I recently was invited to give a talk at the Credit Union InfoSecurity Conference in San Diego. I shared five of the hidden traps for regulatory compliance and examinations for credit unions. What follows is the lightly-edited text of that presentation.
Good morning. My name is Brad Powell. I’m the founder of a company called Redboard, and I’m here today to talk with you about a necessary evil for credit unions: examinations.
Ok, not that kind of examination. Regulatory examinations.
My goal today is to help you identify the traps and pitfalls you might face with regulatory examinations, and how to make them less of a headache.
Over the past two decades, my company has worked with credit unions tackling their biggest challenges. In fact, we’re probably best known for helping the nation’s largest credit union address its most complex issues.
We all know that exams and audits are a headache, and it’s getting worse. Regulators are starting to make examples of the big players, including big fines and headlines. And from their statements, they are just starting with the big guys, and it’s about to flow downstream to credit unions like you.
That’s why we created Redboard. We talked with experts, including credit unions, attorneys, IT professionals and others. We discovered some common frustrations faced by credit unions, and we built Redboard to address those common frustrations.
And although we built Redboard as a secure system to address credit union exams, I’m not going to show you a demo or even a screenshot today. We’re just going to talk about the three most common frustrations, and how you can address them — with or without Redboard.
Are You Prepared?
No one wants to be blindsided by what’s requested in an exam. But no matter what, examinations cause a lot of anxiety and stress for credit unions.
There’s good news, though: This anxiety is easy to address. There are two simple things you can do to make sure your organization is prepared when exam time comes.
First, utilize the NCUA AIRES Questionnaires. The AIRES checklists are a great playbook for the examination process. It’s like having all of the questions on the test before you take it.
You can use the AIRES checklists to perform mock examinations throughout the year. Exam time is always crunch time, but taking this step will allow you to spread your preparation out throughout the year. In the end, you’ll be better prepared and better utilize your staff.
The second way you can prepare for regulatory exams is to go back to your past examination materials. Credit unions often overlook this tool, and they shouldn’t.
Records of what examiners previously asked and how you responded can be a great preparation tool. A side benefit is it helps you identify the key players in your organization who should be involved in the current exam. It also helps you avoid providing conflicting answers to regulators, compared to what you provided in the past. If you’re not utilizing your past materials, you are missing a golden opportunity.
That’s how you can use AIRES and past exams to be better prepared. Now let’s talk about some trends we’re seeing with technology for exams.
Now sometimes, we can use something that works, but it may not be the best idea.
Are Spreadsheets and Email Good Enough?
In the context of regulatory examinations, the question is: are spreadsheets and email good enough?
Some of you might be surprised that I mention something so rudimentary as spreadsheets and email as tools for examinations. But the reality is, the vast majority of credit unions we’ve spoken with track exam activities and deliverables using spreadsheets and email. It is the most common toolset, and it’s not even close.
For some organizations, this may be good enough. And some organizations don’t even realize the tremendous risk that it presents.
There’s no magic formula that determines whether these rudimentary tools are sufficient. But you can ask yourself a few questions to evaluate the risk of using these tools, and to evaluate whether the risk is manageable for your organization.
From what the experts have told us, there are two different types of risk credit unions face when using spreadsheets and email. The first is what I would call ‘Quality Risk.’
This is the risk that you’re not doing a good job preparing for or responding to examination questions. This is the risk that your examination responses have errors or omissions.
A few questions that you can ask yourself to assess what your quality risk might be:
- Did I include the right people?
- Did anyone anywhere in the process drop the ball and not do their job?
- Who did what, and how can I prove it?
- Does our process produce a lot of one-off emails?
- How much transparency is there in our process?
- If our regulator could see our entire process, what would they think?
The second risk is ‘Security Risk.’ When I say security risk, I mean, do your exam response processes risk exposure of your information? Some questions to ask on this include:
- How are we including outside counsel and other experts in our work?
- How is that information being shared and transmitted? Is it secure?
- Are we opening our email system to legal discovery?
- Or, are we diluting the legal privilege or confidentiality of our materials because of the way we handle them?
- Is access to our materials secure inside our organization? Because you know that many security problems come from the inside.
Those are some basic questions that you can use to evaluate whether your tools are up to the task. Every organization is different.
If you determine that you need something more robust, what the experts have told us is that you’ll need tools that do these things:
- Provide an effective and efficient process to manage the examination
- Provide robust audit trails
- Allow for secure document transfer — with outside counsel and examiners
- Avoid the use of email for communication
- Deploy rapidly without being an IT support headache
- And of course, be affordable
Those are some guidelines the experts have told us are necessary. Hopefully it’s not a surprise that we built Redboard to provide all of those capabilities.
So far, we’ve covered preparation and capabilities. Now I’d like to talk about my favorite common frustration. By a show of hands, how many of you have heard this question or one like it:
Can Our IT Department Help Us With This and Finish All of Our Other High-Priority Projects On Time?
I bet a lot of you feel like this guy:
It always sounds EASY to the people who don’t have to actually deliver the solution, test it, and ensure it is secure. Add external users to the mix, and it gets dramatically more complex.
Of course, you’re also on the hook. You’re on the hook to deploy member-facing systems, introduce new products, and just generally keep the lights on. For most people, there just aren’t enough hours in the day to do it well. So what can be done about it? In the context of regulatory examinations, you have three main options:
The first is to do nothing. Perhaps what you’re doing now is good enough, and if so, it doesn’t make sense to spend any effort on it.
A second option is to build something, most likely using SharePoint or a similar tool.
I know two specific stories about this. One organization has a system they’ve invested heavily in, and it’s robust. It was very expensive, but it also works very well.
Another organization attempted something similar, but it failed because it was just too costly. They underestimated the level of detail and precision required, and they weren’t willing to spend the money to build what was required.
We built Redboard as a turnkey solution so you don’t have to. However, the fact that we built it is evidence that it can be built.
But you need to ask yourself: Do you want to be in the software development business or the credit union business?
As you walk through this process, key questions to ask include:
- What’s the cost of not addressing this? The reality is if you do nothing, the world is not going to end. But there probably is some negative impact. What is that negative impact?
- What’s it worth to the organization to solve this? If you were able to create a more effective and efficient examination process that reduced quality risk and security risk, what’s that worth to you?
- And how much does it cost?
How Redboard Can Help
We have covered three key issues for credit unions facing examinations: preparation, technology and IT resources. If you aren’t experiencing problems in any of these areas, then I congratulate you. You are outperforming the vast majority of your peers. I’d love to talk with you to find out how you’re doing it.
However, if you are experiencing any of these issues, I’d like to introduce you to Redboard. Redboard is a secure, cloud-based platform that’s designed to remove the headaches associated with credit union examinations.
It allows you to:
- Better prepare for exams
- Do so with an efficient and effective process
- Create a robust audit trail
- Communicate securely, both inside and outside your organization, while avoiding email
And it comes in a package that:
- Is simple to set up and administer
- Requires almost no IT time
Thank you for your time this morning, and I hope you have a great conference.