Despite their unique structures and community-oriented principles, credit unions are not immune to the threats of money laundering, fraud, and associated illicit activities. As a Bank Secrecy Act (BSA) Officer, navigating Anti-Money Laundering (AML) concerns has exposed me to the intricacies of safeguarding these institutions. While credit unions may seem worlds apart from large global banks, the principles of financial integrity, trust, and security are paramount to the success of banks and credit unions alike. The following best practices address the top AML concerns specific to credit unions. Former BSA Officer Melissa Mantooth includes hands-on experiences and offers insights that bridge the gap between regulatory expectations and real-world application.
Top AML concerns for credit unions: A BSA Officer’s perspective
Advice from a former credit union BSA Officer
A former compliance officer offers considerations for creating a successful and compliant AML program at your credit union.
You might also like this resource: "Building a strong future: Succession planning strategies for you AML program."
Gap institutions: What credit union BSA Officers should know
The first concern to address is for gap institutions. A gap institution is a financial institution that does not have a federal functioning regulator, such as a state-chartered credit union. In a 2023 Financial Crime Enforcement Network (FinCEN) consent order for a gap institution, Kingdom Trust Company, a critical finding was that the trust company had no transaction monitoring or AML program for reporting suspicious activity reports (SARs). Kingdom Trust had virtually no process to identify and report suspicious transactions, processing over $4 billion in international wires with no controls. FinCEN assessed a $1.5 million civil money penalty for willful violations of the BSA and its implementing regulations.
This enforcement action is an essential statement that governing bodies will not tolerate weak compliance programs that fail to identify and report suspicious activities, particularly regarding high-risk members whose businesses pose an elevated risk of money laundering. It shows that regulators are scrutinizing smaller institutions, particularly gap institutions, to ensure the AML Programs are sufficient to monitor and effectively identify risks.
AMS World Trading, a perfume store, was recently charged a civil money penalty by FinCEN for BSA violations because they fell under the geographic targeting order (GTO) within the Los Angeles Fashion District and did not have a sufficient AML program. This example highlights the importance of taking location and clientele into consideration at your credit union. As credit unions have evolved and expanded offerings, many have gained a greater diversity of business members and accounts. It is important to conduct due diligence measures on business members as well as personal members to ensure your credit union understands the true nature of the business. Offering services to higher-risk businesses may match your credit union’s risk tolerance as it will likely produce significant revenue and opportunities. Your compliance department should be involved with understanding the membership base and the types of companies the credit union is willing to onboard.
As a former BSA compliance officer, I recommend observing and researching consent orders to identify best practices for my AML program.
As you read through the orders, address each regulatory finding and ask:
- What are we doing at my credit union to manage and mitigate this risk?
- Would I pass or fail if my credit union was examined on these or similar points?
If there is an uneasy feeling, seek out associates or peers, credit union leagues, or contact an advisory services team to help you develop the appropriate policies and procedures to address the areas needing attention.
Creating risk frameworks
Risk mitigation considerations for credit union BSA Officers
Banking as a Service
As credit unions expand their products and services, they must ensure that sufficient member due diligence is being performed and the proper framework of policies and procedures is in place. This especially applies to Banking as a Service (BaaS) providers, which are new and complex and could be viewed as an easy way to make money. However, they could also place a considerable burden on BSA compliance departments.
There is not currently much guidance for BaaS, but a framework can be achieved by replicating third-party guidance with a detailed and expanded due diligence checklist. For example, does the member have BSA requirements similar to those of a Money Services Business (MSB)? Maybe they are more similar to a foreign correspondent account. Find guidance addressing risks for businesses most similar to your member, and apply due diligence measures sufficient to monitor for suspicious activity.
Addressing risk in training
There are several critical steps for your credit union's compliance department to take to build a strong training program. First, develop a follow-the-money culture. Resources for financial crime training can be limited. Corporations and businesses are being prosecuted no matter the size, and the institutions are the gatekeepers to stopping and reporting the movement of funds. BSA staff are your credit union's gatekeepers to safeguard the institution and the members, so finding resources and training to keep up with trends and concerns for AML hot topics is imperative.
Even if your regulator has yet to ask for an education plan in an exam, developing and formulating how you will stay on top of trends in your overall BSA risk assessment, policies, and procedures is critical. Educate yourself and find ways to obtain training despite a tight budget. Sign up for every newsletter and email blast from agencies touching BSA compliance. Examples include the Department of Justice, CUNA, various state leagues, NCUA, FFIEC, FinCEN, OFAC, Treasury, FBI, USSS, and Homeland Security. Take advantage of free resources such as this BSA Compliance Training Guidebook.
Avoiding risk from turnover
Another concern for AML programs is turnover and BSA/AML staffing needs. When BSA employees exit, institutional knowledge is often lost. Staffing deficiencies should be communicated to the Board of Directors and executive management so they understand the critical nature of being fully staffed with trained team members. With a lack of trained resources, the quality suffers in AML compliance due to deficiencies in enhanced due diligence reviews, SAR reporting, identifying and mitigating fraud losses, and monitoring and managing alerts and cases. As the compliance officer at the credit unions I previously worked for, I was, in most cases, the only employee in my department. If this is the situation at your credit union, it is essential to cross-train employees and create a BSA contingency plan. Put robust policies and deeply detailed procedures in place in case someone needs to act in your absence.
The pandemic aftermath
Now that we have overcome the challenges brought about by the COVID-19 pandemic, let's discuss what processes your credit union had in place pre-pandemic that you may have stopped doing during the lockdown. Did the compliance department conduct branch or onsite visits to higher-risk business members? How did the pandemic impact your disaster recovery, and more importantly, if you had lessons learned, did you update your disaster recovery plan? Supporting remote working environments as a credit union would have been unheard of five years ago. Ensure your disaster recovery plan matches the policy, procedures, and processes you have added or changed since the pandemic. This will prepare you for any future disasters that interrupt your business processes.
Culture of proactivity
Developing an enterprise mindset in your AML department
Compliance officers should always be thinking about how BSA, AML, and fraud concerns impact their credit union and, ultimately, their members. Not every credit union's fraud and AML concerns correlate, but there is a case to be made for combining BSA and fraud departments. You may consider combining AML and fraud departments for a holistic transaction monitoring and SAR reporting approach.
I recently joined the "NCUA's Consumer Compliance Supervisory Observations & Hot Topics" webinar on September 27, 2023. The webinar focused more on critical consumer compliance exam activities like fair lending, overdrafts, fair credit, and truth in lending than BSA compliance. While the webinar was beneficial for consumer compliance, I did leave the webinar with ideas on overdrafts. Reporting and tracking overdraft usage through your BSA and fraud units can be helpful as it alerts analysts to your riskier members that could cause a loss to the credit union. If a fraud department has metrics to monitor and track overdrafts, those members could be monitored for suspicious activity to prevent future losses. I left the training with ideas on how to make a compliance department think more proactively about BSA and fraud. In my time as a compliance officer, I always asked myself how my department could be more proactive with questions like the following:
- What is my BSA or fraud program doing in this area?
- Is there a gap that could be filled?
- Are there mitigating controls in place to prevent fraud losses or money laundering?
- Is this a risk for my institution?
Update AML/CFT procedures to ensure success
Credit unions must be just as proactive, innovative, and watchful as large banks when it comes to money laundering and other illicit financial activities that could be flowing through their member accounts. No matter your asset size, being a BSA Officer is like being a guard, always watching to ensure no suspicious activity goes undetected. The COVID-19 pandemic changed many policies and routines, but a reset is in order for many credit unions to return to the robust AML procedures to stay compliant and run a successful program.
Ultimately, it's all about ensuring our financial system is safe and sound and regulatory expectations are met. Remember, catching the bad guys is always fun, and it brings everything full circle with how we have structured our compliance departments.