1
BSA/AML & OFAC Staff Training
AS A BOARD MEMBER YOU DON’T NEED AS MUCH TRAINING AS THE CREDIT UNION’S EMPLOYEES – YOU DO NEED TO UNDERSTAND THE IMPORTANCE OF BSA REGULATIONS, THE RAMIFICATIONS OF NONCOMPLIANCE AND THE RISK POSED TO THE CREDIT UNION.
AGENCIES THAT MONITOR ARE: PRIMARY REGULATOR, NCUA, FINCEN AND OFAC.
PART 748 OF NCUA REGULATIONS REQUIRE EVERYTHING ABOUT FINCEN 2017
2
Today’s Discussion Overview Money Laundering Overview
FinCEN/OFAC & Penalties 5 Pillars of BSA BSA Reporting Requirements (SAR & CTR) Practice Red Flags Human Trafficking & BSA Wire/Monetary Instruments Final Exam FINCEN IS THE ADMINISTRATOR OF BSA - PROPOSE AND FINALIZE RULES ISSUE ADVISORIES, BULLETINS, FACT SHEETS CREATE GUIDANCE REGULATE ALL FORMS PROVIDE INFORMATION TO FINANCIAL INSTITUTIONS, LAW ENFORCEMENT, INSURANCE COMPANIES, ETC. FREQUENT EXAM PROBLEM AREAS Hotline: (866) 2017 Carolinas Credit Union League
3
Acronyms
Acronym - Reference
BSA - Bank Secrecy Act
OFAC - Office of Foreign Assets Control
CTR - Currency Transaction Report
SAR - Suspicious Activity Report
CIP/MIP - Customer/Member Identification Program
AML - Anti-Money Laundering
4
BSA/OFAC Overview Chart
Department of Treasury Collect & Report using CTR or SAR form Do Not List Freeze or Block Assets Bureau of FinCEN BSA/AML 314(a) & 314 (b) Office of TFI OFAC SDN List They do not share information between the 2 departments Carolinas Credit Union League 2017
5
What is Money Laundering?
Money laundering is the process of making illegally-gained funds appear legal. There are 3 steps:
- Placement
- Layering
- Integration
Money laundering can facilitate crimes such as drug trafficking and terrorism.

Money Laundering
Money laundering is the criminal practice of processing ill-gotten gains, or “dirty” money, through a series of transactions; in this way the funds are “cleaned” so that they appear to be proceeds from legal activities. Money laundering generally does not involve currency at every stage of the laundering process. Although money laundering is a diverse and often complex process, it basically involves three independent steps that can occur simultaneously:

Placement. The first and most vulnerable stage of laundering money is placement. The goal is to introduce the unlawful proceeds into the financial system without attracting the attention of financial institutions or law enforcement. Placement techniques include structuring currency deposits in amounts to evade reporting requirements or commingling currency deposits of legal and illegal enterprises. An example may include: dividing large amounts of currency into less-conspicuous smaller sums that are deposited directly into a bank account, depositing a refund check from a canceled vacation package or insurance policy, or purchasing a series of monetary instruments (e.g., cashier’s checks or money orders) that are then collected and deposited into accounts at another location or financial institution. Refer to Appendix G ("Structuring") for additional guidance.

Layering. The second stage of the money laundering process is layering, which involves moving funds around the financial system, often in a complex series of transactions to create confusion and complicate the paper trail. Examples of layering include exchanging monetary instruments for larger or smaller amounts, or wiring or transferring funds to and through numerous accounts in one or more financial institutions.

Integration. The ultimate goal of the money laundering process is integration. Once the funds are in the financial system and insulated through the layering stage, the integration stage is used to create the appearance of legality through additional transactions. These transactions further shield the criminal from a recorded connection to the funds by providing a plausible explanation for the source of the funds. Examples include the purchase and resale of real estate, investment securities, foreign trusts, or other assets.
6
Elements of Money Laundering
1. Placement
   - Deposits
   - Money Orders
   - Cashiers Checks
2. Layering
   - Wire Transfers
   - Certificates
   - Loan Schemes
3. Integration
   - Property purchases (real estate, auto, antiques)
   - Funds reintroduced into the system
7
WHY DO WE CARE ABOUT BSA Penalties?
- Standard negligence: $500
- Pattern of negligence: up to $50,000
- $10,000 per day for CTRs not filed within 15 days
- If international money laundering is evident, penalties of up to $1,000,000
- Intentional noncompliance: Up to $100,000 in civil penalties – can be levied against individual employees and board members.
- Criminal penalties for willful noncompliance: $500,000 and up to 10 years in prison, levied against individual employees and board members.
- Bad publicity & Reputational Risk

Criminal Penalties for Money Laundering, Terrorist Financing, and Violations of the BSA
Penalties for money laundering and terrorist financing can be severe. A person convicted of money laundering can face up to 20 years in prison and a fine of up to $500,000. Any property involved in a transaction or traceable to the proceeds of the criminal activity, including property such as loan collateral, personal property, and, under certain conditions, entire bank accounts (even if some of the money in the account is legitimate), may be subject to forfeiture.

Pursuant to various statutes, banks and individuals may incur criminal and civil liability for violating AML and terrorist financing laws. For instance, pursuant to 18 USC 1956 and 1957, the U.S. Department of Justice may bring criminal actions for money laundering that may include criminal fines, imprisonment, and forfeiture actions. In addition, banks risk losing their charters, and bank employees risk being removed and barred from banking.

Moreover, there are criminal penalties for willful violations of the BSA and its implementing regulations under 31 USC 5322 and for structuring transactions to evade BSA reporting requirements under 31 USC 5324(d). For example, a person, including a bank employee, willfully violating the BSA or its implementing regulations is subject to a criminal fine of up to $250,000 or five years in prison, or both. A person who commits such a violation while violating another U.S. law, or engaging in a pattern of criminal activity, is subject to a fine of up to $500,000 or ten years in prison, or both. A bank that violates certain BSA provisions, including 31 USC 5318(i) or (j), or special measures imposed under 31 USC 5318A, faces criminal money penalties up to the greater of $1 million or twice the value of the transaction.
8
BSA Penalties & You
Directors, Management & Staff Take Note: For a credit union to be found “acting willfully” in these types of violations, FinCEN only needs to show that the credit union acted with “reckless disregard” or “willful blindness”. FinCEN DOES NOT need to show that the credit union or credit union employee/board member had knowledge that the conduct violated the BSA or that the credit union or employee/board member acted with “improper motive or bad purpose”. Bottom line: Make sure you fully understand your BSA compliance responsibilities!

Anatomy of a $4.5 million BSA violation penalty.
It’s becoming less uncommon to read in the news about multi-million dollar penalties for Bank Secrecy Act (BSA) violations. FinCEN recently announced the assessment of a $4.5 million civil money penalty against a West Virginia Bank for failing to comply with several requirements of its anti-money laundering (AML) program. Let’s take a look at what the bank specifically did, or failed to do, so that you can breathe a sigh of relief as you tell yourself (and your credit union’s BOD), “whew, we would never do that!”.

First some background: The West Virginia bank has 48 employees, six branches and $93,879,000 in assets. It offers personal, commercial, and consumer banking products, as well as online services.

The following actions led to the bank’s BSA violations:
- Although the bank designated a BSA compliance officer, it did not provide the BSA officer with sufficient resources and time to adequately oversee its compliance program (uh-oh);
- The bank assigned the BSA officer multiple non-BSA responsibilities that left him unable to adequately fulfill his BSA obligations, and failed to designate an additional person to support the BSA officer;
- A branch manager facilitated a corporate customer’s structured transactions to evade the filing of CTRs;
- Bank management was aware of the branch manager’s structuring scheme, but failed to file the required CTRs and SARs (allowing $9.2 million in structured, and otherwise suspicious, cash transactions to flow through the bank) (that’s a lot of structuring!);
- The bank did not risk-rate its customers during the account opening process or classify their respective accounts;
- The bank did not assess its money laundering risk for its high-risk customers nor design an anti-money laundering compliance program to address those risks;
- Although the bank used a software system to monitor its accounts for unusual activity going through the bank, it did not use it to detect and report suspicious activity (hello?! Are you kidding me?);
- The bank failed to address procedures to handle check cashing, payroll activity and cash intensive customers;
- The bank’s required BSA independent testing failed to include high-risk activities and failed to determine whether appropriate controls were in place to detect, monitor, and report suspicious activity and large currency transactions (um – what did they test?);
- The bank’s employees lacked the knowledge and skills to identify high-risk accounts, recognize and report suspicious activities and currency transactions, and appropriately aggregate large cash transactions for BSA reporting requirements;
- The bank did not have comprehensive training tailored to the needs of specific positions, departments, board members and other personnel;
- A large percentage of the bank’s accounts were opened with P.O. Box addresses rather than physical street addresses as required by the BSA’s Customer Identification Program (CIP);
- The bank failed to properly aggregate currency transactions and file the required CTRs;
- A customer’s file indicated an account closure statement from a different bank, the customer made significant cash deposits ($310,000) compared to check deposits ($72,000) – which was unusual activity for the account, however no account monitoring or enhanced due diligence was triggered for this account.
- And finally, the branch manager approved a $50,000 line of credit (LOC) for a corporate customer and instructed the customer to fax a “Request for Advance” form to the branch for each cash withdrawal. The branch manager or his assistant would approve the Request for Advance, and a teller would then prepare a cashier’s check in the name of the corporate customer’s employee for amounts just under $10,000. The employee was allowed to cash the check without depositing it into the checking account of the corporate customer (over a five year period the customer withdrew $9.2 million this way!)

Oppenheimer & Co. Inc.
$20 Million for Continued Anti-Money Laundering Shortfalls
FinCEN and the New York Stock Exchange assessed a civil money penalty of $2.8 million against Oppenheimer in 2005 for similar violations. In 2013, the Financial Industry Regulatory Authority fined the firm $1.4 million for violations of securities laws and anti-money laundering failures. From 2008 through May 2014, Oppenheimer conducted business without establishing and implementing adequate policies, procedures, and internal controls reasonably designed to detect and report suspicious activity. FinCEN identified 16 customers who engaged in patterns of suspicious trading through branch offices in five states. All the suspicious activity involved penny stocks, which typically are low-priced, thinly traded, and highly speculative securities that can be vulnerable to manipulation by stock promoters and “pump-and-dump” schemes. Oppenheimer failed to report patterns of activity in which customers deposited large blocks of unregistered or illiquid penny stocks, moved large volumes of penny stocks among accounts with no apparent purpose, or immediately liquidated those securities and wired the proceeds out of the account. In addition, Oppenheimer itself designated a customer foreign financial institution as “high risk” but failed to assess the institution’s specific risks as a foreign financial institution or conduct adequate due diligence. Oppenheimer inadequately monitored the foreign financial institution’s transactions and consequently did not detect or investigate numerous suspicious transactions conducted

The NCUA has issued a cease and desist order to North Dade Community Development FCU, Miami Gardens, Fla. FinCEN assessed a civil money penalty in the amount of 300k. North Dade officials have consented to the order, which requires the following actions:
- Cease and desist transacting all business activity for money services businesses not located within the credit union’s geographic field of membership.
- Suspend transacting business activity for all remaining member money services businesses until an adequate Bank Secrecy Act/Anti-Money Laundering/Office of Foreign Assets Control program is developed and implemented.
- Verify that all members are within the credit union’s field of membership.
- Identify all bank secrecy/anti-money laundering/foreign assets control compliance deficiencies.
- Designate a Bank Secrecy Act compliance officer.
- Complete a comprehensive bank secrecy/anti-money laundering/foreign assets control risk assessment.
- Revise and document board approval for all policies relating to bank secrecy, anti-money laundering, and foreign assets control.
- Ensure staff and officials are adequately trained on all bank secrecy, anti-money laundering, and foreign assets control applicable laws and regulations.
- Develop a system of internal controls to ensure ongoing compliance with all applicable bank secrecy, anti-money laundering, and foreign assets control laws and regulations.
- Conduct bank secrecy, anti-money laundering, and foreign assets control compliance program testing.
- Ensure bank secrecy, anti-money laundering, and foreign assets control testing is complete and results are reported to the board of directors.

Takeaway: this is a Region 3 credit union, which is the region we are in.

NCUA made the decision to liquidate North Dade Community Development Federal Credit Union and discontinue operations after determining the credit union had violated various provisions of its charter, bylaws and federal regulations. North Dade Community Development Federal Credit Union served 616 members and had assets of $3 million, according to the credit union’s most recent Call Report. Chartered in 1997, North Dade Community Development Federal Credit Union served a community field of membership that consisted of residents located in Northwest Dade County, Florida. North Dade Community Development Federal Credit Union is the second federally insured credit union liquidation in 2015.
NMCE - 10k (4/14) - MSB
FinCEN has assessed a civil money penalty of $10,000 against New Milenium Cash Exchange, Inc. (NMCE) and its owner, Flor Angella Lopez, for multiple violations of BSA/AML regulations. FinCEN found that NMCE operated as a "financial institution" and "money services business" as those terms are defined in 31 CFR §§ (t) and (ff). Since 2006, three IRS exams of NMCE identified repeated violations of the BSA. The Florida Office of Financial Regulation also examined NMCE and found violations resulting in a written corrective action agreement and a fine in FinCEN determined that NMCE and Lopez willfully violated the BSA's program, reporting and recordkeeping requirements since at least NMCE and/or Lopez:
- conducted business without continuous FinCEN registration for over three years
- submitted MSB registrations in 2011 containing inaccurate information on services rendered by NMCE
- failed to establish and implement an effective written anti-money laundering program
- lacked adequate AML programs for check cashing and money order activities and currency exchange transactions
- failed to have policies, procedures and internal controls to adequately verify the identity of persons conducting transactions, to monitor for suspicious activity, to identify reportable currency transactions, or ensure the filing of CTRs
- failed to make or retain adequate records
- lacked a BSA/AML risk assessment
- provided no or inadequate training
- filed 51 CTRs covering transactions totaling about one million dollars significantly late
- failed to file at least 149 CTRs for exchanges of currency with other financial institutions.

Old National Bank - 500k
Old National Bank is a Federally chartered bank headquartered in Evansville, Indiana, with 200 domestic locations in 5 states in Illinois, Indiana, Kentucky, Michigan and Ohio. On January 14, 2014, the Comptroller issued a Consent Order for a Civil Money Penalty of $500,000.
BSA/AML deficiencies were addressed in a Consent Order issued by the OCC on June 4, 2012, which in part required the bank to undertake remedial actions with respect to its BSA/AML program. In the 1/14/14 CMP Order, the OCC cited findings that:
- the bank failed to (1) conduct adequate risk assessments, (2) obtain more than the minimum information required for CIP purposes, (3) implement an adequate suspicious activity monitoring system, and (4) properly identify high-risk customers.
- the bank's internal audit review failed to identify the deficiencies in the program
- the bank's BSA officer and staff lacked the necessary resources and expertise, including knowledge of regulatory requirements, and after conducting a look back, the bank filed 110 new SARs and 172 supplemental SARs.

J.P. Morgan Chase Bank, N.A.
$461 million for willfully violating the Bank Secrecy Act (BSA) by failing to report suspicious transactions arising out of Bernard L. Madoff’s Scam – had suspicions of fraud in the 1990s and worked to save itself $250M

TD BANK
Failure to file SARs related to the massive Ponzi scheme orchestrated by Florida attorney Scott Rothstein. OCC assessed a penalty of $37.5M. From April September 2009, the Bank willfully violated the BSA’s reporting requirements by failing to detect and adequately report suspicious activities in a timely manner. TD Bank employees failed to recognize the suspicious activity and file SARs in a timely manner.
LACK OF ADEQUATE TRAINING

TIAA-CREF - focus on BSA/AML concerns, and must develop & put into place a comprehensive BSA action plan including a BSA risk assessment; BSA independent testing; BSA internal controls and high risk identification; CDD and EDD information gathering; a written program to ensure compliance with SAR filing requirements; BSA training; Appropriate BSA compliance department staffing

M&T - deficiencies in M&T's firm-wide compliance with BSA/AML Requirements; the Bank's internal controls, customer due diligence procedures, and transaction monitoring processes. The Written Agreement requires that M&T adopt, submit and adhere to an acceptable revised written firm-wide BSA/AML compliance program that describes the specific actions that will be taken, including timelines for completion, and had to hire a third party consultant

TCF National Bank - earlier Order, the bank had a consultant conduct a look-back to review activity from November 2008 through July 2010, which resulted in the bank's late-filing of 2,357 SARs covering transactions of about $70 million. In a November 2011 exam, the OCC identified 13 failures to properly file SARs on transactions possibly related to terrorist financing (the SARs had been filed, but were determined to be inadequate and "of poor quality"). For example, the "terrorist financing" box on the SARs had not been checked (although the narrative made reference to possible terrorist financing), and in some cases, the narrative section was considered inadequate.

TREND: REGULATORS ARE TAKING A MORE ACTIVE ROLE IN ISSUING PENALTIES INSTEAD OF WAITING FOR FINCEN
9
FREQUENT EXAM PROBLEM AREA
FinCEN (31 U.S.C. 310)
- Administrator of (BSA) Bank Secrecy Act/(AML) Anti-Money Laundering Law authorized by CONGRESS in 1970.
- Proposes and finalizes rules
- Creates guidance & issues advisories, bulletins, fact sheets
- Supports & enforces compliance with regulations
- Collects & provides information to financial institutions, law enforcement, insurance companies, etc.
- Administrator of 314 (a) program
- Credit union has 2 weeks to respond to their ed request
- Administrator of 314 (b) voluntary program
FREQUENT EXAM PROBLEM AREA
Hotline: (866)

“Bank Secrecy Act” or “BSA”) requires U.S. financial institutions to assist U.S. government agencies to detect and prevent money laundering. The BSA is sometimes referred to as an “anti-money laundering” law (“AML”) or jointly as “BSA/AML”. BSA was passed by the Congress of the United States in 1970.

The BSA's recordkeeping and reporting requirements establish a financial trail for investigators to follow as they track criminals, their activities, and their assets. Over the years, FinCEN staff has developed its expertise in adding value to the information collected under the BSA by uncovering leads and exposing unknown pieces of information contained in the complexities of money laundering schemes. The basic concept underlying FinCEN's core activities is "follow the money." The primary motive of criminals is financial gain, and they leave financial trails as they try to launder the proceeds of crimes or attempt to spend their ill-gotten profits. FinCEN partners with law enforcement at all levels of government and supports the nation's foreign policy and national security objectives.
10
FinCEN Penalties
- Civil Penalty – Any person who fails to comply with the registration requirements may be liable for a civil penalty of up to $5,000 for each violation. Each day a violation continues constitutes a separate violation.
- Criminal Penalty – It is unlawful to do business without complying with the registration requirements. A criminal fine and/or imprisonment up to 5 years may be imposed.

Penalties
Civil penalty. Any person who fails to comply with the registration requirements may be liable for a civil penalty of up to $5,000 for each violation. Failure to comply includes the filing of false or materially incomplete information. Each day a violation continues constitutes a separate violation. In addition, the Secretary of the Treasury may bring a civil action to enjoin the violation.
Criminal penalty. It is unlawful to do business without complying with the registration requirements. A criminal fine and/or imprisonment for up to 5 years may be imposed.
31 CFR (e) (formerly 31 CFR (e)), 18 USC 1960
11
Recent BSA Penalties
Bethex Federal Credit Union (12/16) – ($500 K)
- Began to serve MSBs and did not update AML programs
- Failed to timely detect and report SARs
Cantor Gaming (10/16) – ($12 M)
- No internal controls, independent audits or sufficient staff training
- Failed to report CTRs & SARs
Hawaiian Gardens Casino (7/16) – ($2.8 M)
- Failed to report large cash transactions
- Failed to file many SARs
- Failed to keep certain required records
Sparks Nugget, Inc. (4/16) – ($1 M)
- Lacked a culture of compliance

Bethex Federal Credit Union
- $500,000 penalty
- Significant AML violations
- FCU maintained internal controls specific to low to moderate income clientele within its designated FOM, but then began providing banking services to many wholesale, commercial MSBs without updating its AML program.
- Did not file any SARs from 2008 thru 2011.
Cantor Gaming
- $12 M penalty
- Violations of AML provisions
- Failed to have appropriate AML program in place
- Failed to have sufficient internal controls and mandatory independent audits; no sufficient AML training for officers and employees; failed to use all available information to report and detect suspicious transactions.
- Did not report CTRs or SARs
Hawaiian Gardens Casino
- FinCEN issued a civil money penalty of $2.8 million for repeated AML violations
- Failed to implement and maintain an effective AML program
- Failed to report large cash transactions
- Failed to file many SARs
- Failed to keep certain required records.
Sparks Nugget, Inc.
- FinCEN issued a civil money penalty of $1 million against Sparks Nugget, Inc. for willfully violating AML provisions of the BSA.
- Disregarded its compliance manager
- Failed to report CTRs and SARs
- Lacked a culture of compliance
12
OFAC (31 CFR 501)
OFAC = Office of Foreign Assets Control
Administers and enforces economic sanctions against:
- Targeted foreign countries
- Terrorists and terrorism sponsored organizations
- International narcotic traffickers.
Every financial transaction falls under OFAC authority.
Prohibits conducting business with anyone on OFAC Sanctions lists.
OFAC does not require a credit union to check members and transactions against their lists. (this is not the same as 314(a) lists by FinCEN)

New members are run against the SDN list before account is opened (in most cases) the entire membership database is run against the SDN list on a daily basis
There is a list that can change on a daily basis that all transactions must be checked against – that’s why most credit unions rely on a third party usually incorporated into their core processor
Again you are looking at the risk that the credit union would conduct a transaction for a prohibited party
Although OFAC does not require a credit union to check people and transactions against the lists – however if you conduct a transaction
OFAC itself was formally created in December 1950, following the entry of China into the Korean War, when President Truman declared a national emergency and blocked all Chinese and North Korean assets subject to U.S. jurisdiction.
13
OFAC
- All positive hits must be reported to OFAC within 10 business days ( )
- Depending on the nature of the sanction, transactions to or from entities identified as a positive hit must either be blocked and the account funds frozen, or the transaction rejected
14
TREND: TAKING A MORE ACTIVE ROLE IN ISSUING PENALTIES
Recent OFAC Penalties
National Oilwell Varco, Inc. (11/16) ($5,976,028)
- Violation of Iranian Transactions & Sanctions Regulations
PanAmerican Seed Company (9/16) ($4,320,000)
- Willfully violated US sanctions
- Ignored OFAC compliance responsibilities
- Did not initially cooperate with OFAC’s investigation
World Class Technology Corp (9/16) ($43,200)
- No OFAC compliance program in place
- Management had knowledge of violations
Alcon Laboratories, Inc. (7/16) ($138,982,584)
- Reckless disregard of US sanctions
HyperBranch Medical Technology (6/16) ($1,129,912)
- Did not have a compliance program in place at the time of the violations

National Oilwell
- Settled for $5,976,028
- Violation of the Iranian Transactions & Sanctions Regulations
PanAmerican Seed Company
- Settled for $4,320,000
- Violations of the Iranian Transactions & Sanctions Regulations
- Willfully violated US sanctions
- Ignored OFAC compliance responsibilities
- Did not initially cooperate with OFAC’s investigation
World Class Technology Corporation
- Settled for $43,200
- Violations of the Iranian Transactions & Sanctions Regulation
- Willfully violated US sanctions laws
- Management had knowledge of violations
- No OFAC compliance program in place
HyperBranch Medical Technology, Inc.
- Settled for $107,691.30
- Exported products to Iran in violation of US law
- Former CEO & former Sales Manager knew of the issue with the exports
- Did not have a sanctions compliance program in place at the time of the violations
Alcon Laboratories, Inc.
- Settled for $7,617,150
- Reckless disregard of US sanctions

TREND: REGULATORS ARE TAKING A MORE ACTIVE ROLE IN ISSUING PENALTIES INSTEAD OF WAITING FOR FINCEN
15
Pillars of Bank Secrecy Act
- BSA Officer
- Internal Controls
- Education & Training
- Independent Testing
- Cyber Security

The 5 pillars of the Bank Secrecy Act are the BSA Officer, Internal Controls, Education and Training, Independent Testing and Cyber Security.
16
Policy Requirements
NCUA’s rule 748 requires federally insured credit unions to establish a BSA Compliance Program that includes the following:
Written, Board Approved, and Reflected in the minutes of the Credit Union’s Meeting
- BSA/OFAC Compliance Officer 2014 BSA Manual Update (Qualified Responsible Person)
- Internal Controls
- Independent Testing
- Training
- Customer/Member Identification Program

Must be written and approved by the board. It must also be reflected in the minutes of the credit union’s meeting. The board must address the following areas in its policy:
- BSA/OFAC Compliance Officer 2014 BSA Manual Update (Qualified Responsible Person)
- Internal Controls
- Independent Testing
- Training
- Customer/Member Identification Program
17
BSA Compliance Officer
The credit union's board of directors must designate a qualified BSA officer. "Qualified" means the BSA officer is expected to be fully knowledgeable of the Bank Secrecy Act and all related regulations, as well as understand the credit union's products, services, members, geographic locations and the money laundering and terrorist financing risks associated with each of those activities. While the BSA officer is responsible for coordinating and monitoring day-to-day BSA compliance, the board of directors is ultimately responsible for the credit union's compliance and is responsible for ensuring that the BSA compliance officer has sufficient authority and resources to effectively administer the compliance program.
18
Internal Controls
- Made up of the credit union’s monitoring and reporting functions
- Procedures and processes in place to monitor and identify unusual activity
- Monitoring systems typically include:
  - Manual systems (Policy, Audit & Supervisor Committee)
  - Automated systems (Computer Generated Alerts & Reports, 314(a) requests)
  - Employee identification (Badges, Identification Numbers, requiring 2 employee verifications)

Internal Controls
Credit unions must have appropriate internal control procedures to allow them to detect money laundering. These procedures must provide, among other things, a credit union with the ability to identify and report:
(1) currency transactions in excess of $10,000
(2) transactions suspicious in nature.

Senior management responsibilities for internal controls should demonstrate their commitment to compliance; suggestions to show this are:
- Establishing a comprehensive compliance plan that is approved by the board of directors and fully implemented by credit union staff.
- Instituting a requirement that senior management be kept informed of compliance efforts, audit reports, identified compliance deficiencies, and the corrective action taken.
- Making BSA compliance a condition for employment.
- Incorporating compliance with the BSA and its implementing regulation into job descriptions and performance evaluations of credit union personnel.
19
Internal Controls Procedures
• Identify your credit union's products, services, members, and branches that you consider more vulnerable to abuse by money launderers or other criminals, and provide a program to manage the higher risk;
• Inform the board of directors and senior management of your compliance initiatives, identify compliance deficiencies, corrective actions taken, and notify the board and the senior management of SARs that have been filed;
• Provide for program continuity despite changes in management or employees;
• Meet all of the BSA recordkeeping and reporting requirements;
• Implement risk-based Member Due Diligence policies & procedures;

Internal Controls: The board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting. The board of directors and management should create a culture of compliance to ensure staff adherence to the bank’s BSA/AML policies, procedures, and processes. Internal controls are the bank’s policies, procedures, and processes designed to limit and control risks and to achieve compliance with the BSA. The level of sophistication of the internal controls should be commensurate with the size, structure, risks, and complexity of the bank. Large complex banks are more likely to implement departmental internal controls for BSA/AML compliance. Departmental internal controls typically address risks and compliance requirements unique to a particular line of business or department and are part of a comprehensive BSA/AML compliance program.

Internal controls should:
• Identify banking operations (i.e., products, services, customers, entities, and geographic locations) more vulnerable to abuse by money launderers and criminals; provide for periodic updates to the bank’s risk profile; and provide for a BSA/AML compliance program tailored to manage risks.
• Inform the board of directors, or a committee thereof, and senior management, of compliance initiatives, identified compliance deficiencies, and corrective action taken, and notify directors and senior management of SARs filed.
• Identify a person or persons responsible for BSA/AML compliance.
• Provide for program continuity despite changes in management or employee composition or structure.
• Meet all regulatory recordkeeping and reporting requirements, meet recommendations for BSA/AML compliance, and provide for timely updates in response to changes in regulations.
• Implement risk-based CDD policies, procedures, and processes.
• Identify reportable transactions and accurately file all required reports including SARs, CTRs, and CTR exemptions. (Banks should consider centralizing the review and report-filing functions within the banking organization.)
• Provide for dual controls and the segregation of duties to the extent possible. For example, employees that complete the reporting forms (such as SARs, CTRs, and CTR exemptions) generally should not also be responsible for the decision to file the reports or grant the exemptions.
• Provide sufficient controls and systems for filing CTRs and CTR exemptions.
• Provide sufficient controls and monitoring systems for timely detection and reporting of suspicious activity.
• Provide for adequate supervision of employees that handle currency transactions, complete reports, grant exemptions, monitor for suspicious activity, or engage in any other activity covered by the BSA and its implementing regulations.
• Incorporate BSA compliance into the job descriptions and performance evaluations of bank personnel, as appropriate.
• Train employees to be aware of their responsibilities under the BSA regulations and internal policy guidelines.

The above list is not designed to be all-inclusive and should be tailored to reflect the bank’s BSA/AML risk profile. Additional policy guidance for specific risk areas is provided in the expanded sections of this manual.
20
Internal Controls Procedures
• Identify reportable transactions and accurately file all required reports, such as SARs and CTRs;
• Provide for the segregation of duties where you can;
• Provide for sufficient controls and monitoring systems for timely detection and reporting of suspicious activity;
• Include adequate supervision of employees who handle currency, complete reports, grant exemptions, etc.;
• Train all employees to be aware of their specific responsibilities under BSA.
21
Risk Assessment
• The 1st step before a credit union develops a written, board approved, BSA or OFAC program
• Assessment should consider:
  – Products (lending, wires, RDC & ACH etc.)
  – Services (E-services)
  – Geographic Locations (HIDTA/HFCA)
  – Field of Membership

EXAMINER WILL CREATE A RISK ASSESSMENT IF CU DOESN’T HAVE ONE, BUT DOESN’T HAVE TO SHARE IT WITH THE CU. IN EVERY CIVIL MONEY PENALTY ISSUED, THE LACK OF AN ADEQUATE RISK ASSESSMENT WAS LISTED AS THE BIG ISSUE THAT LED TO THE FINE.

PRODUCTS/SERVICES: WIRES, ACH AND ATM TRANSACTIONS; ELECTRONIC BANKING; MONETARY INSTRUMENTS; LENDING ACTIVITIES, PARTICULARLY LOANS SECURED BY CASH COLLATERAL AND MARKETABLE SECURITIES.

GEOGRAPHIC LOCATIONS: COUNTIES BRANCHES AND MEMBERS ARE LOCATED IN – HIDTA COUNTIES – RICHLAND AND LEXINGTON. REMEMBER YOUR MEMBERS CAN LIVE IN OTHER COUNTIES OR STATES – DOES THIS INCREASE THE RISK TO THE CREDIT UNION?

REGULATORS ARE LOOKING FOR A LIST OF HIGH RISK MEMBERS. FOR EXAMPLE, DID THE CU SUBMIT A SAR OR CTR? THEN MAYBE THEY SHOULD BE ON A LIST UNTIL THEY STOP THE ACTIVITY.
22
Risk Assessment
Should be updated on an ongoing basis based upon:
• New products & services
• Threats
• Breaches
• Locations & markets
23
Member Identification Program
4 pieces of written information required by all prospective members:
• Name
• Date of Birth
• Identification Number
• Residential/business street address

Depending on the type and use of account, may require Enhanced Due Diligence (EDD).

*Adequate notice must be provided to members before collecting the above information.

FIRST STEP IN CREATING A MIP IS TO CONDUCT A RISK ASSESSMENT. THE ASSESSMENT SHOULD CONSIDER:
• THE TYPES OF ACCOUNTS OFFERED
• THE METHODS OF OPENING ACCOUNTS
• THE TYPES OF IDENTIFYING INFORMATION AVAILABLE
• THE CREDIT UNION’S SIZE, LOCATION AND MEMBER BASE

MEMBER DUE DILIGENCE:
• RISK BASED FOCUS
• OBTAIN OPENING THAT WILL ENABLE CU TO PREDICT THE NORMAL ACTIVITY OF AN ACCOUNT
• DIFFERENTIATE BETWEEN LOW AND HIGH RISK MEMBERS
• LOOKING FOR DUE DILIGENCE AT ACCOUNT OPENING FOR ALL BUSINESS ACCOUNTS
• FOR LOW RISK MEMBERS: PURPOSE OF ACCOUNT; EXPECTED WIRE AND ELECTRONIC FUNDS ACTIVITY
• FOR HIGH RISK MEMBERS: FINANCIAL STATEMENTS; FINANCIAL REFERENCES; OCCUPATION OR TYPE OF BUSINESS

REQUIREMENTS: VERIFY IDENTITY AND ASSESS RISK; MAINTAIN CURRENT INFORMATION; COLLECT ADDITIONAL INFORMATION FOR HIGHER RISK ACCOUNTS; MONITOR HIGH RISK ACCOUNTS AS APPROPRIATE
24
Member Identification Program (MIP)
• CU needs policies/procedures
• Identify high risk accounts
• KNOW who is opening an account
• Name, address, DOB for individuals, identification #
• Verify information within reasonable time
• Documentary/Non-documentary methods
• Record Keeping Requirements:
  – Maintain identification information for five years after account is CLOSED.
  – Maintain other data for five years after data is recorded.
  – Electronic records may be kept.

All banks must have a written CIP. The CIP rule implements section 326 of the USA PATRIOT Act and requires each bank to implement a written CIP that is appropriate for its size and type of business and that includes certain minimum requirements. The CIP must be incorporated into the bank’s BSA/AML compliance program, which is subject to approval by the bank’s board of directors. The implementation of a CIP by subsidiaries of banks is appropriate as a matter of safety and soundness and protection from reputational risks. Domestic subsidiaries (other than functionally regulated subsidiaries subject to separate CIP rules) of banks should comply with the CIP rule that applies to the parent bank when opening an account within the meaning of 31 CFR

The CIP is intended to enable the bank to form a reasonable belief that it knows the true identity of each customer. The CIP must include account opening procedures that specify the identifying information that will be obtained from each customer. It must also include reasonable and practical risk-based procedures for verifying the identity of each customer. Banks should conduct a risk assessment of their customer base and product offerings, and in determining the risks, consider:
• The types of accounts offered by the bank.
• The bank’s methods of opening accounts.
• The types of identifying information available.
• The bank’s size, location, and customer base, including types of products and services used by customers in different geographic locations.
25
MIP – Business Accounts
• CU NEEDS to obtain documentation for legal entity and all signers on a business account.
• Verify legal existence of business entities.
• Verify identity of agent opening account.
26
Training Requirements 748 NCUA
• Conducted at least annually (most conduct quarterly or monthly training)
• Should be tailored to the individual’s position at the credit union.
• Infractions & penalties mostly stem from inadequately trained staff based upon the products and services offered.
• BSA Officer, Lending & MSR Business Members are key areas to have higher level risk training requirements.
• New employee training should be timely.
• New Board Members should also be trained timely; 30 days is usually a good time frame.
27
Money Service Businesses (MSBs)
FinCEN defines MSBs as doing business in one or more of the following capacities:
• Dealer in foreign exchange
• Check casher
• Issuer or seller of traveler’s checks or money orders
• Money transmitter
• Provider of prepaid access

Credit unions that maintain an account relationship with an MSB, or are considering doing so, need to be aware of the potential risks involved – particularly with regard to money laundering. MSBs provide a valuable service to consumers; however, the cash-intensive nature of these businesses may pose elevated risk for potential money laundering activities. This requires credit unions, where elevated risk activity is present, to exercise heightened due diligence by establishing monitoring and controls to properly assess, minimize, and manage the risk of money laundering. Credit unions need to identify MSBs that may pose an elevated risk for money laundering and establish proper BSA/AML procedures related to these entities.

FinCEN, NCUA, and the other federal banking agencies have established minimum expectations that banking organizations should meet when providing banking services to MSBs. Based on existing BSA requirements applicable to credit unions, the minimum due diligence expectations associated with opening and maintaining accounts for MSBs are:
• Perform the required Customer Identification Program procedures;
• Confirm that member MSBs register with FinCEN, if applicable;
• Confirm that member MSBs comply with state or local licensing requirements, if applicable;
• Confirm the member MSB’s agent status, if applicable; and
• Conduct a BSA/AML risk assessment to document the level of risk associated with the account and whether greater due diligence is necessary.

As with any business account, in determining how much, if any, further due diligence would be required for any MSB member, the credit union should consider the following basic information:
• Types of products and services offered by the MSB.
• Location(s) and market(s) served by the MSB.
• Anticipated account activity and volume.
• Purpose of the account.

If a credit union determines that a member MSB presents a higher level of money laundering or terrorist-financing risk, enhanced due diligence measures should be conducted in addition to minimum due diligence procedures. Depending on the level of potential risk, as well as the size and sophistication of a particular MSB, a credit union may pursue some or all of the following actions as part of an appropriate enhanced due diligence review:
• Reviewing an MSB’s BSA/AML program.
• Reviewing results of an MSB’s independent testing.
• Reviewing written procedures for the operation of an MSB.
• Conducting on-site visits of an MSB.
• Reviewing an MSB’s written employee screening practices.
28
MSBs Continued Detecting possible MSB activity:
• Large cash transactions
• Cash transactions not commensurate with expected activity
• High volume of wire transfers
• Deposit of a high volume of third party checks
• Conducting cash transactions just under $10,000
29
Independent Testing Requirements 748.2 NCUA
• May be performed by credit union staff/outside firm or volunteer officials as long as they meet the Requirements & Independence tests.
• Must be conducted at least annually (every months)
• Audits should address:
  – The overall integrity and effectiveness of policies, procedures and processes
  – THE BSA/AML RISK ASSESSMENT (2014 Manual)
  – Reporting & Recordkeeping Requirements
  – Competence of the BSA officer
  – Transaction testing (SAR & CTR, wires and high risk member list)
  – Employee training and its adequacy
• NCUA will also evaluate board reporting, supervision, and responsiveness to the audit’s findings

Independent Testing: Compliance with the BSA should be independently tested periodically (your policy states every 18 months) by the internal audit department, outside auditors, or consultants. The audit program should, at a minimum, be able to:
• Attest to the effectiveness of internal procedures for monitoring compliance with the BSA by, for example:
  – Sampling large currency transactions traced to CTR filings;
  – Testing the validity and reasonableness of exemptions granted; and
  – Reviewing a sample of SARs filed for completeness and accuracy.
• Assess employees’ knowledge of regulations and procedures.
• Assess adequacy of training programs.

INDEPENDENT AUDITS
• REQUIRED ANNUALLY BY THE USA PATRIOT ACT
• MAY BE COMPLETED BY CREDIT UNION STAFF (PEOPLE WHO ARE NOT INVOLVED WITH BSA/AML)
  – QUALIFICATIONS TO PERFORM THE AUDIT WILL BE EXAMINED.
• MAY BE COMPLETED BY AN OUTSIDE FIRM.
• NCUA WILL EXPECT THE AUDIT TO INCLUDE:
  – OVERALL INTEGRITY AND EFFECTIVENESS OF THE BSA/AML COMPLIANCE PROGRAM, INCLUDING POLICIES, PROCEDURES, AND PROCESSES
  – THE BSA/AML RISK ASSESSMENT
  – APPOINTMENT/COMPETENCY OF BSA OFFICER
  – BSA REPORTING AND RECORDKEEPING REQUIREMENTS
  – MIP IMPLEMENTATION
  – APPROPRIATE TRANSACTION TESTING, WITH PARTICULAR EMPHASIS ON HIGH-RISK OPERATIONS
  – TRAINING ADEQUACY
  – INTEGRITY AND ACCURACY OF MANAGEMENT INFORMATION SYSTEMS (MIS) USED IN THE BSA COMPLIANCE PROGRAM
  – SUSPICIOUS ACTIVITY MONITORING SYSTEMS WILL BE EVALUATED TO DETERMINE THEIR CAPABILITIES
  – EVALUATE RESEARCH/RESOLUTION OF ALERTS GENERATED BY YOUR CREDIT UNION’S SUSPICIOUS ACTIVITY MONITORING SYSTEM
  – DETERMINE WHETHER THE CREDIT UNION’S PROCEDURES INCLUDE THE REVIEW OF MEMBER’S ACTIVITY WHEN THE CREDIT UNION HAS FILED A PREVIOUS SAR.
  – TRACK PREVIOUSLY IDENTIFIED DEFICIENCIES AND VERIFY THEY HAVE BEEN CORRECTED.
  – NCUA WILL ALSO EVALUATE BOARD REPORTING, SUPERVISION, AND RESPONSIVENESS TO THE AUDIT’S FINDINGS.

DUE DILIGENCE
• PURPOSE OF ACCOUNT
• BENEFICIAL OWNER(S)
• SOURCE OF FUNDS USED
• STATED OR ANTICIPATED USE
• OCCUPATION OR TYPE OF BUSINESS
• HIGH INTENSITY DRUG TRAFFICKING OR HIGH INTENSITY FINANCIAL CRIMES AREAS
30
Cyber Security FinCEN Guidance on Cyber Events & Crime
• Cyber-Event: An attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources or information.
• Cyber-Enabled Crime: Illegal activities (fraud, money laundering, identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers.
• Cyber-Related Information: Information that describes technical details of electronic behavior and activity, such as IP addresses and timestamps.

The proliferation of cyber-events and cyber-enabled crime represents a significant threat to consumers and the U.S. financial system. The Financial Crimes Enforcement Network (FinCEN) issues this advisory to assist financial institutions in understanding their Bank Secrecy Act (BSA) obligations regarding cyber-events and cyber-enabled crime. This advisory also highlights how BSA reporting helps U.S. authorities combat cyber-events and cyber-enabled crime. Through this advisory FinCEN advises financial institutions on:
I. Reporting cyber-enabled crime and cyber-events through Suspicious Activity Reports (SARs);
II. Including relevant and available cyber-related information (e.g., Internet Protocol (IP) addresses with timestamps, virtual-wallet information, device identifiers) in SARs;
III. Collaborating between BSA/Anti-Money Laundering (AML) units and in-house cybersecurity units to identify suspicious activity; and
IV. Sharing information, including cyber-related information, among financial institutions to guard against and report money laundering, terrorism financing, and cyber-enabled crime.
31
Cyber Security SAR Reporting of Cyber Events
• Mandatory SAR Reporting – involves or aggregates more than $5,000 in funds
  – Cyber-events targeting the CU that could affect a transaction or series of transactions
• Voluntary SAR Reporting – Cyber events and crimes that do not necessarily require the filing of a SAR
  – Ex. Attack that disrupts a financial institution’s website and disables online banking services for a significant period of time. The CU determines the attack was not intended to and could not have affected any transactions. Reporting is encouraged, but not required.

Voluntary SAR Reporting – FinCEN encourages, but does not require, financial institutions to report egregious, significant or damaging cyber-events and cyber-enabled crime when such events and crime do not otherwise require the filing of a SAR.
32
Cyber Security
Reporting cyber-related information involving cyber-events:
• Description and magnitude of event
• Known or suspected time, location, and characteristics or signatures of the event
• Indicators of compromise
• Relevant IP addresses and their timestamps
• Device identifiers
• Methodologies used
• Other information the institution believes is relevant
33
Cyber Security Collaborating between BSA/AML & Cybersecurity Units:
• Internally share relevant information from across the organization

Sharing Cyber-Related Information between Financial Institutions:
• Under Section 314(b), CUs may share cyber-related information such as specific malware signatures, IP addresses and device identifiers, and seemingly anonymous virtual currency addresses.
• This can help identify those involved in or responsible for a cyber-event or crime linked to money laundering or terrorist activities.
34
BSA Basic Reporting Forms
CTR
• CASH only, 10,000+
• By, Through or To CU
• 15 days to file electronically
• May tell member about CTR
• Must keep records for 5 years

SAR
• Suspicious activity that possibly violates federal or state regulation
• 30 days to file electronically
• Continuing activity: new SAR must be filed every 90 days
• MUST NOT tell member about SAR

As of April 1, 2013, financial institutions must use the new FinCEN reports, which are available only electronically through the BSA E-Filing System. FinCEN is no longer accepting legacy reports.
35
CTR Mandatory Requirements
Rule #1: The CU must obtain personal identification information about the individual conducting the transaction, such as a Social Security number as well as a driver’s license or other government issued document.

Rule #2: Must retain a copy of CTR data and all supporting documentation for 5 years from the date of report.

The CTR originally had to be filed within 25 days; that policy has been changed to the 15 day requirement. As of April 1, 2013, FinCEN stopped accepting legacy CTR forms; CTRs must be filed electronically.

1. John has $15,000 in cash he obtained from selling his truck. John knows that if he deposits $15,000 in cash, his financial institution will be required to file a CTR. John instead deposits $7,500 in cash in the morning with one financial institution employee and comes back to the financial institution later in the day to another employee to deposit the remaining $7,500, hoping to evade the CTR reporting requirement.

2. Jane needs $18,000 in cash to pay for supplies for her wood-carving business. Jane cashes a $9,000 personal check at a financial institution on a Monday, then cashes another $9,000 personal check at the financial institution the following day. Jane cashed the checks separately and structured the transactions in an attempt to evade the CTR reporting requirement.

3. A married couple, John and Jane, sell a vehicle for $15,000 in cash. To evade the CTR reporting requirement, John and Jane structure their transactions using different accounts. John deposits $8,000 of that money into his and Jane’s joint account in the morning. Later that day, Jane deposits $1,500 into the joint account, and then $5,500 into her sister’s account, which is later transferred to John and Jane’s joint account.

4. Bob wants to place $24,000 cash he earned from his illegal activities into the financial system by using a wire transfer. Bob knows his financial institution will file a CTR if he purchases a wire with over $10,000 currency in one day. To evade the CTR reporting requirement, Bob wires the $24,000 by purchasing wires with currency in $6,000 increments over a short period of time, occasionally skipping days in an attempt to prevent the financial institution from filing a CTR.

If you have further questions, please contact FinCEN’s Regulatory Helpline at (800)

This requirement applies whether the individual conducting the transaction has an account relationship with the institution or not.
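The four structuring scenarios above, expressed as monitoring logic over a day's cash records; this is an added example, not part of the original presentation. The transaction records, the related-party mapping (joint owners linked in member records) and the 7-day review window are constructed assumptions; only the $10,000 figure comes from the slides.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

CTR_THRESHOLD = Decimal("10000")  # slides: currency transactions in excess of $10,000
WINDOW_DAYS = 7                   # assumption: look-back window for structuring review


@dataclass(frozen=True)
class CashTxn:
    day: date
    conductor: str   # person who handed over or received the currency
    account: str
    amount: Decimal


def d(n):
    """March 2017 date; 6 March 2017 is a Monday."""
    return date(2017, 3, n)


# Constructed sample data mirroring scenarios 1-4, plus two control members.
SAMPLE = [
    CashTxn(d(6), "john_s1", "john_s1_share", Decimal("7500")),   # 1: morning deposit
    CashTxn(d(6), "john_s1", "john_s1_share", Decimal("7500")),   # 1: second teller
    CashTxn(d(6), "jane_s2", "jane_s2_share", Decimal("9000")),   # 2: Monday check cashed
    CashTxn(d(7), "jane_s2", "jane_s2_share", Decimal("9000")),   # 2: Tuesday check cashed
    CashTxn(d(8), "john_s3", "joint_s3", Decimal("8000")),        # 3: joint account
    CashTxn(d(8), "jane_s3", "joint_s3", Decimal("1500")),        # 3: joint account
    CashTxn(d(8), "jane_s3", "sister_s3", Decimal("5500")),       # 3: sister's account
    CashTxn(d(6), "bob_s4", "wire", Decimal("6000")),             # 4: wires bought with cash
    CashTxn(d(7), "bob_s4", "wire", Decimal("6000")),
    CashTxn(d(9), "bob_s4", "wire", Decimal("6000")),             # 4: skipped a day
    CashTxn(d(10), "bob_s4", "wire", Decimal("6000")),
    CashTxn(d(6), "member_a", "a_share", Decimal("2000")),        # control: routine deposit
    CashTxn(d(6), "member_b", "b_share", Decimal("12000")),       # control: plain CTR, no evasion
]

# Assumption: member records link the married couple as one related party.
RELATED = {"john_s3": "household_s3", "jane_s3": "household_s3"}


def daily_ctr_hits(txns):
    """Aggregate cash per conductor per day; report totals above the CTR threshold."""
    totals = defaultdict(Decimal)
    for t in txns:
        totals[(t.conductor, t.day)] += t.amount
    return sorted((who, day, total)
                  for (who, day), total in totals.items()
                  if total > CTR_THRESHOLD)


def structuring_alerts(txns, related=None, window_days=WINDOW_DAYS):
    """Flag related parties whose individually non-reportable cash transactions
    add up to more than the threshold inside a rolling window (SAR review queue)."""
    related = related or {}
    by_party = defaultdict(list)
    for t in txns:
        if t.amount <= CTR_THRESHOLD:  # a single larger item is a CTR, not structuring
            by_party[related.get(t.conductor, t.conductor)].append(t)

    alerts = {}
    for party, items in by_party.items():
        items.sort(key=lambda t: t.day)
        left, running = 0, Decimal("0")
        for right, t in enumerate(items):
            running += t.amount
            # Drop transactions that fell out of the look-back window.
            while (t.day - items[left].day).days >= window_days:
                running -= items[left].amount
                left += 1
            if right - left + 1 >= 2 and running > CTR_THRESHOLD:
                best = alerts.get(party)
                if best is None or running > best[2]:
                    alerts[party] = (items[left].day, t.day, running)
    return alerts


if __name__ == "__main__":
    for who, day, total in daily_ctr_hits(SAMPLE):
        print(f"CTR       {who:<14}{day}  ${total}")
    for party, (start, end, total) in sorted(structuring_alerts(SAMPLE, RELATED).items()):
        print(f"REVIEW    {party:<14}{start}..{end}  ${total}")
```

Same-day aggregation alone catches only scenario 1; scenarios 2 to 4 surface only when sub-threshold items are summed across days and across linked members.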
36
CTR Exemptions
Phase 1:
• Government agencies & Domestic Financial Institutions: no filing or annual review required
• Publicly Traded Companies: one-time filing and annual review required

Phase 2:
• Non-listed businesses & payroll customers who meet certain requirements: one-time filing and annual review required
37
Businesses Ineligible for CTR Exemptions
High Risk Industries:
• Motor Vehicle Dealers
• Law Firms
• Accountant/Tax Firms
• Doctors
• Gaming Institutions
• Real Estate Brokers
• Investment Advisors
• Pawn Shops
• Title Insurance & Closing Co.
38
Suspicious Activity Reports (SARS)
Criteria:
• Conducted or attempted by, at or through the Credit Union
• Know, suspect or have reason to suspect:
  – Funds are from, or to hide funds from, illegal activities
  – Plan to avoid federal reporting law/laws
  – No business or apparent lawful purpose
  – Unusual for the member
  – No reasonable explanation after examining the facts

Plan to avoid federal reporting law/laws:
• Structuring Activities
• Large cash payments in a non-cash business could be an indication of money laundering activity

Unusual for the member:
• Cashing third party checks but is an Individual
• Family Inheritance
• Law suit Proceeds
• Deposit of U.S. Treasury checks to an account held by a deceased customer
• Sale of Marijuana Proceeds
• Human Trafficking Proceeds
39
Suspicious Activity Reports (SARS)
Filing Thresholds:
• $0: No Threshold for Insider Activity (Teller/Mgt./BOD)
  – In 2014 approximately 15,000 total insider activities were reported
• $5,000 threshold for a known suspect and for transactions involving money laundering, evasion of BSA, or activities that have no apparent business or lawful purpose.
• $25,000 threshold when the suspect is unknown.

Activity Trends and Patterns in the Most Frequently-Reported Relationships

Director of the institution engaged in various suspicious activities.
• A director stole and embezzled funds by deleting clearing items from the bank’s system before they posted against his account;
• A director misused her position by misusing the corporate credit card;
• Filers often reported directors who owned or operated other businesses for structuring or check kiting in their business accounts;
• Directors did not disclose their own interests in loans to other entities.

Officers engaged.
• An Executive Vice President/Chief Information Officer owned a portion of a company hired to evaluate the filer’s ATM security.
• An Assistant Vice President embezzled funds by wire transferring funds from a general ledger to his own account.
• An Executive Vice President, Director and controlling shareholder misused a corporate credit card and attempted to pay the bill from general ledger funds.

Employees’ activities included:
• Teller theft from cash drawer or vault, often followed by forced balancing;
• Misappropriation of customer funds by tellers and other employees by altering deposits, accessing customer funds, or using customer credit to purchase items;
• Fraudulent or empty envelope deposits to the ATM, followed by cash withdrawals;
• Corporate credit card fraud;
• Structuring;
• Check Kiting;
• Opening new accounts for fraudulent or non-existent customers in order to qualify for performance goals or employee incentive programs;
• Changing ledgers and other records to hide their own overdraft or kiting statuses;
• Improperly crediting back overdraft fees and other service charges to themselves and others;
• Theft of equipment or information by contractors or vendors;
• Engaging in mortgage loan fraud by submitting misrepresentations of borrowers’ income, employment, credit, occupancy and other requirements; submission of improper gift letters; unduly influencing appraisers to increase values; misrepresenting equity and other information to the loan committee. Loan Officers were often identified as employees in these activities.
• Misuse of position of an employee, such as improper refunding of service or overdraft fees to relatives or friends, or loan application misrepresentations;
• Theft of proprietary information by a temporary staffer;
• Mysterious property disappearance attributed to the cleaning crew;
40
SAR Mandatory Requirements
• Credit Union Member/Unknown Suspect must not be notified of the SAR or the filing/possible filing of the SAR.
• Safe Harbor against PRIVACY violations.
• In the case that no suspect has been identified but the CU is reasonably sure that one will be identified, the time period is extended to 60 days.
41
Practical Examples
Let’s practice what we have learned with a few EXAMPLES, including:
• Examining the Facts/Scenario;
• Determining which form, if any, is required & who is required to complete it; and
• Completing the required reporting form (CTR/SAR)

Tellers are the first line of defense. When a reportable transaction occurs, the CU employee conducting the transaction is required to complete the initial documentation, even if the forms are submitted electronically by the BSA officer.

Examples Include:
• Cash Scenario – over 10,000 / aggregated over 10,000
• Suspicious wire
• Suspicious Loan – Insider Issues
42
Red Flags
Sections 114 and 315 of the FACT Act require financial institutions to develop policies and procedures and train employees on Red Flags, which are designed to help detect, prevent and mitigate Identity Theft issues. There are 26 Red Flags, which are lumped into 5 categories:
• Alerts, Notifications or Warnings from a consumer reporting agency
• Suspicious documents
• Suspicious personal identifying information
• Unusual use of, or suspicious activity related to, the covered account
• Notice of Identity Theft
43
1. Alerts, Notifications or Warnings from a Consumer Reporting Agency
• A fraud or active duty alert included with consumer report
• CRA provides notice of credit freeze in response to request for a consumer report
• CRA provides notice of address discrepancy
• CRA indicates pattern of activity inconsistent with history and usual pattern of activity:
  • Recent & significant increase in volume of inquiries
  • Unusual number of recently established credit
  • Material change in use of credit
  • Account that was closed for abuse of account
44
2. Suspicious Documents
• Documents provided for identification appear to be altered or forged
• Photograph or physical description not consistent with appearance
• Other information on ID not consistent with information provided by person opening new account
• Other info on ID not consistent with info on file with the CU, such as signature card or recent check
• Application appears altered or forged, or gives appearance of having been destroyed and reassembled
45
3. Suspicious Personal Identifying Information
• Personal identifying info not consistent with other personal info provided by member. Ex: SSN range & DOB do not match
• Info provided is associated with known fraudulent activity, such as:
  • Address on application is same as address provided on fraudulent application
  • Phone # on application is same as # on fraudulent application
46
3. Suspicious Personal Identifying Information
• SSN provided is same as that submitted by others opening an account
• Address or phone # is same or similar to the account or phone # submitted by an unusually large number of other persons opening accounts
• Info provided is commonly associated with fraudulent activity as indicated by internal or 3rd party sources. Example:
  • Address on application is fictitious, a mail drop, or a prison
  • Phone # is invalid, or is associated with a pager or answering service
47
3. Suspicious Personal Identifying Information
• Person opening account fails to provide all required info on application or in response to notification that application is incomplete
• Info provided not consistent with what is on file with CU
• For CUs that use challenge questions, person opening account cannot provide authenticating info beyond what is generally available from a wallet or consumer report
48
4. Unusual use of, or suspicious activity, on related account
• CU notified of unauthorized charges or transactions
• Shortly after change of address, there is a request for new, additional or replacement card or addition of authorized users on account
• New revolving credit account used in manner commonly associated with known fraud patterns. Ex:
  • Majority of available credit is used for cash advances or merchandise easily convertible to cash (jewelry, electronics, etc.)
  • Member fails to make first payment or makes initial payment but no subsequent payments
49
4. Unusual use of, or suspicious activity, on related account
• CU is notified that member is not receiving paper statements
• Account has been inactive for lengthy period of time
• Mail sent to member is returned repeatedly as undeliverable even though transactions continue
• Account is used in a manner not consistent with established patterns of activity on the account. Ex:
  • Nonpayment when there is no history of late or missed payments
  • Material increase in use of available credit
  • Material change in purchasing or spending patterns
  • Material change in electronic fund transfer patterns
50
5. Notice of Identity Theft
CU is notified by a member, victim of identity theft, law enforcement, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
51
Human Trafficking Red Flags:
• Identifying human trafficking and human smuggling transactions
• Money flows that do not follow common remittance patterns
• Unusual currency deposits into U.S. financial institutions, followed by wire transfers to countries with high migrant populations
• Incorporate red flags into monitoring and training program
Human Trafficking: The act of recruiting, harboring, transporting, providing or obtaining a person for forced labor or commercial sex acts through the use of force, fraud or coercion.
52
Wire Transfers Recordkeeping:
Originating bank; transfer in excess of $3,000:
• Name and address of originator
• Name and address of beneficiary
• Amount
• Execution date
• Payment instructions
• Identity of beneficiary bank
53
Sale of Monetary Instruments
Credit unions must maintain records of their cash sales of monetary instruments (credit union checks and drafts, cashier’s checks, money orders, traveler’s checks, etc.) when the sale involves amounts from $3,000 to $10,000.
54
Sale Of Monetary Instruments
The member’s ID must be verified and the following information must be retained:
• The member’s name
• The date of the purchase
• The type, serial number and dollar amount of each instrument
Monetary Instruments Log is no longer a requirement.
55
BSA Record Keeping Requirements
• E-Filing System: filers are required to save a printed or electronic copy of the report in accordance with applicable record retention policies and procedures. Filers are reminded that they are generally required to keep copies of their filings for five (5) years after submitting a report.
• C/MIP Program: Maintain identification information for five (5) years after account is CLOSED.
• Five years: can keep longer, but why? Keeping documents longer than required can potentially open the CU up to undue liability and examination.
56
Class will demonstrate knowledge of materials by taking a 25-question timed, multiple-choice exam.
57
BSA Best Practices
1. Create a culture of compliance: ensure it is in the job descriptions of all employees and in training, and provide a copy of the BSA policy to all employees; it is a great reference tool.
2. Document why you decided to do or not to do something. You may need it later, as it is hard to prove why you decided on a course of action when you don’t have specifics or back-up.
3. Ensure BSA reporting documents are filed timely. If the BSA officer is not available, seek out the back-up BSA officer.
58
BSA Best Practices
4. Revamp your risk assessment annually; it should document all updates & changes to product services and BSA officer designations on an ongoing basis, not just once.
5. Address suspicious cybersecurity items in your BSA policy manual under the SAR section.
6. Address 314(b) information sharing in your BSA policy.
7. Anytime there is an exception to the CIP policy, it should be documented.
59
BSA Best Practices
8. High risk accounts: if there are no high risk accounts, it should be so stated in policy.
9. Address audit issues and concerns timely.
10. Ensure your training is conducted timely for staff & board.
11. Ensure BSA/OFAC policies are board approved timely and dated accordingly.
12. Appoint back-up BSA Officer & OFAC officers.
13. OFAC all check/wire payees and account beneficiaries.
60
Carolinas Compliance & Risk Management Department.