FinCEN BSA Leadership Expectations

An Effective BSA/AML Program Tested by a Competent, Independent Party

The appropriate involvement of a credit union’s leadership in its BSA/AML program should be at least commensurate with the credit union’s level of risk exposure. This includes ongoing risk assessment, sound risk-based member due diligence, appropriate detection and reporting of suspicious activity, and independent program testing. BSA/AML compliance officers should be familiar with guidance by federal functional regulators, self-regulating organizations, and FinCEN as well.

FinCEN stresses that compliance program testing must be independent. Credit union leadership needs to ensure that the party testing the program (whether external or internal) is independent, qualified, unbiased, and does not have conflicting business interests that may influence the outcome of the compliance program test. Ensuring the integrity and independence of the compliance program testing enables the credit union to locate and take appropriate correct actions to address deficiencies.

Understanding How BSA Reports Are Used

All credit union staff should have an understanding of how information collected through the credit union’s BSA/AML program is used, and the purpose that BSA reports serve. Reporting provides law enforcement with important information that safeguards the nation’s interest, and helps to confront serious threats, both domestic and abroad. Reporting also helps the credit union protect itself and aid law enforcement in protecting the institution from bad actors, including inside threats, frauds, and cyber-related threats. BSA regulations have the deterrent effect on those who would abuse the financial systems, and force illicit actors to behave in ways that expose them to scrutiny. The advisory lists four main ways that financial institutions can inform staff of the how reporting is used:

  1. Serving as tips to initiate investigations;
  2. Expanding existing investigations;
  3. Promoting international information exchange; and
  4. Identifying significant relationships, trends and actors

For additional information, click here for the topic.

Review the information today to help your credit union remain in compliance.


NCUA’s BSA Policy for Federally Insured Credit Unions

NCUA's rule 748 requires federally insured credit unions to establish a BSA compliance program.

At a minimum your BSA Compliance program must provide for:

  1. A designated BSA compliance officer who has been appointed by the credit union's board of directors;
  2. A system of internal controls to ensure ongoing compliance;
  3. Independent testing to be conducted by qualified, unbiased credit union personnel or outside parties; and
  4. Training for appropriate personnel. 

NCUA requires credit unions' compliance programs to be:

  • in writing,
  • approved by the credit union's board of directors, and
  • reflected in the minutes of the credit union's meeting.   

BSA Compliance Officer:  The credit union's board of directors must designate a qualified BSA officer.  "Qualified" means the BSA officer is expected to be fully knowledgeable of the Bank Secrecy Act and all related regulations, as well as understand the credit union's products, services, members, geographic locations and the money laundering and terrorist financing risks associated with each of those activities.

The BSA compliance officer should be in a position to regularly apprise the senior management staff and the board of directors of ongoing compliance with the BSA.

While the BSA officer is responsible for coordinating and monitoring day-to-day BSA compliance, the board of directors is ultimately responsible for the credit union's compliance and is responsible for ensuring that the BSA compliance officer has sufficient authority and resources to effectively administer the compliance program.

Internal Controls:  A system of internal controls refers to the policies and procedures the credit union puts in place to limit and control risks associated with BSA.  The level of sophistication of your internal controls will be commensurate with the size, structure, risks and complexity of your credit union.  A large, complex credit union is more likely to have departmental internal controls that will uniquely address the risks to a particular department or line of business.

The following are examples of some of the items that may be included in your internal control procedures:

  • Identify your credit union's products, services, members, and branches that you consider more vulnerable to abuse by money launderers or other criminals, and provide a program to manage the higher risk;
  • Inform the board of directors and senior management of your compliance initiatives, identify compliance deficiencies, corrective actions taken, and notify the board and the senior management of SARs that have been filed;
  • Provide for program continuity despite changes in management or employees ; 
  • Meet all of the BSA recordkeeping and reporting requirements;
  • Implement risk-based Member Due Diligence policies & procedures;
  • Identify reportable transactions and accurately file all required reports, such as SARs, and CTRs;
  • Provide for the segregation of duties where you can; 
  • Provide for sufficient controls and monitoring systems for timely detection and reporting of suspicious activity;
  • Include adequate supervision of employees who handle currency, complete reports, grant exemptions, etc.;
  • Train all employees to be aware of their specific responsibilities under BSA.

Independent Testing: It is recommended that an audit of the BSA compliance program be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties. "Qualified" means someone who understands the requirements of BSA. Credit unions that do not have any of these options available to them may comply with this requirement by using qualified credit union staff who are not involved in the function being tested, or audited.  The persons conducting the test should report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors. 

Training:  At a minimum, the credit union's BSA training program must provide training for all personnel whose duties require knowledge of the BSA.  The training should be tailored to the person's specific responsibilities.  An overview of the BSA requirements typically should be given to new staff during employee orientation.  And, the BSA compliance officer should receive periodic training that is relevant and appropriate to the activities and overall BSA risk of the credit union.

While the board of directors may not need the same degree of training as credit union personnel, they need to understand the importance of BSA regulatory requirements, the ramifications of noncompliance, and the risks posed to the credit union.  Without a general understanding of the BSA, the board of directors cannot adequately provide BSA oversight, approve policies, or provide necessary resources.

Source:  NCUA

OFAC and Commerce ease Cuba restrictions

The U.S. Department of the Treasury has announced the amendment of the OFAC Cuban Assets Control Regulations (CACR) to implement the new U.S. policy direction towards Cuba. Among other things, these amendments authorize certain transactions related to Cuban-origin pharmaceuticals and joint medical research; add, expand, and clarify authorizations relating to trade and commerce; authorize certain civil aviation safety-related services; further facilitate authorized travel to Cuba; and expand the authorizations for grants and humanitarian-related services designed to directly benefit the Cuban people. The amendment was published at 81 FR 71372 in today’s Federal Register, and was effective on publication. OFAC also published new and updated FAQs, a Fact Sheet, and updated Travel Guidance.

In a coordinated action, the Department of Commerce published a final rule at 81 FR 71365 amending a license exception to allow cargo aboard aircraft to transit Cuba when that cargo is bound for destinations other than Cuba. This rule also authorizes export and reexport of certain items sold directly to individuals in Cuba under a license exception. Finally, this rule revises the lists of ineligible Cuban officials for purposes of certain license exceptions. Commerce's rule was effective 10/17/16.

Source:  U.S. Department of Treasury

TRID guidance documents updated

The CFPB has posted updated versions of two "Know Before You Owe" (TRID Rule) compliance guides. October 7, 2016, versions of the Small entity compliance guide and the Guide to loan estimate and closing disclosure forms are now available on the Bureau's TILA-RESPA Integrated Disclosure rule implementation page.

CFPB Publishes Reg E Corrections

The CFPB published a final rule on October 12, 2016 with "clerical and non-substantive corrections" to errors in Regulation E. The errors included two erroneous cross-references to other sections of the regulation; text missing from a remittance transfer model disclosure regarding state regulatory agency contact information (A-37: Model Form for Error Resolution and Cancellation Disclosures – Short Form); and an incorrect heading within the commentary to section 1005.36. According the CFPB "no substantive change is intended by the corrections," which become effective on November 14, 2016. Click here for the Federal Register notice.

Source:  CFPB

CFPB's Consent Order Against Credit Union Raises Additional Questions

This past week the CFPB has ordered a large credit union to pay $28.5 million for improper debt collection practices in violation of UDAAP.  Based on the consent order the CFPB reasoned that the credit union:

  • Falsely threatened legal action and wage garnishment;
  • Falsely threatened to contact commanding officers to pressure service members to repay;
  • Misrepresented credit consequences of falling behind on a loan; and
  • Illegally froze members' access to their accounts

What the consent order fails to address is whether the credit union was limiting services to a member who has caused a loss to the credit union as authorized by the FCU Act.  The CFPB claims that the credit union violated UDAAP when the credit union froze electronic account access and disabled electronic services for about 700,000 accounts after consumers became delinquent on a credit union credit product. This meant delinquency on a loan could shut down a consumer's debit card, ATM, and online access to the consumer's checking account. The only account actions consumers could take online would be to make payments on delinquent or overdrawn accounts.  In addition to the civil money penalty and required remunerations to affected members, the CFPB has now ordered the credit union to "ensure consumer account access" and has prohibited the credit union from blocking its members' account access if they are delinquent on one or more accounts.

In direct conflict with this are several NCUA legal opinion letters where the agency has said that nothing in the FCU Act or NCUA's regulations precludes a federal credit union from restricting the availability of certain services (e.g., ATM services, credit cards, loans, share draft privileges, preauthorized transfers, etc.) to members provided there is a rational basis for doing so and as long as the members are aware of the policy.  The NCUA opinion letters also state that "any policy limiting services an FCU provides to a member who causes a loss may also be restricted by contract, state, and other federal laws."  What has yet to be determined is whether UDAAP is one of these "federal laws" that could restrict a credit union's ability to limit member services.  CUNA has reached out to NCUA for clarity on this issue and is continuing to study the matter and will report any new developments.

While there are only a limited number of credit unions under CFPB's supervision, CUNA is hearing rumblings of inquiries about whether and/or how the CFPB's order could impact other institutions' business practices.  CUNA realizes that as a business decision some credit unions may choose to suspend certain services to members that are in default of their loan obligations.   Being mindful that suspension of services to members may also be impacted by contract and other state laws, CUNA recommends credit unions consult with local counsel on this matter while the issue continues to evolve.

Source:  CUNA Compliance Blog


Items of note for the coming weeks:

TCPA Oral Arguments to be Held Wed. Oct. 19

Oral arguments in the case challenging the Federal Communications Commission's (FCC) July 2015 TCPA Order will be held Wednesday. CUNA staff plans to attend the hearing that will be held at the D.C. Circuit Court of Appeals. The three judge panel will include the Honorable Srinivasan, Pillard, and Edwards, and each side will have 20 minutes for the argument.

CUNA has been closely following this case and filed a joint Amici Brief highlighting credit union concerns with the Order. Some of the specific consequences of the Order that the brief takes issue with include: 

  • The inability to use automated calling methods delay the institution’s ability to contact credit union members about fraud and identify theft and other important account information that can help members avoid hardship or embarrassment; 
  • The expanded scope of the definition of autodialer, which effectively prohibits financial institutions from using many efficient dialing technologies. The brief argues that this leaves financial institutions with no useful guidance as to the kinds of dialing devices they may use to contact their members or customers with communications that must be made promptly and in substantial volume; 
  • The Order provides a strong disincentive for a financial institution to make calls to its customers or members as a result of the onerous guidance about calling reassigned numbers. The potential liability for calls made in good faith to parties who have consented to receive them, but whose telephone number has subsequently been reassigned without notice to the financial institution, threatens to curtail important and valued communications; 
  • The problematic guidance about how a consumer can revoke consent. The brief notes that the TCPA Order requires financial institutions to receive revocations through any and all communication channels by which institutions receive communications and by any employee who works for the institution or, potentially, who works for a partner of the institution; and 
  • The practical limitations of the financial institutions exemption. The exemption is of particular concern to small financial institutions, and as articulated in the TCPA Order, offers very limited relief. The brief states some small financial institutions have even concluded that the restrictions established by the FCC in the TCPA Order result in a de facto ban on their ability to utilize the exemption. 

Since the FCC issued its Order, CUNA has: written to Congress numerous times with its TCPA concerns; outlined credit union concerns to the National Credit Union Administration and the Consumer Financial Protection Bureau; met with the FCC to discuss concerns; hosted a webinar on potential issues for credit unions; and requested congressional oversight and hearings to be held on this matter. The U.S. Senate Commerce Committee and House Energy and Commerce Subcommittee on Communications and Technology conducted hearings.

Many cases around the country have stayed TCPA decisions to see how the D.C. Circuit rules. We will be monitoring any additional actions after the arguments and keeping credit unions updated.

Pending Regulatory Comment Calls:

CUNA intends to comment on the following pending regulatory proposals. For our comment letter to have the greatest impact, we need to hear from you. Please consider whether and how these proposals would affect your credit union, and contact the CUNA staff listed with each proposal with your feedback   

We encourage Leagues and credit unions to use PowerComment to file comment letters with regulators. Below are the current proposals, Comment Period Deadlines, and Contact information.

CIP/AML & Beneficial Ownership Requirements for Banks Lacking a Functional Federal Regulator

October 24, 2016


Luke Martone

Amendments Relating to Disclosure of Records and Information

October 24, 2016


Luke Martone

Request for Information: Payday Loans

November 7, 2016


Leah Dempsey

Indemnification Payments

November 21, 2016


Andy Price

FHLB Membership for Non-Federally-Insured CUs

November 28, 2016


Andy Price

CUNA Advocacy Update

The CUNA Advocacy Update is published at the beginning of every week and keeps you on top of the most important changes in Washington for credit unions--and what CUNA is doing to monitor, analyze, and influence government agencies and federal law. Additional Advocacy efforts may also be found under CUNA’s Removing Barriers blog.

ComplySight: 30 Day Free Trial!

League InfoSight is offering a free, 30-day trial of ComplySight so you can see the benefits first hand. It's easy to get started. Just visit us online.

FREE Webinars on ComplySight, the League's latest compliance resource

Registration is now open for your front row seat to learn about ComplySight, League InfoSight’s newest addition to your compliance toolbox. If you're looking for a solution to the compliance tidal wave, this system is for you!


For “recorded” webinars, click on the title of the webinar to listen.  Users may be asked to download WebEx, which is a safe download for viewing the webinars.  These are also available on the Dashboard in ComplySight and are available 24/7! 

Introduction to ComplySight
Designed to introduce and show the many features and benefits of ComplySight.

ComplySight Training & TipsWhere to Start?
This webinar will: suggest a starting point as a new ComplySight user, discuss how Factor Grading works, review the Action Item Build/Edit process, and discuss the need for a compliance management tool that regulators - and you - will appreciate.

ComplySight Training & Tips Regulatory Alerts, Assigning Employees, Preview of L2.5, Tools in the Help Area
What should be done when you get an email about a Regulatory Alert?  Where are “old” Regulatory Alerts? How do I assign an employee to an Area, and what will be different with the upcoming Level 2.5?  And – what tools are available in the Help area?  This webinar will explore all of this – and more!

ComplySight Training & TipsHow to Export Data
When you need to archive or copy data out of ComplySight for a fresh start or to provide information for a Board meeting, this webinar will explain the process.

ComplySight Training & TipsReports in ComplySight
What information is contained on the reports in ComplySight and how are they used?

Compliance eNEWSLETTER

October 21, 2016
Vol. 10, Issue 42

Created in partnership with the

Credit Union National Association

Military Lending and 3rd Quarter 2016 Review

This video provides an overview of the key changes made to the Military Lending Act that credit unions are going to need to consider and implement prior to the compliance effective date of October 3, 2016.  View the video here.

Be sure to view this new video, where Glory LeDu, Manager of League System Relations provides an overview of the compliance challenges your credit union is facing now in the 3rd quarter of 2016. 

Same Day ACH Preview

In this newly released video Amy Smith, VP and Executive Director of The Clearing House Payments Authority, provides background information on the current batch-and-forward ACH payment system and introduces the “Phased Approach” of the Same Day ACH program, which will begin in September of 2016.  You will want to pay special attention to Amy’s suggestion to review current ACH files you may be transmitting.  View the video here.

November, 2016
  • November 6th, 2016: Daylight Savings Time Ends
  • November 11th, 2016: Veterans' Day - Federal Holiday
  • November 24th, 2016: Thanksgiving Day - Federal Holiday
December, 2016
  • December 1st, 2016: Overtime Rule (Department of Labor) – Effective date
  • December 26th, 2016: Christmas Day (observed) - Federal Holiday
January, 2017 April, 2017 September, 2017 January, 2018 March, 2018

NCUA Webinars - Regulatory Compliance Training

Hot Topics in Compliance (click to complete the on-screen registration to view recorded webinar)

  • An overview of the Bank Secrecy Act, with discussion of requirements and common violations; 
  • Monitoring of money laundering; 
  • Suspicious Activity Reports; 
  • Equal Credit Opportunity Act adverse action notice requirements; and 
  • Office of Consumer Protection contact information. 

Cybersecurity – Intrusion threats and vulnerabilities


CUNA offers hundreds of online training events that make it easy for you to learn right at your desk. Whether you are looking for a beginner course or want a comprehensive understanding on a specific topic, CUNA webinars, audio conferences and eSchools have what you need. 

Click here for updates on compliance, operations, lending topics and more!