Dear Board of Directors:
Compliance with the Bank Secrecy Act (BSA) remains a mandatory area of review during examinations and a condition for continued federal deposit insurance through the National Credit Union Share Insurance Fund.
In June 2005, the National Credit Union Administration (NCUA), the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS) jointly issued examination procedures for evaluating compliance with BSA. These examination procedures are contained in the Federal Financial Institutions Examination Council Bank Secrecy Act /AntiMoney Laundering Examination Manual (FFIEC BSA/AML Manual).
The enclosed AIRES BSA questionnaire has been updated to reflect the agreed upon procedures contained in the FFIEC BSA/AML Manual. This questionnaire will be completed during all NCUA examinations started after September 30, 2005. The AIRES BSA questionnaire establishes a minimum standard for NCUA review of BSA compliance.
Credit unions will notice three significant changes from the prior version of the AIRES BSA questionnaire. The updated questionnaire includes questions about credit union risk assessment, independent testing of internal controls over BSA processes, and monitoring for suspicious activity. NCUA examiners will be looking closely at these areas of focus during their review of BSA compliance.
Areas of Focus: Risk Assessment, Independent Testing, and Monitoring
During the BSA examination process, examiners will evaluate the rationale underlying a decision to accept avoidable risk, the frequency and quality of independent testing, and the process of monitoring accounts and transactions for suspicious activity.
While there is no statutory requirement for a credit union to prepare a written risk assessment, it is the initial step in the development and approval of anti-money laundering policies and procedures. Before a board of directors can approve a BSA policy or set standards for the identification of members, decisions about risk are required.
By documenting these decisions in a written risk assessment, officials and credit union management will better understand areas of risk exposure, internal controls adopted to offset risk exposure, and decisions made to accept risk. The complexity and documentation associated with a credit union’s risk assessment should correspond to the extent of products and services offered.
Credit unions must perform periodic independent tests to validate internal controls over compliance with the Bank Secrecy Act. Independent testing is required by Section 748.2(c)(2) of the NCUA Rules and Regulations. Unless a credit union can demonstrate strong controls and limited risk exposure, NCUA expects independent testing to be conducted annually. Additional guidance concerning independent testing is provided in Letter to Credit Unions, 05-CU-09, Bank Secrecy Act Compliance, published in June 2005. A copy is available on NCUA’s web site at: http://www.ncua.gov/Resources/Documents/LCU2005-09.pdf
Monitoring for Suspicious Activity
Credit unions must establish systems to identify suspicious transactions and to monitor accounts for suspicious activity, including structuring. In July 2005, the Financial Crimes Enforcement Network (FinCEN) published FinCEN Ruling 2005-06, Suspicious Activity Reporting (Structuring). This ruling clarifies that credit unions must have systems in place to identify transactions and accounts that appear suspicious. A copy of the ruling is available on FinCEN’s web site at: http://www.fincen.gov/fincenruling2005-6.pdf (opens new window)
NCUA will expect to see identification and monitoring systems commensurate with credit union resources, product breadth, and services offered.
To support credit unions in better understanding their BSA responsibilities, NCUA has made a special effort to communicate about the importance of the BSA and agency expectations for compliance.
- Participated in development of the FFIEC BSA/AML Manual. An electronic copy of the manual is available at: http://www.ncua.gov/Legal/BSA/Pages/BSAResources.aspx
- Engaged in outreach to credit unions through free Credit Union Conferences hosted by the NCUA Office of Small Credit Union Initiatives. A list of upcoming conferences is available at: http://www.ncua.gov/Resources/CUs/Dev/Pages/CUDev.aspx
- Coordinated with credit union leagues, chapters, and trade groups
- Published written guidance addressing BSA compliance, including Regulatory Alerts and Letters to Credit Unions. This guidance is available on the NCUA web site, http://www.ncua.gov/
- Updated the AIRES questionnaire used by NCUA to assist in evaluating compliance with BSA. The enclosed BSA questionnaire incorporates material from the FFIEC BSA/AML Manual. An electronic copy of the questionnaire is available on the NCUA website at: http://www.ncua.gov/Resources/CUs/Pages/AIRES.aspx
If you have questions regarding the enclosed questionnaire or compliance with BSA, please contact your district examiner, regional office, or state supervisory authority.