By Roy Urrico
Credit unions rarely, if ever, encountered the challenges they did earlier this year when COVID-19 first struck. More recently, as branch lobbies started re-opening, they faced new risk management tests not as readily apparent.
In April and May, credit unions with inadequate enterprise risk management infrastructure had to navigate a maze of vague and unfolding government requirements in regard to the CARES Act landscape, according to Steven Minsky, CEO and founder of Boston-based LogicManager, which provides ERM systems.
Now in addition to overseeing funding, credit unions have the double task of ensuring both employee and member safety in physical locations.
Minsky, who served as a risk management expert during the 2007 Great Recession and the associated TARP bailouts, as well as the 2009 H1N1 pandemic, explained this past spring financial institutions found themselves at the center of loan programs, both as distributors of the funds and potential borrowers.
To process as many loans as possible many credit unions had to depend on weak ERM systems unable to detect the hazards. Minsky pointed out, when the dust settles, maybe six months to a year later, they may discover they inadvertently directed enormous capital resources to fraud rings and terrorist organizations looking to fund their activities.
With more stimulus funds possibly on the way in late-2020, Minsky laid out key strategic steps financial institutions can take to strengthen operational risk and fraud detection programs:
1. Risk identification. Engage the organization’s risk managers in the design of the loan application approval processes and provide an independent authority to perform a robust risk assessment to identify the operational risks of loan applicants.
2. Risk assessment. Mobilize a cross-functional expert team, such as auditors and third parties through a common loan application and evaluation framework to assess potential borrowers.
3. Mitigation transparency. Ongoing changes to evolving government programs and the rules and guidance that apply require attention (many financial institutions already struggle to trace a loan back to a policy change).
4. Risk-based incident management. Providing a channel for members, employees and partners to provide anonymous tips for fraud dedicated to the government programs – or even for member complaints in times of change – is important.
Minsky advised credit unions to dig down to their roots of serving their community and knowing their members. “Credit unions may feel that this is a big banker’s game and feel overwhelmed potentially. But the credit union may not even appreciate how much of a competitive advantage they actually have at this time.”
At same time, credit unions need to practice safe lending during the pandemic, Minsky suggested. Such as making sure the organization follows through on certain protocols, making sure they utilize good judgement, vet properly, take advantage of knowing members, and properly conduct credit reviews. “Operating in COVID times that’s a good thing, but you have to have policies, evidence collection, and audit over the process. You need make risk assessment part of your process.”
As credit unions and banks reopen brick-and-mortar locations, the complexity level linked to developing safe and sound procedures — such as tracking and capturing documented evidence of the precautions — increases as well. Credit unions, as with any organization during this pandemic time, need to consider the consequences of lawsuit, liability and reputational damage for not following safety protocols for members and employees, explained Minsky. “If the organization is not doing the best from a governance standpoint to provide evidence of following safety practices consistent with reasonable COVID-19 guidelines, the credit union could leave itself vulnerable.”
All industries share common liabilities growing from employee and customer lawsuits over negligence in preventing the spread of COVID-19. Minsky has recommended a series of mitigation questions all organizations should prepare to answer, including:
How will your organization provide evidence they followed policies and procedures?
How will your organization connect this evidence to controls and risks and policies?
How will your organization address identified risks?
How will your organization prioritize how much investment to make?
How will your organization track these efforts over time and connect back to changes in legislation, which is evolving every week, to demonstrate following commercial reasonable practices based on the information available at that time?
Credit Unions Tackle Lobby Access
Extraordinary times call for extraordinary measures, Minsky said, suggesting COVID-19 precautions are essential to mitigate the risk of negligence as companies reopen or expand reopenings.
“There are differences between operating in COVID times versus non-COVID time,” Minsky said; things like a having a janitorial log, and a record of member appointments. How does a credit union show that on a specific date they actually disinfected door handles, bathroom facilities, desks and counters?
“That's another challenge to think about. Not only that you did it, but how do you prove you did it six months from now, a year from now?” Minsky said. He added that organizations have to prove it engaged in a reasonable commercial practice at the time, and that's where enterprise risk management comes into play. “Just like you would in all other areas of your business, you have to keep your documentation in order.”
This additional complexity increases the necessity of not only developing sound processes and procedures, but tracking and capturing documented evidence of followed procedures.
What do extra precautions mean for credit unions?
ATMs: “Have you disinfected your ATM – even if they have not come in contact with a person? It's your property think about it,” suggested Minsky. “There is an expectation of care there. And you have to show that you did your best. Also, are employees protected while wiping down the equipment or stocking the equipment?”
Servers: “If you're going to ask an employee to go into the office to reset your server, have you set up a policy of expectation of what the employee is supposed to do (even if they are going in just for an hour, have you warned them to wash their hands)?” Minsky asked.
Shifts: “Have you scheduled employees so they do not randomly show up at the same time and interact? Have you made protocols on how many employees can be in your financial institution office at the same time?” Minsky questioned.
“You have to think through the standard of care,” Minsky said. “Can a credit union show it gave employees the appropriate equipment and proper procedures, and do you have actual evidence of having followed through and all those procedures?”
Risk Management as a Differentiator
Minsky observed, “We've noticed once you start being thoughtful about your branch operations, in terms of concerns and risk management, you actually start awakening and become thoughtful in all your areas of your operation. In the credit union world, apply risk management to everything we do.”
ERM software, like LogicManagers’, helps create an evidence chain with time and date stamping that includes collecting documentary proof of signed off polices and tasks showing followed procedures. Minsky noted if any organization contemplates re-opening without the support of ERM software, they are playing Russian roulette with their financial, reputational and career future.
In a recent blog, Minsky also pointed out businesses returning to work while attempting to address these issues may create new difficulties including unlawful employment practices, invasion of privacy, and failure to comply with workplace safety requirements. Similarly, customers could unleash a number of common law torts and statutory claims against businesses should they contract COVID-19.
The liability of lawsuits and penalties due to negligence over the next year warrants a sustainable approach to risk management. Hunton Andrews Kurth LLP, which maintains a comprehensive database of state and federal litigation involving COVID-19 claims, tallied more than 4,600 complaints filed through Aug. 31 with almost 100 relating to the banking/financial services industry. While most claims seem to involve such matters as companies’ disputes with insurers, there are also a number of small businesses taking financial institutions to court over missing out on rescue loans, students seeking refunds from universities, and personal injury, wrongful death, inadequate safety measures and workplace health and safety claims. Those figures are likely to grow.