
8 compliance lessons from recent enforcement actions: Part two

By: Jennifer Morrison, VP, Senior Risk Manager

March 19, 2015 -- Last month we featured part one of this article, which listed three compliance lessons we should apply based on recent FinCEN enforcement actions penalizing North Dade Community Development Federal Credit Union and MoneyGram’s SVP Thomas Haider.

If you missed part one or just need to refresh your memory on the first three compliance lessons, you can read the full article here. Today in part two, we will pick up where we left off last month and share the remaining five lessons.


Lesson 4: Follow your own policies and procedures.

A written document becomes a standard by which an auditor or examiner can test compliance. Failure to follow your own policies and procedures is like having instructions for assembly that you consciously ignore and then complaining about the time it took for you to assemble Jimmy’s new bike. And if you take shortcuts, the wheels might just fall off.

Policies and procedures ensure continuity. FinCEN is not going to accept the excuse that you have a new BSA officer when a SAR is filed late. They are going to point to your procedures as documentary evidence that you knew how to complete the required SAR, including the identification of the activity and determination that a SAR was required.

Test your procedures. Systems change and business acumen often drives us to better processes over time. At least annually, pick up a procedure and follow it exactly as stated to ensure accuracy. Additionally, the BSA officer should sign off on the completed procedure testing and any needed edits.

Lesson 5: Know your members.

We have talked many times about the risks your business members’ clients or customers pose to your credit union. For example, when allowing the local CPA firm to originate ACH, you must recognize that many of the CPA firm’s clients are probably not members of your credit union. But monitoring the business member’s client ACH transactions is necessary because there is a risk that one of the CPA’s clients might be perpetrating some sort of tax evasion or fraud.

And while this is likely a very small risk, “know your member” means that you understand the types of transactions your business member is likely to conduct, that you monitor the transactions, and that you have the ability to identify and report when such transactions appear unusual or illegal.

North Dade entered into a contract with a third-party vendor (also an MSB) to provide financial services to other MSBs. The third-party vendor’s clients were not members of North Dade. North Dade’s own counsel notified management that they would still have BSA/AML responsibilities for the third-party vendor’s clients, and North Dade went so far as to create sub-accounts for the vendor’s clients, creating an even clearer opportunity to monitor transactions.

Lesson 6: Gordon Gekko might be wrong.

In the 1987 movie Wall Street, lead character Gordon Gekko famously proselytizes “that greed, for lack of a better word, is good.” In the case of North Dade, greed did not work out so well. The aforementioned third-party MSB generated 90% of the credit union’s annual revenue in 2013 per FinCEN. FinCEN actually goes on to say, in the Civil Money Penalty documentation, that North Dade relied on this business line for its survival and that this revenue source appeared to outweigh any consideration by management of the risks and appropriate compliance measures.

Lesson 7: Train, train, and train your staff.

North Dade had no record of board training, and the staff training that was conducted was limited and not job-specific. It did not provide references to external sources for current information. And given the decision to serve MSBs, North Dade’s training did not address MSB compliance. North Dade did not designate a BSA compliance officer until January 2014.

BSA/AML training must be conducted for all staff at least annually. Training must be job-specific, and all new hires must be trained within a reasonable period after hire. As staff transfer to new positions, do not neglect the job-specific BSA training for the new hire.

We provide all staff with a quarterly newsletter, including current events and topics from FinCEN’s own website. We find case examples make good training tools. In addition, all of our job descriptions include at least a basic reference to BSA/AML and OFAC compliance among required duties.

Lesson 8: Conduct independent testing.

A federally chartered credit union’s anti-money laundering program must include independent compliance testing to monitor the institution’s program and ensure its adequacy (31 C.F.R. § 1020.210; 12 C.F.R. § 748.2(c)). While the frequency of such testing is not specified, the NCUA recommends annual testing when credit unions serve high-risk members.

In the case of North Dade, FinCEN notes that an independent audit was completed in December 2011; however, the significant issues remained unaddressed with the August 2013 audit. Both audits appear to have identified the BSA/AML program deficiencies that would later result in the C&D order and civil money penalties.

Selecting a vendor to provide the independent testing can be daunting. Ask colleagues at similarly sized credit unions or contact your league for references. Our supervisory committee conducts a request for proposal (RFP) every three years to ensure we have the appropriate level of expertise. Among our requirements, we state that the senior auditor must be CAMS certified.

We also require support throughout the year, including the often-needed review of any new guidance and alerts to recent federal pronouncements that might affect how we conduct our BSA program. In the end, we view our independent review as a partnership in meeting our compliance obligations.

Keeping these lessons in your “compliance toolbox”

As noted previously, FinCEN in FIN-2014-A007 specifically directs financial institutions (credit unions) to use the lessons from recent enforcement actions as additional “tools in our compliance toolbox.” Not only does it appear that FinCEN is emphasizing its focus, but it is also reinforcing the message that we must be serious in constructing and managing a risk-focused BSA/AML program designed to prevent terrorist financing and money laundering.

For more information, please see