RB-2005-01 Guidance on Bank Secrecy Act (BSA) Compliance
In October 2004, the Financial Crimes Enforcement Network (FinCEN) entered into an agreement with the federal banking regulators, including the National Credit Union Administration (NCUA), concerning the reporting of significant BSA violations. The agreement went effect on December 1, 2004 and all state credit union regulators will be bound to similar reporting requirements. Currently, FinCEN is negotiating with the Department to develop a separate agreement with this state. This agreement may cause slight variations from the guidance in this Bulletin for future BSA reporting requirements for the Department.
Under the agreement entered into by NCUA and FinCEN, the Department is expected to identify and report significant BSA compliance violations to the NCUA, who will then report these violations to FinCEN. Significant BSA violations include pervasive violations, systemic violations, and repeat findings.
A pervasive violation is “all-encompassing”. A pervasive violation generally pertains to policies and procedures; it should be assessed from a strategic perspective. A partial list of examples follows:
- Absence of written policy and procedures
- Inadequate policy and procedures covering all essential elements
- Absence or lack of training for employees
- No independent review process
- Refusal to file a CTR or SAR for a single observable incident (could imply preferential treatment)
- Refusal to freeze an account when information appears to match a government listing
A systemic violation is a willful or reckless disregard for compliance with BSA provisions; it typically involves multiple incidents of noncompliance. A systemic violation should be assessed from a transactional perspective. A partial list of examples follows:
- Absence of a monetary transaction log
- Absence of CTR and/or SAR identification and filing process
- No records retention process
- No routine comparison with government lists
- Incomplete member or beneficiary information recorded in logs, CTSs and/or SARs
- No verification of member-furnished identifying information
- Not performing 314(a) searches in a timely manner
- Not reporting 314(a) matches in a timely manner
- More than one observable incident of not filing a CTR or SAR
Depending on the circumstances associated with an individual violation, a violation which, would usually be classified as systemic, may become pervasive.
A repeat violation is any violation (pervasive or systemic) that was previously identified and not resolved by a credit union.
CORRECTON OF VIOLATIONS
Once a significant BSA violation has been identified by examiners, it is important that credit union management correct the violation as soon as possible. The Department’s examiners will set-up an acceptable time frame for the BSA violation to be corrected. Under NCUA plans, this time frame must be no longer than 90 days from the date the violation was discovered by the examiner. Individual credit unions will be required to forward documentation to the Department that shows the significant BSA violation was satisfactorily corrected. After the Department verifies that satisfactory correction was made, the Department will notify NCUA of the resolution. NCUA will in turn notify FinCEN that satisfactory correction was made. It is imperative that all significant BSA violations be corrected within 90 days of identification by the examiners.
The Department encourages credit unions to be proactive in identifying weaknesses and problems in their credit union’s BSA compliance program. Specifically, credit unions should take the following steps to ensure BSA compliance:
- Adopt strong BSA policies and procedures, which cover the required elements of BSA;
- Develop a system of internal controls to ensure ongoing BSA compliance;
- Assure that employees receive sufficient BSA compliance training;
- Test for BSA compliance, either by independent credit union staff or officials, or by an independent third party;
- Document that your credit union is properly meeting the BSA compliance requirements and retain those documents; and
- Stress the importance of BSA compliance to all staff members.
At a minimum, a satisfactory BSA policy should cover the following required elements:
Customer Identification Program (CIP)
- Identification of a member’s name, date-of-birth, address, and identification number prior to account opening;
- Verification of the information obtained.
Currency Transaction Report (CTR) Filings
- Are CTRs filed timely (within 15 days) when necessary (involves more than $10,000 in cash-in or cash-out)?
- Does the credit union properly exempt permitted people from filing CTRs by filing a “Designation of Exempt Person” form?
Suspicious Activity Reports (SAR) Filings
- Are SARs filed within 30 days after discovery of a suspicious activity?
- Is staff aware of what activity might be termed “suspicious”?
OFAC – Searching OFAC Lists for Prohibited Countries, Organizations and Individuals
- Does the credit union block or freeze accounts and transactions that are found to match the prohibited OFAC listing?
- Does the credit union report this information to FinCEN immediately?
Money Transfer Services
- Credit unions that provide money transfer services (i.e. wire transfers) must obtain and record specific information on each money transfer of $3,000 or more.
- Maintain Necessary Information for the Purchase or Issuance, by Currency, Credit Union Checks, Cashier’s Checks, Traveler’s Checks, and Money Orders for Amounts Between $3,000 and $10,000
- Other BSA Compliance Requirements
The importance of following the BSA requirements cannot be over-emphasized. Federal government regulators, FinCEN, the Department of Homeland Security, OFAC and others, have elevated even more the importance of blocking transactions that occur at financial institutions that might benefit terrorism and drug trafficking. To this end, they have elevated the importance of BSA and are requiring that financial institutions, including credit unions and their regulators, elevate the importance of examining for BSA compliance. Federal monetary penalties can be assessed to financial institutions who do not comply with BSA; and both criminal charges and civil money penalties can be brought against individuals who are willfully non-compliant with BSA requirements.
Credit unions need to ensure that their policy and procedures are compliant with BSA, that employees are properly trained on BSA, and that internal controls are in place to ensure that employees are properly implementing these policies and procedures.
The requirements for BSA compliance do not vary based on the asset size of a credit union; however, the cost and type of action necessary to achieve compliance may vary. For example, a small, non-cash credit union, would need to have a BSA policy, but this credit union will have a very different policy (less complex and much smaller) than a large, multi-branch credit union