AML Compliance for Credit Unions

March 23, 2021

Disclaimer: The contents of this article are intended to provide a general understanding of the subject matter. However, this article is not intended to provide legal or other professional advice, and should not be relied on as such.


Credit unions face many of the same money laundering risks as other depository financial institutions and are subject to similar Bank Secrecy Act/Anti-Money Laundering (BSA/AML) standards. However, while credit unions lacking a federal functional regulator were exempt from certain BSA requirements, the Financial Crimes Enforcement Network (FinCEN) passed a final rule changing that. As a result, BSA compliance, including the establishment of an AML compliance program, is mandatory for all credit unions.

The purpose of AML rules is to help financial institutions detect and deter money laundering and other financial crimes. The consequences of non-compliance can be severe and go beyond fines and penalties. Increased regulatory scrutiny, reputational damage, and loss of business can also result. This article outlines the BSA/AML compliance requirements applicable to credit unions, highlights several challenges and associated best practices specific to credit unions, and concludes with information about FinCEN’s proposed new rule and its expected impact on credit unions.


BSA/AML Compliance Requirements for Credit Unions

Financial institutions lacking a federal functional regulator include entities such as private banks, non-federally insured credit unions, and certain trust companies. Although subject to some BSA requirements, such as the filing of Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs), these institutions were previously exempt from the requirement to establish a formal AML compliance program. However, criminal exploitation of discrepancies in AML coverage across financial institutions led FinCEN to extend BSA/AML obligations more broadly.

FinCEN’s final rule extends parallel AML program obligations, previously applicable to federally insured credit unions, to non-federally insured credit unions. The rule came into effect on November 16, 2020, and compliance with these new requirements is mandated as of March 15, 2021.

According to its press release, FinCEN anticipates that entities newly covered by the rule will be able to leverage existing policies, procedures, and internal controls to fulfill their new obligations. Additionally, a number of entities previously outside the scope of AML program requirements nonetheless had BSA policies, management oversight, personnel training and internal compliance reviews in place because many state regulators mandated it. These and other credit unions should work with their compliance and legal departments to ensure they remain in compliance or are otherwise able to meet the new obligations set forth in FinCEN’s final rule.

More specifically, non-federally insured credit unions are now also required to establish and implement a BSA/AML program approved by their board of directors or an analogous governing body. At a minimum, the BSA/AML compliance program must include the following five pillars:

  • A system of internal controls to assure ongoing compliance with the BSA;
  • Independent testing of the BSA/AML compliance program;
  • A designated individual or individuals responsible for coordinating and monitoring BSA/AML compliance;
  • BSA/AML training for appropriate personnel; and
  • Appropriate risk-based procedures for conducting ongoing member due diligence.


Member Due Diligence

Customer due diligence, or in the case of credit unions, member due diligence, is a fundamental component of an effective BSA/AML compliance program and is essential for developing a member risk profile.

Conducting due diligence enables a credit union to understand the nature and purpose of member relationships, including the types of transactions in which its members are likely to engage. This information establishes a baseline against which member activity can be assessed and helps credit unions identify and report potentially suspicious transactions. Such information may include the type of member or type of account, service, or product. It could also include information indicating a possible change in the member’s transaction activity or beneficial ownership status, as such information could be relevant in assessing the risk posed by the member.


Updating Member Information and Conducting Ongoing Monitoring

Member due diligence includes conducting ongoing monitoring, as well as maintaining and updating member information on a risk basis. Credit unions are not required to update member information on a continuous or even a periodic basis. Rather, the requirement to update member information is event-driven and only occurs as a result of detecting unusual activity through the course of normal monitoring. Changes in member activity may include things such as sudden cross-border wire transfers with no apparent justification or a significant change in the volume of activity without any logical explanation. Ideally, information about members, along with transaction activity, should be integrated into the credit union’s automated monitoring system, if applicable.

Due to their smaller customer base, credit unions often assert that they “know their customers,” and hence do not need to conduct thorough reviews. However, credit unions are not exempt from requirements to conduct proper CDD and periodic reviews. In fact, AML compliance is more important than ever before, particularly for smaller financial institutions.

Increased BSA/AML scrutiny of large global banks in recent years has redirected criminal activity to community banks and credit unions, as these institutions are perceived to have less sophisticated internal controls, inferior technology, and more lax compliance supervision. Consequently, credit unions need to have a heightened awareness of their AML risk and ensure that effective policies, procedures, and internal controls are in place to identify and mitigate illicit financial activity and maintain regulatory compliance. Furthermore, smaller financial institutions are increasingly held to the same standards as their larger counterparts, and credit unions must adapt to these evolving expectations.


Unique Challenges and Best Practices for Credit Unions

Managing money laundering risk is a complicated and resource-intensive process for many financial institutions. This is especially the case for credit unions which, despite their smaller size, more limited member base, and narrower geographic reach, must comply with the same BSA/AML requirements as large global banks. As a result, credit unions must be especially strategic about how and where they allocate critical resources. Below are six best practices credit unions should consider when it comes to managing money laundering risk.


  1. Credit unions need to be aware of the specific risks they face. Knowledge of specific risks is gained through regular and periodic AML reviews, such as audits and risk assessments which help to identify changing and emerging risks, as well as through the active monitoring of AML review results. To be truly effective, such reviews must be conducted whenever the credit union makes changes to its internal controls or when other changes affect the credit union’s operations, such as changes in its member base. More frequent reviews allow compliance personnel and senior management to identify potential issues in a timely manner. Additionally, AML audits and risk assessments can be targeted toward specific areas or departments within the credit union rather than conducting full-blown and time-consuming reviews of the entire operation.
  2. The necessity to scale and adapt over time as the credit union matures and grows is often an overlooked factor. Therefore, a credit union’s AML program should be flexible enough to adapt to changes in regulations, advancements in technology, and an evolving market while maintaining strict internal controls. Some examples of these types of changes include expansion into jurisdictions targeted by FinCEN’s Geographic Targeting Orders (GTOs) and a rise in high-risk members such as money services businesses (MSBs) and marijuana-related companies. In fact, flexibility is an area where credit unions may have an advantage over larger institutions. The smaller size of credit unions compared to many banks means that there is generally less bureaucracy and fewer hoops to jump through in order for credit unions to implement necessary changes to policies, procedures, and processes.
  3. The growing complexity of AML compliance means that financial institutions are increasingly implementing technological solutions to complement their AML processes. However, while large banks can generally afford the latest technology, credit unions have more limited resources and therefore should plan ahead and invest strategically in new technologies and automation. The use of technology can assist with things such as managing vast amounts of data and an increased number of mobile payments, conducting more effective sanctions screening (e.g., reducing the number of false positive alerts), and streamlining the SAR filing process. Technology can also aid a smaller and more burdened AML staff. Of course, this will require that credit unions take into consideration factors such as the need to balance accuracy and speed.
  4. Credit unions need to be proactive in taking corrective action when a problem arises or when an issue is identified. Because credit unions have fewer financial resources, they are typically not as well equipped as banks to handle the consequences of non-compliance, such as the payment of steep fines and penalties, or to bounce back from reputational damage and loss of customers. This is particularly important in today’s climate of heightened regulatory and enforcement activity, which includes a focus on uncorrected and repeat violations.
  5. It’s important that credit unions understand the role of effective compliance management in their overall business strategy. This includes recognizing the impact of compliance on operations as well as member acquisition and retention. It also includes knowing the unique needs and circumstances of the credit union and then working to implement measures that optimize compliance activity. For example, sometimes processes can be harmonized across departments or data can be shared among different functions.
  6. Credit unions must ensure that comprehensive compliance policies are in place, updated regularly, and enforced consistently. By now, most institutions know that it’s not enough simply to have documented compliance policies. Rather, these policies must be tailored to the credit union and its specific risks, updated on a timely basis to reflect changes in regulations and internal procedures, and continuously communicated to employees as well as enforced across the institution.


FinCEN’s Convertible Virtual Currency (CVC) Proposal

Sound compliance management involves planning for regulatory changes. In this regard, credit unions need to be aware of FinCEN’s proposed new rule (which was released for comment in December 2020 and closed to comments in January 2021) targeting virtual currencies that are used to move illicit funds.

Under the proposed rule, credit unions would be required to submit reports to FinCEN containing certain information related to convertible virtual currency (CVC) or legal tender digital asset (LTDA) transactions and counterparties. Other requirements include customer verification and recordkeeping. Credit unions are urged to keep an eye on the status and developments related to FinCEN’s proposed rule and consult with their legal departments in order to determine if the rule applies to their institution, and if so, what needs to be done to ensure compliance.



Due to the rise in AML fines and penalties, the majority of which involve non-compliance with global AML laws and regulations, compliance demands are at an all-time high with little room for error. As criminals increasingly seek new avenues to exploit the financial system, it’s imperative that credit unions effectively manage their money laundering risk. Adhering to best practices and staying abreast of laws and regulations are just some of the measures credit unions can take to substantially mitigate these threats.


How Alessa can help

Alessa is a technology solution designed to support AML programs for credit unions. The solution can support member due diligence, ongoing monitoring and reporting activities. It also is adaptable to changing regulations.

Alessa integrates with existing core systems and can be tailored to the financial institution’s needs and size. Specific functionality in the solution includes:

Contact us today to see how we can help you implement or enhance the AML program at your credit union.

