Bank Secrecy Act (BSA) and anti-money laundering (AML)-related crimes are evolving, and members expect you to protect them from these threats while providing the services they need.
You need a thorough understanding of illicit financial activities to keep your members safe and your credit union compliant.
The 2022 CUNA BSA/AML Certification Conference with NASCUS brought to light many insights into BSA compliance that still hold true. Here are several insights I gained.
According to NCUA BSA Officer Andrew Bludorn, these are the five most frequent BSA violations examiners see:
1. 314(a) searches aren’t completed in a timely manner. NCUA urges credit unions to ensure that the U.S. Patriot Act contacts listed in their online profiles are current, and that they certify these profiles when contacts are updated.
Plus, credit unions must ensure that their policies and procedures designate a point of contact. They also must describe steps for when the primary contact is unavailable, how to ensure information confidentiality, how to respond to Financial Crimes Enforcement Network (FinCEN) requests, how to determine if and when to file a suspicious activity report (SAR), and the process for independent testing of 314(a) compliance.
2. Inadequate BSA training for appropriate personnel. Credit union board members and BSA officers don’t always receive the appropriate BSA training for their roles. NCUA reminds credit unions to train new staff as soon as possible.
BSA training should include examples of money laundering and suspicious activity monitoring that are tailored to each operational area. It also should provide officials with sufficient understanding of the credit union’s risk profile and BSA regulatory requirements. Further, credit unions must document all training, including the testing materials, attendance records, employees that fail to participate, and the corrective actions taken to address employees who fail to attend training.
3. Lack of independent testing. NCUA recognizes it can be difficult to find in-house staff that meet both the “qualified” and “independent” criteria for independent testing. The agency encourages credit unions to take advantage of BSA resource sharing as permitted by the Interagency Statement on Sharing Bank Secrecy Act Resources (Final 10-3-18).
4. No written and approved BSA compliance program. Credit unions’ BSA/AML compliance programs must be in writing, approved by the board, and documented in board meeting minutes. Additionally, the programs must include internal controls, independent testing, a designated BSA officer, training for appropriate personnel, member due diligence, and a customer/member identification program.
5. Noncompliant SAR and currency transaction report (CTR) filings. Examiners have found that CTRs often aren’t filed within 15 calendar days, or for every cash transaction above $10,000. Additionally, SARs often aren’t filed within 30 or 60 days, and aren’t complete or accurate, particularly SAR narratives.
According to NCUA, the next update to the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual (phase five) is in the works. Bludorn shared an anecdote of a BSA officer asking how he could determine whether the credit union’s BSA compliance program was sufficient. Bludorn suggested that the BSA officer “pretend to be an examiner” and use the FFIEC exam manual to “start working through the compliance program.”
State regulators cite other potential “land mines” to avoid before a BSA exam. They include:
Tailor your BSA/AML training program to employees’ specific responsibilities, advises Timothy Behunin, compliance officer at $17.5 billion asset America First Credit Union in Ogden, Utah.
Some examples of this requirement:
New staff also should receive a BSA/AML overview during orientation. For positions that require the performance of BSA/AML and/or OFAC duties, new staff must receive thorough training prior to starting the position.
COLLEEN KELLY is senior federal compliance counsel at Credit Union National Association. Contact CUNA’s compliance team at cuna.org/compliance.