AUX Blog

Compliance Horror Stories

October 26, 2020

By Gaye DeCesare, VP Compliance

The compliance landscape is like a haunted burial ground where millions of dollars go to die every year at the hands of organizations that fail to abide by regulations. And like the apparitions that float through those desolate grounds, compliance specters keep credit union executives awake at night, feeding fears of what might be uncovered at their next supervisory exam.

Your Aux compliance team has heard all the horror stories and witnessed the gore of compliance gone bad. Here are some favorites that are guaranteed to send shivers down spines.


My credit union outsources first mortgages to a Credit Union Service Organization (CUSO). In turn, that CUSO uses another CUSO for titles and closing. When I refinanced my mortgage, I was horrified to see that the ECOA notice directed me to send any allegations of discrimination to the FDIC, not NCUA. Nobody at any of the three credit union centric organizations involved had noticed the error. And they didn’t seem overly concerned when I pointed it out!

Why is this horrifying? Because the FDIC doesn’t administer ECOA compliance for credit unions and can’t help a member who believes they’ve been treated unfairly. Federal credit unions are required to provide contact information for the NCUA Office of Consumer Protection.

During a loan review, it was noted that Adverse Action Notices (AANs) were being mailed without any denial reason(s) listed. The credit union was surprised, because the letters are automatically generated, and denial codes should have been pulled in from the system. An investigation revealed that an update to their core system three years prior had shifted some fields in the loan record, including the field for denial codes. Apparently, nobody checked after that (or any other) system update to ensure no operations had been impacted. They had been mailing non-compliant AANs for three years!

Why is this horrifying? Because Regulation B requires you to provide the specific reason(s) for the action taken. Failing to provide at least one reason for denial is a violation, and failure of this magnitude exposes the credit union to a potential class action lawsuit.

A credit union’s Chief Lending Officer was furious when an examiner wrote up the credit union for inaccurate risk-based lending (RBL) disclosures. She argued that the disclosures had been written by their attorney, so they had to be correct! As it turns out, the credit union’s RBL policy had changed over the years but the loan disclosures had never been updated. After consulting with their attorney, the credit union ended up reissuing hundreds of loan disclosures and adjusting finance charges on all those loans. A very costly mistake!

Why is this horrifying? Because Truth in Lending laws require you to accurately disclose the terms of the loan, so members can make informed decisions. Failure to do so may limit your ability to enforce the contract. And again, a failure of this magnitude just screams class action suit.

A credit union asked us to review their lending policies for compliance. The policies hadn’t been updated in several decades, and still said things like “if the applicant doesn’t qualify on her own, her husband needs to co-sign the loan.”

Why is this horrifying? Because it’s a blatant violation of Regulation B, which prohibits discrimination in lending on the basis of sex and marital status, among other things.

Branch Operations

Some of our favorite horror stories come from reviewing branch signage to ensure every branch has the correct compliance-related signs. At one credit union, a branch was using a “Your deposits insured by the FDIC” sign they had printed from the internet, instead of the required NCUA insurance sign.

Why is this horrifying? Because, as noted above, the FDIC is not a credit union regulator, and it does not insure credit unions. Requirements for credit union signage can be found in NCUA Regulations, Part 740.

At another credit union, branch managers were covering up the required USA PATRIOT Act notifications that had been placed in Plexiglass sign holders at each station and replacing them with their own marketing messages.

Why is this horrifying? Because the credit union must provide notice that it is requesting certain information to verify the member’s identity pursuant to USA PATRIOT Act regulations. A lobby notice is not specifically required, but if that’s how the credit union has chosen to meet the requirement then covering it up is a violation of the USA PATRIOT Act.

Once I deposited a rather large check at the credit union where I was the Compliance Officer. The teller leaned in and whispered, “We’re supposed to put a hold on checks over $1000, but I won’t do that since it’s you.” Ummmm… if you’re going to break the rules, the Compliance Officer is the last person you want to tell about it!

Why is this horrifying? Because check holds are placed to protect both the credit union and the member. The Compliance Officer depositing the check couldn’t know the check was good any more than the teller could.

At my credit union, there was an elderly teller who had been there for years and was friends with everybody. Whenever anyone brought in a cash deposit over $10,000, she would say “Now I know you don’t want me to have to fill out a bunch of paperwork on this, honey. Take some back and bring it in another day!” I also knew of a branch manager who, when presented with a member who was clearly structuring to avoid reporting, would say “Okay, we won’t file a CTR now, but I can’t say we won’t file any other reports!”

Why is this horrifying? Because both instances are blatant violations of the Bank Secrecy Act, which carries the highest penalties of any federal banking law. The first instance is an example of structuring to avoid filing a CTR. In the second, the branch manager is essentially saying that a (highly confidential) Suspicious Activity Report will be filed.



We hope you enjoyed this spooky collection of compliance no-nos. Each member of our compliance team has specific credit union experience (some of us decades-old veterans), and over the years we’ve seen the good, the bad, the ugly…and the terrifying. Thinking you might need an extra hand in your compliance function? Check out what we have to offer here.
