Lessons from 2024 Credit Union Enforcement Actions

Written by Rafael DeLeon | Dec 11, 2024 8:00:00 PM

This fall has brought an unprecedented number of credit union enforcement actions touching on issues ranging from excessive overdraft fees to vendor management and fair lending risk. While actions taken against these credit unions focused on different types of risk, the message is clear: credit unions must remain compliant in an evolving regulatory environment. If they don’t, the repercussions are severe. 

Let’s break down these cases and explore the lessons learned from each.  

Breaking down the credit union cases

Case 1: Florida-based CU suffers operational outage due to poor vendor management 

On October 31, 2024—and what will surely go down as a "spooky" day in history for the nearly $15 billion asset credit union—the CFPB issued an order against a Jacksonville, Florida-based credit union with almost 1 million members.   

The credit union launched a new online and banking platform in May 2022, but it crashed soon after. The system was temporarily taken offline and returned with limited functionality that lasted for months, resulting in significant issues for its members, including late payments and restricted fund access.  

What led to the operational damage? The credit union’s vendor risk management failed on multiple levels because it lacked adequate risk management controls. Its policies and procedures were deficient, out of date, and not followed by senior management, resulting in a poor compliance culture that affected the entire organization. Moreover, despite using a new and untested vendor for the platform, the institution never provided proper vendor oversight.

While the CU's development team warned about the risks of pushing the conversion too quickly, the institution continued the launch. The CFPB says the botched implementation resulted in financial and non-financial harm to its members, a violation of the Consumer Financial Protection Act of 2010. 

The Bureau's order requires the CU to establish a governance committee for better project oversight, compensate affected consumers, and pay a $1.5 million civil penalty to the CFPB's victim relief fund.  

National Credit Union Administration (NCUA) Board Member Tanya F. Otsuka supported the enforcement action, calling it a "victory for consumers harmed by [the credit union's] irresponsible actions." NCUA Chairman Todd M. Harper said, "These management failures resulted in consumer harm over the course of not just weeks but months, as well as safety and soundness problems like strategic, reputational, legal, and compliance risks."

Takeaway for credit unions 

Poor vendor management can lead to significant operational and compliance problems. While the risks were foreseeable and avoidable, the CU decided to use a new vendor and bring a new service to market without proper testing. Ultimately, the institution prioritized the promise of a shiny new platform over its members’ needs. While the civil penalty, compensation, and compliance costs will continue to add up, the institution’s reputational damage is arguably just as bad.

It’s tempting to bring new products and services to market as quickly as possible, but your credit union must follow the vendor due diligence process. Vendor issues can quickly snowball and cause many problems, from threats to business operations and financial stability to compliance, operational, and reputation risk.  

Case 2: Largest CU in regulatory hot water over illegal overdraft fees

A $171 billion-asset credit union with more than 13 million members collected nearly $1 billion in overdraft fees from 2017 to 2021. The CU charged fees to customers even when their accounts had sufficient funds at the time of purchase, as fees were applied when transactions were later processed – a practice known as “authorize positive, settle negative” (APSN) overdrafts. Additionally, the institution did not disclose that peer-to-peer payments from services like Zelle, PayPal, and Cash App might not be posted until the next business day, leading to unexpected fees.  

The CFPB found that the credit union’s confusing overdraft program violated the Consumer Financial Protection Act. As a result, the CU will pay more than $80 million in consumer redress and a $15 million civil penalty to the CFPB’s victims relief fund. The institution is also banned from charging certain overdraft fees, including APSN overdrafts. The Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the National Credit Union Administration (NCUA) have joined the CFPB in taking a strong stance against APSNs, which apply when a consumer's account shows a positive balance at the time of a transaction, but subsequent payments cause it to go negative.

Regarding the enforcement and the use of APSNs, NCUA Chairman Todd M. Harper said, "APSN practices and an overreliance on overdraft and non-sufficient fees are counter to the credit union system's statutory mission of meeting the credit and savings needs of their members — especially those of modest means. Credit union member-owners have the right to know about any fees and practices that affect their hard-earned savings and credit unions owe it to their members to be transparent."

Takeaway for credit unions 

No financial institution is too large (or small) to face the consequences of its actions. As regulators continue to examine organizations’ overdraft fee programs, it’s more important than ever for FIs to review their fee structures and systems. Does your overdraft program help or harm consumers? Do your disclosures fulfill regulatory expectations? These are just a few questions to ask as you update your overdraft fee risk assessments.  

As regulation around overdraft fees continues to evolve, it’s also important to stay updated. The NCUA provides regulatory and supervisory updates, which can be a helpful resource for compliance officers. CUs can also use a compliance management system to help navigate regulatory changes, boost their team’s effectiveness, and consolidate all compliance tasks in a single platform.  

Case 3: DOJ fines Pennsylvania CU in historic redlining case

On October 10, the Department of Justice (DOJ) settled its first-ever redlining case with a credit union, highlighting the issue of lending discrimination. The Pennsylvania-based CU, with $5.8 billion in assets, agreed to pay more than $6.5 million after allegedly redlining majority-Black and Hispanic neighborhoods in and around Philadelphia from 2017 to 2021.  

The DOJ cites a pattern of lending discrimination, violating the Fair Housing Act and the Equal Credit Opportunity Act, as the CU lagged behind its peers in mortgage applications and loans. Moreover, the CU failed to open branches in underserved areas and enhance community outreach despite its commitment in 2009. While a risk assessment revealed the CU’s lending disparities, it did not address these findings.  

As part of the historic settlement, the CU must invest $6.5 million in loan subsidies, establish new branches, hire a community lending officer, and revamp its fair lending compliance systems. 

It’s important to note that the case began with a referral from the NCUA to the Justice Department. The NCUA sent six ECOA matters to the DOJ in 2023, according to the Fair Lending Report of the Consumer Financial Protection Bureau published in June 2024. So far, in 2003 and 2004, those referrals have impacted more than 75,000 consumers.  

In response to the settlement, Chairman Harper underscored the NCUA’s “strong relationship” with the DOJ’s Civil Rights Division and the department’s Combat Redlining Initiative, which investigates potential fair lending violations and aims to end discriminatory lending practices.  

“[The settlement] signals to all communities that discrimination through redlining will not be tolerated. And, it brings communities who have been discriminated against a step closer to an equitable opportunity to access safe, fair, and affordable financial services and to closing the wealth gap,” said Harper.  

Takeaway for credit unions 

The case reminds us that credit unions are not immune to fair lending violations and must actively evaluate their practices to avoid unintentional discrimination. Credit unions must assess and address their fair lending risk. 

In addition to fair lending risk, analyze your data for other issues, including potential HMDA, redlining, and 1071 risk. If you need help knowing where to begin or you're overwhelmed by your institution's data, lending compliance software can help simplify the process.

As the regulatory landscape continues to evolve, credit unions must remain vigilant, adopt best governance practices, and foster a culture of compliance to better serve their members and protect the integrity of their institutions. By doing so, they can avoid penalties and reputational loss while building trust among their members.  
