“It is of great concern that North Dade failed to even review the 314(a) requests it received,” FinCEN Director Jennifer Shasky Calvery said in a press release.

FinCEN's 314(a) requests are posted on a secure website every two weeks and must be downloaded, with responses verified by the financial institution within a specified deadline, the agency said.

North Dade had 314(a) requests sent to a single email address accessed by only one person, making timely responses dependent on that person's availability, FinCEN said.

“These are time sensitive requests that, by their very nature, are intended to further criminal investigations into significant money laundering and terrorist financing activities,” Calvery said.

Second Mistake: Stepped Outside FOM

North Dade's authorized field of membership was limited to individuals and entities that live, work or worship in the North Dade County area.

Yet, the cooperative handled transactions for money services businesses in known high-risk areas such as Central America, the Middle East and Mexico.

“When a small institution opens its doors to the world, takes on greater risks than it can manage, and puts profits before AML controls, bad actors are bound to take advantage,” Calvery said.

“This case raises pretty obvious questions that no one seems to have asked: Why would MSBs located all over the world choose a small Florida credit union to conduct close to $2 billion in transactions?”

For example, during a one-year period, the small credit union handled hundreds of millions of dollars in wire transfers to foreign bank accounts of MSBs located in Mexico and Israel, and deposits in excess of $14 million in U.S. cash physically imported into the country on behalf of nearly 40 Mexican currency exchangers, the agency said.

Third Strike: Skimped on Compliance

The NCUA and U.S. Dept. of Treasury require federally-chartered cooperatives to implement AML programs. Credit unions are also required to designate a person responsible for ensuring day-to-day compliance, according to federal regulations.

At North Dade, no staff member was assigned to oversee compliance, FinCEN said.

The credit union could have easily avoided any problems, according to compliance experts.

“As flagged by FinCEN, North Dade should have designated a person responsible to oversee BSA compliance,” attorney Martin Kenney, an anti-money laundering expert, said. “However you first have to have compliance to oversee.”

“By all accounts, in this case there was none,” he continued. “This sounds like a case of hear no evil, see no evil, or the ostrich sickness – sticking one's head in the sand.”

If a credit union is unable to appoint an staff member to oversee compliance, the institution's leaders should reach out and ask for help for their fellow credit unions or look for a shared resource person with compliance expertise, said Randy Thompson, CEO of TCT Risk Solutions, a balance sheet and risk management CUSO based in Eagle, Idaho.

Smaller credit unions like North Dade often have bigger challenges in achieving BSA compliance, Thompson said.

TCT Risk Solutions will launch a newCompliance Officer in a Box program next month, Thompson said.

Fourth Folly: Didn't Adequately Train Staff

Federally-chartered cooperatives are required to train staff on spotting suspicious transactions, but North Dade's five-person staff did not have sufficient resources or technical expertise to ensure compliance, FinCEN said.

Employees at North Dade did receive annual BSA training, but it was significantly deficient because it was not tailored for each department, and did not encompass all aspects of BSA, cover MSB compliance or ensure employees had access to current compliance rules and guidance, the agency said.

In addition, North Dade did not have any records of compliance materials for its board of directors as recommended by the Federal Financial Institutions Examination Council Manual.

Plus, the credit union did not obtain outside assistance or technical resources in a timely manner to compensate for its small staff, the agency said.

Fifth Failure: Lacked Risk Assessment

Even though independent audits in 2012 identified money laundering and terrorist financing risks at North Dade, the cooperative did not perform a risk assessment until November 2013, FinCEN said.

“When NCUA examiners requested a copy of North Dade's risk assessment for its Dec. 31, 2011 exam, they were provided with an outdated template from the 2006 Federal Financial Institutions Examination Council Manual, rather than an assessment of North Dade's particular risks,” the agency's penalty assessment said.

“A solid BSA program is a vital component of any financial institutions compliance related activities,”Jim Vilker, VP of professional services at CU*Answers, said. “A strong BSA program controls not only compliance risks but transactional and reputation risks as well. A well-executed BSA program is not difficult to establish, with the foundation being a risk assessment.”

“Financial institutions must show they understand the risks of money laundering and terrorist activity funding from both the members doing business with the credit union as well as the communities the credit union does business in,” Vilker said. “This risk assessment shoulders all other components of an appropriate BSA monitoring program including CIP, monitoring requirements, appropriate trainings, and outside audits to name a few.”

Sixth Sticky Situation: Inadequate Internal Controls

Until it instituted a new anti-money laundering policy in November 2013, North Dade lacked written procedures for important tasks, such as opening accounts for members who did not have a social security number, FinCEN said.

According to federal regulators, the most significant example of North Dade's failure to have adequate internal controls was its 2009 contract with a third-party vendor, an MSB that provided financial services to other high-risk MSBs, including check-cashing stores and currency exchangers.

“North Dade agreed to become the depository institution for the vendor's MSB clients, providing sub-accounts for each MSB to conduct deposits and transfer funds,” the agency said. “Under the contract, the vendor was North Dade's member and customer and the vendor's MSB clients were not. However, in practice, 56 of the Vendor's MSBs sub-accounts could receive financial services directly from North Dade.”

Although North Dade's own counsel cautioned the credit union it would still have anti-money laundering compliance responsibilities for the vendor's MSBs, the credit union relied on the vendor to conduct all related due diligence and suspicious activity monitoring without conducting any verification or inspection of the vendor's compliance activities.

Seventh FinCEN Sin: Didn't Know Its Customers

Credit unions are supposed to have a Customer Identification Programs (CIP) that are suitable for the size and scope of the business, but North Dade failed to verify customer identification information for many members, including MSBs, according to federal regulators.

Although the credit union's internal policy required each MSB to be properly registered with FinCEN and licensed with the state in which they conducted business, North Dade provided services to MSBs located in the Middle East that were not registered with FinCEN, the agency said.

In one case, an individual connected to more than 60% of the businesses banking with North Dade conducted 2,036 cash withdrawals from January 2010 and August 2013, but North Dade never identified the person as potentially high-risk or reviewed his activities, FinCEN said.

In order to monitor for suspicious activities, employees had to manually investigate accounts, but they lacked sufficient knowledge to do so properly, the agency said.

Eighth Mistake: Slow or No SARs

Between April 2010 and April 2013, North Dade filed only 15 Suspicious Activity Reports, according to FinCEN.

“The SARs were filed late and the narrative sections lacked essential information explaining why the suspicious activity was being reported,” the agency said. “Furthermore, North Dade failed to file SARs on customers engaged in suspicious activity, including a customer that was arrested and charged with conspiring to launder money.”

In one case, law enforcement seized more than $1.5 million dollars from an owner of an MSB who held an account at North Dade, yet the cooperative never filed a SAR, federal regulators said.

Ninth Naughty Move: Got Greedy

In 2013, the total transaction volume through North Dade by MSBs included $54.8 million in cash orders, $1.01 billion in outgoing wires, $5.3 million in returned checks, and $984.4 million in remote deposit capture, FinCEN said.

The MSB activity constituted 90% of North Dade's annual revenue in 2013, the agency said.

“This was not the expected business behavior of a small credit union like North Dade and led to substantial BSA compliance failures and violations,” FinCEN said.

The revenue generated by the questionable activity was vital to North Dade's survival, according to federal regulators.

“The substantial revenue generated by the Vendor's program appeared to outweigh any consideration by North Dade of associated risks and appropriate compliance measures,” FinCEN said. “For example, NCUA examined North Dade in 2010 and instructed the credit union to ensure that its MSB members all met field of membership requirements.”

But, by December 2012, North Dade had accounts for 56 different MSBs.

Tenth Mistake: No Independent Testing

A federally chartered credit union's anti-money laundering program must include independent compliance testing to monitor the institution's program and ensure its adequacy, according to FinCEN regulations.

NCUA recommends annual testing of a credit union's compliance program when it serves high-risk clients.

North Dade did not have its anti-money laundering program tested on a regular basis until NCUA cited this shortfall, a failure of particular concern for an entity, like North Dade, engaged in high-risk business lines, federal regulators said.

The cooperative began receiving independent audits in December 2011, but significant issues persisted almost two years later, FinCen said.