BSA Compliance Remains a Challenge

Valerie Y. Moss and Nichole Seabron

Expect continued regulatory scrutiny of your BSA compliance program.

Most credit unions have adjusted to tougher regulatory scrutiny of their Bank Secrecy Act (BSA) compliance programs. Nevertheless, compliance remains a challenge for most, if not all, institutions. That’s why so many credit union compliance professionals attend the BSA Compliance Conference every year. It’s sponsored jointly by the Credit Union National Association (CUNA) and the National Association of State Credit Union Supervisors.

Last year’s conference in November featured speakers from the National Credit Union Administration (NCUA), Financial Crimes Enforcement Network (FinCEN), and Office of Foreign Assets Control (OFAC); federal law enforcement agencies; and BSA compliance experts and consultants. Here are some highlights.

Common violations
Although credit unions have worked hard to improve their compliance programs, examiners see many of the same violations. For example:

• Training. Credit unions often don’t document BSA training efforts, making it appear they have no training program at all. Maintain training and testing materials, training session dates, and attendance records. Examiners would like to see a testing method to determine comprehension (although testing remains optional).

In some cases, examiners discovered training isn’t comprehensive or frequent enough. Credit unions should provide audience-specific training to all appropriate personnel. For example, front-line staff should receive a much different level of training than the compliance officer. Boards and senior management should receive high-level training on BSA’s general aspects. Training should be done at least annually, and not just during new-employee orientation.

• Independent testing (audit). Examiners noted credit unions don’t conduct independent audits often enough (should be at least every 12 to 18 months) or that the audits don’t cover all of the credit union’s operations. Independent testing should include transactional testing, conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties. Credit unions can even swap auditors. Use the Federal Financial Institutions Examination Council’s (FFIEC) Bank Secrecy Act/Anti-Money Laundering Examination Manual as a guide. 

• Internal controls. The credit union’s board of directors, acting through senior management, must ensure the credit union maintains an effective BSA anti-money laundering (AML) internal control structure, which includes suspicious activity monitoring and reporting. But many credit unions’ AML systems are inadequate. The more complex or “higher risk” a credit union’s profile, the more robust its system needs to be. Examiners have also found that many credit unions aren’t reviewing (and updating if necessary) their risk assessments as needed (at least every 12 to 18 months).

• Data quality errors. Consistent errors include incomplete Currency Transaction Reports (CTR) and blank Suspicious Activity Report (SAR) narratives. FinCEN asked credit unions to complete all fields on the SAR as required by the form instructions and FinCEN guidance. Credit unions should be sure to review SAR narratives for completeness, always keeping in mind that law enforcement is the target audience. Both NCUA and FinCEN encouraged credit unions to consider FinCEN’s e-filing system (see Issue 16 of FinCEN’s SAR Activity Review). 

BSA is forever
BSA has been around since 1970, so why the continued regulatory focus? Criminal activity never goes away. The information credit unions gather via suspicious activity and currency transaction reporting remains vital to law enforcement in investigating money laundering, terrorist financing, and other financial crimes.

Law enforcement officials assured credit unions that they read all the SARs and CTRs institutions file. SAR review teams—with the primary purpose of systematically examining reports from specific geographic jurisdictions—identify individuals who may be engaged in criminal activities, and coordinate and disseminate leads to appropriate agencies for follow-up. Currently, there are about 90 review teams, made up of law enforcement and various federal, state, local, and regulatory agencies. 

Credit unions also may not be aware of the Currency and Banking Retrieval System (CBRS), an online database that contains BSA information. The Internal Revenue Service, as well as local, state, and federal law enforcement agencies (e.g., Justice and Customs departments, the Drug Enforcement Administration) access it to research tax cases and track money laundering activities. Federal regulatory agencies also use CBRS for general examination, compliance, and enforcement efforts.

So, how can credit unions better help law enforcement agencies do their jobs? In a nutshell: Conduct thorough research and analysis, accurately complete all the data fields, and write a clear and comprehensive SAR narrative. What SAR narratives often lack:

• Signers on accounts (e.g., not just “doing business as” information for business accounts);

• Phone numbers and e-mail addresses (if available);

• Certain key words to give law enforcement a heads up regarding what the SAR is about (e.g., tax evasion, mortgage fraud);

• Descriptions of related transactions and any supporting documentation that’s available for review (do not send the actual attachments or use tables in the narrative);

•Any conversation details; and

• Names of any credit union employees with personal knowledge.

This is in addition to the SAR basics, such as:

• Who conducted the suspicious activity?

• What instruments or mechanisms were used to facilitate the suspect transactions?

• When and where the suspicious activity took place?

• Why do you think the activity is suspicious?

• How or by what method of operation the suspicious activity took place?

Lastly, don’t forget that law enforcement also investigates financial institutions for BSA violations. How do financial institutions become targets? As one law enforcement speaker at the conference said, “They make themselves targets by participating in substantial money laundering activity and not cooperating with investigations.”

The Justice Department prosecutes financial institutions that have systemic deficiencies in their AML programs, or are involved in money laundering activity. This usually occurs when ongoing AML issues persist or the financial institution is under a consent order (with the regulator) to correct problems, and yet they persist.

Here’s a look at a few BSA issues ahead:

• The Credit Card Accountability, Responsibility, and Disclosure (CARD) Act of 2009 required the Treasury Department to issue BSA regulations regarding the “sale, issuance, redemption, or international transport of stored value, including stored value cards.” Expect a final regulation in the first quarter of 2010.

• NCUA and the banking agencies will add new sections to the FFIEC BSA/AML Examination Manual in early 2010.

• OFAC finalized its Economic Sanctions Enforcement Guidelines, effective Nov. 9, 2009. The guidelines outline the factors to determine the appropriate enforcement response to an apparent violation of an OFAC sanctions program. This final rule supersedes all previous enforcement guidance OFAC issues, and applies to all persons and entities subject to any of the sanctions programs OFAC administers.

• OFAC will change its regulations to mandate electronic filing of blocked and rejected transaction reports and is currently beta testing the new system.

VALERIE Y. MOSS is director of compliance information, and NICHOLE SEABRON is federal compliance counsel for the Credit Union National Association. Send compliance questions to cucomply@cuna.com.