Bank Secrecy Act 101 Fall Colleen Kelly & Valerie Moss CUNA Compliance

Transcription

1 Bank Secrecy Act 101 Fall 2016 Colleen Kelly & Valerie Moss CUNA Compliance

2 BSA: COMBAT ILLICIT FINANCIAL TRANSACTIONS

3

4 BSA Reporting Homeland Security: The only way to stop ISIS is to cut off their money supply FBI: Approximately 18% of the Bureau s international terrorism cases had related BSA filings in 2014

5 Bank Secrecy Act Bank Secrecy Act (BSA), also known as the Financial Recordkeeping and Reporting of Currency and Foreign Transactions Act of 1970 Enacted to help in the investigation of money laundering, tax evasion and other criminal activity

6 BSA Timeline Bank Secrecy Act (1970) Money Laundering Control Act (1986) Anti-Drug Abuse Act (1988) Annunzio Wylie Anti-Money Laundering (1992) Money Laundering Suppression Act (1994) Money Laundering and Financial Crimes Strategy Act (1998) Title III of the USA Patriot Act (2001)

7 USA PATRIOT Act Verify identity of anyone opening an account. Maintain records of the verifying information. Check lists of known or suspected terrorists. Provide member with a notice of the information collection requirement. Participate in information sharing with law enforcement and financial institutions.

8 Who Administers the BSA? The Financial Crimes Enforcement Network (FinCEN), administers the BSA, along with the assistance of the financial institution regulatory agencies. FinCEN was created to maximize information sharing between law enforcement agencies and financial institutions.

9

10 BSA Risk Assessment Location Membership Products and Services Types of Accounts

11 BSA Risk Assessment Involves two steps: Step 1: Identify the specific risk categories unique to your credit union Step 2: Provide a detailed analysis of the data you gathered in Step 1

12 BSA Risk Assessment Some of the factors you may consider: Purpose of the account Actual or anticipated activity in the account Nature of the member s business or occupation Member s location Type of products and services used by the member

13 Determining Risk Level Two credit unions each send out 25 international fund transfers per day. Credit Union #1: 90% of the fund transfers are recurring, well-documented transactions from long-term members. Credit Union #2: 90% of the fund transfers are nonrecurring or from nonmembers. Which credit union s fund transfers are higher risk? Credit Union #2

14 BSA Risk Assessment Develop appropriate policies and procedures to monitor and control the credit union s BSA risks, with more emphasis on higher risk products, services, members and branches. Risk assessment is an ongoing process, not a one-time exercise. Recommend reassessing the BSA risk every 12 to 18 months.

15 Risk Assessment and Your Exam If your CU does not have a proper risk assessment, your examiner must create one for you could subject you to more scrutiny during exam. Also, your examiner is not required to share this risk assessment with you.

16

17 BSA Risk Assessment Credit unions should refer to the Federal Financial Institutions Examination Council s (FFIEC) BSA/AML examination manual Appendices I, J and K -- to assist in developing their risk assessment. These appendices should be considered a STARTING point and not a template for your risk assessment.

18 Identify & Verify Your Members

19 Customer Identification Programs (CIP) To help identify your potential members To assist in the detection and prevention of money-laundering and terrorist financing. Must verify information of members, joint accountholders & co-borrowers CIP should be based on CU s specific risk assessment CIP must be incorporated in overall BSA program and approved by Board of Directors.

20 Customer Identification Programs Name; Address; Date of birth; and Identification number.

21 Customer Identification Programs Identification number U.S. Persons: Taxpayer Identification Number (TIN) - usually a Social Security Number Non U.S. Persons: Individual Taxpayer Identification Number (ITIN), usually a passport or other government-issued document reflecting an identification number, country of origin, and photo or similar safeguard.

22 Verification of Identity You must verify enough of the information to establish a reasonable belief that you know the true identity of the member. Two methods you can use to verify identity: Documentary Non-documentary

23 Documentary Method Unexpired government issued identification, such as: A driver s license; Passport; or Military ID.

24 Non-documentary Method Information obtained from a credit bureau, or against fraud and bad check databases; References from other financial institutions; Confirm information such as telephone number and address by contacting member; Tax return or a financial statement.

25 Non-documentary Method Online verification system; Information available from any other trusted third-party source; Public databases, such as an online telephone directory for address or local telephone number.

26 CIP Procedures How the identity will be verified; When documents, non-documentary methods or a combination of both methods will be used; What documents and non-documentary information will be accepted.

27 Verification of Identity Specific Situations to Consider: When should the credit union not open an account at all? When will the credit union open an account while it attempts to verify identification? When should the credit union close an account after attempts to verify the identity of the person fails? When should the credit union file a suspicious activity report (SAR)?

28 Verification of Identity Must be done before or within a reasonable time after the account is opened You must verify enough information to form a reasonable belief that you know the member, any joint owners, and any coborrowers

29 Services not Subject to CIP Check cashing Wire transfers Sale of checks or money orders ERISA Accounts

30 Verifying Business Accounts Could be higher risk for money laundering Verify actual existence of business: Certified articles of incorporation A government issued business license A partnership agreement

31 CIP: Record Retention Records of identifying information and verification methods Retained for 5 years after the date the account is closed Maintained as either a copy of the actual document or a description of the document Description should include: the type of document, any identifying number on the document, the location the document was issued (country, state), the date of issuance, expiration date, if any.

32 Additional Records Description of verification methods Results of the verification Any necessary resolution Keep for 5 years after record is made

33 CIP: Notice to Members You must provide your members and potential members with a notice describing the information collection requirements of the BSA. You must ensure that every member will see the notice before opening an account.

34 CIP: Examiner Review Risk-based Examiners may review the board minutes to verify approval of the Customer Identification Program Transaction testing reviewing a sample of selected accounts to determine compliance

35 Customer Due Diligence (CDD) Obtain information at account opening to understand normal activity for member; This information allows credit unions to differentiate between low and high risk members;

36 Customer Due Diligence Member s normal and expected transaction activity Changes in the member s risk profile, Periodically monitor information to keep it up to date Collect from all members not just high risk

37 CDD: High Risk Member Purpose of the account; Source of funds and wealth; Individuals with ownership or control over the account, Occupation or type of business Financial statements Financial institution references Where the business is organized Member s place of employment Are international transactions routine? Business operations, volume of currency and sales, major customers and supplies Changes in account activity

38 CDD: Guidelines Commensurate with the credit union s BSA/AML risk profile Clear statement of management s overall expectations Sufficient information for suspicious activity monitoring

39 CDD: Guidelines Guidance for documenting analysis associated with the due diligence process Maintain current member information.

40 The New Customer Due Diligence Rule GOOD NEWS: Applies to legal entity accounts Compliance date: May 11, 2018 Only for new accounts

41 Beneficial Owner Due Diligence Identification & Verification of Beneficial Owners Certification Form Written Procedures Recordkeeping & Retention

42

43

44

45

46

47

48 Office of Foreign Assets Control A division of the U.S. Treasury Department Administers and enforces economic and trade sanctions against: Targeted countries and their agents Terrorism sponsoring agencies organizations International narcotics traffickers

49 OFAC Compliance Program Designate an OFAC compliance officer Identify high-risk areas Provide for appropriate internal controls for OFAC screening and reporting Establish independent testing for compliance Create training programs for appropriate personnel in all relevant areas of the credit union

50 OFAC Requirements Block ( freeze ) accounts and other property of any country, entity, or individual appearing on OFAC s Specially Designated Nationals (SDN) and Blocked Persons List (or any other list(s) maintained by OFAC). Prohibit or reject (don t process) unlicensed financial transactions with OFAC-specified countries, entities or individuals (when no block-able interest is involved).

51 What s the SDN List? OFAC s primary list of U.S. sanction targets, which includes: Individuals and entities owned or controlled by, or acting for or on behalf of, targeted countries; and Individuals, groups, and entities, such as terrorists and narcotics traffickers designated under sanction programs that are not country-specific.

52 Other OFAC Lists S ectoral Sanctions Identifications List F oreign Sanctions Evaders List Non-SDN Palestinian Legislative Council List No n SDN Iranian Sanctions List Consolidated Sanctions List

53 What is property? Anything of value. Examples of property include: money, checks, drafts, debts, obligations, notes, warehouse receipts, bills of sale, evidences of title, negotiable instruments, trade acceptance, contracts, and anything else real, personal, or mixed, tangible or intangible, or interest or interests therein, present, future, or contingent.

54 Property Practically everything that credit unions do every day involves property within the meaning of OFAC regulations. Likewise, property interest is defined as any interest whatsoever, direct or indirect.

55 OFAC covers EVERYTHING! Opening new accounts Wire transfers ACH transfers Electronic Fund Transfers Cashing/depositing share drafts/checks Purchase of money orders/cashier s checks Dispensing loan proceeds/accepting loan payments Etc.

56 Transaction Parties Based on the CU s risk profile for each area of its operations and available technology, the CU should establish policies, procedures and processes for reviewing transactions and transaction parties. (FFIEC BSA-AML Exam Manual) Transaction parties include primary members, joint account holders, check payees, beneficiaries, cosigners, parties on the other end of a wire, etc

57 Reporting OFAC Hits Blocked and rejected transactions must be reported to OFAC within 10 business days from the date that property becomes blocked. Call OFAC and ask for instructions when you have a hit on the list, or questions regarding a potential match: OFAC (6322) or

58 Blocked Account Place blocked funds into an interest-bearing account on your books. Only OFAC-authorized debits may be made. Funds must earn interest at a commercially reasonable rate (i.e., a rate currently offered to other members on deposits or instruments of comparable size and maturity). Check sanction program before charging any service charges (generally allowable).

59 OFAC Licenses OFAC can issue a license to permit certain transactions that would otherwise be prohibited under its regulations. General license authorizes categories of transactions. Specific license issued case-by-case.

60 Annual OFAC Report All holders of blocked property must file a comprehensive annual report on blocked property held as of June 30 by September 30 each year. Blocked Properties Reporting Form is available on the OFAC Web site at under OFAC Reporting and License Application Forms.

61 OFAC Record Retention All OFAC records must be retained for 5 years. Rejected items: maintain records for 5 years from the date of the transaction. Blocked accounts: maintain records for 5 years after the date that the account is unblocked. Maintain a complete and accurate record of the blocked account for as long as the CU is holding the blocked property.

62 Suspicious Activity Reporting Suspicious activity reporting forms the cornerstone of the BSA reporting system and is critical to the United States ability to utilize financial information to combat terrorism, terrorist financing, money laundering and other financial crimes. -FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual

63 Suspicious Activity Monitoring Suspicious activity monitoring and reporting are critical internal controls. Proper monitoring and reporting processes are necessary for an effective BSA compliance program. Appropriate policies, procedures, and processes should be in place to monitor and identify unusual activity.

64 Suspicious Activity Monitoring Identification/alert of unusual activity Managing alerts (i.e., investigate & evaluate unusual activity) Suspicious Activity Report (SAR) decision-making SAR completion and filing Monitoring and SAR filing on continuing activity

65 Suspicious Activity Reporting When to file a Suspicious Activity Report? Insider abuse involving any amount. Violations aggregating $5,000 or more where a suspect can be identified. Violations aggregating $25,000 or more, regardless of a potential suspect.

66 Suspicious Activity Reporting Transactions aggregating $5,000 or more that you suspect: May involve potential money laundering or other illegal activity (e.g., terrorism financing). Are designed to evade the BSA or its implementing regulations (e.g., structuring to evade currency transaction reporting). Has no business or apparent lawful purpose.

67 Suspicious Activity Reporting The term transaction includes: Deposits Withdrawals Transfers between accounts Exchanges of currency Extensions of credit Sales of a monetary instrument Any other payments by, through, or to a financial institution

68 Safe Harbor The BSA provides protection from civil liability for all reports of suspicious transactions made to appropriate authorities, regardless of whether the reports are filed according to the SAR instructions. The safe harbor applies to SARs filed within the required reporting thresholds, and to SARs filed voluntarily on any activity below the thresholds.

69 Appropriate Authorities Bureau of Alcohol, Tobacco, and Firearms (ATF) Criminal investigative services of the armed forces Drug Enforcement Administration (DEA) Federal Bureau of Investigation (FBI) Immigration and Customs Enforcement (ICE) IRS or state tax enforcement agencies Office of Foreign Assets Control (OFAC) U.S. Postal Inspection Service U.S. Secret Service United States Attorney s Office State or local police department; Attorney General, District Attorney, or State s Attorney at the state or local level

70 What s suspicious activity? There are a number of activities that should raise a red flag as possibly facilitating money laundering, terrorist financing, or other illicit activity. Red flags warrant closer scrutiny, and possibly filing a SAR.

71 Red Flags A member uses unusual or suspicious identification documents that cannot be readily verified. A member makes frequent or large transactions and has no record of past or present employment experience. Member visits a safe deposit box on an unusually frequent basis.

72 Red Flags A member separates a cash transaction over $10,000 in to several transactions in an attempt to avoid the CTR reporting threshold ( structuring ). Deposits are structured through multiple branches of the same institution, or by groups of people who enter a single branch at the same time.

73 Red Flags A member s wire or EFT activity is unexplained, repetitive, or shows unusual patterns. Member conducts large deposits and withdrawals during a short time period after account opening, then subsequently closes the account or the account becomes dormant. An account with little activity suddenly experiences large deposit and withdrawal activity.

74 Red Flags Funds are frequently sent or received via international wire transfers from or to higherrisk locations. When establishing a business account, a member is reluctant to provide complete information about the nature and purpose of his business, anticipated account activity, or the names of the company s officers and directors.

75 Red Flags The currency transaction patterns of a business show a sudden change inconsistent with normal activities. A large volume of cashier s checks, money orders, or funds transfers is deposited into, or purchased through, an account when the nature of the accountholder s business would not appear to justify such activity.

76 Types of Suspicious Activity Structuring Fraud (e.g., ACH, check, loan, wire, etc.) Account takeover Elder financial exploitation Forgeries Embezzlement Identity theft Unauthorized electronic intrusion Terrorist financing

77 Exceptions A credit union is not required to file a SAR for: A robbery or burglary committed or attempted that is reported to appropriate law enforcement authorities; or Lost, missing, counterfeit, or stolen securities, that the credit union properly reports to the SEC, and FBI when criminal activity is involved.

78 Filing the SAR File the SAR no later than 30 calendar days from the date of the initial detection of facts that may constitute a basis for filing a SAR. The phrase initial detection does not mean the moment a transaction is highlighted for review. Legitimate transactions can sometimes raise a red flag because they are inconsistent with a member s usual account activity. The 30-day period does not begin until an appropriate review is conducted and a determination is made that the transaction warrants a SAR filing.

79 Filing the SAR No identified suspect: CUs may delay filing a SAR for an additional 30 calendar days to identify a suspect, i.e., the CU has up to 60 calendar days after the date of initial detection to file the SAR. Reporting continuing suspicious activity: CUs may file SARs for continuing activity after a 90-day review, with the filing deadline being 120 days after the date of the previously-related SAR filing.

80 Continuing Suspicious Activity Day 0: Identification of suspicious activity and subject Day 30: Deadline for initial SAR filing Day 120: End of 90 day review Day 150: Deadline for continuing activity SAR with subject information (120 days from the date of the initial filing on Day 30) If the activity continues, this timeframe will result in 3 SARs filed over a 12-month period (FinCEN SAR FAQs, Q&A #16).

81 Document Everything! Document your decision-making process, whether or not the CU files a SAR. Maintain a copy of the SAR & supporting documentation for 5 years from the date of filing the SAR. Be ready to respond to law enforcement requests should they occur.

82 SAR Confidentiality No credit union and no director, officer, employee, or agent of the credit union that reports a suspicious transaction may notify any person involved in the transaction that the transaction has been reported. The unauthorized disclosure of a SAR is a violation of federal law. Both civil and criminal penalties may be imposed for SAR disclosure violations.

83 SAR Confidentiality Employees and board members who are appropriately entrusted with information in a SAR must maintain SAR confidentiality. This obligation applies not only to the SAR itself, but also to information that would reveal the existence (or nonexistence) of the SAR.

84 Notifying the Board of SAR Filings Management must promptly notify the CU s board of directors (or designated committee) of any SAR filings. Promptly means at least monthly, e.g., the monthly board meeting.

85 Notifying the Board of SAR Filings There is no required format for sharing SAR information with the board (summary, spreadsheet, etc.) What if a board member is a suspect? Remember SAR confidentiality requirements - the CU cannot notify a board member that s/he was the subject of a SAR.

86 Law Enforcement Requests Law enforcement agencies may ask a CU to maintain certain accounts to aid in their investigations. The decision to comply with such a request is left to the CU. CUs should carefully weigh the pros/cons of complying with such requests.

87 Law Enforcement Requests Get the request in writing. Make sure the request is issued by a supervisory agent or an attorney representing federal, state, or local law enforcement. Limit the duration of the request to no more than six months. Maintain documentation of such requests for at least 5 years after the requests have expired.

88 Law Enforcement Requests Complying with an LE request does not relieve a credit union of its record-keeping and reporting responsibilities under the BSA. A CU that opts to maintain an account that reflects suspicious activity would still be expected to complete and file SARs on the account.

89 Requests for SAR Supporting Documentation Supporting documentation includes all documents or records that the credit union used to make the determination to file the SAR. Supporting documentation is considered to be a part of the SAR, even though it is retained by the credit union.

90 Requests for SAR Supporting Documentation Appropriate law enforcement (e.g. FBI, IRS, etc.) or the CU s federal regulator may request the supporting information without a subpoena or court order. Right to Financial Privacy Protections do not apply.

91 Currency Transaction Reports Credit unions are required to report: Deposits, withdrawals, transfers and other transactions Involving currency (cash or coin) Exceeding $10,000 Includes single or multiple transactions made on the same day (aggregate weekends, ATM and night deposit transactions)

92 Currency Transaction Reports CTR triggered by: Deposits & withdrawals Denomination exchanges Loan payments ATM transaction Purchase of share certificates Fund transfer paid for in currency Purchase of monetary instruments

93 Currency Transaction Reports Includes transactions made by the member or on behalf of the member Joint accounts CTR should list all joint owners on account for deposits. In the case of account withdrawals, list only the individual who is making the withdrawal unless you have facts to suggest that all or additional joint owners will benefit from the transaction.

94 CTR - Structuring Member deposits $4,000 at Branch #1, $4,000 later that day at Branch #2 and $3,000 ATM deposit. If aware of all deposits, file a CTR. Do not offset deposits and withdrawals: Member deposits $11,000 in savings (Cash In), withdraws $3,000 from checking (Cash Out), withdraws $4,000 from ATM (Cash Out). $11,000 Cash In reportable, $7,000 Cash Out not reportable.

95 CTR: Aggregating Deposits and Withdrawals Member deposits $6,000 into savings, withdraws $4,000 from checking, presents $5,000 in US currency to be exchanged for Euros. Cash In: $6,000 + $5,000 = $11,000 reportable Cash Out: $4,000 + $5,000 (Euros) = $9,000 not reportable

96 Weekend Aggregation Deposits made at night or over the weekend = next business day. NCUA s Weekend example: Member places deposit bag into night depository on Friday night, 2 on Saturday, 2 on Sunday treated as a single transaction on Monday, which is the next business day.

97 Currency Transaction Reports CTRs must be filed within 15 calendar days. If CTRs deadline is missed, begin the process of completing the forms and contact the BSA Hotline for assistance BSA Helpline: or Keep copies of CTRs for 5 years

98 Designation of Exempt Person (DOEP) Exempt designation = no CTRs There are two types of exemptions under BSA: Phase I - credit unions & banks, government agencies, any entity exercising government authority, entities whose common stock is listed on the stock exchange, and any subsidiary of these listed entities. Phase II Non-listed businesses, Payroll members

99 Summary of Phase II Requirements Type of Customer Trans. Freq. Waiting Period Ineligible Activity File DOEP Report Annual Review Non-listed businesses 5 or more transaction /year 2 months, or less after riskbased analysis No more than 50% of gross revenues from ineligible activity Yes Yes Payroll Customer 5 or more transaction /year 2 months, or less after riskbased analysis N/A Yes Yes

100 Summary of Phase I Requirements Type of Customer Credit unions & banks Govt departmts., agencies, or authorities Entities listed on stock exchange Subsidiaries of those listed on stock exchange Trans Freq Waiting Period Ineligible Activity File DOEP Report N/A None N/A No No N/A None N/A No No N/A None N/A Yes Yes Annual Review N/A None N/A Yes Yes

101 Phase II: Non-listed businesses that: CTR Exemptions Have maintained a transaction account for at least 2 months or granted an exemption after a risk assessment Frequently (5/year) engage in currency transactions over $10,000, Are organized under a U.S. federal or state law AND No more than 50% gross revenue from ineligible business Payroll customers that: Have maintained a transaction account for at least 2 months or granted an exemption after a risk assessment Regularly withdraw more than $10,000 to pay employees, AND Are organized under a U.S. federal or state law This exemption only applies to payroll withdrawals

102 CTR Exemptions Must file DOEP within 30 days of the triggering transaction. No need to renew the DOEP The exemption only applies to transactions involving the exempt person s funds

103 CTR: Exemptions Exemption Reviews: Maintain good documentation so that you can review it annually Safe Harbor: Not liable for failure to file CTR, unless you provide false information or know member doesn t qualify for exemption.

104 Monetary Instruments Purchase of a cashiers check, traveler s check or money order Between $3,000 and $10,000 in cash

105 Monetary Instruments For purposes of recordkeeping, multiple purchases during one business day totaling $3,000 or more are treated as one purchase. Similarly, purchases of different types of instruments totaling $3,000 or more are treated as one purchase.

106 Monetary Instruments Credit union must keep a record of: Name of the purchaser Date of the purchase Type of instrument purchased Serial numbers of each instrument Dollar amount of each instrument Verify ID of purchaser (obtain additional info for non-members) Retain records for five years

107 Monetary Instruments Can the credit union require the member to deposit the currency before purchasing a monetary instrument? Yes. CUs are permitted to implement such a policy, but the transaction is still subject to the BSA recordkeeping requirements. CUs generally maintain most of this information in the normal course of business.

108 International Currency or Monetary Instrument Report (CMIR)* A person must file a CMIR if s/he physically transports, mails, or ships currency or monetary instruments in an aggregate amount exceeding $10,000 at one time to/from the U.S. to/from any place outside the United States. A CU is not required to file a CMIR for transfers of funds through normal CU operations that don t involve the physical transportation of currency or monetary instruments. * For informational purposes only, not on the exam.

109 Funds Transfers CUs must retain records in connection with funds transfers of $3,000 or more. The term funds transfer means any payment order issued by the originator's financial institution or an intermediary institution intended to carry out the originator's payment order (e.g., wire transfers). Records must be retained for 5 years.

110 Funds Transfer Rules Do Not Cover Transfers less than $3,000 Electronic fund transfers as defined by the Electronic Fund Transfer Act and Regulation E ACH transactions

111 Funds Transfer Rules Do Not Cover Transfers where both the originator and the beneficiary are any of the following: A domestic bank or credit union; A federal, state or local government agency or instrumentality; or The same person, and the originator s and beneficiary s financial institution are the same institution.

112 Funds Transfers of $3000 or more Credit unions must obtain & retain the following information in connection with a funds transfer of $3000 or more: Transmittor s name and address Amount, date of payment order and any payment instructions received Beneficiary bank identification Beneficiary s name and address, and account number if it was provided to the credit union

113 Funds Transfers of $3000 or more Travel Rule: the information must travel with the payment order to the beneficiary (i.e. receiving) financial institution. Only originators and intermediary institutions must comply with the Travel Rule. There are no Travel Rule requirements for beneficiary institutions. Beneficiary institutions must retain a record of the payment order once the fund transfer reaches its destination.

114 Other Recordkeeping Requirements* Credit extensions (not secured by real property) in excess of $10,000 Signature cards Account statements Checks in excess of $100 Deposits in excess of $100 Records to reconstruct checking accounts Share certificates/cds purchased/presented *For informational purposes only, not on the exam.

115 Information Sharing USA Patriot Act Section 314(a): sharing with FinCEN Section 314(b): sharing with other financial institutions

116 314(a) Information Requests Credit union must have a contact person to receive requests from FinCEN Requests for information sent every 2 weeks Credit union has 14 days to search records Report positive matches to FinCEN Must maintain evidence of compliance Keep documentation confidential and secure Cannot disclose FinCEN request

117 314(a) - Searching Records Conduct a one-time search of the CU s records to identify accounts or transactions of a named suspect. Unless otherwise instructed by an information request, search records for: Current accounts; Accounts maintained during the preceding 12 months; and Transactions conducted outside of an account by or on behalf of a named suspect during the preceding six months.

118 314(a) - Reporting a Positive Match Notify FinCEN via Web-based 314(a) Secure Information Sharing System (SSIS) of any positive matches. No details should be provided regarding the account or transaction other than the fact that you have a match. Only report positive match - a negative response is not required.

119 Documenting Compliance The CU must keep 314(a) documentation confidential and secure. CU cannot disclose the 314(a) request to anyone other than FinCEN, its regulator, or the law enforcement agency on whose behalf FinCEN requested the information.

120 314(b) Information Sharing Permits financial institutions to share information with one another to identify and report activities that they suspect may involve possible money laundering or terrorist activity. There is a safe harbor from civil liability for a financial institution (or an association of financial institutions) that chooses to participate in 314(b) information sharing.

121 314(b) Information Sharing In order to participate in voluntary information sharing, an institution must: Complete a notice to share information with FinCEN, which is effective for one year. Designate a point of contact for receiving and providing information. Establish a process for sending and receiving information sharing requests.

122 314(b) Information Sharing Take reasonable steps to verify that the other financial institution has also submitted the required notice to FinCEN before sharing any information. Have procedures in place to ensure the security and confidentiality of information received from other 314(b) institutions. The credit union cannot share a SAR, its intention to file a SAR, or disclose the existence of a SAR.

123 Bank Secrecy Act Program 1. BSA compliance officer, appointed by the board 2. Internal controls 3. Independent testing, conducted by credit union personnel or outside parties 4. Training BSA Compliance Program must be: in writing, approved by board of directors, and reflected in the minutes of the meeting

124 Bank Secrecy Act Officer Board designated, qualified BSA officer, fully knowledgeable of the BSA rules, credit union s products, services, members, and geographic locations; Manages all aspects of the BSA compliance program; Must have sufficient authority and resources to perform duties; Must regularly apprise the senior management and board of directors on BSA compliance issues.

125 Board of Directors The Credit Union s board of directors is ultimately responsible for the credit union s compliance and is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (ie: monetary, physical and personnel) to effectively administer the compliance program.

126 BSA Internal Controls Policies and procedures to limit and control BSA/ AML risks; Commensurate with the size, structure, risks and complexity of your credit union;

127 BSA Internal Controls Identify credit union products, services, members, branches that are more vulnerable to abuse - manage the higher risk. Inform the board and senior management of compliance initiatives, deficiencies, corrective actions, and SARs Program continuity. Recordkeeping and reporting requirements

128 BSA Internal Controls (cont.) Customer Due Diligence policies & procedures Identify reportable transactions and file reports Segregation of duties, where possible Sufficient controls and monitoring systems Supervision of employees BSA training for employees

129 BSA Independent Testing Conducted by parties not involved in BSA functions Audit results must be reported to the Board Audit must be conducted at least every 12 to 18 months, depending on credit unions risk profile

130 Bank Secrecy Act Training All personnel whose duties require knowledge of BSA Tailored to specific responsibilities New employee orientation Periodic training for BSA officers Board of Directors should receive enough training to gain a general understanding to provide adequate oversight NCUA recommends BSA training at least annually Keep records of training programs

131 High-Risk Business Accounts

132 Money Services Businesses The following are considered MSBs: Currency dealers or exchangers Check cashers Issuers or sellers of traveler s checks or money orders Providers of prepaid access Money transmitters US Postal Service (low risk)

133 Money Services Businesses Monetary thresholds for: Currency Dealers or Exchangers Check Cashers Issuers or Sellers of traveler s checks or money orders Must be transactions in excess of $1000 per person, per day (single or aggregated transactions) to be considered an MSB

134 MSBs: NCUA s Expectations Properly identify MSB accounts; Assess the potential risk; Conduct adequate and ongoing due diligence; Include MSBs in the your suspicious activity monitoring and reporting system.

135 Money Services Businesses Credit unions are expected to apply their riskbased BSA standards to MSBs. MSBs should be prepared to produce basic information such as: Basic identification State licensing, if applicable FinCEN registration Additional helpful information

136 Money Services Businesses In the event an MSB is: (i) not able to present appropriate registration /licensing documentation, AND (ii) there is no reasonable explanation for this lack of documentation A credit union should file a SAR.

137 MSB: Due Diligence Minimum Expectations: Apply your MIP; Confirm FinCEN registration; Confirm state or local license; Confirm agent status; and Apply Risk Assessment

138 MSB: Risk Assessment To determine level of risk, consider: Types of products/services offered by the MSB; Location and market served by MSB; Anticipated account activity; Purpose of the account.

139 Money Services Businesses MSBs are subject to BSA regulatory controls: Anti-money laundering Suspicious Activity Reports Currency Transaction Reporting Customer Identification Programs

140 STATES FEDS

141 High Risk : Marijuana-Related Businesses Department of Justice: IF marijuana use is legal in the state, and IF the state has strong and effective state regulatory and enforcement systems; THEN prosecuting these businesses is not an efficient use of federal resources

142 DOJ S PRIORITIES

143 FinCEN Guidance FinCEN: BSA Expectations Regarding Marijuana-Related Businesses, February 2014 Marijuana Limited SAR Marijuana Priority SAR Marijuana Termination SAR

144 BSA Compliance Resources FFIEC s Bank Secrecy Act/Anti-Money Laundering Examination Manual is considered to be the leading authority on BSA compliance: /manual_online.htm NCUA s Rules & Regulations, Part 748: Security Program, Report of Suspected Crimes, Suspicious Transactions, Catastrophic Acts and BSA Compliance:

145 Online Resources CUNA s BSA Compliance Guide, e-guide to Federal Laws and Regulations & CompBlog available at FFIEC BSA/AML Exam Manual available online at NCUA FinCEN MSB Resources or OFAC

146 Questions? Please send any follow-up questions to Include BSA 101 in the subject line of your message. Good luck on your exam!