10 Costly FinCEN Compliance Mistakes
(The purpose of providing this information is not only to share additional details regarding a recent action by FinCEN, but also to offer solutions to help credit unions avoid the same action. We hope you find it helpful.)
The recent Financial Crimes Enforcement Network’s $300,000 fine against a Federal Credit Union has credit union leaders wondering how this credit union wound up in the FinCEN hot seat.
Finding out what went wrong could prevent other credit unions from winding up in similar sticky situations, according to compliance experts. Following are 10 costly mistakes this credit union made.
#1 - Ignored FinCEN
Federal officials said one of the credit union’s biggest mistakes was violating PATRIOT Act regulations requiring financial institutions to review and respond quickly to FinCEN information requests submitted on behalf of law enforcement.
“It is of great concern that the credit union failed to even review the 314(a) requests it received,” FinCEN Director Jennifer Shasky Calvery said in a press release.
FinCEN’s 314(a) requests are posted on a secure website every two weeks and must be downloaded, with responses verified by the financial institution within a specified deadline, the agency said.
The credit union had 314(a) requests sent to a single email address accessed by only one person, making timely responses dependent on that person’s availability, FinCEN said.
“These are time sensitive requests that, by their very nature, are intended to further criminal investigations into significant money laundering and terrorist financing activities,” Calvery said.
Solution: Make sure these requests go to more than one individual at the credit union.
#2 - Stepped Outside FOM
The credit union’s authorized field of membership was limited to individuals and entities that live, work or worship in the credit union’s County area.
Yet, the cooperative handled transactions for money services businesses in known high-risk areas such as Central America, the Middle East and Mexico.
“When a small institution opens its doors to the world, takes on greater risks than it can manage, and puts profits before AML controls, bad actors are bound to take advantage,” Calvery said.
“This case raises pretty obvious questions that no one seems to have asked: Why would MSBs located all over the world choose a small credit union to conduct close to $2 billion in transactions?”
For example, during a one-year period, the credit union handled hundreds of millions of dollars in wire transfers to foreign bank accounts of MSBs located in Mexico and Israel, and deposits in excess of $14 million in U.S. cash physically imported into the country on behalf of nearly 40 Mexican currency exchangers, the agency said.
Solution: Stay within your approved Field of Membership.
#3 - Skimped on Compliance
The NCUA and U.S. Dept. of Treasury require federally-chartered cooperatives to implement AML programs. Credit unions are also required to designate a person responsible for ensuring day-to-day compliance, according to federal regulations.
At this credit union, no staff member was assigned to oversee compliance, FinCEN said.
The credit union could have easily avoided any problems, according to compliance experts.
“As flagged by FinCEN, the credit union should have designated a person responsible to oversee BSA compliance,” attorney Martin Kenney, an anti-money laundering expert, said. “However, you first have to have compliance to oversee.”
“By all accounts, in this case there was none,” he continued. “This sounds like a case of hear no evil, see no evil, or the ostrich sickness – sticking one’s head in the sand.”
If a credit union is unable to appoint a staff member to oversee compliance, the institution’s leaders should reach out and ask for help from their fellow credit unions or look for a shared resource person with compliance expertise, said Randy Thompson, CEO of TCT Risk Solutions, a balance sheet and risk management CUSO based in Eagle, Idaho.
Solution: Be sure you have a BSA program in place and an individual and a backup, if possible, to oversee BSA compliance.
#4 - Didn’t Adequately Train Staff
Federally-chartered cooperatives are required to train staff on spotting suspicious transactions, but this credit union did not have sufficient resources or technical expertise to ensure compliance, FinCEN said.
Employees at the credit union did receive annual BSA training, but it was significantly deficient because it was not tailored for each department, and did not encompass all aspects of BSA, cover MSB compliance or ensure employees had access to current compliance rules and guidance, the agency said.
In addition, the credit union did not have any records of compliance materials for its board of directors as recommended by the Federal Financial Institutions Examination Council Manual.
Plus, the credit union did not obtain outside assistance or technical resources in a timely manner to compensate for its small staff, the agency said.
Solution: Use available resources (ComplySight, InfoSight, etc.) to bolster your BSA Compliance training program and structure it for respective staff members.
#5 - Lacked Risk Assessment
Even though independent audits in 2012 identified money laundering and terrorist financing risks at the credit union, the cooperative did not perform a risk assessment until November 2013, FinCEN said.
“When NCUA examiners requested a copy of the credit union’s risk assessment for its Dec. 31, 2011 exam, they were provided with an outdated template from the 2006 Federal Financial Institutions Examination Council Manual, rather than an assessment of the credit union’s particular risks,” the agency’s penalty assessment said.
“A solid BSA program is a vital component of any financial institution’s compliance-related activities,” Jim, VP of professional services at CU*Answers, said. “A strong BSA program controls not only compliance risks but transactional and reputation risks as well. A well-executed BSA program is not difficult to establish, with the foundation being a risk assessment.”
“Financial institutions must show they understand the risks of money laundering and terrorist activity funding from both the members doing business with the credit union as well as the communities the credit union does business in,” Vilker said. “This risk assessment shoulders all other components of an appropriate BSA monitoring program including CIP, monitoring requirements, appropriate trainings, and outside audits to name a few.”
Solution: Develop your comprehensive policies and necessary risk assessments using available resources.
#6 - Inadequate Internal Controls
Until it instituted a new anti-money laundering policy in November 2013, the credit union lacked written procedures for important tasks, such as opening accounts for members who did not have a social security number, FinCEN said.
According to federal regulators, the most significant example of the credit union’s failure to have adequate internal controls was its 2009 contract with a third-party vendor, an MSB that provided financial services to other high-risk MSBs, including check-cashing stores and currency exchangers.
“The credit union agreed to become the depository institution for the vendor’s MSB clients, providing sub-accounts for each MSB to conduct deposits and transfer funds,” the agency said. “Under the contract, the vendor was the credit union’s member and customer and the vendor’s MSB clients were not. However, in practice, 56 of the Vendor’s MSBs sub-accounts could receive financial services directly from the credit union.”
Although the credit union’s own counsel cautioned the credit union it would still have anti-money laundering compliance responsibilities for the vendor’s MSBs, the credit union relied on the vendor to conduct all related due diligence and suspicious activity monitoring without conducting any verification or inspection of the vendor’s compliance activities.
Solution: Develop written procedures for all aspects of BSA/AML and conduct verification activities of vendors as necessary.
#7 - Didn’t Know Its Customers
Credit unions are supposed to have Customer Identification Programs (CIP) that are suitable for the size and scope of the business, but the credit union failed to verify customer identification information for many members, including MSBs, according to federal regulators.
Although the credit union’s internal policy required each MSB to be properly registered with FinCEN and licensed with the state in which they conducted business, the credit union provided services to MSBs located in the Middle East that were not registered with FinCEN, the agency said.
In one case, an individual connected to more than 60% of the businesses banking with the credit union conducted 2,036 cash withdrawals between January 2010 and August 2013, but the credit union never identified the person as potentially high-risk or reviewed his activities, FinCEN said.
In order to monitor for suspicious activities, employees had to manually investigate accounts, but they lacked sufficient knowledge to do so properly, the agency said.
Solution: Make sure your CIP policy is followed for all who wish to become members.
#8 - Slow or No SARs
Between April 2010 and April 2013, the credit union filed only 15 Suspicious Activity Reports, according to FinCEN.
“The SARs were filed late and the narrative sections lacked essential information explaining why the suspicious activity was being reported,” the agency said. “Furthermore, the credit union failed to file SARs on customers engaged in suspicious activity, including a customer that was arrested and charged with conspiring to launder money.”
In one case, law enforcement seized more than $1.5 million from an owner of an MSB who held an account at the credit union, yet the cooperative never filed a SAR, federal regulators said.
Solution: Understand what requires the filing of a SAR and don’t hesitate to file one.
#9 - Got Greedy
In 2013, the total transaction volume through the credit union by MSBs included $54.8 million in cash orders, $1.01 billion in outgoing wires, $5.3 million in returned checks, and $984.4 million in remote deposit capture, FinCEN said.
The MSB activity constituted 90% of the credit union’s annual revenue in 2013, the agency said.
“This was not the expected business behavior of a small credit union and led to substantial BSA compliance failures and violations,” FinCEN said.
The revenue generated by the questionable activity was vital to the credit union’s survival, according to federal regulators.
“The substantial revenue generated by the Vendor’s program appeared to outweigh any consideration by the credit union of associated risks and appropriate compliance measures,” FinCEN said. “For example, NCUA examined the credit union in 2010 and instructed the credit union to ensure that its MSB members all met field of membership requirements.”
But, by December 2012, the credit union had accounts for 56 different MSBs.
Solution: Always follow the recommendations of the examiners and prudently analyze any expected financial gain.
#10 - No Independent Testing
A federally chartered credit union’s anti-money laundering program must include independent compliance testing to monitor the institution’s program and ensure its adequacy, according to FinCEN regulations.
NCUA recommends annual testing of a credit union’s compliance program when it serves high-risk clients.
The credit union did not have its anti-money laundering program tested on a regular basis until NCUA cited this shortfall, a failure of particular concern for an entity, like this credit union, engaged in high-risk business lines, federal regulators said.
The cooperative began receiving independent audits in December 2011, but significant issues persisted almost two years later, FinCEN said.
Solution: Be sure to follow the requirements for independent testing and develop a method for ensuring compliance.
Source: Credit Union Times and MCUL