Compliance and litigation trends

Compliance risk arises primarily from failure to comply with federal, state and local laws and regulations. Non-compliance can result in regulatory fines, civil money penalties, restitution and damage to reputation. It also exposes a credit union to class-action litigation from attorneys who seek to exploit its non-compliance with consumer protection and data privacy laws.
It is critical to have a formalized compliance and data governance program in place: it supports the management of data, and it gives examiners, regulators and auditors a documented plan showing how compliance is ensured across the entire framework of your organization.
More compliance and litigation trends information
A formalized data and compliance governance program both assists day-to-day operations and provides examiners, regulators and auditors with the plan you are following.
A compliance management system (CMS) demonstrates the board's and management's commitment to compliance oversight. Various vendors offer CMS platforms you can partner with; choose one based on the size, complexity and risk profile of your organization.
In addition, consumer and regulatory expectations for keeping data secure continue to grow. Knowing the current threats to data privacy and security helps strengthen protection practices and prepares you for threats that are less well known or not yet considered.
As organizations of all sizes continue to expand the products and services offered to membership, they gather more data and become subject to more compliance regulations.
All employees should be knowledgeable, empowered and accountable for regulatory compliance specific to their job function. For example, lending staff should be well versed on fair lending compliance, including Equal Credit Opportunity Act (ECOA), the Fair Housing Act (FHA) and the Home Mortgage Disclosure Act (HMDA).
Many organizations designate a compliance officer or governance team to monitor the regulatory climate for changes that will directly affect operations. You should also partner with industry experts to extend your organization's reach in the financial services space.
Regulatory agencies also expect your organization to self-monitor its operations for regulatory compliance and data governance and to take corrective action as necessary. Examples of self-monitoring include fair lending compliance, Regulation E compliance and Bank Secrecy Act (BSA) compliance.
You should require an adequate and prompt response to any member complaint or allegation. The response should include:
- Acknowledgement of the complaint.
- A thorough investigation, including account review, interviews of relevant staff, policy and procedure review, and research of applicable regulations.
- Resolution or restitution, as applicable.
- Documentation of the complaint, the credit union's action and the resolution.
- Employee training, as needed, to mitigate the risk of recurrence.
Unfortunately, several data breaches have spawned multi-plaintiff or class action lawsuits by customers whose personally identifiable information (PII) was accessed by unauthorized third parties as a result of the breach.
If your organization suspects, receives an indication of, or discovers any actual or potential data breach incident, including incidents involving vendors, it is important to immediately contact your cyber insurance carrier. Providing prompt notice may aid with investigation, remediation of cyber risks and notification requirements through the assistance of an experienced breach coach.
Many data breaches have spawned multi-plaintiff or class action lawsuits by customers whose PII was accessed by unauthorized third parties as a result of the breach. A recent line of litigation targets organizations for their use of digital tracking and web analytics technologies, such as session replay tools, chat tools and pixel tracking, that violate certain state and federal privacy laws.
As states continue to lead the way in enacting data protection laws, and with data breach case law still unsettled, keeping abreast of this emerging legal area is important for understanding the varying legal risks and emerging trends in this litigation space.
With a data governance program in place, you will usually be better able to lower costs in other areas of data management; have more accurate and consistent procedures around regulatory and compliance activities; increase the value of the organization's data; and have improved monitoring and tracking mechanisms for data quality. A sound vendor management process can also help you assess these risks before an event occurs.
As third-, fourth- and Nth-party vendor cyber attacks continue to grow in frequency and severity, so do a credit union's obligations to understand its third-party and Nth-party risks in all facets of each relationship. Vendor due diligence and contract safeguards mean nothing if third-party data privacy and security requirements are an afterthought.
Vendor risk can arise from any relationship, including auto dealers in an indirect lending program, third-party debt collectors, peer-to-peer payment platforms and any type of processor.
Establish processes to evaluate, re-evaluate and manage vendor risks before entering a relationship, during it, and even after it ends. Vendor risk management is an ongoing process: it is critical to know that your vendor makes cybersecurity and compliance a constant priority and is committed to identifying and remedying problems.