Four Pillars of an Effective BSA/AML Program

By James M. Deitch and Anthony Nguyen, CPA

Managing Bank Secrecy Act/Anti-Money Laundering risk requires careful and extensive planning and governance. A credit union should establish a sound BSA/AML program to properly identify, measure, monitor, and control its risks. BSA/AML regulatory enforcement actions can greatly impair a credit union’s image and reputation.

There are four pillars to an effective BSA/AML program: 1) development of internal policies, procedures, and related controls, 2) designation of a compliance officer, 3) a thorough and ongoing training program, and 4) independent review for compliance.

National Credit Union Administration guidelines require that credit unions periodically perform a comprehensive risk assessment of their BSA/AML programs.

The Federal Financial Institutions Examination Council’s BSA/AML Risk Assessment also is an important tool for quantitatively and qualitatively documenting your program’s effectiveness.

1. Strong Internal Controls

Specific risk categories, such as products and services, members and entities, and geographic location, should be identified as part of the credit union’s risk assessment. Certain products and services, such as electronic banking, funds transfers, and automated clearinghouse transactions, may pose a higher risk of money laundering than others. Certain geographic locations, such as big cities vs. rural settings, also pose a higher risk for criminal enterprise activity, drug trafficking and human trafficking, and should be addressed.

Notably, strong BSA/AML controls by very large banks may be driving BSA/AML risk to CUs.

The measurement of BSA/AML risk can be compiled through the CU’s core processing database. A CU should risk-score members at account opening. CUs must be cognizant that the completeness and accuracy of the member profile data are of utmost importance to providing a reasonable basis to measure BSA/AML risk.

Transaction monitoring at a CU can be performed efficiently and automatically through the use of software. Practically speaking, most CUs will need to implement some form of automated monitoring tools to have an effective BSA/AML program. 

It is important for CUs to calibrate and tailor the automated BSA/AML monitoring software’s rule sets so the alerts generated are meaningful and efficiently detect suspicious activity, while minimizing unwarranted alerts. CUs have 90 days to file a Suspicious Activity Report where required or face fines. Ineffective BSA/AML monitoring can lead to enforcement actions, civil money penalties or worse. Credit unions should consider a self-initiated BSA/AML automated model review. Such a review ensures the rule sets and functionality of the model are working as intended. This can involve the testing of historical rule sets to confirm that test transactions designed to represent red flags are being captured as intended.

2. The BSA Officer

A CU should designate an experienced BSA officer who can identify areas that pose BSA/AML risks and recommend ways to mitigate or control these risks. Basic BSA/AML training should be provided to all individuals within the organization. The BSA officer should be especially alert for multiple cash transactions on new accounts that could indicate attempts at “structuring” cash activities to circumvent a currency transaction report being filed. For example, a customer could parcel a $12,000 cash transaction, which would require a CTR filing, into four separate $3,000 cash transactions over a span of a few days.
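The structuring pattern described above, and the seeded-transaction model review from the internal controls section, can be exercised with a small aggregation rule. This is an added Python example, not code from the authors or from any monitoring product; the five-day window, the member IDs and the sample transactions are constructed assumptions, and the threshold reflects the CTR requirement for cash transactions over $10,000.

```python
from collections import defaultdict
from datetime import date, timedelta

CTR_THRESHOLD = 10_000      # a CTR applies to cash transactions over $10,000
WINDOW = timedelta(days=5)  # assumption: the article only says "a few days"

def structuring_alerts(transactions, threshold=CTR_THRESHOLD, window=WINDOW):
    """Map member -> (first_day, last_day, total) where sub-threshold cash
    transactions inside the rolling window add up to more than the threshold."""
    by_member = defaultdict(list)
    for member, day, amount in transactions:
        # A single transaction over the threshold already produces a CTR,
        # so only sub-threshold amounts count toward the structuring rule.
        if amount <= threshold:
            by_member[member].append((day, amount))
    alerts = {}
    for member, txns in by_member.items():
        txns.sort()
        start, total = 0, 0
        for day, amount in txns:
            total += amount
            # Drop transactions that have aged out of the rolling window.
            while day - txns[start][0] > window:
                total -= txns[start][1]
                start += 1
            if total > threshold:
                alerts[member] = (txns[start][0], day, total)
                break
    return alerts

def model_review(transactions, expected, **rule_settings):
    """Compare alerts with the seeded expectation: (missed, unexpected)."""
    flagged = set(structuring_alerts(transactions, **rule_settings))
    return sorted(expected - flagged), sorted(flagged - expected)

# Constructed test set: one seeded red flag and two controls.
SEEDED = [("M-1001", date(2025, 3, d), 3_000) for d in (3, 4, 5, 6)]
SEEDED += [("M-1002", date(2025, 3, 4), 12_000),   # single deposit, CTR filed
           ("M-1003", date(2025, 3, 3), 3_000),    # ordinary activity
           ("M-1003", date(2025, 3, 5), 3_000)]

if __name__ == "__main__":
    print(structuring_alerts(SEEDED))
    print(model_review(SEEDED, expected={"M-1001"}))
```

Running `model_review` with a narrower `window` reports the seeded member as missed, which is the kind of calibration gap a model review is meant to surface.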

The BSA officer also should ensure appropriate initial and periodic validation of the BSA/AML monitoring tools, and should ensure prompt action on any exceptions. A backlog of unreviewed exceptions is the most frequent regulatory criticism of a BSA/AML program. Senior management should ensure prompt action and clearance on exceptions, as well as prompt filing of currency transaction reports and SARs. 

The BSA officer should be accountable for the BSA program, as well as ensuring adequate ongoing training is performed.

3. Training

In training, each employee needs to be taught what “suspicious” means and how to report suspicious activity. This is especially true in a CU where employees are taught to value and respect every member. It can sometimes be difficult to report member activity when the basic mindset is geared to member service. Effective training and encouragement to “know your members” is an important control for any BSA/AML program. Training should take various forms, including online training, annual in-person training, and encouragement that managers keep training top of mind.

4. Independent Review

An independent review by the CU’s internal auditor or an outside BSA/AML compliance review can provide a sound framework for the effective functioning of the BSA/AML program. The independent review should validate and test the BSA/AML automated tool’s rules and calibrations for effectiveness against the overall member risk profiles described above. Management should have an annual review to ensure the CU is compliant with regulatory standards. Any findings and recommendations should be addressed to strengthen and enhance the BSA/AML program.

Thoughtful adoption of these four pillars will help ensure your CU has an effective BSA/AML program.

James M. Deitch is CEO of Teraverde. He is a thought leader in community and mortgage banking, having served as CEO of four community banks, including two de novo banks. He has successfully implemented residential lending strategies in his banks, and served on the Mortgage Bankers Association’s Board of Governors for three terms, representing a community bank lender. He is a Certified Mortgage Banker, and has extensive secondary marketing experience as well as extensive regulatory experience with the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corp. and state regulators, especially in the residential lending and community banking areas. Anthony Nguyen is a CPA at Teraverde.