Fine. But Not Dandy
A $24-million fine should say it all.
On Aug. 17, 2005 the U.S. Treasury Department's Office of the Comptroller of the Currency and the Financial Crimes Enforcement Network (FinCEN) imposed its second-largest fine for alleged failures to comply with anti-money laundering laws.
Government officials stated that Arab Bank's New York branch "failed to implement an adequate anti-money laundering program to comply with the Bank Secrecy Act" and "manage the risks of money laundering and terrorist financing."
The Arab Bank fine isn't a surprise to any of the compliance experts and regulators who spoke to The Credit Union Journal about the present compliance climate. Experts say they understand the mountain of work facing credit unions regarding compliance and how regulations are frequently hazy, often flat-out confusing and sometimes contradictory. For many mid-size and especially smaller credit unions, managers frequently feel they spend more time on compliance issues than in the basic business of helping members.
But analysts all agree: the workload isn't about to shrink, and regulators will not be backing off on any compliance requirements, especially BSA regulations, in a post-Sept. 11 world. But those analysts also agreed that there are steps credit unions can take to make the process of compliance smoother.
"It's scary when you're seeing the fines out there," agreed Shannon L. Bennett, a compliance analyst with Bankers Systems, Inc. "Guess what? These requirements are here to stay."
In response, credit unions have hired compliance "tutors," purchased compliance models, turned to their state leagues and regulators, or secured the services of some of the many companies that offer compliance services. And at least one analyst believes the time is ripe for CUSOs to be formed to assist small and mid-size CUs with compliance demands (see related story).
The experts say most state and federal examiners are primarily focusing on Suspicious Activity Reports, Cash Transfer Reports, and most heavily on staff training, independent auditing and three other areas: documentation, documentation, documentation. When it comes to compliance, here are some examples of what to look for and how some credit unions are responding.
What The Leagues Are Doing
Wisconsin Credit Union League Legal Counsel Paul Guttormsson said most credit unions understand the need for increased emphasis on BSA as it relates to the PATRIOT Act, and are complying out of a sense of duty. But once they get into the "nitty-gritty" of it and see just how much work there is, they often overlook smaller details.
"It gets a little daunting. Compliance can be really overwhelming," he acknowledged. "Some just don't realize how big it is."
The Wisconsin league has been seeking to help its member credit unions with "written summaries in plain English" detailing BSA, new PATRIOT Act requirements, SAR and an adaptable policy model can fit their own needs. Guttormsson said CUs should be able to quickly find outside advice and services to aid compliance. "CUNA is really good about providing help," Guttormsson said.
In fact, every compliance expert who spoke with The Credit Union Journal mentioned the resources and advice provided by credit union leagues and CUNA. Guttormsson recommended CUNA's e-Guide to Federal Laws and Regulations, its links to helpful websites, and a list of Frequently Asked Questions. CUNA also offers "Cobweb," a listserv for online discussion on various compliance issues; and Compliance Challenge, a monthly newsletter with a Q & A format.
Yet for all that education that is available, Guttormsson noted that much of the work under BSA falls on front-line staff where the most employee turnover takes place.
The Policy on Policies
When it comes to compliance, a common theme among experts is the need for credit unions to be as specific as they can: policies need written procedures to follow, on-going training needs to be verified and documented for examiners. Failure to do so is a failure in itself.
Bankers Systems' compliance analysts Shannon Bennett and Sue Pogatschnik said a common mistake is to create a policy for a member identification program, for example, and not have the procedures to match it. While the filing of a CTR is a black and white matter, when to file is not, and both analysts said many credit unions do not have a policy in place addressing that issue. In turn, it's created a gray area that left quite a few compliance staffers confused or not fully understanding requirements. "They'll have a CIP policy but no procedures to go with it," Bennett said.
If, for instance, the policy states "verify member identification," the procedures must explicitly list getting a driver's license number, SSN, address, etc. Like always, it will have to be proved to examiners.
In Richmond, Virginia Credit Union AVP of Security Brenda Schadle said VCU has a "three-pronged approach" with three distinct and independent departments. One section ensures the $1.3-billion CU is in compliance with BSA, the security section manages day-to-day operations and a third, independent group forms the internal audit department.
Like others, Schadle recommended a detailed, comprehensive plan and the use of the resources of a credit union league, especially for smaller CUs. She also stressed that BSA requires an independent audit and continual training, and she further recommended the FinCEN e-mail alerts. "If you're wearing many different hats, this is very easy to get away from you," Schadle said.
How To Avoid Being Written Up
Kathy Thompson, senior VP of Compliance at CUNA, was straight to the point stating that staff training requirements and independent testing are common trouble spots for everyone. "Those are the two things credit unions are most likely to be written up for," Thompson said.
Thompson noted that CUNA has held 10 webinars since March 2005 and is planning five more by September. Thompson engineered Cobweb, a listserv with 1,000 people asking questions and posting ideas regarding compliance that are stored online for future use. CUNA is also developing a compliance-training manual that will also be available on a CD.
New Orleans Fireman's FCU Compliance Security Coordinator Jeff Caire echoed advice on staff training and keeping strict logs of every aspect of BSA. Fireman's FCU teller staff undergoes annual training detailing step-by-step procedures. Anything out of the ordinary is promptly sent to Caire for a decision. "All of our staff, front line or back office, they're required to take (BSA) training," Caire said. "The main thing is keeping on top of it."
Caire said New Orleans Fireman's had sought help from a private attorney who provides sample BSA forms that are modified for the CU's needs. Caire said to "practice what you preach" and be prepared to back it up before any examiner.
BSA requires CUs to document programs with training and testing materials, session dates and attendance records, all of which need to be kept for examiner review.
WANTED: COMPLIANCE CUSO
CHICAGO-If there is a shining need and opportunity for a CUSO to be formed, one analyst says its in the area of compliance. Guy Messick, a Media, Penn.-based attorney who specializes in CUSO law, said he sees such a jointly-owned compliance CUSO as the only way smaller CUs will be able to cope. "How can a credit union with three people that has the same responsibilities to comply with FinCEN as a billion-dollar credit union cope?" Messick told The Credit Union Journal he doesn't know of a CUSO that has been formed specifically for the purpose of compliance, although CommunityAmerica Credit Union does operate Counter Intelligence Associates as a CUSO and it does offer some related services.