Reporting and Recordkeeping
Examiners assess the credit union’s compliance with BSA regulatory requirements and the effectiveness of internal controls through risk-focused review and testing of the following areas.
Suspicious Activity Reporting
A credit union must file a SAR electronically through FinCEN’s BSA E-Filing system within 30 days of the date of detection (if no suspect can be identified, the period for filing a SAR is extended to 60 days). The date of detection is not always the transaction date. For automated alerts, the date of detection can be the date the alert was reviewed, or it could be the date the investigation was completed. Credit unions are required by NCUA regulation § 748.1(d)(1), Reportable activity, to file a SAR for:
- Criminal violations involving insider abuse in any amount
- Criminal violations aggregating $5,000 or more when a suspect can be identified
- Criminal violations aggregating $25,000 or more regardless of potential suspect
- Transactions conducted or attempted by, at, or through the credit union and aggregating $5,000 or more, if the credit union knows, suspects, or has reason to suspect that the transaction:
  - may involve any known or suspected federal criminal violation
  - is designed to evade the BSA or its implementing regulations
  - has no business or apparent lawful purpose or is not the type of transaction that the member would normally be expected to engage in, and the credit union knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction
Suspicious activity detection and monitoring is a critical component of any AML/CFT program. Under FinCEN regulation § 1020.210(a)(2)(v)(B), credit unions must monitor transactions for suspicious activity in all products and services. A transaction is defined as:
- A deposit
- A withdrawal
- A transfer between accounts
- An exchange of currency
- An extension of credit
- A purchase or sale of any stock, bond, certificate of deposit, monetary instrument, or investment security
- Any other payment, transfer, or delivery by, through, or to a credit union
SAR requirements also apply to transactions conducted through a shared branch network. A shared branch network agreement generally defines what information a credit union will share within the shared branch network regarding suspicious activity; however, the credit union that houses the account is ultimately responsible for reporting any suspicious activity. If a credit union participates in a shared branch network, examiners review shared branching reports to confirm the credit union is monitoring the transactions for suspicious activity and filing SARs and CTRs when appropriate.
The sophistication of monitoring systems can vary between credit unions. Monitoring programs may be manual, automated, or a combination of the two, and a credit union following best practices will document these procedures. Under NCUA regulation § 748.2(c)(4), credit union staff must have appropriate training on, and knowledge of, suspicious activity red flags, BSA reporting requirements, and the credit union’s own monitoring procedures.
NCUA regulation § 748.2(c)(4) requires senior management to promptly notify the board of directors or designated committee when a SAR is filed. The regulations do not mandate a notification format, which allows senior management flexibility in structuring this report. However, identifying details are generally excluded from the report due to the SAR confidentiality requirements under NCUA regulation § 748.1(d)(5), Confidentiality of reports. For more information about SAR confidentiality, see FinCEN Advisory FIN-2012-A002.
An examiner can review board packages and minutes (including those of a designated committee) to confirm that this reporting requirement is being met.
A credit union following best practices will document the due diligence performed to determine if transactions are suspicious and the rationale for not filing a SAR, when applicable. Examiners evaluate the effectiveness and sufficiency of the credit union’s suspicious activity monitoring program through a review of procedures and due diligence documentation. Examiners determine whether the credit union's policies and procedures address:
- Documenting decisions not to file a SAR
- Escalating issues identified as the result of repeat SAR filings on accounts
- Determining when an account will be evaluated for possible closure due to continuing suspicious activity
- Completing, filing, and retaining SARs and their supporting documentation
- Reporting SARs to the board of directors, or a designated committee, and informing senior management
- Sharing SARs with head offices and controlling companies, as necessary
When evaluating the effectiveness of the credit union’s monitoring systems, examiners consider the credit union’s overall risk profile (higher-risk products, services, customers, and geographic locations), volume of transactions, and adequacy of staffing. Examiners may also perform transaction testing or other analytical reviews to assist with this evaluation.
For more information, see the Suspicious Activity Reporting section, Appendix L, and Appendix S of the FFIEC BSA/AML Examination Manual, and the FinCEN SAR Filing Instructions.
Currency Transaction Reporting and Exemptions
Under FinCEN regulation § 1010.311, Filing obligations for reports of transactions in currency, all credit unions must file a CTR if total currency transactions in or total currency transactions out conducted by, or on behalf of, the same person exceed $10,000 in one day. Every credit union must file CTRs either discretely (one at a time) or through batch filing through FinCEN’s E-Filing system within 15 days of the transaction, per FinCEN regulation § 1010.306(a)(1).
Currency is defined as the coin and paper money of the United States or of any other country if it is used and accepted as a medium of exchange in the country of issue. A currency transaction is any transaction involving the physical transfer of currency from one person to another and covers deposits, withdrawals, exchanges, or transfers of currency or other payments.
Examiners may compare a sample of system reports from the data processor to the list of CTRs filed with FinCEN to confirm if the credit union is properly aggregating cash transactions and reporting them within the 15-day timeframe, per FinCEN regulation § 1010.313, Aggregation. Ideally, the system report will include cash from all sources, including ATM transactions, debit card cash back, credit card cash advances, and coin machines.
CTR requirements also apply to applicable transactions conducted through a shared branch network. A shared branch network agreement generally defines which credit union is contractually responsible for filing the CTR; however, the credit union that houses the account is ultimately responsible for ensuring that a CTR is filed when required.
Credit unions can exempt certain business accounts from CTR reporting by filing a DOEP with FinCEN. Credit unions designate exempt accounts as either a Phase 1 Exemption or a Phase 2 Exemption. Phase 1 Exemptions include public companies, banks, government agencies, and subsidiaries of public companies. Phase 2 Exemptions include non-listed businesses, payroll customers routinely conducting transactions over $10,000, and payroll customers routinely withdrawing over $10,000 to pay employees of US companies.
Examiners determine whether credit unions are accurately identifying exempt accounts as either Phase 1 or Phase 2. For more information, refer to FinCEN Regulation § 1020.315(b), Exempt Person. Examiners can request this list from the credit union or their regional DOS. Credit unions must review DOEPs annually to determine if the member still qualifies for an exemption and if the transaction activity matches the volume of transactions expected from the member, per FinCEN regulation § 1020.315, Transactions of exempt persons.
A DOEP does not exempt a credit union from monitoring an account for suspicious activity or filing a SAR if the activity deviates from the expected transaction types and volume. Examiners may review a sample of exempt accounts to evaluate the credit union’s processes for exempting accounts and confirm that management monitors these accounts for suspicious activity.
Examiners assess the adequacy of the credit union’s internal controls over reporting currency transactions. Specifically, examiners determine whether these internal controls are designed to mitigate and manage ML/TF and other illicit financial activity risks, and to ensure that the credit union complies with CTR requirements.
Examiners may review correspondence from FinCEN’s BSA E-Filing System as well as other information, such as recent independent testing or audit reports, to aid in their assessment of the credit union’s internal controls over the reporting of currency transactions. When reviewing the credit union’s reporting of currency transactions, examiners may also consider general internal controls concepts such as dual controls, segregation of duties, and management approval for certain actions.
For more information, see the Currency Transaction Reporting and Transactions of Exempt Persons sections of the FFIEC BSA/AML Examination Manual and FinCEN’s CTR Filing Instructions.
Information Sharing
314(a) Searches
In conjunction with § 314(a) of the USA PATRIOT Act, FinCEN established the 314(a) program (FinCEN regulation § 1010.520, Information sharing between government agencies and financial institutions), which requires credit unions to search their records to identify if they have information on a particular subject. FinCEN receives requests from law enforcement and, upon review, sends notifications to credit unions’ designated point(s) of contact once every two weeks, though this can be more frequent if an emergency request is transmitted.
FinCEN posts § 314(a) subject lists through its web-based 314(a) Financial Industry Portal. The requests contain subject and business names, addresses, and as much identifying data as possible to assist financial institutions with searching their records.
The designated points of contact are the individuals listed as Patriot Act Contacts in each credit union’s CUOnline Profile. These contacts can access the current § 314(a) subjects list (and one before) and download the files in various formats for searching. As required by FinCEN regulation § 1010.520(b)(3)(i), Record search, credit unions must query their records for data matches, including accounts maintained by the named subject during the preceding 12 months and transactions conducted within the last 6 months.
Credit unions have two weeks from the posting date of the request to respond through the Financial Industry Portal with any positive matches, per FinCEN regulation § 1010.520(b)(3)(ii), Report to FinCEN. If the search does not uncover any matching of accounts or transactions, the credit union is instructed not to reply to the 314(a) request. A credit union cannot disclose to any person, other than to FinCEN, NCUA, or the law enforcement agency on whose behalf FinCEN is requesting information, the fact that FinCEN has requested or obtained information.
If performing testing or other analytical reviews in this area, examiners may analyze documentation to verify that the credit union completes these reviews within 14 days and that any matches are reported promptly to FinCEN. A credit union may provide the 314(a) subject lists to a third-party service provider or vendor to perform or facilitate record searches if the formal agreement between the credit union and the third party includes a requirement to protect the integrity and confidentiality of the information.
If a credit union fails to perform or complete searches on one or more information requests received during the previous 12 months, it must immediately obtain these requests from FinCEN and perform a retroactive search of its records.
Examiners will verify that the credit union is receiving section 314(a) requests from FinCEN on a bi-weekly basis. Examiners will determine whether the credit union has sufficient policies and procedures to comply with regulatory requirements. At a minimum, procedures that follow best practices:
- Designate a point of contact for receiving information requests
- Safeguard the confidentiality of requested information
- Establish a process for responding to FinCEN’s requests
- Establish criteria for determining when to file a SAR
For more information, see the Information Sharing section of the FFIEC BSA/AML Examination Manual and FinCEN’s 314(a) site.
314(b) – Voluntary Information Sharing
The USA PATRIOT Act § 314(b) (FinCEN regulation § 1010.540, Voluntary information sharing among financial institutions) encourages credit unions to voluntarily share information to better identify and report potential ML/TF activities. Specifically, § 314(b) provides protection from civil liability. This “safe harbor” is obtained when a credit union or an association of financial institutions notifies FinCEN of its intent to engage in information sharing and confirms that it has established and will maintain adequate procedures to protect the security and confidentiality of the information. Failure to comply with the requirements of § 314(b) will result in the loss of safe harbor protection for information sharing and may result in a violation of privacy laws or of other laws and regulations.
If a credit union participates in § 314(b) information sharing, examiners review the annual registration with FinCEN and the credit union’s policies and procedures for sharing and receiving information.
For more information, see the Information Sharing section of the FFIEC BSA/AML Examination Manual and FinCEN’s Section 314(b) Fact Sheet.
Purchase and Sale of Monetary Instruments Recordkeeping
Monetary instruments are teller or credit union checks, cashier’s checks, money orders, gift cards, and traveler’s checks. These instruments can be used in the structuring or layering stages of money laundering. Accordingly, FinCEN regulation § 1010.415, Purchases of bank checks and drafts, cashier's checks, money orders and traveler's checks, requires credit unions to verify the identity of purchasers of monetary instruments in currency between $3,000 and $10,000, inclusive, and maintain records of the sales. Reviewing these records can help to identify frequent purchasers, common payees, and other commonalities indicative of reportable suspicious activity.
Some credit unions keep a physical monetary instrument log; however, the BSA does not require a specific type of log. Monetary instrument sales records can be maintained in the data processing system if all the information is captured and can be retrieved upon request. Many data processing systems have automated reports for monetary instrument sales purchased with cash. However, relevant transactions may not appear on these reports if a credit union requires members to deposit cash into their accounts before purchasing a monetary instrument. Written procedures or interviews with management are good ways to determine how a credit union processes monetary instrument sales.
A credit union can verify the identity of the purchaser using information in the data processing system if the purchaser is a member of the credit union. The monetary instrument sales record must contain the information outlined in FinCEN regulation § 1010.415(a).
- Name of the purchaser
- Date of purchase
- Type of instrument(s) purchased
- Serial number of each instrument purchased
- Dollar amount of each instrument purchased
- Verification information (for example, a signature card or driver’s license)
If the credit union sells monetary instruments to nonmembers, either through the credit union or through a shared branch network, then it must obtain and record the additional information required by FinCEN regulation § 1010.415(a)(2).
Examiners determine:
- The adequacy of the credit union’s policies and procedures (internal controls) related to the purchase and sale of certain monetary instruments
- Whether the internal controls are designed to mitigate and manage ML/TF and other illicit financial activity risks, and comply with recordkeeping requirements
- Whether the credit union’s internal controls are commensurate with its risk profile
Examiners also consider general internal controls concepts, such as dual controls, segregation of duties, and management approval for certain actions as they relate to the purchase and sale of certain monetary instruments.
For more information, see the Purchase and Sale of Monetary Instruments Recordkeeping section of the FFIEC BSA/AML Examination Manual.
Funds Transfer Recordkeeping
Funds transfer recordkeeping requirements set forth in FinCEN regulation § 1010.410, Records to be made and retained by financial institutions, require credit unions to collect and retain certain information on funds transfers of $3,000 or more in currency.
For each payment order in the amount of $3,000 or more that a credit union accepts, it must obtain and retain the records listed below, as required by FinCEN regulation § 1010.410(e)(1)(i).
- Name and address of the originator
- Amount of the payment order
- Date of the payment order
- Any payment instructions
- Identity of the beneficiary’s institution
- As many of the following items as are received with the payment order:
  - Name and address of the beneficiary
  - Account number of the beneficiary
  - Any other specific identifier of the beneficiary
If this area is selected for transaction testing or other analytical reviews, examiners may verify whether the credit union:
- Obtains and maintains appropriate records for compliance with FinCEN regulation § 1020.410(a)
- Transmits payment information as required by FinCEN regulation § (missing or bad snippet) otherwise known as the “Travel Rule”
- Files CTRs when currency is received or dispersed in a funds transfer that exceeds $10,000 per FinCEN regulation § 1010.311, Filing obligations for reports of transactions in currency
For more information, see the Funds Transfer Recordkeeping section of the FFIEC BSA/AML Examination Manual.
Other Complex Bank Secrecy Act Issues
Examiners may refer to the FFIEC BSA/AML Examination Manual if the credit union has added BSA complexity or offers complex products or services, such as payable through accounts, foreign correspondent banking services, private banking services, or international transportation of currency.
Review Bank Secrecy Act Violation Reporting
NCUA policy requires examiners to complete the CCV in the Issue Details Form within MERIT when a BSA violation is identified. BSA violations are categorized as significant or non-significant. For more information on BSA violation reporting requirements, see the
Office of Foreign Assets Control
OFAC is a financial intelligence and enforcement agency within the U.S. Treasury. This agency administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against:
- Targeted foreign countries and regimes
- Terrorists
- International narcotics traffickers
- Those engaged in activities related to the proliferation of weapons of mass destruction
- Any other threats to the national security, foreign policy, or the economy of the United States
All U.S. persons, including U.S. financial institutions and nonbank subsidiaries, must comply with OFAC regulations §§ 501.603, Reports on blocked and unblocked property, and 501.604, Reports on rejected transactions. The OFAC regulations require credit unions to:
- Block accounts and other property of specified countries, entities, and individuals
- Prohibit or reject unlicensed trade and financial transactions with specified countries, entities, and individuals
OFAC has the authority to impose significant fines on credit unions for noncompliance. While not required by specific regulation, as a matter of sound business practice and to mitigate the risk of OFAC noncompliance, credit unions should establish and maintain an OFAC compliance program.
An effective OFAC compliance program includes:
- OFAC risk assessment
- Internal controls
- Independent testing
- Responsible individual
- Training
Although OFAC regulations do not fall under the scope of the BSA or AML laws, evaluating OFAC compliance is frequently included with AML/CFT program reviews. Examiners evaluate the credit union’s risk-based OFAC compliance program to determine whether it is appropriate for the credit union’s OFAC risk, taking into consideration products, services, members (including legal entity members), and geographic locations.
Information about OFAC can be found on the U.S. Department of the Treasury’s website, including current sanctions programs.
For more information, see the Office of Foreign Assets Control section of the FFIEC BSA/AML Examination Manual.
Last updated on August 19, 2024