BSA Compliance Tips, Common Violations from NCUA
Thursday, November 6, 2014 6:30 AM

Speaking at the Credit Union National Association BSA Conference last week, Judy Graham, a program officer in the NCUA's Office of Examination and Insurance, gave an update about what the agency expects to see from credit union BSA programs.

The NCUA is required by law to conduct a review of the BSA compliance program at each examination of a federally insured credit union. Part 748 of the agency's rules and regulations describes the requirements of such a program, which must:

  • Establish a system of internal controls;
  • Provide for independent testing;
  • Designate a BSA compliance officer who will monitor day-to-day compliance;
  • Establish a customer identification program; and
  • Establish a BSA training program for appropriate employees and volunteers.

According to Graham, the regulation itself requires credit unions to provide training, but does not set a specific time frame for how often it should be conducted. "The general rule of thumb is every 12 to 18 months, but that depends on your risk profile, your products, your services," she said.

"Some of the larger credit unions that may be taking on higher-risk products and services might be doing periodic or ongoing training on a quarterly basis. Some of our smaller, lower-risk institutions without a lot of products and services might consider a year, up to 18 months." But, Graham warned her audience, "Our examiners aren't going to let anyone go on much longer than that."

Graham says that customer due diligence is part of the foundation of a credit union's BSA compliance program. If credit union staff don't perform customer due diligence both when they open accounts and on an ongoing basis, the credit union can't adequately monitor those accounts for suspicious activities.

She emphasized, "If you don't know what the norm is for the account, how can you tell when something suspicious is happening?"

So what are credit unions doing wrong? According to the NCUA, the most common violations found during examinations involve:

  • Training that is not recent, not documented, does not cover credit union policies and procedures, and does not include the institution's board of directors;
  • Failure to check the Financial Crimes Enforcement Network's 314(a) lists, which are generally sent every other Tuesday to inform financial institutions of consumers who are the subject of current investigations;
  • Independent testing that does not cover all credit union operations, has not been done within the last 12 to 18 months or is not fully independent; and
  • Internal controls failures such as an out-of-date risk assessment or a suspicious activity monitoring system that is inadequate.

Graham points out that a lot of the information credit unions gather is not just for BSA compliance; it's going to help with other day-to-day operations, such as making sure records have current phone numbers and other contact information.

Graham also recommended several "enhanced due diligence" strategies, including recording the purpose of an account and the source of a member's funds; tracking beneficial owners, signatories or guarantors; noting the proximity of a member's residence, place of employment or business to the credit union; and keeping on file a description of a member's business operations, anticipated volume, and activity.