Given the small number of CUs cited and the fact none were actually accused of any wrongdoing, it would be easy to shrug off the recent ruckus about FinCEN's report on potential anti-money laundering problems at credit unions. But that would be a mistake.
Only about 50 credit unions were named in a recent FinCEN report that identified CUs as possible money-laundering conduits for money services businesses (MSBs), but a number of experts told Credit Union Journal the impact of the report extends far beyond whether or not a CU was included on FinCEN's list or those that serve MSBs.
Everything from reputation risk and more probing examinations, to tougher bank regulations turning credit unions into the "bank of last resort" for shady operator is on the table. But for starters, a number of observers expressed concerns about how the confidential report got out, in the first place.
"When the Wall Street Journal has an article with a headline saying a bunch of small credit unions might not be doing things well, that is an issue," said Bill Hampel, chief economist and chief policy officer at CUNA.
"I was bothered by the fact that it was a front-page story in the Wall Street Journal from what should be a confidential report," said Geoff Bacino, a former NCUA board member and now a partner at Bacino & Associates in Washington. "I think frankly somebody at FinCEN or some department at FinCEN has some answering to do either to NCUA or to the IG. Because this isn't the type of thing that should get out in the manner in which it got out."
FinCEN showed NCUA the report before the news broke, and the group agreed last week to share advance drafts of any reports concerning credit unions with NCUA. But NCUA didn't inform any of the credit unions on the FinCEN list that they were being investigated, nor will it do so in the future. According to NCUA's Fairbanks, "it would be illegal to even notify a credit union that they were on the list and possibly impede a law enforcement investigation."
Besides, Fairbanks added, "law enforcement is focused on people who seek to launder money, not on the institutions."
Reputational Risk
Dennis Dollar, a former NCUA chairman and now principal at Dollar Associates consultancy, called the report "quite confusing in its lack of logic," given that no specific evidence of wrongdoing was presented.
"It seems to be an anti-small financial institution bias on the part of FinCEN, and it appears to be based more on speculation than fact," said Dennis Dollar, a former NCUA chairman and now principal at Dollar Associates consultancy. "I believe they think a FI has to be the size of B of A or Wells Fargo in order to keep up with money laundering these days. They completely overlook the familiarity with members and member tendencies that I would submit is much more likely to detect money laundering activities than the totally systems based approaches that larger FIs have."
But, CUNA's Hampel said that these sorts of reputational risks might also just be part of the cost of doing businesses.
"If credit unions avoided all potential reputation risk at the expense of not providing enough services for their members or generating enough income to serve their members, that'd be a shame," he said. "Sometimes you have to take the lumps and deal with it. If there's no follow-up to this story in the ensuing several months — if this raises the yellow flag but after they look under the hood they raise the green flag, which I expect is very likely — there's no permanent reputation risk there."
John ReVeal, a partner specializing in money laundering issues at Washington D.C.-based law firm Bryan Cave, noted that the situation isn't as reputation-damaging as it might seem.
"It's my sense that there are a lot worse things to be written up for than potential money laundering problems," said ReVeal. "The reason being that even the major institutions that make mistakes really were just making mistakes. It's pretty rare to have an institution participating in that problem. I don't think the public generally thinks you must be a terrorist organization because you banked a terrorist; they just think it's sloppy."
Up Next: Regulator Scrutiny
One thing that complicates the response — and what credit unions should expect moving forward — is that there is little historical precedent for this sort of thing. Perhaps the closest parallel, said Bacino, was in the wake of the Sept. 11 terrorist attacks "with more of the continued focus on 'know your member/know your customer,' which is when FinCEN increased its profile."
Steve Williams, a principal at Cornerstone Advisors, said that the fact that credit unions are now being eyed by FinCEN shouldn't come as a surprise.
"I always tend to see the regulatory winds come to credit unions later than banks, so given the past decade of very intense, almost punitive regulation of this topic with banks, it doesn't surprise me that it's arriving at this point now with credit unions," he said. "I can't fault [FinCEN] for looking to see if some of the smaller, less sophisticated credit unions might have found a business niche that has long been seen as high risk on the banking side."
The larger concern, he said, is the potential for an industry-wide over-correction, despite the fact that the report concerned less than 1% of all credit unions.
While NCUA has said it does not plan to change any of its supervisory policies as a result of this, Williams and others said it's natural to expect NCUA and state examiners to peer a bit more closely on the next round of examinations.
"I would expect [additional scrutiny] is going to occur," said Williams. "What I worry about is an overreaction. I've always felt the bank scrutiny was fairly rigorous, because they grew up in business banking and commercial accounts. As credit unions get into business banking, they can expect more scrutiny here."
When it comes to how to bone up in advance of that scrutiny, Andrew Davies, business development manager in the financial crime and risk management division at Fiserv, said the process starts with making sure an AML program in place.
"If there's a perceived risk associated with a particular market segment, there may be a de facto increase in the regulatory burden through examination," he said. "Make sure you're secure, have all of the processes and tools in place, and that you can react to requests for data and insights into specific customer segments." While Davies declined to speculate on where NCUA might direct examiners to focus, he stressed that "as long as [credit unions] have a program in place and that program addresses all of the necessary risks of your credit union, I think you'll have a sound foundation to deal with any regulator, NCUA included."
But John ReVeal cautioned against purchasing AML policy and program documents from vendors as a quick fix.
"Every institution is different from its peers in terms of its customer base, how it takes on its customers — whether online or face-to-face, whether they have offices in high drug-trafficking areas, that sort of thing — and as a result, each institution's policies and programs need to take that into account," said ReVeal. "And vendor forms tend to be somewhat cookie-cutter if that's what they're using."
Cornerstone's Williams suggested those institutions relying on such systems make sure those programs can capture certain structures and see patterns over time in which multiple transactions might be related. "You have to make sure your systems providers have made the development around structuring," he said.
Secondly, credit unions need automated triggering for Suspicious Activity Reports and Currency Transaction Reports, along with training to ensure those reports are being filled out thoroughly and correctly enough for examiners.
ReVeal added that while credit unions may have scoffed at Operation Choke Point in the past when it was directed at banks, now might be a good time to take a second look at the Department of Justice's controversial project.
"I wouldn't suggest that Operation Choke Point is going to now turn to credit unions," he said, "but the underlying concerns FinCEN voiced, when you have the arrangement that you're processing for your members' customers — you need to know more about your members' customers than we have in years past."
Risks From Derisking
One thing that's harder for credit unions to protect against is the fallout from derisking at the big banks, which has sent many money services businesses — not all of them on the up and up — searching for a new financial home.
That puts credit unions — and particularly small credit unions that don't always have the same resources as their larger counterparts — at risk. Most analysts believe that the majority of the credit unions listed in the FinCEN report were small credit unions or community development CDCUs.
Cathie Mahon, president and CEO of the National Federation of Community Development CUs, said in a statement that the issues associated with serving MSBs are "no more pervasive among community development credit unions than other types of financial institutions." What's most important, she added, is "that institutions with appropriate compliance and risk-management programs are not prevented from serving low-income communities which would otherwise be without access to fair financial services."
According to Cornerstone's Williams, anyone entering the MSB arena needs to ensure that they have a focus on risk processes and controls.
"I think some of these folks are probably taking the time to build real niches and know the regulatory environment and the processes required to be in the niche," he said. "And others are probably too excited about the fact that they're gaining business customers but don't understand what's required to be in this space from a regulatory standpoint."
CUNA's Hampel said that derisking was only part of the reason behind banks getting out of the MSB space.
"The reason the banks got out of this was as much the fact that if there is going to be additional regulatory burden, the business wasn't big enough to muscle up for that regulatory burden the way they do on other things," he explained. "If it were a much larger business they would've put the money into dealing with the regulatory hassles."
The FI of Last Resort?
But is there a danger that as the for-profit banking sector sheds its MSB customers, they could be driving those clients to credit unions, making CUs, in effect, the financial institution of last resort for shady businesses?
"Some of these businesses are looking to move to places where they can get less attention," said ReVeal. "They can be friendly with the tellers and give them a false sense of confidence. We see this on the banking side: 'Oh, we know Bill, he's the guy who works down the street.' Large banks treat everyone suspiciously. Strangely enough, despite the notion of invisibility in crowds, you get more attention at large banks" because those institutions have the automated systems in place to detect when something is wrong.
Yet most sources who spoke to Credit Union Journal said it's unlikely that MSBs looking to cause trouble will flock to CUs. Even if they did, the general consensus was that credit unions are sophisticated enough and know their members well enough to identify those businesses and turn them away.
"I think it's somewhat arbitrary to say there's a weak link with respect to credit unions," said Fiserv's Davies, adding "criminals find the path of least resistance. It's unfair to say that's inevitably a credit union. It could be a small community bank or some other non-traditional financial services provider like some of the new payment services providers. It's not a pervasive industry issue with credit unions as such."
Geoff Bacino said that while credit unions may not end up as the lender of last resort, "they are probably further down the list of choices for somebody looking to do something in this line of work. If you're a money launderer, you'd probably much rather be with a big bank than you would a small credit union, but if the big bank is not going to take your business then you may have no choice but to approach a credit union."
