In preparation for a BSA review, Graham advised:

1. Document, document, document.

2. Prioritize issues and track resolution.

3. Think in cycles.

4. Foster communication between the credit union and its examiner.

5. Sign up for periodic e-mail alerts from

the agencies.

Going forward, examiners will expect greater attention from the board of directors on BSA issues; designated compliance officers; greater attention at account opening; regular screening of existing accounts and all transactions; and accurate, timely reporting,

Sharpe forecast. "I don't see how a financial institution can survive without an electronic screening system," he added.

Sharpe noted that a lot of the customer identification procedures currently in place would likely have raised red flags on the 9/11 hijackers' accounts. For example, accounts were opened in groups of two or three and addresses were not physical locations and the hijackers often used the same addresses, numerous cash withdrawals were made in small amounts, no payroll checks were deposited and normal living expenses were not incurred. "If an institution is not paying attention to the fundamentals…they're not going to pick up on this stuff," he said.

NCUA Vice Chairman Rodney Hood said he is taking seriously the comments from credit unions that NCUA BSA exams vary from region to region. He said the agency is striving for consistency in the exam process on all levels. One attendee suggested that NCUA set up regional meetings between examiners and credit unions to vet BSA issues in a venue other than the actual exam. Hood said the dialogue would make sense and said he would explore the opportunity. He also noted that vendors providing BSA compliance products and services may be engaged in those

meetings as well.

Hood also reminded attendees that NCUA has an ombudsman who can address credit union claims of inconsistent exams and encouraged credit unions to use that resource. As far as fears of BSA violations, Hood reminded credit unions to "document, document, document" and ensured them that NCUA is not taking a "gotcha" approach to BSA, but wants to help credit unions understand what is necessary for compliance. Hood also welcomed Treasury Secretary Henry Paulson's recent commitment to streamline BSA. He said NCUA would be active in that process.

Detecting Risk

On the surface, a high risk may not present itself as such, Verafin President/Co-Founder Jamie King said, which is why activity monitoring is crucial. Verafin is a software company specializing in anti-money laundering and fraud detection solutions.

Scoring a credit union's risk for BSA related concerns can be risk-focused when credit unions look at where they are located compared to high drug trafficking areas or the risk a member's business presents, for example. A more cash intensive business will likely earn a higher risk score. Further, electronic surveillance can also recognize red flags, like a sudden peak in account activity.

However, King stated that not all credit unions need software for this, particularly the smaller ones. And, he emphasized that simply having software in place is not going to solve your problems. "I don't feel software can make you compliant. Only you can make you compliant," he warned participants. Those red flags that may pop up

with software could be something or they could be nothing, but they "generally warrant

further review."

Wolters Kluwer Financial Intelligence Unit Senior Consultant Kevin Byrne added that regulators are looking for enterprise risk management characteristics with regard to a risk assessment. "You also want to focus on achieving enterprise-wide compliance objectives," he said. He added of a credit union's risk assessment, "This is a living document. You need to go in and assess it…as things change."

Constant reviewing and updating of the overall BSA compliance program is important too, Pennsylvania State Employees Credit Union Administrator of Corporate Compliance Arthur Dinger said. The credit union's board of directors must initially approve a policy, but it does not just sit on a shelf after that. The board must review it annually. Internal controls have to be put in place, a BSA officer must be designated, and monitoring must be on going, as well as employee training and independent testing.

At PSECU, he shared, the credit union's policy is written in the same format as all the others so it is easily recognizable and it is available to all employees on the credit union's intranet. All employees and the board receive training suitable to their responsibilities and are tested on it regularly, according to Dinger.

In addition, he said that the credit union should have a job description for the BSA officer that spells out their duties and credit unions should consider establishing a succession plan if that person leaves the credit union.

Dinger agreed with Byrne that an enterprise-wide approach to BSA policy should be taken and controls layered. He continued, "Well communicated policy and procedures are controls…a well trained and informed staff." If the staff does not know what they are supposed to be looking for they should not be chastised, Dinger, who started his credit union career as a teller, advocated. The person filling out the CTR or SAR should submit it to a supervisor who looks it over then sends it on to the BSA officer who also reviews it for completeness and accuracy.

Risky Business

Proper BSA compliance is a time consuming and costly process, but consider the alternative. Some of the bank BSA violations–and the major fines they carry–have made headlines in major media outlets. Charlotte Bahin, partner with Lord, Bissell & Brook LLP, noted that one of the first and most notable was at Riggs Bank right under Congress' nose in Washington, D.C., which was fined $25 million on top of having to go back a make corrections and limits were placed on activities that ultimately led to the bank's demise.

ABN AMRO was another she pointed to that was fined $80 million because some of its foreign

branches were not adhering to the policies and procedures in place.

The large banks have been the most cited publicly, but "that doesn't means you don't have to pay attention to them," Bahin warned her credit union audience. Credit unions can learn from the commonalities of their mistakes. Primarily, both of these banks and others were found to have weak management and board oversight, inadequate internal auditing, and non-compliance with the Office of Foreign Assets Control.

Again, she emphasized it is important for everyone from the board and senior management on down to take their BSA responsibilities seriously. "The important thing is you have to have a process and follow that process and make sure your staff is doing that as well," Bahin explained.

While no credit unions have as yet been hit with the mega-fines these institutions have since 9/11, there are other risks. First, Bahin noted, a $15 million credit union back in February has been asked to go back and file any Suspicious Activity Reports it had missed over the last seven years, which comes at an enormous cost and takes away from the actual business of the institution. There are also additional reputational and regulatory risks as well.

Once you find yourself in trouble, Greg Baldwin, a partner with Holland & Knight LLP, offered A Primer on What To Do and What Not to Do in Civil and Criminal Investigations. There are three different types of enforcement actions that can be taken against a financial institution for BSA noncompliance: regulatory, civil, and criminal. As part of its regular examination, NCUA looks at BSA compliance. If violations are found potential penalties can include cease and desist orders, removal of employees and directors, and monetary penalties reaching up to $1 million a day against a credit union and its officers and directors.

Following that can come civil enforcement, typically by FinCEN. "FinCEN doesn't have any agents. It is relying on your regulatory agency," Baldwin explained. This can include fines and civil forfeitures of property "involved in" or traceable to a violation.

Finally, there can be criminal enforcement by the Department of Justice for which there are two levels: a $250,000 fine and five years in prison or a

$500,000 fine and 10 years in prison, in

addition to civil forfeitures.

So if your credit union or staff is found in violation, Baldwin said, "For God's sake, take it seriously…you can get lambasted to the point you're put out of business."

Be realistic as well because it is not going away, he warned. Under a civil/regulatory investigation, look at the same areas, disclose the problems and explain how they will be resolved. Do not try to cover anything up, Baldwin advised. "Sooner or later, even a blind squirrel is going to find a nut," he said.

If things look like they are turning to a criminal investigation, be sure to hire outside counsel because otherwise an in-house attorney likely does not have the experience and attorney-client privilege could be taken away. Outside counsel should discover whether the credit union is the target, a subject of interest, or a witness. If the latter just fork over information, but credit unions should really gear up for either of the other two. He went through a laundry list of recommendations, but, in the end, the credit union has to be willing to discover the wrongdoing and deal with it, whether by disciplining or firing the employees involved or paying a fine.

Getting Results

A customer identification program was listed as a mandatory part of anti-money laundering efforts under the USA PATRIOT Act. Under 314(a) of the law, FinCEN sends a financial institution's point of contact a confidential list of information it is seeking on particular targets. The CIP had to include reasonable procedures for verifying a member's identity, maintaining records of how that was verified, and determining whether the person appears on any list of known or suspected terrorists. "FinCEN was given much greater authority than they ever have in the past," Fiserv VISION Assistant Vice President and Senior Compliance Product Manager Janae Abegglen commented.

This information sharing has resulted in 651 requests between November 2002 and May 2007, she said. These searches have involved 227 terrorism-related cases and 424 money laundering cases and covered 5,534 subjects of interest. This information has lead to 117 arrests and 12 convictions. Abegglen added that a total of $24.3 million in terrorist financing or laundered money has been located through this program alone.

Beyond sharing the information with the government, registered financial institutions are permitted to share information among themselves under section 314(b) of the law.

–[email protected]