Perhaps the most frustrating aspect of compliance is that there are so many definite penalties for not complying with indefinite rules.
Should credit unions file a suspicious activity report on every bounced check? What are their risks in a shared branch network? What if the mayor of the local town is a member?
As NASCUS' Brian Knight, VP of Regulatory Affairs, noted in remarks to a room of regulators and state-chartered credit unions, when it comes to Bank Secrecy Act and anti-money laundering activities, "I think this perhaps is one of the most challenging questions simply because the majority of the statutes are so subjective. I don't think I've ever seen a rule (BSA) with so much gray area."
Knight stressed that some credit unions have simply not complied by assuming the rules don't apply to them. Those CUs are in for a rude, and perhaps expensive, awakening.
"Regardless of where you are, you don't really know your customers or your members," said Knight. "No matter how often that individual has walked through the doors, how much do you really know about them? The days of 'We know Bob or Sue from the plant' are gone. You have to do exactly what the regulations require."
Of course, as two other experts on those regulations readily agreed, the rules are not exactly exact. That much was acknowledged by Jeffrey Pratt, senior regulatory specialist with the Financial Crimes Enforcement Network (FinCen), who observed, "There is very little black and white to be found in BSA."
"BSA was glossed over for a long time, but after Sept. 11, things have changed," said Pratt, who urged credit unions to recognize the basic steps to compliance are an independent audit, policy and procedures and internal controls. "We have encountered many, many times credit unions that do not have a basic understanding. I'm not saying credit unions are the only weak link in the system, but they are one of them."
Pratt urged credit unions and regulators to read the published enforcement actions, calling FinCen's actions "painfully detailed" and to "be read as a roadmap on where not to go." One thing consistently noticeable in enforcement actions has been the lack of independent audits, said Pratt.
Pratt encouraged every credit union to investigate electronic filing of BSA forms, saying it's a "great way to stay in compliance." Electronically filed forms require a time and budget investment upfront, including a digital signature, but also provides for a receipt that the form has been filed, he noted.
Another expert on compliance, Carol Van Cleef, a partner with Bryan Cave, LLP, and a frequent trainer of examiners, offered this laundry list of advice on the Bank Secrecy Act:
* "When we talk about BSA compliance the one issue we don't hear spoken about much is 'who is the audience that you are playing to?'" she said.
The answer, according to Van Cleef, is not the regulator but instead law enforcement. "In almost every enforcement action we've seen there has been a very close tie to law enforcement activity," said Van Cleef. "Many institutions, if they haven't heard from the regulator, assume they don't have to do it." Then they hear from a law enforcement agency. "Law enforcement is getting very good at what they are doing. They have brought on line some very sophisticated data mining. We have heard from people saying they file CTRs and SARs and they never hear anything. Why do I need to do it? But law enforcement is getting very good about mining for the right information."
* Van Cleef said that if someone else in the transaction chain is reporting a SAR on a particular transaction and if you are not looking at that transaction and reporting a SAR, you may down the road be looking at a legal claim that you are not upholding your responsibility.
* Van Cleef said that in recent meeting with examiners, there were two "ah-ha" moments.
The first was the recognition by examiners that BSA and anti-money-laundering is much more complex than taking the institution's program down the street and putting your name on it. Every institution needs to look at its risk, how it will address that risk, and that procedures are in place to handle the risk, she said.
The second ah-ha, she said, is the recognition that bigger institutions have the resources to address these issues; smaller institutions are going to be really strapped. Van Cleef said every institution needs to have a BSA officer. "It's a bigger job than most organizations anticipate. That comment is broad, and I know within credit unions there is a broad range of asset sizes," she said. "Even that small one- or two- or three-person credit union has to have a program in place. The bad guys are very, very good, and to be perfectly frank, if I were one of them I'd be looking at a credit union or even setting up my own credit union."
Van Cleef said regulators must set the right tone for every institutions they oversee. "You let credit unions know you consider it important that they do comply."
Some of Van Cleef's other advice.
* "You're probably going to need an outsider to be the buffer or catalyst within the credit union that is needed for change within the organization. Fortunately, in credit unions, you don't have quite the same pressures that stock corporations have in that they have monthly targets to be met and the profit motive. So from one perspective credit unions are in a much better position to set the tone on compliance."
* "Don't blame the BSA Compliance Officer. As soon as there is an issue with the regulators, the compliance officer is blamed. More often than not the officer knows what they should do, but they haven't gotten the support from management. Has that BSA compliance officer been given the tools they need to have or been sent to training sessions?"
"If you don't look, you're not going to see. This is monitoring for suspicious activity. Many organizations say, 'we're low risk, we know our members'. The real fundamental issue is if you're not looking for suspicious activity you're not going to find it. I could come into every credit union in this room and with 48 hours probably detect two or three activities that look suspicious and for which you probably should have filed a SAR."
* "FinCen, I predict, is going to make an example out of a credit union." said Van Cleef. "As we've seen in other industries and other areas, to get an industry to really wake up and pay attention it often takes an enforcement action to cause that. Riggs Bank was a sexy case, but at the end of the day what was happening was a breakdown in an effective compliance program. Don't think that you're really that different from Riggs."
