Everyone knows credit unions must conduct independent BSA testing every 12 to 18 months. A credit union must consider its own size, complexity, and controls to decide whether stretching out to 18 months makes sense. I recommend you also review the results of your last three or four years' tests to see whether you should tighten that window. One of the most common issues PolicyWorks sees when we conduct independent testing is repeat findings: year over year the same issues come up, and credit unions are not putting corrective action in place. If you see findings repeating themselves, take action and test again in 12 months to confirm the new or enhanced controls are actually working.
Waiting for the annual audit may be too late. We've compiled a list of the 10 most common findings from the independent testing we conducted here at PolicyWorks over the last 14 months. We understand that credit union managers wear many hats, so for each finding I've added a recommendation that I think is practical and executable. Putting these controls in place will help keep your credit union compliant and efficient.
- Finding: Credit unions do not properly identify when an MSB is part of their membership because their procedures don't treat an agent of an MSB as an MSB.
Recommendation: Review your procedures, update your member due diligence procedures to cover MSB agents, and train your employees. Depending on your size, this might take as little as one hour to fix.
- Finding: RSSD numbers (the filing institution identifier) are missing on CTRs and SARs.
Recommendation: Review your procedures, update your CTR and SAR procedures so the RSSD number is a required field, and train your employees. One more hour.
- Finding: Credit unions rely on a third party to conduct OFAC checks on non-members participating in a wire transaction, usually through a system interface that blocks the wire from processing if there's an OFAC hit. However, credit unions have not validated, or only periodically validate, that the control is actually working.
Recommendation: Periodically pull a sample of 10 wires and run the non-member parties through the OFAC sanctions list yourself. Keep a record of the sample, the date, the list version you screened against, and the results, and show it to your examiner. This will probably take 30 minutes.
- Finding: Policies refer to various procedures (e.g. identifying high risk members, OFAC screening of the membership), yet when we ask credit unions to produce those procedures, they don't have them.
Recommendation: Review your policies, make a list of the missing procedures, and then write them. Make sure you provide refresher training to employees. Some credit unions are small enough that they don't have robust written procedures. If that's the case, and you have no findings, then update your policy to remove references to procedures that don't exist. This will take some time, but is well worth it.
- Finding: Procedures describe how to identify high risk members, but there is no procedure for determining when a high risk member is no longer high risk and should be removed from enhanced monitoring.
Recommendation: Review your procedures and add steps for re-evaluating and removing high risk members when their risk profile no longer warrants it. This will save you time in the long run, and perhaps avoid an embarrassing conversation with a member that could have been prevented.
- Finding: The BSA policy says training takes place every year, but it really doesn't.
Recommendation: Training is critical to the success of any compliance program. Get training materials created (or purchase them), keep logs that identify when training took place and who received it, and make sure you include your Board of Directors.
- Finding: OFAC checks are not documented at new account opening, membership cards are missing ID information, or required fields just aren't completed.
Recommendation: Every month, pull 10 new accounts and verify that CIP procedures were followed and OFAC checks were completed and documented. Coach your employees to make sure they are following procedures. Keeping on top of this will help prevent concerns later.
- Finding: FinCEN 314(a) requests are not being reviewed, or if they are, no documentation is retained to support the credit union's actions.
Recommendation: Keep a record of each request, the date you searched your records, and the actions taken, including a note when there was no match.
- Finding: SARs are not being reported to the Board of Directors.
Recommendation: Report high level SAR information to the Board each month. The Board is ultimately responsible for ensuring BSA compliance, so make sure it is aware of SAR activity, or the lack of it.
- Finding: BSA policies have not been reviewed and approved by the Board every year.
Recommendation: Put a recurring task on your calendar so policies are reviewed, updated, and approved by the Board every year, and keep the Board minutes that document the approval.
The common theme across these recommendations is to build your foundation, monitor it, and document your actions. I know it may seem daunting, but I believe in the KISS method. If you are small, lean, and don't have IT folks at your beck and call to build cool systems and databases, then use a spreadsheet, delegate tasks so you can get things done faster, and inspect what you expect! When an independent auditor identifies issues, take action. PolicyWorks is here to help if you need it. Believe me, we love issuing a report with little to no findings.