this type of software solution, Windows Update should be enabled to automatically update both the operating system and Microsoft Office suite as newer versions become available. Other applications such as Adobe should also be validated to ensure the patch level is current. In addition to leveraging technology solutions, credit unions should have proper operational procedures and internal audit controls in place.

Implementing an “inline” security tool to actively monitor and analyze network traffic is a more desirable practice. These tools create high visibility into malicious activity and enable staff to employ immediate remediation efforts. Proper staffing with qualified security personnel is critical to analyzing, identifying and effectively engaging when a malicious event is occurring; otherwise, an inline tool is virtually useless. Reflecting back on the Target breach that occurred in 2013, alerts were going off, but no action was being taken by employees. A February 2014 article in ComputerWorld by Jaikumar Vijayan explained, “The massive data breach at Target may have resulted partly from the retailer's failure to properly segregate systems handling sensitive payment card data from the rest of its network.” Technology is effective, but the human element cannot be overlooked.

Another closely monitored area for regulators is a credit union’s disaster avoidance and recovery plans. With the unpredictability in weather patterns, institutions must have a Business Continuity Plan (BCP) and Business Resumption Plan (BRP) detailing how they will continue to serve members and protect the sensitive member data and information should a natural disaster occur. This plan must be reviewed and systems should be tested at least annually to ensure the data can be recovered on an alternative system if needed. Testing documentation should be available to the auditor. Demonstrating the ability to recover in a reasonable amount of time is expected. When planning for an unforeseen disaster, all operational aspects must be considered. Even having a “reciprocal” partnership with another credit union to provide assistance in the event of a disaster could significantly help.

Both security and disaster avoidance pose a noteworthy challenge from a knowledge and cost perspective. Unfortunately, this is only exacerbated as some credit unions often lack the manpower, expertise and budget necessary to properly implement these solutions and programs.


Outsourcing Can Ease the Burden

Smaller credit unions can overcome these burdens by exploring an outsourcing relationship. Finding a provider that has the necessary infrastructure in place, security certifications, knowledge and experience that can handle these areas removes this challenge. This approach enables a credit union to reduce the regulatory burden, as they can now rely on their partner to monitor malicious activity, assist with testing and make constant system improvements to stay ahead of audit and regulatory requirements. Outsourcing providers also have dozens of talented individuals to provide more cost-effective access to necessary support. Additionally, outsourcing these functions can reduce the time and resources spent on constant software and hardware upkeep while also significantly boosting security and data integrity.

If a credit union determines this option is appropriate, due diligence is a vital step, as partners and methods of outsourcing operations can be vastly different. Being reactive toward security measures and disaster avoidance and recovery is unacceptable; having a partner that is proactive is necessary.

Credit unions must ask their outsourcing partner where their sensitive data will be housed as well as stored, what certifications they currently have, how information is protected in case of a disaster and how these services such as cybersecurity protection and disaster recovery are factored into the overall model and cost, just to name a few.  A partner should maintain a strong, proven security posture and provide state and federal regulatory audit findings, as well as maintain a clean SOC 2 that is completed annually. It is also important to strategically select a partner that aligns with the needs, culture and goals of their organization.

The changing tide of regulations and how they are being enforced won’t stop with the current crack down on data security practices; more dramatic shifts remain ahead. The NCUA recently announced its plans to eventually conduct all exams remotely, which will be a big adjustment for credit unions. As the regulatory environment continues to increase in complexity to keep pace with the current threat landscape, credit unions must evolve as well.

Scott Johnston is executive vice president and chief operations officer of Member Driven Technologies, a CUSO that provides technology solutions to credit unions.