Holding the Line: Compliance for Nonprofits

This is a guest post from Dr. Heather Mark over at Sphere. Heather oversees internal compliance and security, building on the strong foundation to mature and evolve the program. Previously, she served in various senior leadership roles, most recently at a wholly-owned subsidiary of a global payment processor, card issuer, and merchant acquirer.

When those in the nonprofit sector consider “compliance” the first thing that often comes to mind, and rightly so, is maintaining nonprofit status with the Internal Revenue Service.  That makes sense, because failure to properly maintain nonprofit status has significant implications on taxes and can negatively impact fundraising.  But compliance for nonprofits shouldn’t stop there.  A comprehensive, documented compliance program, that includes privacy, security, marketing, donor and grantee diligence, and vendor management, for example, can go a long way to protecting the organization, its donors, and its constituents.

Myth #1: Nonprofits can fly under the radar

The first myth that needs to be laid to rest is the idea that a nonprofit or charitable organization can fly under the radar with respect to compliance obligations.  In fact, for the purposes of anti-money laundering practices, the Federal Financial Institution Examination Council (FFIEC), nonprofits and charities can pose a higher risk, simply due to their nature – raising funds from donors for the purposes of then disbursing those funds to other individuals or organizations.  Additionally, from an information security perspective, consider the types of data that charitable organizations often collect – from payment information for one-time donations to more sophisticated and sensitive donor files for those that make significant grants or contributions.  Exposure of that type of data can do significant reputational damage to an organization that is dedicated to the greater good.

The first myth that needs to be laid to rest is the idea that a nonprofit or charitable organization can fly under the radar with respect to compliance obligations.  In fact, for the purposes of anti-money laundering practices, the Federal Financial Institution Examination Council (FFIEC), nonprofits and charities can pose a higher risk, simply due to their nature – raising funds from donors for the purposes of then disbursing those funds to other individuals or organizations.  Additionally, from an information security perspective, consider the types of data that charitable organizations often collect – from payment information for one-time donations to more sophisticated and sensitive donor files for those that make significant grants or contributions.  Exposure of that type of data can do significant reputational damage to an organization that is dedicated to the greater good.

Myth #2: Compliance programs are restrictive

Now, let’s dispel the myth that compliance programs must be burdensome.  A compliance program, by way of a general guideline, should match the complexity of the organization itself. That means a small organization doesn’t need to overburden itself with administrative rules that aren’t commensurate with the size or sensitivity of its mission.  A compliance program that is overly bureaucratic will stifle growth and will ultimately be ineffective.  A good balance is found in a program that sets guardrails for organizational behavior – guardrails that keep the organization on the right side of regulation and ethical behavior – without derailing the important work of the nonprofit.

How nonprofits can start a compliance program

Now that the foundation has been laid as to why compliance programs are important for nonprofits, not-for-profits, and charities, the next question is often, “where do we start?” The answer for any organization trying to build a compliance program is to begin with a risk assessment.  What activities is the organization undertaking and in what demographic?  What geographic regions will be a focus?  How will the services of the organization be marketed and, likewise, how will fundraising campaigns be managed? All of these questions, and ones like it, help to determine what regulations or (as in the case of security of payment data) what industry standards must be maintained in order to remain compliant.

For example, if an organization is going to undertake telemarketing campaigns to raise funds, or to raise awareness of a fundraising event, specific telemarketing laws must be followed.  The Telemarketing Sales Rule, for example, originally had a carve-out for fundraising for charitable donations.  However, over the years, the TSR has expanded to regulate calls made on behalf of charitable organizations.  While charities are exempt from the Do Not Call Registry, there are still portions of the TSR that do apply to charities and to organizations that make calls on behalf of charities.  And that point dovetails nicely with the importance of vendor management.

For nonprofits, reputational risk is often more compelling than legal obligation.  A nonprofit relies on a good reputation to help raise funds and to support its ultimate mission.  Selecting vendors that enable and support a reputation can be critical to success.  Establishing rules for conducting diligence on vendors and for ongoing management and monitoring of those vendors can be critical.  In selecting vendors, it is advisable to work with companies that have experience in the nonprofit or charitable space.

Conclusion

In short, compliance is as important for nonprofits as it is for commercial businesses.  But building that compliance program does not need to be overly taxing. The compliance program is an important support to the overall mission of the organization.  Just as selecting the right vendors can help mitigate risk, a comprehensive compliance program can not only help in the behind-the-scenes operations of your organization, but it may even help create a solid reputation that donors appreciate.