FinCEN Adds Fifth BSA Compliance “Pillar”

The U.S. Department of the Treasury’s Financial Crimes Enforcement Network issued a final rule in 2016 that imposed new requirements for identifying and verifying beneficial owners of legal-entity customers. This new rule, amending the Bank Secrecy Act, became effective in July 2016, and all federally insured credit unions must comply fully by May 11, 2018.

This revised rule adds a fifth core element to the original four core elements of an effective BSA and anti-money laundering compliance program. These core elements are often referred to as the “pillars.” For a credit union’s BSA/AML program to be considered effective, it must provide—at a minimum—for the following:

  • A system of internal controls to ensure ongoing compliance;
  • Independent testing of BSA/AML compliance;
  • The designation of an individual responsible for day-to-day compliance; and
  • Training for appropriate personnel.

Under the new rule, a credit union’s program must now include these four core elements plus the new, fifth core element noted below:

  • Risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:
    • Understanding the nature and purpose of customer relationships for the purpose of developing a customerrisk profile; and
    • Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

Going forward, federally insured credit unions will be required to maintain written compliance procedures that are reasonably designed to identify and verify the beneficial owners of legal-entity customers or members. To comply with these requirements, credit unions will need to make changes to their policies, processes, record-retention practices, information technology systems, employee training and other aspects of their BSA/AML compliance programs.

Even though FinCEN is providing a two-year implementation period, credit unions should be preparing now. At a minimum, credit unions should be performing a business-impact and risk analysis now as a basis of their implementation plan.

For more information, refer to “Customer Due Diligence Requirements for Financial Institutions,” published in the Federal Register on May 11, 2016, and to FinCEN Guidance, FIN-2016-G003, “Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions.”