BSA and AML laws are in place to identify illicit transactions ranging from gun running to drug dealing to tax evasion, says Colleen Kelly, CUNA’s senior federal compliance counsel. More than 500 law enforcement agencies use the information credit unions share.

Over the past five years, these agencies have made more than 10 million inquiries for BSA/AML data from U.S. financial institutions.

While CUNA and its membership fully support law enforcement’s ability to track financial criminal activity, it’s important to strike a balance between compliance costs and benefits to the government.

“CUNA continues to work with Congress and the U.S. Treasury for feedback on all the information we share,” Kelly says. “We want to gain a better understanding of how the information is used and how often it leads to combating terrorist financing to sufficiently balance the cost to credit unions with the benefit to law enforcement.”

Kelly and Valerie Moss, CUNA’s senior director of compliance analysis, identify seven top issues related to BSA/AML compliance.

1. Elderly financial exploitation

The Economic Growth, Regulatory Relief and Consumer Protection Act (S. 2155), passed in 2018

with CUNA’s support, included a measure to combat senior financial exploitation and abuse. The new provision provides immunity for those reporting the abuse as well as the financial institution that employs the individual.

The provision states the individual will not be liable in any civil or administrative proceeding for sharing member information with a regulator or adult protective services as long as the reporting individual served as a supervisor or in a compliance or legal function with the credit union at that time and made the disclosure in good faith with reasonable care.

For credit union immunity, the provision further states the credit union will not be liable, including in any civil or administrative proceeding, for the disclosure of the senior’s financial information as long as the individual was employed or affiliated with the credit union at the time of disclosure, and before the time of the disclosure each individual involved in reporting the senior abuse received appropriate training.

Training is required for each employee or officer who serves as a supervisor in a compliance or legal function, who comes into contact with a senior members, or who may review or approve documents, senior members’ records, or transactions.

Senior abuse training must be appropriate to employees’ job responsibilities and include how to identify and report suspected senior exploitation, and how to protect and respect members’ privacy and integrity.

2. Virtual currency

A virtual currency exchanger is a money service business (MSB) under Financial Crimes Enforcement Network (FinCEN) regulations. But a “user” who obtains virtual currency and uses it to purchase real or virtual goods or services is not an MSB, Moss says.

The definition of “money transmission” in FinCEN’s MSB regulation covers the acceptance and transmission of value that substitutes for currency, including virtual currency, Moss explains.

Compliance with BSA requires virtual currency transmitters to:

• Register with FinCEN as MSBs.
• Develop, implement, and maintain a BSA/AML program designed to prevent the MSB from being used to facilitate money laundering and terrorist financing.
• Establish recordkeeping and reporting measures, including filing suspicious activity reports and currency transaction reports.

“Convertible virtual currency” (CVC) refers to a medium of exchange that can operate like currency but doesn’t have all the attributes of “real” currency, including legal tender status. Bitcoin is an example of CVC.

“A recurring theme throughout FinCEN’s 2019 advisory on CVC is the issue of unregistered MSBs that may be operating illegally, attempting to evade supervision, and failing to implement appropriate controls to prevent their services from use for illicit activities,” Moss says.

An obvious red flag would be transactions involving an unregistered MSB such as a CVC kiosk (Bitcoin ATM) or an unregistered peer-to-peer exchange. Also, using a CVC exchanger located in a foreign location or high-crime area would warrant closer investigation.

3. Email compromise fraud schemes

These crimes occur when criminals compromise victims’ email accounts to send fraudulent wire transfer instructions to financial institutions to misappropriate funds.

Criminals continue to perpetrate these schemes to the tune of more than $9 billion in losses to U.S. financial institutions since FinCEN issued its initial guidance in 2016.

Fraudsters employ two types of email compromise, Moss says. Business email compromise (BEC) targets accounts of financial institutions or members that are commercial, nonprofit, nongovernmental, or government entities. Email account compromise (EAC) targets individuals’ personal accounts.

FinCEN encourages financial institutions to assess the vulnerability of their business processes to compromise and consider how they can “harden” or increase the resiliency of their processes and systems against email fraud schemes.

Also, a multifaceted transaction verification process, as well as training and awareness-building to identify and avoid email phishing schemes, can protect financial institutions against BEC and EAC fraud, Moss says.

NEXT: Opioid trafficking