Article

Building a credit union compliance program

Heightened Bank Secrecy Act scrutiny over large financial institutions has disrupted money-laundering logistics, redirecting criminal deposits into credit unions and smaller banks. For clandestine financial operatives, smaller institutions ensure lower visibility through reduced compliance supervision, fewer rules and obsolete regulatory technologies, or regtech. A confidential Financial Crimes Enforcement Network (FinCEN) report that leaked in 2015 reveals the scope of the problem, identifying 50 credit unions with elevated anti-money laundering (AML) risks [1].

The findings relied on pure data analysis and accused no credit union of criminality. Nevertheless, FinCEN assessed AML threats using statistically reliable techniques, identifying check-cashing companies and other money service businesses as a frequent credit union diligence challenge. Driving this trend is an enforcement regime pressuring large global banks to reject high-risk clients like money services businesses (MSBs) and foreign correspondent banks, because these customers have spawned more than $5 billion in Bank Secrecy Act (BSA) fines over the last seven years [2].

In turn, riskier clients are moving to credit unions willing to open their business accounts, in exchange for the higher fees these counterparties will pay for banking services. Specifically, check-cashing companies, remitters and currency exchange firms are attractive to credit unions because of the supplemental account maintenance fee that is standard for all MSB clientele. But in this regulatory era, credit unions will find that crime doesn't pay, irrespective of lucrative fee structures. Recent scandals that forced the 2015 closures of North Dade Community Development Federal Credit Union in Florida and Bethex Federal Credit Union in New York highlight the existential threat posed by MSB clients, in particular.

While the Consumer Financial Protection Bureau (CFPB), the supervisory agency tasked with overseeing credit unions, reserves examinations for lenders with a minimum of $10 billion in deposits, the Panama Papers have upped the ante for the whole sector. In response to the leak, FinCEN announced its BSA final rule last May, which now demands the identification of the ultimate beneficial owners for all customer accounts. With 50 credit unions on FinCEN's AML radar, this legislation is primed to have a ripple effect across the industry, further compounding their compliance burden.

In order to survive in an enforcement landscape increasingly holding smaller banks to the same standards as large institutions, credit unions must adopt new controls to confront evolving money-laundering logistics. Central to the creation of a best-in-class credit union compliance program are the following: the designation of chief risk officer; upgrading regtech assets, with a focus on MSB vetting and monitoring; ensuring policies are comprehensive; and taking corrective action ahead of regulatory notice. The following article will provide guidance on how credit unions should implement these best practices.

Elevated regulatory pressures are increasingly pushing credit unions to follow the lead of larger institutions and appoint a chief risk officer. Emblematic of this trend is Firstmark Credit Union, the fourth-largest credit union in San Antonio, Texas by deposits, which announced the hiring of its first chief risk officer in October of 2016 [3]. Domiciled within Bexar County, one of six jurisdictions targeted by FinCEN's July Geographical Targeting Order (GTO) tracking all-cash purchases of high-end real estate [4], the San Antonio-based CU has made a smart decision.

By designating a chief risk officer, credit unions achieve better organizational structure for compliance operations. This executive sets the tone for compliance from the top and provides a key organizational buffer between business operations and regulatory relations. Enhanced AML risks and regulatory scrutiny demand better organization, preparation and internal oversight from credit unions. A chief risk officer is crucial to the execution of these initiatives.

Because they are smaller and have traditionally operated with a lower risk profile, credit unions have viewed investment into modern data analytics systems as non-essential. But the proliferation of non-traditional financial services customers has overwhelmed antiquated and, at times, non-existent diligence controls and technology assets. With their heightened third-party and AML risks, MSBs in particular, have disrupted the old credit union compliance model. A modern regtech solution enables credit unions to improve the business intelligence and suspicious activity tracking capabilities that are essential for vetting and monitoring high-risk clients like MSBs.

MSBs can range from large international money transmitters to small businesses that offer financial services as a secondary component to their core business; for example, a grocery store that offers check cashing. But according to the National Credit Union Administration (NCUA), it is the large MSBs that present the "greatest off-balance-sheet risks by generating significant transaction volumes that could overwhelm smaller credit unions [5]." As a result, credit unions with only a few million dollars of deposits could end up processing MSB transactions numbering in the billions. The problem is that most credit unions, by design, lack the controls to manage high volumes of cash flows.

With weak vetting and monitoring systems to authenticate the legitimacy of counterparties, high transactional volumes inherently magnify the AML risks of large MSB clientele. Also, some MSBs may not properly identify their business type at the account-opening stage, adding another layer of complexity. A data-driven, investigative public-records tool can mitigate adverse selection during onboarding by optimizing customer identification; autonomously cross-referencing prospects with FinCEN's MSB registry; ensuring the MSB's good standing with state or local licensing requirements; and confirming their agent status. Credit unions should also invest in modern transaction-monitoring applications if they plan to service MSB customers that generate large transactional volumes, or those that operate internationally.

CU compliance teams must draft and enforce internal policies that reflect the regulatory standards delineated by the Consumer Financial Protection Bureau, National Credit Union Administration and FinCEN. Although current asset thresholds only mandate CFPB examinations for the five credit unions that have $10 billion or more in deposits, FinCEN's AML concerns demand a comprehensive response.

In light of the regulatory actions that dismantled North Dade Community Development Federal Credit Union and Bethel Federal Credit Union, credit unions should adopt formal AML programs. A formal AML program entails the designation of a chief compliance officer, reasonable policies and procedures, and timely currency transaction tracking and suspicious activity reporting functionalities. This paradigm shift demands the creation of a credit union compliance framework more advanced than the regulatory regime monitoring the industry.

In today's punitive regulatory regime, credit unions must self-report compliance failures before the regulators respond. Reluctance to do so could lead to disastrous consequences for both the organization and the risk management personnel it employs. Forcing accountability upon individuals is Deputy Attorney General Sally Yates' 2015 memo, which authorizes the criminal prosecution of noncompliant bank employees.

Although this guidance is more applicable to bad actors at large institutions, credit unions cannot be lulled into complacency. Key to identifying compliance missteps is a digitized record-keeping system that promotes accuracy and transparency for transactional and compliance incidents. An all-digital record-keeping framework enables authorized compliance personnel to intuitively review the history of every incident report and resolution, along with the metadata underlying each entry. Additionally, more organized and database-driven record-keeping assists regtech applications in their identification of suspicious account activity and clientele.

By implementing the best practices highlighted above, credit unions will mitigate the threat of operational disruption and criminal prosecution for their personnel. The reality is that, lacking Wall Street balance sheets of scale, most credit unions cannot afford the monetary penalties and operational interruptions wrought by a FinCEN enforcement action. Although the incoming administration of President-elect Donald Trump may usher in a new era of deregulation in financial services, AML will remain a top concern for the U.S. Treasury.

In the age of homegrown ISIS-funding networks and increasingly sophisticated transnational organized crime, credit unions represent a weak link in the AML chain. The key to more effective AML management is a modern investigative public-records tool that identifies tainted MSBs and other adverse counterparties before they compromise CU accounts. With 50 credit unions on FInCEN’s radar, the time to act is now.