BSA Basics: The Role of the Board and the Supervisory Committee
The NAFCU compliance team sometimes receives questions regarding the role of a credit union’s officers in Bank Secrecy Act (BSA) and anti-money laundering (AML) compliance. Let’s review some of the responsibilities of the Board of Directors and Supervisory Committee in terms of a credit union’s BSA functions:
The Written Program. Section 748.2(b) of the NCUA regulations requires a credit union to have a written BSA compliance program. According to the FFIEC’s BSA/AML Examination Manual, the “BSA/AML compliance program should be commensurate” with the credit union’s risk profile for money laundering, terrorist financing and other illicit financial activity. Importantly, the regulation requires that the BSA compliance program be approved by the credit union’s Board of Directors and reflected in the meeting minutes.
According to section 748.2(c), the board-approved policy should address the original four pillars of BSA compliance (the fifth pillar, ongoing customer due diligence, was added with FinCEN’s 2016 final rule on that topic and is not mentioned in section 748.1):
- A system of internal controls to assure ongoing compliance;
- Independent testing for compliance to be conducted by credit union personnel or outside parties;
- An individual responsible for coordinating and monitoring day-to-day compliance; and
- Training for appropriate personnel.
Internal Controls & Internal Culture. The first “pillar” listed above is a system of internal controls, which the FFIEC manual notes are the credit union’s “policies, procedures, and processes designed to mitigate and manage [money laundering and terrorist financing] and other illicit financial activity risks and to achieve compliance with BSA regulatory requirements.” The exact internal controls put in place should be tailored to the size and complexity of the credit union.
With regard to the specific policies and procedures the credit union will implement, the FFIEC manual notes that the buck stops with the Board of Directors, stating: “[t]he board of directors, acting through senior management, is ultimately responsible for ensuring that the [credit union] maintains a system of internal controls to assure ongoing compliance with BSA regulatory requirements” (emphasis added). The manual also notes that the board of directors play a role by “establishing and maintaining an appropriate culture that places a priority on compliance…” Thus, in addition to approving the written BSA program, the board also affects a credit union’s BSA compliance by setting the tone and culture regarding BSA compliance, and ultimately bears responsibility for the credit union’s compliance functions.
As for the Supervisory Committee, the FFIEC manual notes that part of a culture that places a priority on compliance is having a “structure that provides oversight and holds senior management officials accountable for implementing the [credit union’s] BSA/AML internal controls.” The supervisory committee, which is supposed to be independent from the board and senior management, serves to provide a credit union’s oversight function. This includes providing oversight of the credit union’s BSA/AML compliance functions.
Training. NCUA regulations require a credit union’s BSA program to include the provision of training to “appropriate personnel.” As discussed above, the board of directors is responsible for the written BSA program and the credit union’s internal controls and culture, and thus they have been deemed to be “appropriate personnel” who should receive BSA training. The FFIEC manual’s discussion of training notes that the board may not require the same degree of training as operations personnel, but recommends the board receive foundational change that will provide sufficient understanding of the credit union’s “risk profile and BSA regulatory requirements.”
As for the supervisory committee, the regulations and FFIEC manual do not explicitly reference the supervisory committee with regards to BSA training, but NAFCU has heard that NCUA examiners have been asking about BSA training for the supervisory committee, indicating that NCUA believes the supervisory committee fits the “appropriate personnel” label, possibly due to their oversight of BSA functions.
Suspicious Activity Reports (SARs). Section 748.1(c)(4) requires the credit union to “promptly” notify the board of directors of “any SAR filed.” However, the regulations do not require a specific style or method of reporting, which grants credit union leeway in determining how they wish to comply with this requirement. The FFIEC Manual’s section on SARs notes:
“However, the regulations do not mandate a particular notification format and [credit unions] should have flexibility in structuring their format. Therefore, [credit unions] may, but are not required to, provide actual copies of SARs to the board of directors or a board committee. Alternatively, [credit unions] may opt to provide summaries, tables of SARs filed for specific violation types, or other forms of notification. Regardless of the notification format used by the [credit union], management should provide sufficient information on its SAR filings to the board of directors or an appropriate committee in order to fulfill its fiduciary duties, while being mindful of the confidential nature of the SAR.” (emphasis added).
As the discussion above illustrates, a credit union’s board of directors is integral to BSA compliance, and the supervisory committee has its own role to play as well. For more information on BSA compliance, see our other BSA-related posts in the Compliance Blog.
About the Author
Nick St. John, was named regulatory compliance counsel in March 2020. In this role, Nick helps credit unions with a variety of compliance issues.