When Should You Add New Policies at Your Credit Union?

In Compliance Land, a question that keeps resurfacing is, “When do I need a policy (or when do I need to write a policy)?” Most people that ask this question are hoping to hear that they have sufficient policies and can give it a rest. Unfortunately, no one rests in Compliance Land.

Today’s compliance officer is constantly reviewing policies to make sure that they are up to date and sufficient to cover operations. Updating policies is fairly straight-forward. When a change is announced by regulators or law-makers, we change policies as soon as we’re notified.

Adding policies takes somewhat more discretion. Once a policy is created, your credit union will live with it from now on. So, what events can you use as benchmarks or guidelines to know when to write a policy? Whenever a service, product or organizational change is made, in most cases, a new policy should be written.

New Services

With regard to services, the need for policies is very apparent. Any service a credit union offers needs to have direction and a platform for offering the particular service or services. Your policy should answer important questions such as:

• What is the service (specific) that we’re offering?
• Why are we offering this service?
• How will the service be offered?
• What’s the cost for the service (and how is that determined)?
• Who will be responsible for the new service?
• How will we control and monitor the service?

Services such as notary, check cashing, ticket sales and anything requiring employee time fall under this category. In most cases, these services can by written into a single policy. It’s important to remember that services requiring more complexity and additional steps or effort should be separated into an individual policy.

New Products

New products should immediately invoke the need for new policies. Rules here are simple: bigger products = bigger policies. From a litigation standpoint, clarity in the description of how a product works and should apply to our members can determine whether a case goes to court. 

In a situation such as implementation of remote deposit capture (RDC), your initial policy may result in changes to several other policies. With RDC, you might not only invoke a new policy for the product, but could end up with changes to policies such as Security, Audit, Availability of Funds, Bank Secrecy Act, and OFAC (for example). As with RDC and other similar products, a policy can also result in the need for a Risk Assessment (dependent upon the risk associated with that product).

Organizational changes are a definite red flag to alerting management that a policy is necessary.  The advent or social media (Facebook, Twitter, etc.) used as a marketing tool, in addition to use by employees, is a perfect example of the need to create a policy. As we’ve seen the use of social media vehicles increase, we’ve also seen more questions arise as to appropriate sue of social media by staff, professionally and personally, as well as the need to address both legal and compliance-related issues the go hand-in-hand with the changes social media imposes on the organization.

So, when do we need to create or write a new policy (or policies)?  As we’ve seen, the addition of services, products and organizational changes provide an excellent starting point. These are certainly starting points for that determination but in no way represent every instance when a policy needs to be developed. Above all, the compliance officer (or department) needs to be in agreement with management as to the necessity for the policy as well as its structure, applicability and any training associated with it.

By Steve Gibbs, CUCE, BSACS, AVP Shared Compliance, Credit Union Resources, Inc.