Address by Sharon Donnery, Registrar of Credit Unions, to CUMA Autumn Conference 03 September 2013 Speech Introduction Let me begin by thanking the Credit Unions Managers Association for asking me to speak at your autumn conference. I know that you are discussing a wide range of issues today and I commend you for your organisation of events such as these at what is a time of significant change for credit unions. I would also like to add my thanks to the members of your executive, particularly your Chairman John Hickey, for their on-going constructive engagement with me since I took up my interesting and challenging new post earlier this year. Credit unions continue to face significant challenges to their business model. Declining demand for credit is putting pressure on what are already weak loan to asset ratios. As at June 2013, the total assets of the sector were just under 14 billion euro. Loans to members have decreased by 11 per cent from June 2012 and currently stand at €4.6 billion euro, with the sector average loan to asset ratio being approximately 34 per cent. Average sector arrears were slightly over 20 per cent, which is broadly in line with the previous year. Although it is to be expected that loan loss experience will be amplified by the new debt settlement arrangements. Maturing legacy books are reducing interest income, and investment yields are on a downward sloping trajectory at a time when the investment portfolio continues to grow. Total investments have increased by 8.6 per cent year-on-year and stood at around €9 billion euro as at 30 June 2013. And all of this at a time when embedded costs continue to rise. While credit unions remain both popular with and trusted by members, the average dividend paid was below 1 per cent, based on the financial accounts for 2012 which we have analysed to date. It is in this context that the new legislative requirements, particularly those improving risk management and governance standards, need to be viewed. The new legislation should be seen as an important enabling support which can drive and enhance the ability of credit unions to address the rapidly-evolving market in which they operate. The retail financial landscape is undergoing significant transformation and credit unions must keep pace with this evolution, otherwise they will become less relevant in the future. We cannot let this happen. The key driving force behind successful businesses, including credit unions, is the quality of both governance and management, which includes how thinking and decision making is oriented. Strategic thinking requires a future orientation if decisions impacting viability are to be made and acted upon. But formulating an effective strategy is not enough unless its successful execution is enabled by the right business model with properly embedded risk management and governance framework. Successful businesses typically exhibit higher quality governance and risk management standards and are better positioned to react to market changes and to take advantage of opportunities that may arise. They have a realistic understanding of the strengths and weaknesses of their business model and demonstrate a better understanding and management of risks. They have a clearly articulated risk appetite and superior ability to evaluate whether certain opportunities are consistent with that risk appetite. Our PRISM supervisory engagement has illustrated that while some of you are already meeting most of the standards proposed in the new framework, those credit unions are currently in the minority. It is also evident to us that these credit unions have clear organisational leadership, tighter risk management and a better performing business model than their peers in the sector. The new legislation promotes key basic international standards and the challenge for you is to drive these standards within your respective credit unions. You will find my office to be supportive of this change process. For the purposes of my speech here today, I would like to reflect further on governance and the various roles we all play in securing the protection of members’ savings. I will also say a few words regarding the work program for the Registry for the rest of the year. Governance In considering our respective roles, I’m going to speak about the roles of managers, boards and board oversight committees, internal and external audit and finally regulators. A major focus in designing the new regulatory framework is to strengthen governance in credit unions individually and the sector overall. Governance has been highlighted as an area of concern in our onsite supervisory engagements and as you will be aware is something we, in the Registry, have been working on for a number of years now. We see proper governance as being a key element to bring about a financially strong and more sustainable sector which can continue to serve future generations of members. Good corporate governance is often discussed more in regard to its absence than its presence. With this in mind, it is useful to begin by considering what is corporate governance and how would we recognise it. In terms of definition, it relates to how authority and control are exercised within a firm or, for our purposes, a credit union. So, what would a credit union with good governance structures look like? Firstly, it would have a clear organisational structure with well-defined, transparent and consistent reporting lines and documented roles and responsibilities. It would likely have a strong and experienced board with a detailed understanding of the credit union and its key risks. Members of the management team would have the skill set required to manage the credit union in line with the strategies and policies set by the board. There would be a strong internal audit function, adequately resourced and effective in its operations. The credit union would have an open culture which encourages debate and challenge and the board would be actively involved in reviewing risk and ensuring its mitigation. Finally, the business strategy would be fully integrated with its risk appetite and risk analysis. Role of the Credit Union Manager The new governance framework emphasises the importance of a separation between the two distinct sets of roles in a credit union, that is the non-executive or governance roles (performed by the board of directors) and the executive or operational roles (performed by the manager, management team, staff and voluntary assistants), with the manager serving as the main link between the board and the executive. This separation allows for the respective roles and responsibilities to be clearly defined and distinct and this distinction is fundamental to good governance. The framework also requires the credit union to have a board oversight committee, an internal audit function, a risk management officer and a compliance officer. I will return to these functions later. As I alluded to when I spoke at a CUMA seminar earlier this year, managers play a key role within credit unions and this has been recognised by the inclusion of managers within the governance framework in the new Act. It requires the appointment of a manager to be responsible for the day-to-day management of the credit union’s operations and for the manager to be accountable to the board for the performance of his or her functions. In addition to carrying out any responsibilities assigned to them by the board, key priorities for managers will include preparing and proposing strategies for the board of directors and indeed implementing the strategy which is agreed by the board and implementing proper systems of internal control. Managers have a wide range of other tasks including: updating the board on the financial position of the credit union; appointing employees or voluntary assistants; and importantly managing and mitigating risk. Many of you may be undertaking these responsibilities already or have commenced preparing for them. Delivering on these tasks will be a central pillar in making decisions about the future development of your own credit union. In undertaking these tasks managers are effectively the first line of defence in ensuring the credit union is well-run in the interests of its members. The Role of Credit Union Boards The board of directors has responsibility for the general control, direction and management of the affairs, funds and records of the credit union. There are also a wide range of more specific responsibilities set out in the new Act including strategic planning, risk management, succession planning, and so on. In fulfilling these responsibilities, credit unions must have a clear organisational structure with well-defined, transparent and consistent reporting lines to the board. When establishing governance arrangements credit unions should take into account the nature, scale, complexity and risk profile of the business they do. This should be a key determinant in the level of oversight, extent of skills and expertise, and systems and control requirements. While boards may find it useful to obtain external advice and support in undertaking their role, they should be mindful of their responsibilities and ensure they remain proactively involved in all areas including for example, strategic planning, risk management and internal audit. We would expect credit union directors to have full ownership and understanding of all aspects of their credit union’s strategy. In developing strategy, boards need to understand and articulate the goals and objectives of the credit union and take into account the environment in which they operate, including considering economic, social and competition issues. Strategic plans must include a realistic appraisal of the business model, including analysis of income and expenditure and financial position as well as operational capabilities. The board of directors should also have full oversight of the credit union’s risk management system and should ensure that systems and controls are put in place to manage and mitigate risk. It is of concern that in a number of the credit unions we have visited as part of supervisory engagement, we have found a lack of strategic planning added to poor risk management frameworks and practices. Boards and management alike need to look on the strategic planning process and development of their risk management systems as an essential element of their business rather than a simple tick box exercise to fulfil a regulatory requirement. It is paramount that boards become more strategically focused and less involved in operational day-to-day matters and decision-making. It is also important that boards consider their own effectiveness, succession planning and skillsets. Developing programmes to involve members in running credit unions to ensure there is a supply of directors for the future is also an important consideration. I know that many credit unions are developing support programs for their board members, including future board members, and I welcome such initiatives. In a sense, developing a strategy and managing and mitigating risks and some of the other issues I have mentioned are the tasks which the board must undertake. Underlying these tasks, however, is something far more important, which is a culture of challenge. The board is ultimately responsible to protect those members who have entrusted the credit union with their money. Challenging the assumptions underlying strategic plans, mitigating risk and robustly discussing the issues which face the credit union is central to the board’s role. I can appreciate that delivering challenge in the boardroom can in itself be a challenge. When you meet regularly with people you know for many years and live and work with in a small community, it can be difficult to raise questions and doubts and to disagree. However, challenge is not about being aggressive, pushy or bad mannered but about thinking critically, being the pessimist about future problems, playing devil’s advocate and turning your thinking on its head. Central to a culture of challenge around the boardroom table is the role of chairperson. The functions of the chair include ensuring the meetings of the board operate in an efficient and effective manner and also to promote effective communication between members and between the board and the management team. The chair should also conduct a performance evaluation of each member of the board on an annual basis to ensure they are complying with their obligations under the legislation and the board’s objectives are set out in the strategic plan. It is important that chairpersons also encourage constructive discussions, critical thinking and that they challenge mindsets. So, in summary, by getting the focus on the right issues, that is the general control and oversight of the credit union, boards can ensure that they take the right decisions for their credit union and at all times act in their members’ interests. Clearly the interaction between managers and boards is also an important element of how they to carry out their respective roles. Looking back at the corporate governance failures in the past, both within financial services but also in other sectors, highlights many instances of unacceptable corporate governance. We have all heard stories of dominant CEOs and board members; stories of boards who were too complacent or failed to comprehend the risks associated with their business; and senior managers and boards who did not understand the basics of what was happening on the ground. So I would emphasise the importance of fulfilling your respective distinct responsibilities as either board members or managers and again encourage a culture of constructive challenge in how you manage your relationship with each other. Credit unions will also be required to have two other officers within the governance structures, namely the risk management officer and the compliance officer. While we are not prescribing how a credit union resources these positions, it is obviously crucial that those who fill them are competent for the role and can carry out the relevant functions. The role of the risk manager is to identify, assess, report and monitor all internal and external risks that could affect the credit union. They should also implement the risk management system approved by the board. It is important to understand the reasoning behind having a risk manager and risk management system, which is to promote a culture of risk awareness within the credit union to ensure risks are identified and mitigated. In a world of ever-increasing complexity, it is essential that boards of directors are aware of, understand and deal with the risks to their business. The role of the compliance officer is to ensure that the credit union complies with all statutory and regulatory requirements and indeed that there is monitoring of such compliance to ensure no conflicts of interest arise. Essentially the role of the compliance officer is to foster and encourage a culture of compliance in the credit union. To do this they will need to stay informed of emerging statutory requirements and notify other relevant officers and the board of these. The compliance officer should also provide reports on compliance to the board and manager on a regular, at least quarterly, basis. Significantly where compliance breaches occur, compliance officers must bring this to the attention of the board and the manager immediately and they should ensure that any matter is rectified a timely manner. The risk management officer and compliance officer support the board and management team in ensuring the credit union has an effective risk management system and a compliance programme. However, the roles are distinct and the board, manager, risk management and compliance officers must work together to form a further line of defence. The Role of Credit Union Board oversight committees The governance structure in credit unions is somewhat unusual in that in addition to the board there is also a supervisory committee which will shortly evolve into the board oversight committee. The role of the board oversight committee will be to assess whether the board of directors has operated in accordance with the specific requirements set out in legislation including, for example, strategic planning and risk management. The key element of fulfilling their role is to determine whether any deviation from the requirements is material. In doing this, they need to consider the circumstances of each individual case and the matter should be reported to the board as part of the regular engagement between the oversight committee and the board itself. The role of the board oversight committee is one which I welcome and which is clearly important. Up to now we have seen some instances where supervisory committees have raised issues with the board of directors. However, we have also seen many instances of limited oversight and no effective challenge. It is important that members of board oversight committees have a clear understanding of the new governance framework and have the courage of their convictions to raise material issues of non-compliance that are of concern to them. In doing so, they should focus on the facts and the evidence in relation to the concern and ensure the board of directors takes the matter seriously and takes the necessary steps to deal with any issues and mitigate risk. The role of credit union auditors – Internal Audit Moving now to the requirement under the new Act for the credit union to have an internal audit function. At a high level, the role of the internal audit function is to provide for independent internal oversight and to evaluate and improve the effectiveness of the credit union’s risk management system, internal governance and controls. An absolutely critical element of having an internal audit function is that it is separate from other functions and activities and capable of operating independently of management. There should be no undue influence over the activities of internal audit and it should report to the audit committee, where one exists, or directly to the board on a regular basis or at least quarterly. To ensure the effectiveness of the internal audit function, it is also important that the board regularly reviews its performance and effectiveness, and this should be done at least annually. The internal audit function should have a written plan detailing the scope and objectives of audits and particularly setting priorities regarding areas to be audited. Arising from its plan, the internal audit function should make recommendations to the audit committee or to the board on improving the effectiveness of the risk management, internal controls and governance processes. Of course, simply making recommendations is not an end to the matter. The internal audit function should follow up on the recommendations it makes to ensure effective remedial action is agreed by the board and indeed that such actions are taken. It is important that the internal audit function adheres to internal audit professional standards and benchmarks in relation to its approach to conducting its functions, for example, those established by the Institute of Internal Auditors. Again, the nature, scale, complexity and risk profile of the credit union is an important element in considering the time and resources devoted by internal audit to its various tasks. The Registry has received many questions regarding whether the internal audit function should be performed on an in-house basis; through sharing arrangements with other credit unions; or on an outsourced third-party service provider basis. While in general, I have a somewhat open mind on the approach that credit unions should take, I would emphasise that the board retains responsibility for the oversight of the internal audit function and for ensuring that the credit union complies with all requirements relating to the carrying out of its functions. An important element in this regard is the independence and objectivity of a third-party service provider as well as the fitness and probity requirements surrounding outsourcing this Controlled Function and boards should examine these before making a final decision on whether to outsource internal audit. As I said a moment ago, an absolutely critical element is that internal audit is separate from other functions and activities and capable of operating independently of management. Its job is to identify risk and ensure it is mitigated effectively to identify weaknesses that have been missed by the board and management team. It must have unrestricted access to records, personnel and property of the credit union and be free to report its findings and assessments through clear reporting lines to the board. For these reasons, the internal audit function should be at an appropriately senior level to ensure it has standing and authority within the credit union. The role of credit union auditors – External Audit As someone external to the credit union, the external auditor also has an important role to play including carrying out statutory duties under the Credit Union Act. The external auditor is required to report to members on the accounts examined by him or her. The external auditor also has important duties in terms of reporting to the Central Bank. For example, if they are concerned about circumstances which will affect the credit union’s ability to fulfil its obligations to its members or believes there are material defects in the accounting records or any material inaccuracies or omissions from returns made to the Bank, then they are required to report the matter to the Bank in writing. Of course, we fully expect external auditors to act on this requirement by informing us of any issues. We have recently issued our annual circular to external auditors in advance of the year end process which sets out some of our main concerns at present. A particular element of the external oversight brought by the external auditor is, of course, professional scepticism. Together, internal and external audit are the third line of defence with a responsibility to identify and report issues not identified by others within the governance structure. The role of regulators Effective regulation and supervision of financial institutions safeguard the stability of the financial system and protect the savings of its citizens. The World Council of Credit Unions, in its core principles underlying credit union supervision, recognises that legislation should set out a strong supervisory framework that is prudential, proportional and predictable. This framework should, according to them, establish minimum prudential, operational, administrative, governance, accounting and auditing requirements. This is very much in keeping with the model that we have in Ireland. Our statutory role as regulator is the protection of member savings and the maintenance of financial stability and well-being of credit unions generally. This role to safeguard stability and protect members drives our work and our approach to regulation. Our job is to provide a further line of defence, to bring professional scepticism and constructive challenge. In our supervision of credit unions we use various tools, including our on-site visits, meetings and other engagements and asset reviews. These form the basis on which we make supervisory judgements in individual credit unions. While we are always willing to enter into discussions with credit unions about the issues we have found and the actions we require, at the end of the day it is our job to make those supervisory judgements. It is not our job to make decisions that suit the firms that we regulate, but rather to make decisions that mitigate risk and protect members’ savings. I understand the concerns of credit unions and indeed other regulated firms who feel that regulation is burdensome and overbearing. However, we must all remember the responsibility that comes with handling money belonging to other people. Those people, members of your credit unions, have entrusted that money to your care and that places obligations on you: to be prudent in how you lend it; to be aware of risk when you invest it; and to have the systems and controls in place to protect it. And remember that, ultimately, it is your credit union who will pay for the failure of others, if for example a bank or credit union fails and the deposit guarantee scheme is triggered. The price that all regulated firms pay for access to deposit insurance for their customers or members is that they are subject to a strong regulatory regime. Before I conclude, I would like to mention briefly some current issues on our agenda in the Registry. Changing Regulatory Environment The new Act is designed to support the development of a strengthened regulatory framework. It provides for the development of a holistic regulatory framework for the credit union sector that incorporates prudential and governance requirements, addresses gaps in the existing regulatory framework and sets out clearly the requirements for credit unions, their boards and management. The first of August saw the introduction of the fitness and probity regime and the commencement of a number of sections of the new Act, in particular in relation to administrative sanctions and measures allowing credit unions the right to appeal certain decisions of the Central Bank to the Irish Financial Services Appeals Tribunal. The application of fitness and probity was a recommendation of the Commission on Credit Unions and is one of the first steps in the introduction of a strengthened regulatory framework. The regime is aimed at individuals that hold board, management and supervisory responsibilities in order to focus on improving overall governance standards within the sector. While the fitness and probity regime commenced on the first of August it was introduced on a phased basis with transitional arrangements. These arrangements will allow more time for smaller credit unions, essentially those with assets of less than €10 million euro, to comply with the regime. So those of you with assets over €10 million euro should now be well advanced in considering and implementing the new requirements. Extensive information on the regime is on the fitness and probity section of our website. The ability to take enforcement action is an important element of any regulatory regime. Those of you who’ve heard my colleagues from the Central Bank speak about regulation will have heard us talk about assertive risk-based supervision underpinned by a credible threat of enforcement. This sentiment encapsulates our approach to the supervision of the firms we regulate and, in our view, a robust enforcement threat assists in the creation and maintenance of high standards across all sectors. I know that many credit unions are concerned about the approach that we will take to the exercise of our enforcement powers. With this in mind, I would reiterate the comments I made at a CUMA seminar earlier this year regarding our approach to enforcement. Where there are breaches of regulatory obligations the Central Bank will consider all relevant facts before commencing enforcement action and ultimately the taking of an enforcement action under the administrative sanction process is discretionary. You can be assured that we will be proportionate in our approach, understanding the efforts that credit unions are making but where enforcement action is required, the Central Bank’s actions will be firm and robust. We appreciate that credit unions are working to ready themselves for the implementation of the new legislation and the new regulatory framework. If a credit union is well-run and diligent in respect of its regulatory compliance, and can demonstrate that it has taken clear steps to comply with its obligations, then this will be taken into consideration by the Central Bank in deciding whether to take enforcement action. Similar to enforcement actions, the right to appeal is an important element of any regulatory regime. The Irish Financial Services Appeals Tribunal, or IFSAT, was established under the 2003 Central Bank Act. The Appeals Tribunal is an independent tribunal which hears and determines appeals from regulated firms against certain decisions of the Central Bank. The Appeals Tribunal aims to provide an accessible, efficient and effective method of appeal in an informal and expeditious manner. A major focus of our work in the Registry over the coming months will be considering issues relating to the development of a tiered regulatory approach. This will allow us to apply regulation to categories of credit unions (based on the nature, scale, complexity and risk profile of the business undertaken) in certain areas where we have been given regulation making powers. This is in contrast to what might be considered a “one size fits all” approach for all credit unions regardless of size as currently exists. In particular, it recognises the additional risks that arise from larger, more complex businesses. You will recall that the Commission on Credit Unions recommended three tiers primarily based on asset size with the smallest credit unions operating a simple business model and larger credit unions being permitted to undertake a wider range of investment and lending activities. Obviously, under such a regime, larger credit unions would be subject to additional prudential requirements and would be required to have additional systems and controls in place appropriate to the complexity of the business model. It is important to emphasise however that certain minimum standards will apply to all credit unions regardless of the nature, scale, complexity and risk profile of the business. In the words of a credit union member which I read recently “Credit Unions might be voluntary institutions, but they are also financial institutions and have to expect going forward that they will be regulated as such”. So, for example, the requirements in the new Act in relation to governance, strategic planning, risk management and so on will apply to all credit unions. It is our intention to consult on the proposed approach to tiered regulation by the end of this year. The tiered regulatory approach will also be supported by the powers given to the Central Bank to make regulations in a number of areas. This moves us towards providing a more flexible and adaptable regulatory model whereby requirements can be changed over time, if appropriate, without needing changes to primary legislation. I know that restructuring will be on the minds of many of you during your conference discussions. Donal Coughlan will update us on ReBo later and I look forward to hearing his perspective. From my point of view, I would emphasise the need for credit unions to engage with ReBo and our expectation that we will start to see restructuring proposals set out in a clearly planned manner shortly. As you develop your strategic plan, you should be considering the viability of your business and examining the options available to your credit union. Really, the key question is where you want to be in three to five years and ensuring you put your plans in place to deliver on that strategy. While I understand many of you have questions about restructuring, and indeed concerns, I would urge you to see it as a positive with the potential to build a strong and relevant credit union sector for the future. Conclusion So in conclusion, we are in a time of great change and challenge for credit unions, as well as for your members. Credit union managers will play a central role in managing and leading the changes that are ahead. Credit union managers, and indeed board members, should avail of the various supports which are available to help them fulfil their roles. These include material available from the Central Bank, including the Credit Union Handbook, support and training from representative bodies, as well as support that is available from various education and training organisations. We will be publishing the revised Credit Union Handbook, updated following feedback received during the Information Seminars and in the subsequent consultation period, next week and sending a hard copy to all credit unions. As you are only too well aware, amongst CUMA’s objectives are enhancing excellence in the management of credit unions and promoting professional training for its members. I would encourage you to remain focused on these objectives over the months and years ahead, particularly in relation to training to ensure that credit union managers receive the support that they need to manage and lead on-going change. Thanks once again to CUMA for inviting me today and for your attention and I hope you have a thought-provoking and productive conference.