AUTO-OWNERS ASSOCIATES CREDIT UNION POLICY AND PROCEDURES MANUAL

Transcription

1 Reviewed/Approved by Board of Directors: September 20, 2011 Page 1 of 16 BSA/AML Compliance Auto-Owners Associates Credit Union s (AOACU) Bank Secrecy Act (BSA) Program will include internal policies, procedures and controls designed to comply with the USA PATRIOT Act of 2001 (PATRIOT Act), The Bank Secrecy Act (BSA), the Currency and Foreign Transactions Reporting Act, Office of Foreign Assets Control (OFAC) rules and all related laws and regulations. The Board of Directors will approve the BSA Program and any changes to it. The Board will designate a BSA Compliance Officer who is responsible for the AOACU s overall BSA Program, including antimoney laundering compliance, OFAC Program Compliance and the PATRIOT Act requirements. 2. Acronyms: AML: Anti Money Laundering BSA: Bank Secrecy Act CDD/MDD: Customer (Member) Due Diligence CIP/MIP: Customer (Member) Identification Program CTR: Currency Transaction Report OFAC: Office of Foreign Assets Control SAR: Suspicious Activity Report 3. Compliance Officer: BSA Compliance Officer will be responsible for ensuring that: a. Reports required by the BSA are filed within a timely manner; b. Account opening procedures, including CIP procedures, conform to the provisions of the BSA; c. Appropriate staff training is provided, as necessary; d. BSA auditing is performed every months; and, e. Adequate record retention procedures are in place. The BSA Compliance Officer may delegate specific compliance responsibilities to departments or individuals within the AOACU. AOACU will assure that the BSA Compliance Officer has every opportunity to seek ongoing training to assure that the AOACU s compliance program is up to date and current. 4. Internal Controls: The BSA Compliance Officer will develop and implement a system of internal controls and procedures under the oversight of the Board of Directors. Within the control structure, the BSA Compliance Officer will assure that dual controls will be in place for the processing of a SAR, CTR, CTR Exemption and Fund (Wire) Transfers. 1

2 Reviewed/Approved by Board of Directors: September 20, 2011 Page 2 of Staff Training: AOACU will assure that all staff will receive appropriate training. This will include all management and staff. The BSA Compliance Officer will ensure that the staff receives their training and that records documenting the training will be kept. The records maintained will include the date, time, topic covered and who attended. All new staff will have coverage of BSA/AML compliance and OFAC included in their initial training sessions. Annually, the Board of Directors and Credit Committee will be trained on BSA/AML and OFAC Compliance. 6. Non-Member Transactions: Currently AOACU only allows non-members to cash checks-on-us transactions. To comply with OFAC, the credit union will obtain identification of the non-member and complete OFAC verification on the non-member. 7. Audit: The BSA Compliance Officer will include independent testing and auditing of the AOACU s BSA/AML Compliance Program and Customer Identification program to be done every months in the internal review plan. The report will be provided to the Board of Directors. 8. Record Retention: All forms, documents and supporting documentation whether in hard copy or electronic media format will be retained and available for review for five (5) years from the date the record was made, with the exception of CIP documentation which will be retained for five (5) years from the date the account is closed. Other retention criteria will apply for certain OFAC blocked accounts. See the OFAC Section of this policy. This five-year retention does not supersede other retention requirements that may have longer retention periods. 9. Dual Control Processing: All SAR, CTR, CTR Exemptions and Fund (Wire) Transfer processing will be completed under dual controls. 10. Periodic Updates: Periodic updates due to regulatory requirements will be addressed as they are made to the AOACU. 11. Annual Part 748 Compliance Statement: The AOACU will file an annual statement with the NCUA Regional Director certifying compliance with the requirements of Part 748 of the NCUA Rules and Regulations. (This statement is on the Report of Officials which is submitted annually by the AOACU after the election of officials.) 2

3 Reviewed/Approved by Board of Directors: September 20, 2011 Page 3 of 16 Customer (Member) Identification Program CIP 1. Account Opening and Identity Verification: The CIP Program is designed to enable AOACU to form a reasonable belief of an applicant s identity; provide applicants with notice; compare applicant s names with certain government lists and ensure the retention of documents and information for required periods. 2. Information Required for Account Opening: Except as indicated otherwise in this policy, effective October 1, 2003, before opening any account for a person not currently a member or for whom the AOACU does not have a reasonable belief as to his/her true identity, the AOACU will obtain the following information. a. Name (legal name) b. Date of birth (for individuals) c. Address: 1. Individuals - Residential street address; - Army Post Office (APO) or Fleet Post Office (FPO) box number; - The residential or business street address of next of kin or other contact individual. 2. Non-individuals AOACU does not open any business style accounts. d. An identification number: 1. For U.S. persons a taxpayer identification number; or 2. For Non-U.S. persons one or more of the following: - A taxpayer identification number; - Passport number and country of issuance; - Alien identification card number; or - Number and country of issuance of any other government issued document evidencing nationality or residence and bearing a photograph or similar safeguard, including: Foreign drivers license Other - Account opening for persons awaiting issuance of a TIN. An account will not be opened for a person who has applied for but not yet received a taxpayer identification number. Once the member received their taxpayer identification number, the account can be opened. - Non-individuals without an identification number. AOACU does not offer business accounts. 3

4 Reviewed/Approved by Board of Directors: September 20, 2011 Page 4 of Verifying Identity: Using a risk-based approach (SEE CIP RISK ASSESSMENT), within a reasonable time after a person provides the AOACU with the information required to open the account, the AOACU will verify the applicant s identity using documentary or non-documentary means, individually or in concert. a. Account Use Prior to Identity Verification: An applicant will not have full use of the services provided to credit union members prior to identity verification. Any such uses will be specifically outlined in the procedures implementing this policy. b. Using Documentary Evidence to Verify Identity: 1. Natural Persons: AOACU will accept un-expired government-issued identification evidencing nationality or residence and bearing a photograph of the applicant, or similar safeguard (e.g., driver s licenses, state ID cards, passport or other similar identification). 2. Non-individual Persons AOACU does not offer business (non-individual) accounts c. Using Non-Documentary Means to Verify Identity: AOACU may verify identity by means other than reliance on written documents or identification. The AOACU may use means other than written documentation when: 1. An individual is unable to present an un-expired government-issued identification document bearing a photograph or similar safeguard; 2. AOACU is unfamiliar with the documentary evidence presented by the applicant; 3. The account is opened without documents; 4. The account is not opened in a face-to-face transaction; and, 5. AOACU deems it prudent to do so, either as the sole means of verifying identity, or in concert with documents. d. Verifying Identity for Minors, Those Lacking Capacity and Non-Legal Entity Associations: The identity of individuals seeking to open accounts for: 1. Minors whose identity cannot otherwise be verified; 2. Persons lacking legal capacity, or 3. A non-legal entity association(s) shall be verified pursuant to this policy. Individuals seeking to open accounts for those listed above will be provided notice of identity verification; identity information will be obtained from them prior to account opening; the Credit Union will verify their identity; required records will be kept; and their names will be compared with government terrorist lists as provided herein. e. Inability to Verify Identity: If AOACU, using the means outlined herein, is unable to verify true identity of an applicant or any existing member, or if the AOACU reasonably believes that the information supplied by the applicant is fraudulent, the credit union will promptly notify the applicant that his/her application for membership has been denied and promptly return any funds the applicant provided with the membership application. 4

5 Reviewed/Approved by Board of Directors: September 20, 2011 Page 5 of 16 AOACU procedures (See New Account Procedures) will detail under what circumstances the inability to verify identity or the reasonable belief that the applicant has provided fraudulent identification will result in the filing of a Suspicious Activity Report. (See the Suspicious Activity Report section of this BSA/AML Policy.) f. Additional Certification for Certain Non-Individual Members: AOACU does not offer business accounts. g. Proof of Identity Verification: AOACU will retain a description of: 1. Any document relied upon to verify identity, noting: a. The type of document; b. Any identification number on the document; c. The place of issuance, and, if any, d. The date of issuance; and e. The expiration date. 2. The methods and results of any measures undertaken to verify the identity of the member using non-documentary methods and any additional verification measures for non-individuals; and 3. The resolution of any substantive discrepancy discovered when verifying identity. h. Member s Identity Has Already Been Verified: Nothing in this policy will be construed to require AOACU to require additional proof of identity from a member of the AOACU opening a new account, if that member or signer has previously had his/her/its identity verified using means consistent with the procedures contained within this policy, provided that the AOACU continues to have a reasonable belief that it knows the true identity of the member. Customer (Member) Due Diligence CDD AOACU will maintain sound policies, procedures and processes for all members, particularly those that present a high risk of money laundering and terrorist financing. The objective of these policies, procedures and processes will be to predict with relative certainty the types of transactions in which a member is likely to engage. The procedures will assist in determining when transactions are potentially suspicious. The concept of a sound CDD program begins with verifying the member s identity and assessing the risks associated with the member. Procedures will include enhanced due diligence (EDD) for high-risk members and ongoing due diligence of the member base. AOACU CDD policies, procedures and processes are critical to the organization because they will aid in: a. Detecting and reporting unusual or suspicious transactions that potentially expose the credit union to financial loss, increased expenses or reputation risk. b. Avoiding criminal exposure from persons who use the credit union s products and services for illicit purposes. 5

6 Reviewed/Approved by Board of Directors: September 20, 2011 Page 6 of 16 c. Adhering to safe and sound financial practices. To assure that AOACU follows this policy, we will: a. Develop and maintain a BSA/AML risk profile, paying particular attention to high-risk members; b. Maintain clear expectations and establish specific staff responsibilities, including who is responsible for reviewing or approving changes to a member s risk rating or profile; c. Ensure we possess sufficient member information to implement an effective suspicious activity monitoring system; d. Provide guidance for documenting analysis associated with the due diligence process; e. Including guidance for resolving issues when insufficient or inaccurate information is obtained; f. Ensure the credit union maintains current member information; and, g. At least annually unless the need of the business dictates otherwise, review and update the risk assessment of our products and services. 2. Product and Services Risk Assessment Details: See the Risk Assessment Policy for related information. Suspicious Activity Reporting SAR AOACU will have procedures in place to ensure that suspicious financial transaction(s) by any member, whether exempt or not are reported on a Suspicious Activity Report (SAR) to FinCEN. 2. When to File a SAR: a. Within thirty (30) days of becoming aware of facts that form the basis for filing a SAR, the AOACU will complete and submit a SAR regarding any transaction involving or aggregating in access of $5,000 when the AOACU knows, suspects (or has reason to suspect) that the transaction: 1. Involves funds from illegal activities or is intended to hide funds from illegal activities in order to violate or evade any federal law or regulation or to avoid any CTR requirement; 2. Evades any regulation set forth under BSA; 3. Has no business or apparent lawful purpose or is not the sort in which the member would normally be expected to engage and the AOACU knows of no reasonable explanation for the transaction after examining the available facts. b. Within thirty (30) days of becoming aware of facts that form the basis for filing a SAR, the AOACU will complete and submit a SAR regarding: 1. Any known or suspected criminal violation that was committed against the AOACU, regardless of the amount of money involved, if the AOACU believes the violation was committed by an insider; 2. Any known or suspected criminal violation has been committed against the AOACU by a noninsider, involving $5,000 or more, if the AOACU can identify the suspect; 6

7 Reviewed/Approved by Board of Directors: September 20, 2011 Page 7 of Any known or suspected criminal violation has been committed against the AOACU involving $25,000 or more, regardless of whether any suspects have been identified. 3. Non-Disclosure: AOACU will not provide any person involved in a transaction about which a SAR has been filed, with notice of the fact that a SAR was filed and if the person inquires as to whether a SAR has been filed regarding any transaction, this inquiry will be considered a sufficient basis for filing of another SAR. 4. Law Enforcement Inquiries and Requests: The AOACU will have procedures for identifying subjects of law enforcement requests, monitoring the transaction activity of those subjects, identifying unusual or suspicious activity related to those subjects, and filing, as applicable, SARs related to those subjects. Law enforcement inquires and requests can include grand jury subpoenas, National Security Letters (NSLs), and section 314(a) requests. Pursuant to 12 USC 3414(a)(3) and (5)(D), the AOACU will not disclose to any person that a government authority or the FBI has sought or obtained access to records through a Right to Financial Privacy Act NSL. If the AOACU files a SAR after receiving a NSL, the SAR will not reference the receipt or existence of the NSL. 5. Non-filing of SAR: If after reviewing information brought to the compliance officer s attention the AOACU opts not to file a SAR, all information leading to this decision will be documented and retained. 6. Consultation with Legal Counsel: The BSA Compliance Officer will develop procedures, considering the provisions of the BSA and the Right to Financial Privacy Act, regarding when consultation with the AOACU s legal counsel is appropriate prior to the filing of a SAR. The AOACU will also consult legal counsel if continued suspicious activity leads to the limiting or closing of a member s services or account. 7. Board of Director Notification: AOACU will notify the Board of Directors on a monthly basis when a SAR is filed and the Board of Directors will maintain the confidentially of such notice. Currency Transaction Reporting CTR Whenever a non-exempt member deposits or withdraws currency in excess of $10,000 (i.e., $10, or more) the AOACU will submit FinCEN Form 104, Currency Transaction Report (CTR), to the IRS by the 15 th day following the date of the transaction. AOACU will have adequate procedures in place to ensure that: a. Multiple same-day cash transactions by or on behalf of a member are treated as a single transaction; b. The name and address of any member that presents a transaction that is reportable on a CTR is verified and recorded; c. Each person who receives in the U.S. currency or other monetary instruments in an aggregate amount exceeding $10,000 at one time which have been transported, mailed or shipped to such a person from any place outside the United States will have a CTR filed, stating the amount, the date of receipt, the form of monetary instruments and the person from whom received; 7

8 Reviewed/Approved by Board of Directors: September 20, 2011 Page 8 of 16 d. Each person subject to the jurisdiction of the United States (except a foreign subsidiary of a U.S. person) having a financial interest in or signature or other authority over a bank, securities or other financial account in a foreign country will report such relationship to the Commissioner of the Internal Revenue for each year in which such relationship exists. Currency Transaction Reporting Exceptions CTRE If certain criteria are met, the AOACU may elect to exempt a member from CTR reporting. No CTR will be filed for a transaction involving an exempt person acting within the scope of his/her/its exemption. The AOACU will exercise due diligence in ascertaining whether any member that requests an exemption meets eligibility requirements. Any member deemed to be exempt must be approved by two (2) members of management. Exempt persons (members) include: a. U.S. depository institutions; b. Local, state or federal departments, agencies, subdivisions or entities; c. Corporations listed on the New York Stock Exchange, the American Stock Exchange or NASDAQ and their subsidiaries; and, d. Any Phase II non-listed business meeting CTRE requirements. 2. Reporting Exempt Members: AOACU will have procedures in place to ensure that a Designation of Exempt Person, FinCEN Form 110 is filed with FinCEN within 30 days of the otherwise reportable transaction. The AOACU will document exactly how the member was deemed exempt. In addition, any information obtained from the members will be retained by the compliance officer. 3. Members Ineligible for an Exemption: AOACU will have procedures in place to ensure that persons that are ineligible for the exempt designation pursuant to the BSA are precluded from obtaining such a designation. 4. Review of Continuing Eligibility for Exemption: AOACU will have procedures in place to ensure that there is an annual review of all exempt members to assure their continuing eligibility for the exemption. Information Sharing Sections 314(A) and 314(B) The PATRIOT Act and regulations allow the AOACU to provide information about specific accounts or transactions in response to requests from FinCEN and to share information about specified accounts or transactions in response to requests from FinCEN, and to share information with other financial institutions. 2. Information Sharing between Law Enforcement and Financial Institutions Sections 314(A): AOACU designates its BSA Compliance Officer as the FinCEN contact person. Upon FinCEN s request, the Compliance Officer will search its records for a specified individual or entity. 8

9 Reviewed/Approved by Board of Directors: September 20, 2011 Page 9 of 16 a. Certification: Prior to FinCEN requesting information, the underlying federal law enforcement agency must provide FinCEN with a written certification, that the person named in the request is reasonably suspected, based on credible evidence, of engaging in money laundering or terrorist activity. b. Record Search: Upon receiving a FinCEN request, the Compliance Officer will search AOACU records to determine whether it maintains or has maintained an account for, or has engaged in a transaction with each named individual or entity. Unless otherwise specified in FinCEN s request, the search will cover: 1. Current accounts; 2. Accounts maintained / closed during the preceding twelve (12) months; and, 3. Transactions and funds transfers conducted during the preceding six (6) months. AOACU is not required to search any account holders processed checks for payee information related to a named suspect. c. Report to FinCEN: If the AOACU finds an account or transaction identified with any individual, entity or organization named in a FinCEN request, the AOACU will place an X on the 314 (A) form, next to the particular named subject for which a match was found. The AOACU will also provide point-of-contact information. d. Use and Confidentiality of Information: The AOACU will not use FinCEN information to report to FinCEN or to determine whether to establish or maintain an account or to engage in a transaction. The AOACU will not disclose to any person, other than FinCEN or the federal law enforcement agency on whose behalf FinCEN is requesting information, the fact that FinCEN has requested information, except to the extent necessary to comply with the request. The AOACU may share this information under the Voluntary Information Sharing policy. The AOACU will maintain adequate procedures to protect the security and confidentiality of FinCEN information request. e. Right to Financial Privacy Act: AOACU responses to FinCEN requests under this Information Policy fall within permissible disclosure exceptions to the Right of Financial Privacy Act. 3. Voluntary Information Sharing Section 314 (B): AOACU may share information with other financial institutions or associations of financial institutions regarding individuals, entities and countries for purposes of detecting, identifying or reporting activities that it suspects may involve money laundering or terrorist activities. If the AOACU engages in this type of information sharing, it will not be liable to any person under any state or federal law or regulation or under any contract or other legally enforceable agreement, for such sharing or for any failure to provide notice of such sharing, to an individual, entity or organization that is identified in such sharing. a. Certification: If AOACU intends to share this information, it will submit a completed FinCEN Notice, either by accessing FinCEN s website, and entering the appropriate information, or by mailing the completed certification to: FinCEN, P.O. Box 39, Mail Stop 100, Vienna, VA Each certification is effective for one year beginning on the certification date. The AOACU will submit a new certification annually. b. Security and Confidentiality: The AOACU will create and maintain procedures to protect security and confidentiality of shared information. This information will be used only to detect, identify and report on activities that may involve terrorist or money laundering activities or to determine whether to establish or maintain an account, or to engage in a transaction. If the AOACU suspects terrorist activity or money laundering, it will call FinCEN; and if appropriate, file a SAR. 9

10 Reviewed/Approved by Board of Directors: September 20, 2011 Page 10 of 16 As of the approval date of this policy, the AOACU does not engage in the BSA provisions of the Voluntary Information Sharing-Section 314(B) program. Purchase and Sale of Monetary Instruments AOACU will comply with the statutory and regulatory requirements for the recording of information required for the purchase and sale of monetary instruments for currency amounts between $3,000 and $10,000 inclusive. 2. Monetary Instruments $3,000 - $10,000 to Members: For monetary instruments purchased by members with currency, with a value between $3,000 and $10,000, the AOACU will record the member s name; date; type of instrument; serial number of instrument and the dollar amount of the transaction. 3. Monetary Instruments $3,000 - $10,000 to Non-Members: In addition to the information obtained for instruments purchased for members, monetary instruments purchased by non-members with currency, with a value between $3,000 and $10,000, the AOACU must record the person s address; social security number or alien ID number and date of birth. As of the approval date of this policy, AOACU does not allow non-members the right to purchase any form of monetary instruments. Funds Transfers (Wire Transfers) AOACU will comply with the statutory and regulatory requirements for funds transfers. In 1995, the U.S. Treasury and the Board of Governors of the Federal Reserve System issued a final rule on record keeping requirements concerning payment orders by credit unions (31 CFR ). The rule requires each credit union involved in funds transfers to collect and retain certain information in connection with the transfers of $3,000 or more. For all wire transfers of $3,000 or more and for all wire transfers covered by Regulation E or the Electronic Funds Transfer Act, made via ACH, an ATM or on a point-of-sale system, the following information will be retained. 2. Credit Union Originates the Wire: When AOACU originates a wire transfer, the name, address, amount, date, beneficiary, financial institution ID, beneficiary s name, address and account will be retained. 3. Credit Union Receives the Wire: When AOACU receives a wire, we will retain a copy of the payment order and if the beneficiary is not a current member, we will verify the beneficiary s name and address; keep a record of the means used to verify the name and address, along with the person s social security number, alien ID or EIN. 10

11 Reviewed/Approved by Board of Directors: September 20, 2011 Page 11 of OFAC Verifications: For all incoming and outgoing fund transfer transactions, AOACU will complete OFAC verifications for all non-member names and foreign countries appearing on the wire transfer form. Refer to the OFAC Policy for further details on OFAC verifications. Foreign Correspondent Account Record Keeping and Due Diligence AOACU will comply with statutory and regulatory requirements for correspondent accounts for foreign shell banks, foreign correspondent account record keeping and due diligence programs to detect and report money laundering and suspicious activity. As of the approval date of this policy, AOACU does not engage in any foreign correspondent banking activity. Private Banking Due Diligence Program (Non-U.S. Persons) AOACU will comply with the statutory and regulatory requirements to implement policies, procedures and controls to detect and report money laundering and suspicious activity through private banking accounts established, administered or maintained for non-u.s. persons. As of the approval date of this policy, AOACU does not engage in any banking activities with non-u.s. persons. 2. Special Measures: AOACU will comply with the statutory and regulatory requirements for special measures issued under Section 311 of the Patriot Act. As set forth in Section 311, certain measures may be imposed by and order without prior public notice and comment, but such orders must be limited in duration and must be issued together with a Notice of Proposed Rulemaking. As of the approval date of this policy, the AOACU does not have international banking activities and foreign jurisdictions in which the AOACU conducts transactions and activities. Foreign Bank and Financial Accounts Reporting AOACU will comply with the statutory and regulatory requirements for the reporting of foreign bank and financial accounts. Each person (including a credit) subject to U.S. jurisdiction with a financial interest in, or signature authority over, a bank, securities, or other financial account in a foreign country must file a Report of Foreign Bank and Financial Accounts (FBAR) with the U.S. Department of Treasury (TD F ) if the aggregate value of these accounts exceeds $10,000 at any time during the calendar year. As of the approval date of this policy, AOACU does not have a financial interest in/or signature authority over banks, securities or other financial accounts in a foreign country. 11

12 Reviewed/Approved by Board of Directors: September 20, 2011 Page 12 of 16 International Transportation of Currency or Monetary Instruments AOACU will comply with the statutory and regulatory requirements for the reporting of international shipments of currency or monetary instruments. Each person (including a credit union) who physically transports, mails or ships currency or monetary instruments in excess of $10,000 at one time out of the United States (and each person who causes such transportation, mailing or shipment), must file a Report of International Transportation of Currency or Monetary Instruments (CMIR), FinCEN Form 105. As of the approval date of this policy, AOACU does not physically transport, mail or ship currency or monetary instruments out of the United States or receives currency or monetary instruments into the United States. Office of Foreign Assets Control (OFAC) OFAC is an office of the U.S. Treasury that administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against entities such as targeted foreign countries, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction. OFAC has been delegated responsibility by the Secretary of the Treasury for developing, issuing, and administering U.S. sanctions programs. Generally, the OFAC regulations contain two major provisions: a. Institutions must block accounts and other assets of countries and entities identified by the President of the United States are being a threat to national security. b. Institutions are prohibited from engaging in unlicensed trade and financial transactions with such countries and entities. While OFAC is responsible for establishing, developing, and administering the sanctions for the Treasury under six basic statutes, all of the bank regulatory agencies cooperate in ensuring financial institution compliance with the regulations. All U.S. persons, including U.S. financial institutions, bank holding companies, and non-bank subsidiaries must comply with OFAC s regulations. OFAC-issued regulations also apply to foreign branches, overseas offices, and subsidiaries of U.S. institutions. 2. Key Definitions: A number of key terms appear in OFAC regulations and sanctions: a. Blocking: Also called freezing, this is a form of controlling assets under U.S. jurisdiction. While title to blocked property remains with the designated country or nation, the exercise of the powers and privileges normally associated with ownership is prohibited without authorization from OFAC. Blocking immediately imposes an across-the-board prohibition against transfers or transactions of any kind with regard to the property. b. Blocked account: This is an account with respect to which payments, transfers, withdrawals, or other dealings may not be made, except as licensed by OFAC or otherwise authorized by the Department of the Treasury. Debits are prohibited; however, credits are authorized. 12

13 Reviewed/Approved by Board of Directors: September 20, 2011 Page 13 of 16 c. General license: This is a regulatory provision authorizing certain transactions without the filing of an application with OFAC. Its terms are listed in the appropriate regulations. Whenever an individual or entity is granted a general license, it is set forth in the Federal Register. The concept is similar in meaning to that employed by the U.S. Department of Commerce. Transactions consistent with normal banking practice are frequently permitted by general license. For questions about general licenses, contact OFAC at 202/ d. Specific license: This is a permit issued by OFAC on a case-by-case basis to a specific individual or company, allowing an activity that would otherwise be prohibited by the embargo or sanctions program. OFAC-specific licenses (which may take the form of a letter or a license) are always issued on U.S. Treasury Department stationery. Applications for the release of blocked funds must be presented in an original letter, signed by the applicant, and have been mailed or otherwise physically delivered to OFAC. Faxed applications are strongly discouraged, and you should notify your correspondent banks accordingly. e. Offset: This is the exercise of the right to net out mutual indebtedness. Offset is a prohibited transfer of frozen assets in situations of blocked property. When foreign assets held by an American company (including a financial institution) are frozen, the assets and any claims the American company may have against the foreign owner are kept separate. f. Property: This includes anything of value. Examples of property under sanctions include money, checks, drafts, debts, obligations, notes, warehouse receipts, bills of sale, evidences of title, negotiable instruments, trade acceptances, contracts, and anything else real, personal, or mixed, tangible or intangible, or interest or interests therein, present, future, or contingent. Practically everything your institution does involves property within the meaning of the regulations. Likewise, property interest is defined as any interest whatsoever, direct or indirect. g. Persons subject to the jurisdiction of the United States: These are the entities that must comply with OFAC regulations. The list includes U.S. citizens and permanent resident aliens wherever they are located, individuals and entities located in the United States (including all foreign branches, agencies, and representative offices), corporations organized under U.S. law (including foreign branches), and (under Trading with the Enemy Act-based sanctions) entities owned or controlled by any of the above, the most important being foreign-organized subsidiaries of U.S. corporations. h. Specially Designated Nationals (SDN): These are usually persons that are not nationals of a designated target country, but that nonetheless are treated as nationals or as the government in applying sanctions to their transactions; they are typically front organizations. The term also includes actual nationals who are highlighted as being of special concern to the Treasury Department by being mentioned on the specially designated nationals and blocked entities list, so that persons subject to the jurisdiction of the United States will know they are prohibited from dealing with them. i. Palestinian Legislative Council (PLC): (NON-SDN) OFAC has issued new rules that will require credit unions and other to check an additional list to make sure they are not dealing with a Specially Designated National (SDN). OFAC has created a new list called the Palestinian Legislative Council List (PLC List), which must be consulted in conjunction with the SDN list restricting dealings by U.S. nationals with the Palestinian Authority. 13

14 Reviewed/Approved by Board of Directors: September 20, 2011 Page 14 of 16 (The Credit Union National Association s (CUNA s) compliance department has noted that some OFAC software providers have included this second list in their packages. However, credit unions using interdiction software should double-check with their vendors to be sure that the PLC List is being monitored.) CU*Answers does provide. j. Census: This is a comprehensive statistical survey of blocked assets conducted from time to time by OFAC. Response is mandated by law. The information obtained from the survey is of vital importance to the U.S. government for foreign policy planning purposes, to assist the Treasury in the preservation of blocked assets, and to enhance the value of those assets for U.S. claimants, including financial institutions. k. International ACH Transactions (IAT): ACH transactions will be classified as IAT when at least one processing financial institution or third party is domiciled in the U.S. or otherwise under U.S. jurisdiction; or, most or all parties to the transaction are outside the U.S., but at least one processing financial institution is subject to U.S. jurisdiction (e.g. Foreign branch of U.S. bank). 3. OFAC Responsibilities: The AOACU will: a. Block accounts and other property of specified countries, entities, and individuals; b. Prohibit or reject unlicensed trade and financial transactions with specified countries, entities, and individuals; and, c. Make periodic reports to OFAC regarding blocked funds, if any accounts are blocked. 4. Blocked Transactions: U.S. law requires that assets and accounts be blocked when such property is located in the United States, is held by U.S. individuals or entities, or comes into the possession or control of U.S. individuals or entities. The AOACU will attempt to block transactions that: a. Are by or on behalf of a blocked individual or entity; b. Are to or through a blocked entity; or c. Are in connection with a transaction in which a blocked individual or entity has an interest. A blocked account will be a segregated interest-bearing account (at a commercially reasonable rate), the AOACU will hold the member s property until the target no longer appears on any OFAC list, the sanctions program is rescinded, or the customer obtains an OFAC license authorizing the release of the property. 5. Prohibited Transactions: In some cases, an underlying transaction may be prohibited, but there is no OFAC requirement to block the assets. In these cases, the transaction will not be processed. (For example, the Sudanese Sanctions Regulations prohibit transactions in support of commercial activities in Sudan. Therefore, your institution would have to reject a funds transfer between two companies, which are not Specially Designated Nationals (SDNs), Palestinian Legislative Council (PLCs) or Blocked Persons (SDNs), involving an export to a company in Sudan that also is not an SDN. Because Sudanese sanctions would only require blocking transactions with the Government of Sudan or SDNs, there would be no reason to block the funds between the two companies. However, because the transactions would constitute support of Sudanese commercial activity, which is prohibited, the AOACU cannot process the transaction and would simply reject the transaction.) 14

15 Reviewed/Approved by Board of Directors: September 20, 2011 Page 15 of OFAC Reporting: The AOACU will report all blocked assets to OFAC within ten business days of the occurrence, and all assets blocked as of June 30 are reported annually by September 30. Once assets or funds are blocked, they will be placed in a blocked account. Prohibited transactions that are rejected must also be reported to OFAC within ten days of the occurrence. The AOACU will keep a full and accurate record of each blocked or rejected transaction for at least five years after the date of the transaction. For blocked property, records will be maintained indefinitely. The AOACU no longer needs to file Suspicious Activity Reports (SARs) on blocked narcotics or terrorism related transactions, as long as the credit union files the required blocking report with OFAC. However, because blocking reports require only limited information, if the AOACU has additional information not included on the blocking report filed with OFAC, a separate SAR including that information may be filed with FinCEN. In addition, the AOCU may file a SAR if the transaction itself would be considered suspicious in the absence of a valid OFAC match. 7. OFAC Licenses: OFAC has the authority, through a licensing process, to permit certain transactions that would otherwise be prohibited under its regulations. OFAC issues licenses to engage in otherwise prohibited transactions when it determines that the transaction does not undermine the U.S. policy objectives of the particular sanctions program, or is otherwise justified by U.S. national security or foreign policy objectives. It will be the AOACU s policy to verify and obtain a copy of any license submitted to the credit union. 8. Record Retention: All OFAC documentation will be retained for a minimum of five (5) years. Accounts that have been blocked will be retained indefinitely. OFAC Program As a matter of sound banking practice and in order to ensure compliance, the AOACU will establish and maintain an effective written OFAC Risk Assessment and program. (See OFAC Risk Assessment) 2. Internal Controls: a. The AOACU will designate an OFAC Compliance Officer. This can be and in most cases the BSA Compliance Officer. b. The AOACU will use the CU*Answers Software Program to flag those accounts that appear to be a match against any OFAC listing. (Be sure to detail how these matches have been arrived at. Filtering Criteria.) c. Should there be any matches; the OFAC compliance officer will follow certain set written procedures. d. All new accounts will be checked against the SDN/PLC lists using the CU*Answers Software Program prior to the account being opened. In addition to the owner of the account being checked, any joint owner and/or beneficiaries listed on the account will be checked against OFAC. 15

16 Reviewed/Approved by Board of Directors: September 20, 2011 Page 16 of 16 e. All funds transferred (wire transfers) will be checked against OFAC. For any wire transfer that involves a non-member, an OFAC check will be done using the sites: and f. In the event the AOACU cashes an on-us check or does credit card cash advance for a nonmember, they will be checked against the SDN/PLC lists prior to the transaction taking place. g. All owners of collateral on loans that are non-members will be checked against the SDN/PLC lists prior to the loan taking place. h. Any co-signer on a loan that might not be a member of the AOACU will be checked against the SDN/PLC lists prior to the loan taking place. i. In addition to the above listed situations, if it is brought to the AOACU s attention that a person or entity is attempting to do business with the AOACU an SDN/PLC check will be done prior to any transaction taking place. j. The AOACU currently does not scan the payees of its cashier s checks against the SDN or PLC list but realizes and has accepted the risk. k. The AOACU has scanned all of its vendors that are listed in the Contract section of its Risk Analysis against the SDN and PLC lists. As new vendors are added, the AOACU will scan those vendors against the SDN and PLC lists. 3. International ACH Transaction (IAT): a. The entire ACH Record will be checked against the SDN & PLC list prior to processing the transaction. b. If there is a match to the SDN and/or PLC lists, the transaction will be blocked or rejected. See procedures on determining a valid SDN or PLC match. c. If the IAT is returned within one calendar day, re-scanning the entire ACH record against the SDN & PLC lists is not needed. If the IAT is returned after more than one calendar day the entire ACH record must be scanned against the SDN & PLC lists again. 4. Updating SDN/PLC Lists: It will be the responsibility of the OFAC Compliance Officer to maintain updated SDN/PLC listings. Any matches will be reviewed and documented by the OFAC Compliance Officer. A search for matches will be run each Monday. New accounts will be checked before opening. 5. Training: The AOACU will provide adequate training for all appropriate employees. The frequency of training will be reflected in the risk assessment attached. (See OFAC-Risk Assessment) The OFAC Compliance Officer will keep track of all training including the names and titles of persons attending, the date of the meeting, and a sample of the material used for training. These training documents will be retained for 5 years from the date of training. 6. Updating for Regulatory Requirements: The AOACU will update its policy, procedures and practices for regulatory requirements as these requirements are made known to the AOACU. 7. Review of Policy This Policy will be reviewed and approved at least annually by the Board of Directors. Any additions, deletions, or corrections must carry Board approval. 16