What’s Happening on the BSA Front?

Highlights from the CUNA-NASCUS Bank Secrecy Act Conference.

January 13, 2012

I’ve just returned from sunny San Diego, where CUNA held its annual Bank Secrecy Act (BSA) conference. It’s sponsored jointly with the National Association of State Credit Union Supervisors (NASCUS) and, as usual, we had a great turnout.

Here’s a BSA update, highlighting recent actions by the Financial Crimes Enforcement Network (FinCEN), which oversees compliance with BSA/AML (anti-money laundering):


• SAR confidentiality rule. FinCEN’s final rule regarding the confidentiality of suspicious activity reports (SARs) went into effect January 2011. The BSA prohibits credit unions and their employees and/or agents from alerting the target of a SAR that a report has been filed. Further, any documentation that could reveal that a SAR has been filed should be kept confidential. Only those who “need to know” at the credit union should be aware that a SAR exists.

The rule also lists all categories of authorities that can receive a SAR or SAR information, e.g., FinCEN; federal, state or local law enforcement agencies; and any federal or state regulatory authority that examines an institution for compliance with the BSA. 

• Money services businesses (MSB) rule. FinCEN amended the MSB regulation to make clearer what activities subjected a “person” to the rule, and clarified that foreign-located MSBs with U.S. customers are also subject to the rule.
MSBs include check cashers, currency dealers or exchanges, money transmitters, and issuers, sellers’ or redeemers’ traveler’s checks, checks, money orders, or similar instruments.

These businesses fall under the BSA’s definition of “financial institution,” so they must implement BSA/AML (anti-money laundering) programs just like other financial institutions. 

• Final prepaid access rule. This rule, which was effective on July 29, 2011, generated a lot of questions from credit unions, mostly regarding who is considered a “provider of prepaid access” under the rule. The key here is that the rule amends some of the provisions within FinCEN’s MSB regulations. So, it doesn’t apply to credit unions and banks.

The rule requires providers and sellers of prepaid access to file SARs, collect and retain customer and transactional information, and maintain an AML program. The requirements are similar to those that apply to other categories of MSBs and to financial institutions. 

• E-filing proposal. Most of you are aware of FinCEN’s proposal to require the electronic filing of BSA reports not later than June 30, 2012. According to FinCEN, e-filing is free, easy to use, more secure than mailing paper, and it streamlines the reporting process and reduces errors. E-filing also provides a financial institution with an acknowledgement of FinCEN’s receipt of a SAR/currency transaction report (CTR) filing, which is something you can’t get with a paper filing. The comment period ended in mid-November, and CUNA’s comment letter is available at

• Proposal to add prepaid devices to CMIR. Last October, FinCEN issued a Notice of Proposed Rulemaking that would add certain tangible prepaid access devices to the list of monetary instruments to be reported when transported into or out of the U.S.

The proposal would add devices such as general use prepaid cards, certain gift cards, and potentially cell phones to the list of other monetary instruments that must be aggregated (to determine if they exceed more than $10,000) and included of a Currency and Monetary Instrument Report (CMIR).

Current regulations require that a CMIR be filed regarding the international transportation, mail, or shipment of currency or other monetary instruments (defined as coin or currency, traveler’s checks, checks, promissory notes, money orders in bearer form, and bearer bonds) in an aggregate amount that exceeds $10,000.

Common BSA compliance violations

No BSA update would be complete without a list of the common BSA compliance violations that NCUA has found during its examinations of credit unions. This list may look familiar to you, since it seems that the same violations keep cropping up year after year. They include:

• Training. Often, training isn’t conducted frequently enough, isn’t documented, and often doesn’t sufficiently cover the credit union’s BSA policies and procedures. Make sure you document your training efforts, e.g., maintain training materials, session dates, attendance records, and test scores (if you test staff). Otherwise, you have no proof that you trained your staff at all. Also, maintain a regular training schedule—don’t just train new employees, but all staff should receive training appropriate to their job duties. Conduct training annually at least, or more often if regulations or BSA policies and procedures change.

• Independent testing (audit). Examiners still find that for some credit unions, independent testing isn’t independent at all. Remember that the audit should be conducted by outside auditors, consultants, or other “qualified persons who aren’t involved in the function being tested.” Examiners also have found that audits aren’t being conducted often enough (every 12 to 18 months) and frequently don’t cover all aspects of the credit union’s operations.

• Internal controls. Examiners have found that some credit unions aren’t updating their risk assessments to adapt to changes in the institutions’ risk profiles (e.g., adding new products and services, expanding membership bases, relocating branches). Remember a risk assessment isn’t a one-time event, but should be a continuing process. Examiners also have found inadequacies in institutions’ suspicious activity monitoring systems, a key part of the credit union’s internal controls to ensure continuing BSA compliance. 

• Data quality errors in CTR/SAR filings. NCUA examiners report the usual BSA filing errors, such as invalid or missing information on CTRs and SARs, blank or inadequate narratives on SARs, etc. Both NCUA and FinCEN encouraged credit unions to make the transition to e-filing, which seems to reduce the likelihood of repeated errors and provides institutions with an acknowledgement of FinCEN’s receipt of a SAR or CTR filing. 

• Notification of SAR filings to boards of directors. NCUA’s regulations require federally insured credit unions to “promptly” (at least monthly) notify the board of SAR filings. NCUA reminded credit unions that this notification must appear in the board minutes, and noted that a generalized report to the board is sufficient to help maintain the confidentiality of SAR information.

• Information sharing—FinCEN 314(a) list. The most common violations cited regarding 314(a) compliance were failing to check the 314(a) list, or not documenting that the list was checked. A credit union should contact FinCEN if it has failed to conduct a required search of its records to obtain prior lists, and perform any necessary retroactive searches. As for documentation, self-certification forms are now available through FinCEN’s online 314(a) Secure Information Sharing System.

VALERIE Y. MOSS is CUNA’s director of compliance information. Contact CUNA’s compliance department at



• CUNA’s e-Gude

• FinCEN:

  1. BSA e-filing help desk: 888-827-2778 (option 6)
  2. Financial institutions hotline (terrorist activity): 866-556-3974
  3. Regulatory helpline: 800-949-2732