The following sections provide additional detail and potential questions to aid in analyzing each risk factor as part of the AML/CFT risk assessment.
Products and services
Understanding the credit union's products and services involves knowing how many members use these services and the risks involved in those products or services. For example, the following questions may be asked:
- Does the FI offer the sale of monetary instruments?
- Are monetary instruments allowed to be sold to non-accountholders?
- Do you allow customers or members to send outgoing international wires?
- If so, how is this monitored?
- How many accounts and to which countries are they sent?
- Do you offer services to those without a Tax ID Number (TIN)?
- If so, how many customers or members?
Although not all-inclusive, other products and services that you may want to include in your review are:
- Foreign correspondent accounts
- Special use accounts
- Trade finance
- Bulk cash
- Consumer or business loan portfolios
- Online account access/opening
- ATM services
- Remote deposit capture
Remember, it’s essential to understand whether these volumes are increasing or decreasing and what controls are in place to mitigate the inherent risk. Once again, all supporting documentation of your analysis must be retained.
Understanding the credit union's branch footprint is critical to analyzing geography. Specific questions to ask include:
- What are the populations of the area's cities and towns?
- Are the branches located within High-Intensity Financial Crime Areas or High-Intensity Drug Trafficking Areas?
- Does the credit union have a presence on the U.S.-Mexico border?
- Does the credit union file many suspicious activity reports (SARs) annually compared to the other credit unions in the same geographical area? If not, what might be the reason?
Determine whether these volumes are increasing or decreasing and what controls the credit union has for each.
The member base should be evaluated on several factors, such as the number of high-risk credit union members. Consider the following types of members in your account base:
- Non-Resident Aliens (NRAs)
- Politically exposed persons (PEPs)
- Cash-intensive businesses (including marijuana-related businesses)
- Money Services Businesses (MSBs)
- Virtual currency exchanges
- Non-bank financial institutions (NBFIs)
- Professional service providers
In addition, the risk assessment should assess how well the credit union collects beneficial ownership information and whether the customer due diligence (CDD) and enhanced due diligence (EDD) processes are sufficient. Again, determine if these volumes are increasing or decreasing and what controls are in place. These questions must be answered to understand the member risk fully.
Transactions will require a review of both volumes and frequencies. Analyze processes such as:
- Number of currency transaction reports (CTRs) filed annually
- Number of SARs filed annually
- Volumes and frequencies of international wires compared to domestic
- Number of international ACH transactions compared to domestic transactions
- The volume of private ATM users, if any
- The volume of loan transactions
FinCEN issued eight National AML/CFT priorities in June 2021. Each of the following priorities should have a section within the risk assessment addressing the credit union’s risk and any mitigating factors available for each risk:
- Cybercrime and related cybersecurity, including virtual currency considerations
- Foreign and domestic terrorist financing
- Transnational criminal organizations (TCO) activity
- Drug trafficking organizations (DTO) activity
- Human trafficking and human smuggling
- Proliferation financing (weapons and materials of mass destruction)
Adequate compliance staffing is critical to any AML program. When analyzing human resources for your risk assessment, consider the following:
- Number of full-time and part-time employees in AML function
- How these numbers compare to the previous year
- Qualifications and experience level of the AML staff
- What training is provided for the team (and the financial institution staff more broadly)
- Whether background checks are conducted when hiring
Regulatory audit and exams
Regulatory audit and exam results provide a picture of your AML/CFT program's health and any gaps that may be present in the program. If the credit union has a history of violations, particularly repeat findings, the credit union's risk should be increased in the risk assessment. If the board of directors has been adequately apprised of the audit or exam outcomes and repeat violations still occur, this could indicate a need for a strong culture of compliance, which will ultimately lead to further increased risk. The following other items should also be addressed within an audit or exam:
- Policies and procedures should be checked and updated when necessary.
- A designated officer should be appointed and approved by the board of directors as responsible for AML/CFT and OFAC compliance.
- SARs and CTRs should be filed regularly and promptly, following FinCEN guidelines.
Adequate OFAC compliance is essential for mitigating a credit union’s risk. A robust OFAC risk assessment supporting the program is critical to avoid costly monetary penalties or regulatory consent orders. Certain transactions, such as wire transfers and ACH, must be checked for OFAC matches before being sent. A credit union should have a clear set of policies and procedures for OFAC compliance and provide training to all stakeholders. If the credit union has a history of OFAC violations, the OFAC risk should be classified as elevated and tightened with mitigating factors.