Bank Secrecy Act Director Edition

As a credit union board member, you have an important role in Bank Secrecy Act (BSA) compliance. The board has oversight of your credit union's BSA program. That includes understanding the basics of it, approving the policy, and appointing a BSA compliance officer once a year. You are also required to attend training annually on the topic.

We offer a pre-recorded webinar for director BSA training that is specific to the board role. It is currently available on our Director Training Tools page. Credit union staff have had the opportunity for a few years to do a 10-day email series in early December as an alternative to audio learning. This newsletter is a compilation of some of what they had in their recent email series, and is intended for any board member as an update or refresher on BSA.

Please let me know if you have questions or would like additional resources on any of the discussions below.

The Risk Assessment
While risk assessments are expected with your Bank Secrecy Act program, credit unions have been going through them informally for years. Your board and management likely did analysis and risk assessments prior to implementing many of your existing products, building a new branch, establishing vendor relationships, or going through an expansion or merger. A risk assessment is just a process that gets the risk analysis translated from discussion to paper.

The BSA risk assessment should address your credit union's field of membership, products, services, and geographic location. Because each of these has an impact on the potential risk in the credit union for money laundering and other illegal activities, the risk assessment must be updated whenever anything is added or changed. At a minimum, both the board and management need to review and/or update it every year, and any discussions impacting it should be recorded in the board meeting minutes.

Field of Membership  
A risk assessment should clearly reflect the credit union's field of membership (FOM). Consider whether your FOM is a single employer, includes business accounts, encompasses multiple counties and urban areas, or is within a growing community where many members and potential members are new to the area and not well known.
When a credit union expands to new counties or moves from a SEG-based to a community-based membership, it is an appropriate time to review the inherent risk of that change and adjust the credit union's policies and procedures to reflect it.
Products and Services
Certain products and services pose a higher risk of money laundering or terrorist financing because they may have a higher degree of anonymity or involve handling higher volumes of currency. Changing the way members access their accounts and services also impacts a credit union's risk level. 

Geographic Location
When assessing geographic location, your credit union should consider specifically whether it has offices or a field of membership in a High Intensity Drug Trafficking Area (HIDTA). If your field of membership includes a county with this designation, your risk is higher for money laundering activity than if it were not.
There are currently six counties in Montana deemed to be an HIDTA: Cascade, Flathead, Gallatin, Lewis & Clark, Missoula, and Yellowstone. Also included is Williams County in North Dakota (Williston), so keep it in mind if your service area borders or includes that area.
Resource Sharing
In early October, NCUA and other federal agencies issued an interagency statement reminding financial institutions that they can "use collaborative arrangements to pool human, technology, or other resources to reduce costs, increase operational efficiencies, and leverage specialized expertise."
The intention of sharing and collaborating is to reduce expenses and resources devoted to the Bank Secrecy Act compliance efforts required of all financial institutions. Examples they give in the statement include sharing a compliance officer, providing the independent testing for one another's institutions, or assisting each other with training. Leveraging available knowledge and expertise whenever possible can be helpful.
Beneficial Ownership Rules
FinCEN's new Beneficial Ownership rule became effective on May 11, 2018. Here are a few details to review for compliance:
  • The credit union's BSA policy should have been updated to include the new member due diligence and beneficial owner collection.
  • The rule covers "legal entities" including a corporation, limited liability company, or any other entity that registers with the Montana Secretary of State, but not sole proprietorships or unincorporated sports leagues.
  • The beneficial ownership test includes ownership (>25%) or significant managing control of the entity. If someone meets one of those two qualifications, the credit union collects their name, address, date of birth, and tax ID number. 
  • Loan and account staff should have been trained to discuss and collect this information on affected accounts.
  • Legal entity accounts open prior to May 11, 2018 were exempt from the beneficial ownership rule, until the entity opens a new account or loan after that date.
  • FinCEN provided a model form to use for collecting beneficial owner information.
Your credit union also needs a process to risk rate members and risk-based procedures for high risk accounts and members. NCUA exams in 2019 are expected to look closely at compliance efforts on these new rules.
BSA Program Oversight
Your board should ensure you provide the following in oversight of the credit union's BSA program:
  • Annual approval of the program and policy
  • Review any changes impacting the risk assessment or program
  • Document any discussions on the program
  • Follow up on audit and exam findings
  • Provide adequate funding & resources for the BSA compliance officer and program
Compliance Gone Wrong
As much as credit unions strive for compliance, no one is perfect. Below are some examples of BSA-related penalties and civil money penalties when regulatory agencies reacted accordingly. They serve as a good reminder of the importance of compliance efforts.
Citibank
The OCC imposed a $70 million penalty on the bank in January for violating a 2012 Cease and Desist Order which identified BSA program violations. Citibank failed to adopt and implement a BSA compliance program, which led to failure to timely file SARs and inadequate customer due diligence on some accounts. Their independent audit also missed systemic deficiencies that their examiner later uncovered.
Capital One
The Office of the Comptroller of the Currency (OCC) imposed a $100 million civil money penalty against Capital One Bank in October for deficiencies in their BSA program. The OCC's 2015 order against the bank was cited, along with the bank's failure to achieve timely compliance with the previous order. It had weaknesses in its compliance program; deficiencies in its risk assessment, remote deposit capture, and correspondent banking processes; and a failure to file SARs.

U.S. Bank
In perhaps the oddest example of failure in a BSA program, this bank -- that operates across Montana -- was given a $185 million civil money penalty for capping alerts rather than investing in necessary resources for their BSA program. It was noted "alert capping caused it to fail to investigate and report thousands of suspicious transactions." The order also noted that U.S. Bank had an inadequate process to handle high risk accounts and, as a result, "customers whom the bank identified or should have identified as high risk were free to conduct transactions through the bank, with little or no bank oversight."
Board Policy Review
The board of directors is required to review and approve the credit union's BSA policy at least annually. You have the ultimate oversight and responsibility for your BSA/AML program, so you need to be briefed on any changes, noted deficiencies from audits and exams, adjustments made to policy or regulation, and other pertinent factors. 
The board review and approval of the program should always be noted in board minutes. The review may be scheduled to coincide with the board's annual BSA training, or can be done at a different time. Detailed documentation of both in the minutes is suggested.
Monthly Report
At each board meeting you should receive a report on all suspicious activity reports (SARs) filed by the credit union for the previous month. It should include the number of SARs filed, their category type(s), and the dollar amounts involved.

The filing of a SAR is extremely confidential. It should NEVER be discussed with or mentioned to a member or any other employee who is not involved in the situation. For that reason, the report your board receives monthly may contain limited details on the situation that prompted the filing. This helps preserve the highly confidential nature of the reports while keeping board members apprised of the program you are responsible for overseeing.
What is an MSB?
An area of continued focus in BSA exams is Money Service Businesses (MSBs) that hold their account at a credit union. FinCEN has defined MSBs to include five distinct types of financial services providers: 
  1. currency dealers or exchangers; 
  2. check cashers; 
  3. issuers of traveler's checks, money orders, or stored value cards; 
  4. sellers or redeemers of traveler's checks, money orders, or stored value cards; and 
  5. money transmitters. 
In Montana, many MSBs are local bars, grocery stores, or convenience stores. FinCEN's website has a wealth of information available on the compliance expectations for MSBs. 
Marijuana-Related Issues
Credit unions across Montana are seeing activity related to marijuana dispensaries and related businesses. Sometimes that comes in the form of a request for a business account or loan, and other times it is noticing activity that is suspected to involve an MRB (marijuana-related business). It is highly recommended that your credit union have a board-approved policy on whether or not you will serve the marijuana industry. 
If you do not serve MRBs, your policy should include detail on how your credit union will respond if you are approached about accounts or loans, as well as steps that will be taken if you find you already have accounts open that serve the industry.
If you do choose to serve the industry, your policy should lay out the steps you will take for filing the necessary SARs and collecting and tracking needed information.
There are two great examples available in CU PolicyPro in #2113 (Not Servicing Marijuana-Related Business Accounts) and #2112 (Marijuana-Related Business Accounts). You may need to incorporate references to specific Montana features such as the DPHHS website and the fact that only medical marijuana is currently legal in our state.

Culture of Compliance
Regulatory agencies continually stress the importance of promoting a strong culture of BSA/AML compliance for all financial institutions regardless of their size. FinCEN issued advisory FIN-2014-A007 in response to the slew of civil and criminal enforcement actions taken by the regulatory agencies in the years prior. 
The culture starts with the board and management and must be communicated and supported at all levels within the credit union. Some credit unions have even added expectations of compliance to position descriptions.

Donya Parrish, BSACS, CUDE

VP-Risk Management
(o) 406.324.7374
(c) 406.459.3497