Comply or Die

Don't skimp on compliance, especially as it relates to security.

August 27, 2010

Compliance needs drive purchases

Vendors wish it were otherwise, but pressure from auditors is often what it takes to make credit unions address security issues. “What drives most credit unions to buy our solutions is compliance,” says Prince. “We get a tremendous number of calls along the lines of, ‘The auditor is coming,’ or ‘The auditor has just arrived,’ and they need to be compliant.”

On average, credit unions spend 6% of their technology budgets on IT security, and 3% on online security/fraud prevention, according to the Credit Union National Association’s (CUNA) 2008 Technology and Spending Report. The most common security measures credit unions have in place are firewalls (95%), antivirus protection (94%) and spam filters (75%).

Andrew King, vice president of customer relations at Verafin, sees the same thing. “Some credit unions will only change or adapt when they see examinations looming, or afterward, when they come to us and say, ‘We’ve been audited and we need new technology to help us meet regulatory requirements.’ Security and compliance are a cost, and most credit unions have limited resources.”

Complicating the issue, King says, is the perception that anti-money laundering efforts, Office of Foreign Assets Control checking, case management, and fraud detection are all separate issues, therefore separate distractions. “Our response has been to roll all those tasks into one package, converting them from worrisome cost factors into a whole new capability. When an employee who has been doing paper reports suddenly has the capability to create value-added data and deep analysis, everybody wins.”

Still, says Stickley, in too many cases policy compliance is a mess. “Many credit unions have outdated or unwritten policies. Sometimes credit unions have no policy about how they deal with vendors onsite. Do they check drivers’ licenses? Provide escorts? Allow access to only certain sites or rooms?

“A computer may have a virus that was picked up unknowingly by an employee browsing in the wrong place,” he continues. “That’s why former suggestions, such as ‘Don’t go to such-and-such sites,’ now must become firm policies. It used to be that you could cut and paste policies you found online. But now policies have to be so specific and granular that you can’t get away with not writing your own.”

The newest compliance requirements involve “red flag guidelines,” regulations that call for policies to protect member data and other sensitive information. “Most regulations don’t say what technology to deploy,” says Prince. “They’re more about policies and procedures—what you’re going to protect and do to protect it.”

He says credit unions must be able to answer these questions:

  • Do we have policies in place?
  • How are we detecting incidences of red flag activity?
  • What are we doing in response?
  • How are we training staff? Are employees prepared to deal with someone who comes in with a false ID, and do they know how to look for fraudulent elements in a loan application?
