Supervisory Expectations During BSA/AML Examinations; Bureau Updates Loan Originator Guidance
Written By Stephanie Lyon, NAFCU Senior Regulatory Compliance Counsel
Over the years I have been working with and at credit unions, I have observed a number of supervisory expectations pertaining to a credit union’s BSA/anti-money laundering (AML) program that creep up during examinations. This goes something like this: examiners look through your AML program, they make some comments about how you are not doing something correctly, you look at them with the deer-in-the-headlights look because you didn’t know this was required. You ask the examiner where it says in the regulations you have to do this, and in turn you get told this is a supervisory expectation or a best practice.
To help credit unions avoid this scenario during its next examination, here are a few supervisory expectations we have heard made an appearance during this year’s BSA/AML examinations.
OFAC All the Things
We have blogged in the past explaining that there isn’t a specific regulatory requirement that tells credit unions to complete OFAC scans during a specific transaction but the risk of completing a prohibited transaction can be severe. For those reasons, the NCUA has taken a rather risk-adverse approach to OFAC compliance. In the past, we have heard the agency has issued findings or recommendations when credit unions do not scrub every transaction and/or party through OFAC. A credit union can find the agency’s recommendation to OFAC everyone on NCUA AIRES Questionnaire, which states in part:
The Names of all parties to a transaction should be checked, including:
(Emphasis added.) In addition, OFAC FAQ guidance also seems to promote checking all parties to a transaction as a risk mitigation technique to avoid facilitating a prohibited transaction. If a credit union is going to make a business decision not to check all parties, it may want to ensure it has taken into account its OFAC risk and is ready to defend this decision during its examination.
Provide Directors the BSA Risk Assessment
The Bank Secrecy Act (BSA) and NCUA require credit unions to create a BSA compliance program that is board-approved. See, 12 C.F.R. § 748.2(b)(1). While the regulation does not specifically mandate that a credit union must get its risk-assessment approved by the board, the risk-assessment is a critical component to a credit union’s BSA compliance program. For those reasons, the FFIEC BSA/AML Examination Manual recommends the risk assessment be “shared and communicated with all business lines across the [credit union], board of directors, management, and appropriate staff…” (Emphasis added.)
To empower directors to better understand a credit union’s unique BSA risk, it may be a good idea to periodically provide them the most up-to-date BSA risk assessment. This may also help the BSA Officer explain to directors if more resources are needed for that department.
Ensure You Are Identifying Structuring
Credit unions are required to file Suspicious Activity Reports (SARs), among other things, when the credit union suspects a member may be structuring their transactions (in excess of $5K) to avoid triggering the filing of a Currency Transaction Report (CTR). See, 12 C.F.R. § 748.1(c)(iv)(A). But how does a credit union go about identifying structuring? The answer to this question is tricky as it depends on whether the credit union has automated transaction monitoring software, it is relying on its BSA/compliance department to sort through transactions manually or uses a combination of both.
While neither FinCEN nor NCUA regulations are prescriptive in the exact way to identify structuring, examiners expect credit unions to identify potential structuring. For automated transaction monitoring software, the credit union may want to ensure its parameters and filters are tailored to identify common money laundering techniques or frauds, including structuring. The FFIEC BSA/AML Examination Manual recommends that credit unions “refine [its] filter[s] in order to avoid missing potentially suspicious activity because common cash structuring techniques often involve transactions that are slightly under the CTR threshold.”
If a credit union is doing its transaction monitoring manually, it may need to review and aggregate cash deposits over several days, weeks or months to identify potential structuring. Whichever method the credit union chooses, it is clear NCUA expects credit unions to be aware of structuring and report it when it may be taking place. As a credit union’s BSA/AML risk increases, doing the manual monitoring may become more difficult and time consuming.
Bureau Updates Loan Originator Rule Guide. This past Friday, the bureau updated its Loan Originator Rule guide and the HOEPA Rule guide to reflect amendments made by S.2155. Among other things, the updates reflects a carved out exemption for some retailers of manufactured homes that will now not be pulled into the loan originator definition if certain conditions are met (e.g., no compensation in excess of what is provided in a cash transaction, making certain disclosures, etc). A credit union can find the updated guides here.