Compliance Blog

Written by Shereefat Balogun, Regulatory Compliance Counsel

This week NAFCU hosted its annual Regulatory Compliance School, focusing on the most important regulatory compliance issues facing credit unions. Today's session will cover the Bank Secrecy Act (BSA) and OFAC (Office of Foreign Assets Control) regulatory framework. However, attendees seemed all too anxious and could not wait to ask their BSA/AML related questions- and understandably so. With an increase in enforcement actions for BSA/AML violations, ongoing OFAC sanctions and impending rules on customer due diligence, credit unions, and other financial institutions, are working hard to keep up with their compliance requirements under the BSA/AML regime. Today's 'FAQs' were inspired by the many BSA/AML related questions and concerns raised throughout the week.

Q: Does a credit union have an obligation to reconcile conflicting identification information provided by a member? We have a member who recently filled out a change of address form, and the SSN he put down is completely different from the one he gave to open this account. Is there any responsibility on the credit union's part to take any action concerning this discrepancy?

A: Yes, the credit union does have an obligation to address any discrepancies as it pertains to identifying information.  Generally, before opening an account for a customer, the credit union must be able to form a reasonable belief that it knows the true identity of the customer based on the information gathered. The conflicting information may have been made in error.  In any event, the CIP procedures must specify how the credit union will resolve the discrepancies.  If the information is indeed conflicting and can't be reconciled, the credit union may have an obligation to file a SAR.

Each credit union must have a written CIP that allows it to form a reasonable belief that it knows the true identity of each customer.  The CIP must contain procedures for opening an account that specify the identifying information that will be obtained from each customer.  The credit union must obtain, at a minimum, the following four pieces of information from the customer prior to opening an account:

• Name
• DOB for individuals
• Address
• Identification Number

In addition to gathering the four pieces of information outlined above, the credit union is required to verify the identity of the customer using the information gathered.  In verifying the information, the credit union may use documents and/or non-documentary methods, if its CIP procedures allow for that. If there are discrepancies in the information, this may create a challenge in the credit union's ability to form a reasonable belief that it  knows the true identity of a member.  The CIP procedures should outline steps the credit union will take to properly, and more accurately, identify an individual.  The conflicting information may have been made in error.  In any event, the CIP procedures must specify how the credit union will resolve discrepancies using documents and/or non-documentary information.  This may include calling the member to address inconsistencies, relying on other sources such as public databases, or checking references with other banks and/or credit unions. If the information is indeed conflicting and can't be reconciled, the credit union may have an obligation to file a SAR. Also note that the credit union is well within their right to put the account on hold while it reconciles the information.

Q: Can a credit union accept a current passport instead of a taxpayer identification number or social security number at account opening?

A: Generally, credit unions must obtain an identification number before opening an account for a prospective member.  For US persons, this would be a taxpayer identification number.  For non-US persons, a current passport would suffice.  It appears, however, that a credit union may accept other forms of ID if its CIP procedures provide for that, especially where the customer has applied for a taxpayer identification number, but has not yet received one.  Generally, before opening an account for a customer, the credit union must be able to form a reasonable belief that it knows the true identity of the customer based on the information gathered. The relevant rules can be found in 31 CFR 1020.220.

Before opening an account for a customer, a credit union must collect identifying information, including an identification number.  For a U.S. person, this will be a taxpayer identification number.  For a non-U.S. person, one or more of the following will be acceptable: (i) a taxpayer identification number; (ii) passport number and country of issuance; (iii) alien identification card number; or (iv) number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.

The rule does make an exception for individuals who are applying for a taxpayer identification number.  According to the rule, a credit union's CIP may include procedures for opening an account for someone who has applied, but not received a taxpayer identification number.  This may include accepting other forms of identification number, including a current passport.  However, the procedures must ensure that the individual obtains the taxpayer identification number within a reasonable period of time after the account is opened.

(B) Exception for persons applying for a taxpayer identification number. Instead of obtaining a taxpayer identification number from a customer prior to opening the account, the CIP may include procedures for opening an account for a customer that has applied for, but has not received, a taxpayer identification number. In this case, the CIP must include procedures to confirm that the application was filed before the customer opens the account and to obtain the taxpayer identification number within a reasonable period of time after the account is opened. 31 CFR 1020.220(a)(2)(i)(B)(emphasis added.).

Also, the rules provide credit unions with the ability to verify identification through non-documentary methods.  The credit union's CIP must specify the situations where a credit union would use non-documentary methods to verify a customer's identity and how to handle them, including when a customer doesn't have all the necessary documents at the time he/she comes in to open the account.

Q: Is a credit union required to file a CTR where a member withdraws $9,500 in cash from a rep payee account and $700 from his personal account on the same day?

A: The answer to your question can be found in Treasury's BSA/AML regulations, 31 CFR 1010.  Yes, in this situation, the credit union is required to file a CTR because, although there were multiple transactions, the transactions: (i) resulted in a cash withdrawal in excess of $10k; (ii) occurred during the same business day; and (iii) were made by the same person.

31 CFR 1010.311 requires that a credit union report cash transactions in excess of $10,000 during the same business day. Indeed, the rule states:

Each financial institution other than a casino shall file a report of each deposit, withdrawal, exchange of currency or other payment or transfer, by, through, or to such financial institution which involves a transaction in currency of more than $10,000, except as otherwise provided in this section. 31 CFR 1010.311 (emphasis added.).

Moreover, the amount over $10,000 can be either in one transaction or a combination of cash transactions.  The credit union should treat the multiple transactions as a single transaction if the credit union knows that the transactions are by the same person. The rule provides:

(b) Multiple transactions. In the case of financial institutions other than casinos, for purposes of the transactions in currency reporting requirements in this chapter, multiple currency transactions shall be treated as a single transaction if the financial institution has knowledge that they are by or on behalf of any person and result in either cash in or cash out totaling more than $10,000 during any one business day (or in the case of the U.S. Postal Service, any one day). Deposits made at night or over a weekend or holiday shall be treated as if received on the next business day following the deposit. 31 CFR 1010.313 (b)(emphasis added.).

Here, although the first cash withdrawal of $9,500 was made from a rep payee account, and thus was not his own personal account and not his own personal funds, the aggregate amount withdrew on that day was in excess of $10,000 and was made by the same person.  The credit union was asked to give a single person more than $10,000 in cash on a single day. The fact that the transactions involved multiple, or different, accounts is irrelevant.  Accordingly, the credit union should file the CTR with FinCEN.

Q: What steps should a credit union take when it gets an OFAC hit?

A: OFAC's (Office of Foreign Assets Control) regulations prohibit all US persons from engaging in transactions with certain specified persons and countries. Specifically, credit unions must: (i) block accounts and other assets of Specifically Designated Nationals (SDNs) and Blocked Persons and (ii) block or reject prohibited transactions with SDNs and Blocked Persons.

Generally, if the credit union gets an OFAC hit, the credit union needs to confirm that the individual that was flagged is indeed the individual on the SDN list. Treasury has a hotline dedicated to providing assistance with making a determination if the person is the same. If the person or entity is indeed the same included on the SDN list, the credit union cannot open the account; but rather must block the transaction and account, and also report the blocked transaction/account to OFAC.

While not required by specific regulation, NCUA expects that a credit union will establish and maintain an effective, written OFAC compliance program commensurate with its OFAC risk profile. Amongst other things, the policies, procedures and processes should address how the credit union will identify and review transactions and accounts for possible OFAC violations. The policies and procedures should also define the credit union's criteria for comparing names provided on the OFAC SDN list with the names in the credit union's files or transactions and for identifying transactions or accounts involving sanctioned countries. Furthermore, the policies and procedures should address how the credit union will determine whether an initial OFAC hit is a valid match or a false hit.

Q: Where can I go for assistance in developing our BSA/AML risk-based model? The rules don't say anything. I've checked the FFIEC BSA/AML examination manual and it doesn't say much on how the risk based model program should look like.

A: Honestly, the guide or the rules will not go into that level of detail. Here's the reason. Generally, governments around the world feel that the risk-based approach is preferable to a more prescriptive approach in the BSA/AML space because it is:

1. Flexible- AML/BSA risks vary across jurisdictions, customers and products; and
2. Effective- Credit unions are better equipped than legislators to effectively assess and mitigate specific BSA/AML risks they face.

Notwithstanding the lack of specific guidance, however, there are four main things a credit union's risk assessment should consider:

1. Members- Who are you selling your products or offering services to? Individuals or private companies? Foreign public officials? Money Servicing Businesses?
2. Products and Services- What products and services are you offering that may be vulnerable to money laundering? Online banking? Private banking? Correspondent banking? Wire transfers?
3. Geographical Location- In what countries do your members reside and what are their countries of citizenship? Where are your corporate customers headquartered and where do they conduct their business? Are you engaging in transactions involved with countries included on any government lists?

Generally, some member types , products and services, and geographical locations pose higher risks than others, and thus your program wants to properly identify those and tailor its monitoring accordingly.

As indicated above, we received a substantial number of BSA/AML inquiries. Indeed, compliance with the BSA/AML rules remains a top priority for financial institutions. NAFCU is here to assist you as you navigate through the rules and will keep you abreast of emerging challenges, and regulatory developments. In fact, the industry is still awaiting FinCEN's final rule on Customer Due Diligence and beneficial ownership requirements, which is expected this year. We will keep you posted.

###

NAFCU's new BSA Seminar + Certification is Here!

We've had hundreds of requests from credit unions to provide more BSA training, and I'm excited to announce, it's here. We'll be holding our first in-person, BSA Seminar in New Orleans October 24 - 28. If those dates and location sound familiar to you, it's not deja vu. We'll be running this BSA Seminar concurrently to our Regulatory Compliance Seminar. While they are two separate educational events, the networking aspects will be co-mingled, making it an awesome way to build your network of credit union and BSA professionals from around the country.

You can expect a full week of everything you've ever wanted to know about BSA, but didn't have time to ask. It's designed for just credit union professionals. You'll find no erroneous bank information that doesn't apply to credit unions. Check out the full agenda and sessions.

There's an optional, pre-conference workshop to help get you up-to-speed on BSA fundamentals it's perfect if you're new to BSA or just want a refresher. And at the end of the week, you'll have the opportunity to get certified when you sit and pass the NAFCU Certified Bank Secrecy Officer (NCBSO) exam.

This seminar, and the certification, is an excellent way to demonstrate to NCUA and FinCEN you're dedicated to compliance and to protecting your credit union against financial crime. It was designed by NAFCU's Director of Education Devon Lyon, former director of BSA at State Department Federal Credit Union so the curriculum is extremely relevant at both a strategic and tactical level. You'll walk away ready to master your AML responsibilities. And of course, it fulfills your yearly BSA training requirement!

We have limited seating so register early!