Compliance Roundup: 4 Critical Areas to Review

If you feel like 2025 has been moving at light speed, you’re not alone. Somehow, we’re nearly halfway through 2025 already. With time passing so quickly and the events of this year throwing a veil of uncertainty over every aspect of credit union operations, now is a good time to review your compliance practices to ensure everything is up-to-date, accurate and well…compliant.

Here are four areas that should be on your radar to review as part of your mid-year compliance roundup:

Record Retention Standards

Earlier this year, in March 2025, the Office of Foreign Assets Control – our OFAC friends – changed the length of time required for record retention from five years to 10 years. This change was made in response to the extended statute of limitations for U.S. sanctions violations through the International Emergency Economic Powers Act (IEEPA) and Trading With the Enemy Act (TWEA).

As the updated regulation, 31 CFR 501.601, states, the 10-year recordkeeping standard applies to parties that perform transactions and/or hold blocked property (aka, frozen assets) that are flagged within the OFAC process. That means for every suspicious or potentially fraudulent transaction that flows through your credit union and produces a match on the OFAC list, your credit union must retain records on that specific case for a minimum of 10 years from the date of origination, as of March 12, 2025.

Keep in mind that the new requirement does not include backdating, so any applicable transactions/assets encountered prior to the March 2025 date will still be subject to the previous five-year retention period.

As we all know, record retention is a big job that includes large amounts of data and information. With this new requirement that doubles the amount of time for credit unions to keep OFAC records on hand, you may want to consider updating your procedures to account for extra file storage, simplified data structures and naming conventions, etc.

Policies and Procedures

Periodic review of your institution’s policies and procedures is always recommended, as it reflects changes in your systems, deals with identified risks and accounts for updates in regulatory requirements. That’s always true, particularly for credit unions that encounter high levels of risk and operate under a large number of regulations.

However, it’s especially true this year, as we’ve seen rapid change with executive orders by the incoming administration, not to mention a great many technological advancements (does AI ring a bell?).

As such, a mid-year review of your policies and procedures may be a good idea to stay on top of the many changes we’ve seen, address challenges posed by some of those directives and prepare alternative strategies for potential reversals.

In order for policies to be effective, they need to be fluid, meaning they aren’t a once-and-done, forget-about-it piece of the compliance puzzle. They must align with what you actually do on a day-to-day basis, as well as your overall mission and values, so when things change, so should your policies.

During policy and procedure reviews, consider the following:

  • Changes within your organization – Has the employee structure changed? Have you made any updates to your operations because of staff changes?
  • Legal/regulations updates – Do changes need to be made to your policies and procedures for things like the increased record retention requirements posed by OFAC, executive orders or other legislation?
  • Findings and/or violations – Have any of your recent exams included findings or even explicit violations? How could changes to policies or procedures address those problem areas so they don’t happen again?
  • Increased or newly-identified risks – Has your credit union encountered any new or increased risks in the past few months? Have you implemented new service offerings? How can you utilize policy to tackle those issues?

System Access and User Updates

Just like with policies and procedures, updates should be made to your systems and their users when people move positions or leave the organization. Keeping user access for individuals who should no longer have it poses undue risk to your credit union, which is why it’s important to review this information frequently – even more than annually or bi-annually.

Here are a few tips to help you stay on top of access and user permissions:

  • Implement a process to delete user access when an employee leaves a role. For example, as part of the departure process, ensure department managers complete change management information to remove individual access from certain drives, email addresses, systems, software, etc.
  • Actively look at user lists for each system on a semi-frequent basis to determine if users and permissions are still current and appropriate.
  • Coordinate teams to confirm there are designated backup people for handling tasks within each system, particularly for transaction-based tasks. You don’t want to find out that an employee’s wire limit hasn’t been updated in two years and that they can’t complete processing when their backup is unavailable.

Remember, access and permissions aren’t just a threat to your security – they can have greater repercussions than you think. Consider how they could impact your operations and even members if there are delays. Think about the findings they could uncover during an exam. On a bigger scale, imagine the hit to your reputation if poor control over access ends in a data breach.

It's easy to get in your head and think that periodic reviews of your system and user access are more of a chore than they’re worth, but keeping an eye on these updates can help avoid issues in real time – a decision you’ll be thankful for down the road.

Additional Records Cleanup

For certain things, as with the OFAC records, you need to retain information. But for others, that data you don’t really need can have the opposite effect – exposure. The last thing any credit union needs is more risk, so clean up your files and records to keep just the data you need and nothing more.

If you want more insight on what is expendable and what isn’t, ask for guidance from your regulators. They’ll be able to pass on recordkeeping requirements for different areas of operation and record types.

Compliance Roundup Wrap-Up

Compliance isn’t ever going to be a simple task. As a long-time compliance professional, I can say that with utmost certainty, even in a year that has been overwhelmingly uncertain in many ways. With that in mind, maintaining control over your compliance standards is more important than ever.

From recordkeeping to policy and procedure review (and a lot in between), a mid-year compliance roundup will allow you to focus on accomplishing tangible results, while also helping your credit union remain strong and agile, regardless of the noise and uncertainty in the world today.


Cindy Hagan works as the VP of compliance and fraud risk for Vizo Financial Corporate Credit Union. In this role, she administers and coordinates the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) program within the organization to ensure compliance with federal regulations, the NCUA and the industry standards of the FFIEC’s BSA/AML examination manual. She also provides compliance consulting and training services to credit unions.