7 top BSA issues
Bank Secrecy Act compliance touches challenges ranging from elder abuse to human trafficking.
BSA and AML laws are in place to identify illicit transactions ranging from gun running to drug dealing to tax evasion, says Colleen Kelly, CUNA’s senior federal compliance counsel. More than 500 law enforcement agencies use the information credit unions share.
Over the past five years, these agencies have made more than 10 million inquiries for BSA/AML data from U.S. financial institutions.
While CUNA and its membership fully support law enforcement’s ability to track financial criminal activity, it’s important to strike a balance between compliance costs and benefits to the government.
“CUNA continues to work with Congress and the U.S. Treasury for feedback on all the information we share,” Kelly says. “We want to gain a better understanding of how the information is used and how often it leads to combating terrorist financing to sufficiently balance the cost to credit unions with the benefit to law enforcement.”
Kelly and Valerie Moss, CUNA’s senior director of compliance analysis, identify seven top issues related to BSA/AML compliance.
1. Elderly financial exploitation
The Economic Growth, Regulatory Relief and Consumer Protection Act (S. 2155), passed in 2018 with CUNA’s support, included a measure to combat senior financial exploitation and abuse. The new provision provides immunity for those reporting the abuse as well as the financial institution that employs the individual.
The provision states the individual will not be liable in any civil or administrative proceeding for sharing member information with a regulator or adult protective services as long as the reporting individual served as a supervisor or in a compliance or legal function with the credit union at that time and made the disclosure in good faith with reasonable care.
For credit union immunity, the provision further states the credit union will not be liable, including in any civil or administrative proceeding, for the disclosure of the senior’s financial information as long as the individual was employed or affiliated with the credit union at the time of disclosure, and before the time of the disclosure each individual involved in reporting the senior abuse received appropriate training.
Training is required for each employee or officer who serves as a supervisor in a compliance or legal function, who comes into contact with senior members, or who may review or approve documents, senior members’ records, or transactions.
Senior abuse training must be appropriate to employees’ job responsibilities and include how to identify and report suspected senior exploitation, and how to protect and respect members’ privacy and integrity.
2. Virtual currency
A virtual currency exchanger is a money service business (MSB) under Financial Crimes Enforcement Network (FinCEN) regulations. But a “user” who obtains virtual currency and uses it to purchase real or virtual goods or services is not an MSB, Moss says.
The definition of “money transmission” in FinCEN’s MSB regulation covers the acceptance and transmission of value that substitutes for currency, including virtual currency, Moss explains.
Compliance with BSA requires virtual currency transmitters to:
- Register with FinCEN as MSBs.
- Develop, implement, and maintain a BSA/AML program designed to prevent the MSB from being used to facilitate money laundering and terrorist financing.
- Establish recordkeeping and reporting measures, including filing suspicious activity reports and currency transaction reports.
“Convertible virtual currency” (CVC) refers to a medium of exchange that can operate like currency but doesn’t have all the attributes of “real” currency, including legal tender status. Bitcoin is an example of CVC.
“A recurring theme throughout FinCEN’s 2019 advisory on CVC is the issue of unregistered MSBs that may be operating illegally, attempting to evade supervision, and failing to implement appropriate controls to prevent their services from use for illicit activities,” Moss says.
An obvious red flag would be transactions involving an unregistered MSB such as a CVC kiosk (Bitcoin ATM) or an unregistered peer-to-peer exchange. Also, using a CVC exchanger located in a foreign location or high-crime area would warrant closer investigation.
3. Email compromise fraud schemes
These crimes occur when criminals compromise victims’ email accounts to send fraudulent wire transfer instructions to financial institutions to misappropriate funds.
Criminals continue to perpetrate these schemes to the tune of more than $9 billion in losses to U.S. financial institutions since FinCEN issued its initial guidance in 2016.
Fraudsters employ two types of email compromise, Moss says. Business email compromise (BEC) targets accounts of financial institutions or members that are commercial, nonprofit, nongovernmental, or government entities. Email account compromise (EAC) targets individuals’ personal accounts.
FinCEN encourages financial institutions to assess the vulnerability of their business processes to compromise and consider how they can “harden” or increase the resiliency of their processes and systems against email fraud schemes.
Also, a multifaceted transaction verification process, as well as training and awareness-building to identify and avoid email phishing schemes, can protect financial institutions against BEC and EAC fraud, Moss says.
4. Opioid trafficking
In August, FinCEN issued an advisory to alert financial institutions to illicit financial schemes involving opioid trafficking. Among the most prevalent types of trafficking is the movement of fentanyl and other synthetic opioids.
Fentanyl trafficking in the U.S. typically follows one of two pathways: direct purchase from China by U.S. individuals for personal consumption or domestic distribution, or cross-border trafficking of fentanyl from Mexico by transnational criminal organizations and small criminal networks, FinCEN reports.
Opioid trafficking funding mechanisms include purchases from a foreign source of supply using MSBs, financial institution transfers, or online payment processors; purchases from a foreign source of supply using convertible virtual currency; purchases from a U.S. source of supply using an MSB, online payment processor, CVC, or person-to-person sales; and other money-laundering mechanisms associated with procurement and distribution.
Red flags of opioid trafficking include:
- Account owners structuring cash deposits at branches nationwide into the same account with outgoing wire transfers to Mexico.
- Suspicious physical condition of deposited cash.
- Transactions out of pattern for members or business type.
- Transactions with no apparent business purpose.
- Noncorroborated source of funds.
“No single red flag signals suspicious activity conclusively,” Moss says. “Credit unions should also consider the surrounding facts and circumstances, such as the member’s previous account activity and whether he or she exhibits other red-flag indicators before determining whether a transaction is suspicious.”
5. Cannabis banking
While nearly three dozen states have legalized marijuana in some form, federal law still lists it as a Schedule 1 narcotic.
“Financial institutions are pivotal in any ongoing discussions because marijuana businesses need access to financial services,” Kelly says. “This issue has become a public safety concern because where there’s a lot of cash, there’s a threat of crime and violence.”
Even credit unions that don’t operate in states with legalized marijuana or those that decide not to serve marijuana-related businesses aren’t immune from compliance issues related to the drug, she adds. They still should develop policies that define such businesses, as well as whether to include ancillary businesses.
“Some businesses may not touch the plant but provide services that support marijuana dispensaries,” Kelly says. “These might include irrigation or packaging businesses. If you accept these ancillary businesses as members, you’re likely accepting money from marijuana-related businesses into your credit union.”
Additionally, credit unions that serve marijuana-related businesses must also define the types of businesses they will serve, she adds.
6. OFAC guidance
The Office of Foreign Assets Control (OFAC) published “A Framework for OFAC Compliance Commitments” in 2019 to provide guidance on the essential components of an effective sanctions compliance program.
These components include management commitment, risk assessment, internal controls, testing and auditing, and training.
The guidance outlines how OFAC may incorporate these components into its evaluation of apparent violations and resolution of investigations resulting in settlements.
The guidance also identifies some root causes of apparent violations, including:
- Failing to implement an OFAC sanctions compliance program.
- Misinterpreting or failing to understand the applicability of OFAC regulations.
- Facilitating transactions by non-U.S. persons, especially through overseas subsidiaries or affiliates.
- Processing financial transactions that involve an OFAC-sanctioned country, region, or person.
- Failing to update sanctions-screening software.
- Failing to centralize compliance functions and the inconsistent application of a sanctions compliance program throughout branches and business units.
“Credit unions also need an effective OFAC training program, a formal escalation process, and the consistent application of OFAC policies and procedures across the entire organization,” Moss says.
7. Human trafficking
This disturbing crime enslaves more than 40 million people across the world, 71% of whom are women and children, according to research developed by the International Labour Organization and the Walk Free Foundation.
“Because this industry generates $32 billion a year, this money has to flow through financial institutions,” Kelly says. “Consequently, credit unions can play a critical role in combatting this human suffering.”
Traffickers are turning to payment tools that allow them to remain anonymous, such as prepaid cards and cryptocurrency. “Some activity also comes through credit cards,” Kelly adds.
But traffickers have to intersect with legitimate industries at some point.
“They need financial institutions to store their earnings; they need buses or trucks to move their victims; and they need hotel rooms, which are integral in the operations of some sex traffickers,” Kelly says.
Although financial institutions must delete copies of identification (ID) after online account opening, a provision of Senate Bill 2155 allows for the storage and retention of copied IDs to:
- Comply with federal BSA laws.
- Verify the authenticity of the ID.
- Verify the identity of the individual.
- Comply with a legal requirement to record, retain, or transmit the information in connection with the opening of an account or obtaining of a product or service.