As with a variety of organizations, credit unions are subject to anti-money laundering compliance, as well as the Bank Secrecy Act. Recently, their BSA/AML compliance has come under increased regulatory scrutiny, underscoring credit unions’ obligations not only to adhere to the rules and regulations, but also to possess a sufficient compliance program of policies, training and reporting.
The Financial Recordkeeping and Reporting of Currency and Foreign Transactions Act of 1970, aka the Bank Secrecy Act, its amendments and accompanying regulations such as the USA Patriot Act, establish various requirements upon financial institutions with respect to anti-money laundering compliance. Primarily, affected institutions, including credit unions, are required to maintain appropriate records, have appropriate programs in place and file certain reports involving currency transactions and customer relationships. The required reports include currency transaction reports (CTRs) and suspicious activity reports (SARs).
CTRs are required for currency transactions over $10,000. This requirement also applies to activity that aggregates to be over $10,000 in a single day. Institutions will typically be on the lookout for incidents of “structuring” in which a party or parties break up a single transaction into smaller amounts in an attempt to avoid triggering an alert on the $10,000 threshold. The report contains personal information of the individual conducting the transaction such as Social Security number and government-issued identification.
SARs are required reports through which institutions report suspicious activity that might signify money laundering, tax evasion or other criminal activities. The aforementioned structuring activity might also be reported in a SAR.
The Financial Crimes Enforcement Network, a bureau within the U.S. Treasury Department, has the stated mission “to safeguard the financial system from illicit use and combat money laundering and promote national security through the collection, analysis and dissemination of financial intelligence and strategic use of financial authorities.” As part of the execution of this mission, FinCEN has the responsibility to implement, administer and enforce compliance with the BSA.
The obligation of credit unions to abide by the BSA is no different than other financial institutions, and FinCEN has the authority to investigate credit unions for compliance with the BSA. Additionally, the National Credit Union Administration (NCUA), as the regulator, also examines credit unions for compliance with the BSA and its implementing regulations.
BSA Enforcement in the Credit Union Industry
While the applicability of the BSA to credit unions is not a new development, there has been more of a focus on BSA/AML compliance in recent years.
2015 FinCEN Report
In 2015 the media aired a “confidential” FinCEN report discussing the vulnerability of credit unions to potential money laundering, in particular increased exposure from dealings with money service businesses (MSBs). FinCEN defines an MSB as “any person doing business … in one or more of the following capacities: (1) Currency dealer or exchanger, (2) Check casher, (3) Issuer of traveler’s checks, money orders or stored value, (4) Seller or redeemer of traveler’s checks, money orders or stored value, (5) Money transmitter, (6) U.S. Postal Service.” One potential cause of increased exposure cited was the de-risking by banks wherein banks have limited or stopped providing services to MSBs. Since MSBs are viewed as higher-risk customers, major banks, including those that have endured large penalties for BSA/AML deficiencies, have moved away from banking them. In looking for alternative avenues into the financial system, MSBs have in some instances gravitated toward credit unions.
As a result, scrutiny of credit unions and their BSA/AML compliance programs and monitoring by regulators, including FinCEN and the NCUA, has increased.
NCUA 2017 Focus
In January 2017, the NCUA stated its “primary areas of supervisory focus in 2017.” In addition to areas including cybersecurity, internal controls and fraud prevention, interest rate and liquidity risk, commercial lending and consumer compliance, the NCUA has specifically called out BSA compliance. Within that focus area, “NCUA field staff will focus on credit unions’ relationships with money services businesses (MSBs) and other accounts that may pose a higher risk for money laundering.” The administration has provided guidance regarding risk mitigation when dealing with MSBs.
In addition to understanding priorities announced by regulators, credit unions can also gain valuable insight from examining recent enforcement actions, when making important decisions about the focus and resource allocation for risk-based compliance approaches.
The Federal Financial Institutions Examination Council’s four “pillars” are often noted as the foundation for an adequate AML program. The FFIEC is an interagency body that prescribes uniform standards and principles for the examination of financial institutions by federal regulators including the NCUA. The FFIEC’s BSA/AML Examination Manual sets forth these pillars as involving:
• Designation of a BSA compliance officer
• Development of internal policies, procedures and controls
• Ongoing and relevant training of personnel
• Independent testing and review
In July 2016, FinCEN expanded this list to five, with a customer due diligence (CDD) requirement. By May 2018, financial institutions are to comply with this CDD rule, which includes specific CDD requirements and also requires the identification and verification of beneficial owners of legal entity customers.
Recent Enforcement Action Against New York Credit Union
A relatively recent example of BSA enforcement in the industry occurred in 2016, involving a Bronx-based federally insured credit union. The case resulted in a $500,000 civil penalty by FinCEN, and the NCUA liquidated the credit union as insolvent following a conservatorship. The penalty came about as a result of the institution’s “significant violations of anti-money laundering (AML) regulations.”
The violations surrounded specific areas of BSA/AML compliance and the details described below of the case laid out by FinCEN can serve as a checklist for other institutions evaluating their own programs and operations to appropriately deal with the attendant legal, operational and reputational risks.
In this case, the credit union historically had a membership client base of low to moderate-income customers in the New York City area, and maintained controls specific to that type of clientele. Around 2011, this institution began to take on commercial MSBs, (part of the aforementioned migration of MSBs from traditional large banks to credit unions) but appeared to have failed to adequately assess or mitigate the risks of money laundering and terrorist financing, such as conducting appropriate risk assessments and enhancing their BSA/AML programs. These MSBs were considered to carry more risk due to their presence in high-risk jurisdictions and activity such as wiring large amounts of funds monthly to countries known for money laundering activity.
Various failures and deficiencies cited by FinCEN in the civil action led to the determination that this credit union “willfully violated the BSA’s AML program and reporting requirements.” In this context, to establish that the conduct was willful, it needed only to be established that there was reckless disregard or willful blindness.
The specific violations can be categorized into two primary categories of failures and discussed in turn: failure to implement an adequate AML program, and failure to detect and adequately report suspicious transactions.
Category 1: Adequate AML Program
The first category, establishing and implementing an effective AML program, is required of all federally insured credit unions under the BSA and the regulations of the NCUA. Per those requirements, credit unions must establish and maintain a written AML program that provides for: a system of internal controls to assure compliance; independent testing for compliance; a designated, qualified compliance officer to coordinate and monitor day-to-day compliance; and training for required personnel. This echoes the previously noted four pillars, and it can be presumed that the “fifth pillar,” or CDD rule, will be integrated soon. Of these requirements under the first category, this credit union failed both to implement adequate internal controls and to designate a qualified compliance officer.
The internal control deficiencies included a failure to make the updates and enhancements required to adequately account for the influx of MSBs and the attendant money laundering and terrorist financing risks posed by these businesses. Instead, the institution maintained an AML program geared toward their original membership base of primarily low and middle income New York-based individual account holders. The institution also failed to conduct a risk assessment to address the new MSB clients and their wire transfers to jurisdictions known to be high-risk for money laundering, including Bangladesh, China, Ghana, Mexico, Pakistan and South Korea. In its findings, FinCEN noted that MSB transaction activity for this institution increased greatly, from $1.3 billion in 2010 to $4.0 billion in 2012.
Other internal control failures included a lack of necessary due diligence being performed on these MSBs, which the institution appeared to have outsourced to a third party without appropriately verifying or inspecting the third party’s activity. Furthermore, the institution failed to implement an effective suspicious activity monitoring system commensurate with the volume of funds transmission activity related to the client MSBs, and also failed to maintain sufficient staff necessary to monitor the increased transactions.
The other failure under the first category related to the credit union’s deficiency in its designation of an appropriate BSA compliance officer. Per the applicable regulations, a credit union must designate someone “responsible for ensuring day to day compliance with BSA requirements.” The person designated by this institution wore multiple hats in addition to the BSA officer role, including serving as business manager for MSB customers, which created a conflict of interest. Furthermore, absent this conflict of interest, the volume of MSB transaction activity likely warranted the designation of a BSA officer with that sole responsibility. The institution’s own BSA audits in 2011, and again in 2012, found a number of deficiencies, including a lack of internal controls to detect structuring, insufficient know your customer or CDD policies for its MSB customers, overdue BSA risk assessment and the lack of a written process to determine high-risk accounts.
Category 2: Adequate Reporting
The second category of failures cited in this action by FinCEN involved suspicious activity reporting violations. Per the BSA, financial institutions, including credit unions, are obligated to report transactions of at least $5,000 that are conducted through the institution and are deemed suspicious. Suspicious transactions have been broadly defined as those involving funds derived from illegal activities or transactions conducted to hide or disguise such funds, transactions designed to evade the BSA or other regulations, or transactions that appear to have no apparent business or lawful purpose, or are essentially out of character for the customer.
In this enforcement action, it was noted that the institution filed late suspicious activity reports as a result of a lookback. In addition, most of those SARS were found to be inadequate and of such poor quality as to have minimal benefit to law enforcement, the primary end-user of these reports.
To recap, credit unions have the same obligations under the BSA as other financial institutions. Relevant agency reports, priorities and lessons gleaned from enforcement actions in the BSA/AML space can be effectively leveraged by credit unions to ensure that their own compliance programs pass regulatory muster and contribute to the essential goals of the BSA, which include the prevention and detection of money laundering, terrorist financing and other criminal activities using the financial system
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
 31 U.S.C. 5311 et seq.
 “financial institution” includes, among other entities, FDIC-insured banks; any credit union; broker/dealers; a currency exchange; an issuer, redeemer, or cashier of travelers’ checks; an operator of a credit card system; an insurance company; a dealer in precious metals, stones, or jewels; a pawnbroker; a loan or finance company; a travel agency; a licensed sender of money or any other person who engages as a business in the transmission of funds; a casino, etc.
 Treasury Order 180-01; 31 C.F.R. § 1010.810
 31 U.S.C. § 5321(a)(1)
 31 C.F.R. § 1020.210