As part of our “Ask an Exec” initiative, each quarter BCYL members are asked to submit questions to our featured executives. Questions are compiled and highlighted on our website with corresponding responses.
For this edition, Carl Lamoureux, Chief Risk Officer from First West Credit Union, and Harmolk Brar, VP of Risk and Compliance at Integris Credit Union, share their insights on risk and compliance within the credit union system.
Questions:
1. What are the most prominent emerging risks facing credit unions and what steps are you taking to prepare for them?
2. Credit Unions are heading into a future of open banking, payments modernization, and other industry changes. In terms of risk and compliance heading into this future, where do you see the greatest opportunities for collaboration within individual credit unions, and between them and their industry partners?
3. In an environment of continually changing and increasing compliance requirements, how do you continue to foster an effective and meaningful risk culture throughout your CU without overwhelming your people, and what role can those outside of risk and compliance play in supporting this culture?
Carl Lamoureux, Chief Risk Officer, First West Credit Union
What are the most prominent emerging risks facing credit unions and what steps are you taking to prepare for them?
Credit Unions are exposed to a variety of risks that require constant attention. Among the most prominent risks right now are 1) Credit risk, related to the macro-economic environment and 2) Cyber security risk.
Credit Risk
There is a lot of uncertainty with the economy. While no one can predict if a recession is on the horizon, we expect the recent and rapid increase in the Bank of Canada overnight rate will eventually impact the vast majority of households by increasing the cost to service their debt. We are starting to see a direct impact on variable rate mortgage holders, and over time, fixed rate mortgage holders will also be impacted when it becomes time to renew their mortgage. In addition, we are also seeing evidence that home prices in some regions are starting to decline. Finally, the central banks are increasing interest rates to curb the high inflation, which will slow down the economy and accentuate credit risk.
It’s difficult to model how all this will impact our lending portfolio. To prepare for this, we put in place various proactive and reactive measures to mitigate the potential increase in credit risk. The most important control is having sound and prudent underwriting. At First West, in 2019, we have adopted OSFI’s B-20 underwriting practices. This includes using a qualification rate that adds a 200 bps “buffer” to account for a potential interest rate increase. This is helping our members absorb the recent rate increase.
On the reactive front, we recently initiated various campaigns to reach out to our members who have been impacted by the increased debt payments. Different options are offered to assist them based on their unique situation. Finally, we increased the monitoring of our lending portfolio by following very closely metrics such as delinquency, LOC/HELOC utilization, credit score migration, etc. These early indicators will help us dictate our mitigation strategies going forward.
Cyber Security Risk
Cyber security is top of mind for every Chief Risk Officer. This is a type of risk that is very hard to forecast. An event such as a data breach or a ransomware normally happens without any advance notice, and it requires constant vigilance. While most organizations have cyber security insurance to offset the cost of remediation, the biggest impact that is difficult to mitigate is reputational risk. A series of controls are in place to mitigate cyber security across various dimensions: Identify security risk and data that requires protection; Defend by implementing multi-layer preventive controls such as patch management and access control; Detect malicious and unauthorized activity; and Respond, Recover and Learn from cyber security incidents.
Credit Unions are heading into a future of open banking, payments modernization, and other industry changes. In terms of risk and compliance heading into this future, where do you see the greatest opportunities for collaboration within individual credit unions, and between them and their industry partners?
There are many changes that will enhance the delivery of financial services. This is very positive for our members that expect the same efficiency and speed from their financial institutions, such as ordering from their favorite online store. While these changes are positive for the industry, they bring new risks or compliance issues that will impact all credit unions. There is a great potential for the system to combine effort to address these issues. Not only is this a more effective way to use our resources, but it also allows us to have a stronger voice at the table. For example, when we raise a concern with regulators or government officials through CCUA, it’s a voice that represents over 200 credit unions serving close to 6 million members. It is also in our DNA to share and collaborate among system members. This is not prevalent among Canadian banks. We are part of a system, are stronger when we work together with our industry partners.
In an environment of continually changing and increasing compliance requirements, how do you continue to foster an effective and meaningful risk culture throughout your CU without overwhelming your people, and what role can those outside of risk and compliance play in supporting this culture?
This is consistently on my mind as the list of regulatory requirements continues to grow longer every year. To keep everyone engaged and to keep our risk culture intact, I involve the business throughout the full life cycle: I.e., working to provide feedback to regulators on draft guidelines, keeping them updated on discussions with regulators, assisting them in performing self-assessment, gaps analysis, discussing potential controls, etc. As the second line of defense, Risk management needs to set the right balance between assisting the business in implementing new risk management practices and providing independent oversight.
Another critical element is to highlight the value of these requirements. These requirements are often imposed on us to protect our members, the credit union, and the financial systems as a whole. This is a good thing, and we should implement these requirements with this mindset.
Employees outside of risk and compliance play a key role in maintaining a good risk culture. They have a front row seat to many aspects relating to risk or compliance. They process transactions, they design processes or new products, and they interact with our members or third-party vendors. They are the ones that can quickly identify issues before it becomes a larger problem. That is why risk management cannot be the sole responsibility of the risk management and compliance group. This is why financial institutions operate under a three lines of defense framework. This is not the most efficient way to manage risk, but it is very effective. This is important when we deal with our members’ money.
Harmolk Brar, VP, Risk and Compliance, Integris Credit Union
What are the most prominent emerging risks facing credit unions and what steps are you taking to prepare for them?
I think the most prominent emerging risks facing credit unions today are:
- Economic uncertainty as a result of tighter monetary policy.
- A correction to housing prices.
- Increased competition due to open banking and digital innovation.
- Climate risk impact on credit union assets.
- Increased anti-money laundering (AML) requirements as a result of the findings from the Cullen Commission Report.
In order to prepare for / manage these risks, we are taking the following steps:
- As we head into a looming recession cycle, we are conducting different scenario modelling and stress tests to get a better sense of what type of impact we may see to our growth strategy and objectives in order to help us build specific action plans to target the goals we intend to achieve.
- A potential recession and a correction to housing prices could also set up the perfect storm for increased borrower defaults and / or credit losses. There are various actions we take to manage this risk such as conducting regular analysis of our lending portfolios to determine which borrowers may be at highest risk, stress testing portfolios for different risk factors, monitoring and managing delinquency on an ongoing basis, ensuring our practices for credit loss provisions take into consideration environmental risk factors, and ensuring we have sound underwriting practices (including the B20 stress test for borrowers) and updating them as needed.
- Developing strategies and road maps to help us compete in the open banking space and keep pace with digital innovation.
- Looking at processes and systems that we can use to better determine which assets are at various risk severities due to climate change.
- Participating in discussion with regulators as they consult industry on draft AML changes and guidelines.
Credit Unions are heading into a future of open banking, payments modernization, and other industry changes. In terms of risk and compliance heading into this future, where do you see the greatest opportunities for collaboration within individual credit unions, and between them and their industry partners?
I think digital transformation, open banking, ESG, and many of the potential regulatory changes that the BC Financial Services Authority has planned on their roadmap will provide great opportunities for collaboration not only within individual credit unions but also between them as well as their industry partners. Many of these initiatives may create opportunities for credit unions to collaborate with each other to leverage resources and achieve greater efficiency.
For instance, digital transformation and open banking initiatives will require a variety of credit union stakeholders at the table, including risk and compliance functions, to ensure various impacts across business areas and processes are understood and risks can be managed according to their risk appetite. These types of initiatives could also create opportunities for collaboration amongst credit unions who are also on similar paths when it comes to digital transformation and to leverage resources as they look to similar vendors to help them with their transformation needs. When it comes to open banking, the federal government is still working through the requirements for credit unions to participate in the open banking space. However, we do know that there will be some baseline requirements regarding accreditation, privacy, security, and liability. Again, this may create opportunities for credit unions to collaborate where they share the same banking system provider or are looking to partner with the same fintechs so that they can leverage resources to complete requirements, conduct due diligence on the same vendor, etc.
In an environment of continually changing and increasing compliance requirements, how do you continue to foster an effective and meaningful risk culture throughout your CU without overwhelming your people, and what role can those outside of risk and compliance play in supporting this culture?
Fostering a culture of risk awareness is important throughout all lines of defense especially in the wake of changing and increasing compliance requirements. In doing so, it is important to ensure that staff and management across the credit union understand their roles and responsibilities as the first and second lines of defense. It is also important that risk and compliance functions not work in silos but collaborate with business areas to socialize upcoming changes in compliance requirements and the related impacts to their processes. The longer the runway to help employees understand what is coming down the pike, the more resilient they can become to feeling overwhelmed with the changes. The rest relies on rolling out compliance changes with proper change management techniques, training, and providing knowledge refreshers / support where necessary.
Leaders outside of the risk and compliance functions can support this culture by ensuring that they understand the reasoning and intended purpose behind compliance requirements in order to better educate, train, and coach their staff. We often hear those in the business say that certain things have to be done because of compliance reasons. However, there is an ability to reframe the message so that compliance activities are not viewed as undue hardship.
The combined results of these activities by the first and second lines of defense can help to mitigate the fatigue of changing and increasing regulatory requirements and result in more knowledgeable staff who feel more confident and resilient in managing regulatory risk.