Until now, credit unions have been exempt from the public company albatross known as Sarbanes-Oxley. This may be about to change. NCUA has proposed that credit unions adopt processes for ensuring the integrity of internal controls—processes very similar to those outlined in the dreaded Section 404 of the Sarbanes-Oxley Act.
Section 404 requires documentation and testing of the minute details of a company’s internal financial and operational controls. Corporate America, which has been struggling for two years to implement Section 404, has had this to say about its requirements:
- “A dagger aimed at the heart of the economy”
- “The worst affliction visited on public companies in the last 70 years”
- “Illustrates the folly of Congress trying to legislate risk- and error-free business operations”
I have nothing against regulation in general, and believe that Sarbanes-Oxley and other regulation inspired by it in many areas works very effectively. However, I do have concerns about regulation that is designed not to address existing weaknesses but instead to synchronize regulation across disparate types of organizations. As cooperatives, credit unions already have a level of shareholder (i.e. member) oversight and involvement that is unheard of in public companies, and it is difficult to see benefits from this regulation that come close to outweighing the costs.
Here are some of the questions you should be thinking about as you formulate your comments to NCUA (due on April 24):
- What projects will you have sideline or delay because resources must be reallocated to compliance? How important are those projects to your strategic plan and to your members?
- What new skills will you need on staff to manage the process? What will you have to pay them?
- Do you have existing relationships with experienced outside resources to get this project done?
- Can you pay the costs of compliance out of cash flow, or will you need to dip into capital? How will these expenditures affect your dividend and loan rates?
- What software or systems will you need to purchase in order to comply?
- How will the proposed standard affect your future systems decisions? Are your IT systems sufficiently flexible?
- How will the standard affect your willingness to take measured risk?
- How will this standard affect or complicate merger activity?
It is essential for credit unions to educate themselves on this process, estimate the direct and indirect costs of compliance, and respond with comments by the deadline.