AML Compliance for Credit Unions
Disclaimer: The contents of this article are intended to provide a general understanding of the subject matter. However, this article is not intended to provide legal or other professional advice, and should not be relied on as such.
Credit unions face many of the same money laundering risks as other depository financial institutions and are subject to similar Bank Secrecy Act/Anti-Money Laundering (BSA/AML) standards. However, while credit unions lacking a federal functional regulator were exempt from certain BSA requirements, the Financial Crimes Enforcement Network (FinCEN) passed a final rule changing that. As a result, BSA compliance, including the establishment of an AML compliance program, is mandatory for all credit unions.
The purpose of AML rules is to help financial institutions detect and deter money laundering and other financial crimes. The consequences of non-compliance can be severe and go beyond fines and penalties. Increased regulatory scrutiny, reputational damage, and loss of business can also result. This article outlines the BSA/AML compliance requirements applicable to credit unions, highlights several challenges and associated best practices specific to credit unions, and concludes with information about FinCEN’s proposed new rule and its expected impact on credit unions.
BSA/AML Compliance Requirements for Credit Unions
Financial institutions lacking a federal functional regulator, include entities such as private banks, non-federally insured credit unions, and certain trust companies. Although subject to some BSA requirements, such as the filing of Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs), these institutions were previously exempt from the requirement to establish a formal AML compliance program. However, criminal exploitation of discrepancies in AML coverage across financial institutions led FinCEN to extend BSA/AML obligations more broadly.
FinCEN’s final rule extends parallel AML program obligations, previously applicable to federally insured credit unions, to non-federally insured credit unions. The rule came into effect on November 16, 2020, and compliance with these new requirements is mandated as of March 15, 2021.
According to its press release, FinCEN anticipates that entities newly covered by the rule will be able to leverage existing policies, procedures, and internal controls to fulfill their new obligations. Additionally, a number of entities previously outside the scope of AML program requirements nonetheless had BSA policies, management oversight, personnel training and internal compliance reviews in place because many state regulators mandated it. These and other credit unions should work with their compliance and legal departments to ensure they remain in compliance or are otherwise able to meet the new obligations set forth in FinCEN’s final rule.
More specifically, non-federally insured credit unions are now also required to establish and implement a BSA/AML program approved by their board of directors or an analogous governing body. At a minimum, the BSA/AML compliance program must include the following five pillars:
- A system of internal controls to assure ongoing compliance with the BSA;
- Independent testing of the BSA/AML compliance program;
- A designated individual or individuals responsible for coordinating and monitoring BSA/AML compliance;
- BSA/AML training for appropriate personnel; and
- Appropriate risk-based procedures for conducting ongoing member due diligence.
Member Due Diligence
Customer due diligence, or in the case of credit unions, member due diligence, is a fundamental component of an effective BSA/AML compliance program and is essential for developing a member risk profile.
Conducting due diligence enables a credit union to understand the nature and purpose of member relationships, including the types of transactions in which its members are likely to engage. This information establishes a baseline against which member activity can be assessed and helps credit unions identify and report potentially suspicious transactions. Such information may include the type of member or type of account, service, or product. It could also include information indicating a possible change in the member’s transaction activity or beneficial ownership status, as such information could be relevant in assessing the risk posed by the member.
Updating Member Information and Conducting Ongoing Monitoring
Member due diligence includes conducting ongoing monitoring, as well as maintaining and updating member information on a risk basis. Credit unions are not required to update member information on a continuous or even a periodic basis. Rather, the requirement to update member information is event-driven and only occurs as a result of detecting unusual activity through the course of normal monitoring. Changes in member activity may include things such as sudden cross-border wire transfers with no apparent justification or a significant change in the volume of activity without any logical explanation. Ideally, information about members, along with transaction activity, should be integrated into the credit union’s automated monitoring system, if applicable.
Due to their smaller customer base, credit unions often assert that they “know their customers,” and hence do not need to conduct thorough reviews. However, credit unions are not precluded from requirements to conduct proper CDD and periodic reviews. In fact, AML compliance is more important than ever before, particularly for smaller financial institutions.
Increased BSA/AML scrutiny of large global banks in recent years has redirected criminal activity to community banks and credit unions, as these institutions are perceived to have less sophisticated internal controls, inferior technology, and more lax compliance supervision. Consequently, credit unions need to have a heighted awareness of their AML risk and ensure that effective policies, procedures, and internal controls are in place to identify and mitigate illicit financial activity and maintain regulatory compliance. Furthermore, smaller financial institutions are increasingly held to the same standards as their larger counterparts, and credits unions must adopt to these evolving expectations.
Red Flag Indicators
The Barbardos Financial Intelligence Unit has compiled a list of red flag indicators that may warrant a closer look by financial institutions, including credit unions. While not exhaustive, it covers a number of scenarios from client behavior to transaction patterns.
- Client does not want correspondence sent to home address
- Client shows uncommon curiosity about internal systems, controls and policies
- Over justification or explanation for transactions
- Client is involved in activity out-of-keeping for that individual or business
- Client produces seemingly false identification or identification that appears to be counterfeited, altered or inaccurate
- Client provides insufficient, false, or suspicious information, or information that is difficult or expensive to verify
- Transaction is unnecessarily complex for its stated purpose
- Activity is inconsistent with what would be expected from declared business
- Transaction involves non-profit or charitable organization for which there appears to be no logical economic purpose or where there appears to be no link between the stated activity of the organization and the other parties in the transaction.
- Accounts that show virtually no banking activity but are used to receive or pay significant amounts not clearly related to the customer or the customer’s business.
- Client starts conducting frequent cash transactions in large amounts when this has not been a normal activity in the past.
- Frequent exchanges small bills for large ones
- Deposits of small amounts of cash on different successive occasions, in such a way that on each occasion the amount is not significant, but combines to total a very large amount. (i.e. “smurfing”)
- Consistently making cash transactions that are just under the reporting threshold amount in an apparent attempt to avoid the reporting threshold
- Stated occupation is not in keeping with the level or type of activity (e.g. a student or an unemployed individual makes daily maximum cash withdrawals at multiple locations over a wide geographic area)
- Unusually large deposits or withdrawals of cash by an individual or a legal entity whose apparent business activities are normally carried out using cheques and other monetary instruments
- Multiple and frequent purchase or sale of foreign currency by a tourist
- Multiple and frequent large withdrawals from an ATM using a local debit card issued by another financial institution
- Multiple and frequent large withdrawals from an ATM using debit or credit card issued by a foreign financial institution.
- Account with a large number of small cash deposits and a small number of large cash withdrawals
- Funds are being deposited into several accounts, consolidated into one and transferred outside the country
- Multiple transactions are carried out on the same day at the same branch but with an apparent attempt to use different tellers
- Establishment of multiple accounts, some of which appear to remain dormant for extended periods
- Account that was reactivated from inactive or dormant status suddenly exhibits significant activity.
- Reactivated dormant account containing a minimal sum suddenly receives a deposit or series of deposits followed by frequent cash withdrawals until the transferred sum has been removed
- Multiple deposits are made to a client’s account by third parties
- Deposits or withdrawals of multiple monetary instruments, particularly if the instruments are sequentially numbered.
- Deposits followed within a short time by wire transfers to or through locations of concern, such as countries known or suspected to facilitate money laundering activities
- Transaction involves a country where illicit drug production or exporting may be prevalent, or where there is no effective anti-money laundering system
- Immediate conversions of funds transfers into monetary instruments in the name of third parties
- Frequent sending and receiving of wire transfers, especially to or from countries considered high risk for money laundering or terrorist financing, or with strict secrecy laws. Added attention should be paid if such operations occur through small or family-run banks, shell banks or unknown banks
- Large incoming or outgoing transfers, with instructions for payment in cash
- Client makes frequent or large electronic funds transfers for persons who have no account relationship with the institution
- Client instructs you to transfer funds abroad and to expect an equal incoming transfer
- Client sends frequent wire transfers to foreign countries, but business does not seem to have connection to destination country
- Wire transfers are received from entities having no apparent business connection with client.
- Client has no employment history but makes frequent large transactions or maintains a large account balance
- Client has numerous accounts and deposits cash into each of them with the total credits being a large amount
- Client frequently makes automatic banking machine deposits just below the reporting threshold.
- Increased use of safety deposit boxes. Increased activity by the person holding the boxes. The depositing and withdrawal of sealed packages
- Third parties make cash payments or deposit cheques to a client’s credit card
- Client has frequent deposits identified as proceeds of asset sales but assets cannot be substantiated
Corporate and Business Transactions
- Accounts have a large volume of deposits in bank drafts, cashier’s cheques, money orders or electronic funds transfers, which is inconsistent with the client’s business
- Accounts have deposits in combinations of cash and monetary instruments not normally associated with business activity
- Unexplained transactions are repeated between personal and business accounts.
- A large number of incoming and outgoing wire transfers take place for which there appears to be no logical business or other economic purpose, particularly when this is through or from locations of concern, such as countries known or suspected to facilitate money laundering activities.
- Customer suddenly repays a problem loan unexpectedly, without indication of the origin of the funds
- Loans guaranteed by third parties with no apparent relation to the customer
- Loans backed by assets, for which the source is unknown or the value has no relation to the situation of the customer
- Default on credit used for legal trading activities, or transfer of such credits to another company, entity or person, without any apparent justification, leaving the bank to enforce the guarantee backing the credit
- Use of standby letters of credit to guarantee loans granted by foreign financial institutions, without any apparent economic justification.
- Client frequently makes large investments in stocks, bonds, investments trusts or the like in cash or by cheque within a short time period, which is inconsistent with the normal practice of the client
- Client makes large or unusual settlements of securities in cash
- Client is willing to deposit or invest at rates that are not advantageous or competitive
Accounts Under Investigation
- Accounts that are the source or receiver of significant funds related to an account or person under investigation or the subject of legal proceedings in a court or other competent national or foreign authority in connection with fraud, terrorist financing or money laundering
- Accounts controlled by the signatory of another account that is under investigation or the subject of legal proceedings by a court or other competent national or foreign authority with fraud, terrorist financing or money laundering
- Client seeks to invest a large sum of money with no apparent interest in the details of the product (e.g. mutual fund) and does not enquire about the characteristics of the product and /or feigns market ignorance
- Corporate client opens account with large sum of money that is not in keeping with the operations of the company, which may itself have recently been formed
- Formation of a legal person or increases to its capital in the form of non-monetary contributions of real estate, the value of which does not take into account the increase in market value of the properties used.
- Lifestyle, financial status or investment activity is not in keeping with employee’s known income.
- Reluctance to go on vacation, to change job position or to accept a promotion, with no clear and reasonable explanation
- Employee frequently receives gifts &/or invitations from certain clients, with no clear or reasonable justification
- Employee hinders colleagues from dealing with specific client(s), with no apparent justification.
- Employee documents or partially supports the information or transactions of a particular client, with no clear and reasonable justification.
- Employee frequently negotiates exceptions for a particular client(s).
Money or Value Transfer Services (MVTS) Business
- Customer is unaware of details surrounding incoming wire transfers, such as the ordering customer details, amounts or reasons
- Customer does not appear to know the sender of the wire transfer from whom the wire transfer was received, or the recipient to whom they are sending the wire transfer
- Customer frequents multiple locations to send wire transfers overseas
- Customer sends wire transfers or receives wire transfers to or from multiple beneficiaries that do not correspond with the expected activity of the customer
- Customer is accompanied by individuals who appear to be sending or receiving wire transfers on their behalf
- Customer utilizes structured cash transactions to send wire transfers in an effort to avoid record keeping requirements
- Multiple customers have sent wire transfers over a short period of time to the same recipient
- Large and/or frequent wire transfers between senders and receivers with no apparent relationship
- Customer sending to, or receiving wire transfers from, multiple customers
For those engaged with cryptocurrencies, virtual assets or associated businesses, our blog on red flag indicators for virtual assets, cryptocurrencies provides some tips on how to spot unusual activities that may be indicative of money laundering or terrorist financing.
Unique Challenges and Best Practices for Credit Unions
Managing money laundering risk is a complicated and resource-intensive process for many financial institutions. This is especially the case for credit unions which, despite their smaller size, more limited member base, and narrower geographic reach, must comply with the same BSA/AML requirements as large global banks. As a result, credit unions must be especially strategic about how and where they allocate critical resources. Below are six best practices credit unions should consider when it comes to managing money laundering risk.
- Credit unions need to be aware of the specific risks they face. Knowledge of specific risks is gained through regular and periodic AML reviews, such as audits and risk assessments which help to identify changing and emerging risks, as well as through the active monitoring of AML review results. To be truly effective, such reviews must be conducted whenever the credit union makes changes to its internal controls or when other changes affect the credit union’s operations, such as changes in its member base. More frequent reviews allow compliance personnel and senior management to identify potential issues in a timely manner. Additionally, AML audits and risk assessments can be targeted toward specific areas or departments within the credit union rather than conducting full-blown and time-consuming reviews of the entire operation.
- The necessity to scale and adapt over time as the credit union matures and grows is often an over-looked factor. Therefore, a credit union’s AML program should be flexible enough to adapt to changes in regulations, advancements in technology, and an evolving market while maintaining strict internal controls. Some examples of these types of changes include expansion into jurisdictions targeted by FinCEN’s Geographic Targeting Orders (GTOs) and a rise in high-risk members such as money services businesses (MSBs) and marijuana-related companies. In fact, flexibility is an area where credit unions may have an advantage over larger institutions. The smaller size of credit unions compared to many banks means that there is generally less bureaucracy and fewer hoops to jump through in order for credit unions to implement necessary changes to policies, procedures, and processes.
- The growing complexity of AML compliance means that financial institutions are increasingly implementing technological solutions to complement their AML processes. However, while large banks can generally afford the latest technology, credit unions have more limited resources and therefore should plan ahead and invest strategically in new technologies and automation. The use of technology can assist with things such as managing vast amounts of data and an increased number of mobile payments, conducting more effective sanctions screening (e.g., reducing the number of false positive alerts), and streamlining the SAR filing process. Technology can also aid a smaller and more burdened AML staff. Of course, this will require that credit unions take into consideration factors such as the need to balance accuracy and speed.
- Credit unions need to be proactive in taking correction action when a problem arises or when an issue is identified. Because credit unions have fewer financial resources, they are typically not as well equipped as banks to handle the consequences of non-compliance, such as the payment of steep fines and penalties, or to bounce back from reputational damage and loss of customers. This is particularly important in today’s climate of heightened regulatory and enforcement activity, which includes a focus on uncorrected and repeat violations.
- It’s important that credit unions understand the role of effective compliance management in their overall business strategy. This includes recognizing the impact of compliance on operations as well as member acquisition and retention. It also includes knowing the unique needs and circumstances of the credit union and then working to implement measures that optimize compliance activity. For example, sometimes processes can be harmonized across departments or data can be shared among different functions.
- Credit unions must ensure that comprehensive compliance polices are in place, updated regularly, and enforced consistently. By now, most institutions know that it’s not enough simply to have documented compliance policies. Rather, these policies must be tailored to the credit union and its specific risks, updated on a timely basis to reflect changes in regulations and internal procedures, and continuously communicated to employees as well as enforced across the institution.
FinCEN’s Convertible Virtual Currency (CVC) Proposal
Sound compliance management involves planning for regulatory changes. In this regard, credit unions need to be aware of FinCEN’s proposed new rule (which was released for comment on December 2020 and closed to comments in January 2021) targeting virtual currencies that are used to move illicit funds.
Under the proposed rule, credit unions would be required to submit reports to FinCEN containing certain information related to convertible virtual currency (CVC) or legal tender digital asset (LTDA) transactions and counterparties. Other requirements include customer verification and recordkeeping. Credit unions are urged to keep an eye on the status and developments related to FinCEN’s proposed rule and consult with their legal departments in order to determine if the rule applies to their institution, and if so, what needs to be done to ensure compliance.
Due to the rise in AML fines and penalties, the majority of which involve non-compliance with global AML laws and regulations, compliance demands are at an all-time high with little room for error. As criminals increasingly seek new avenues to exploit the financial system, it’s imperative that credit unions effectively manage their money laundering risk. Adhering to best practices and staying abreast of laws and regulations are just some of the measures credit unions can take to substantially mitigate these threats.
How Alessa can help
Alessa is a technology solution designed to support AML programs for credit unions. The solution can support member due diligence, ongoing monitoring and reporting activities. It also is adaptable to changing regulations.
Alessa integrates with existing core systems and can be tailored to the financial institution’s needs and size. Specific functionality in the solution includes:
- Identity verification and customer due diligence for KYC/KYB
- Real-time transaction monitoring and screening
- Sanctions, PEPs, watch list, crypto/virtual currency and other forms of screening
- Configurable risk scoring
- Automated regulatory reporting
- Advanced analytics like anomaly detection and machine learning
- Dashboards, workflows and case management
Contact us today to see how we can help you implement or enhance the AML program at your credit union.