“Bank Secrecy Act Compliance Management – The Basics”

First of all and let’s get this out of the way first: the Bank Secrecy Act isn’t going away.  Sorry to have to be the one who tells you this.  
Personally, I think the Bank Secrecy Act requirements will increase in scope and intensity.  So, now that this is out of the way, let’s see
how we manage this increasing regulatory burden effectively and realistically.

FinCEN or the Financial Crimes Enforcement Network is in charge of administering and enforcing the Bank Secrecy Act.  Through
the NCUA and the state regulatory agencies, the Bank Secrecy Act is enforced by FinCEN.  The NCUA and state regulatory agencies
have signed agreements with FinCEN to examine for Bank Secrecy Act compliance at the credit unions.  So I urge you to visit the
FinCEN website to keep up with what’s going on.  The website address is www.FinCEN.gov.

Because FinCEN, the NCUA, and state regulatory agencies have signed these agreements, that is why your regulatory examiner is
asking you all of these questions about the Bank Secrecy Act.  The NCUA has issued several Letters to Credit Unions far regarding
the Bank Secrecy Act.  I urge you to read these Letters for more information on what is required of your credit union.  Visit the NCUA
website at www.NCUA.gov and the Letters to Credit Unions link is on the left side of the web page.  The most recent and pertinent
Letters to Credit Unions are discussed below.  These Letters are what your regulatory examiner is reading, so you should read them
also!

As you well know, with compliance comes policy and procedures.  I often joke with my clients that “In the beginning was the Policy
Manual.”  You are required to have a Bank Secrecy Act Policy and provide for a Bank Secrecy Act Compliance Officer.  To implement
your Bank Secrecy Act Policy, written procedures are necessary.  The Board of Directors should approve the Policy and also
designate, by name, the BSA Compliance Officer in their Board minutes.  I also recommend the Board approve the Bank Secrecy Act
Policy on an annual basis.  Be proactive, don't avoid the Bank Secrecy Act!  I will discuss more about the Bank Secrecy Act Policy
below.

After the Bank Secrecy Act Policy is developed and approved by the Board of Directors, you will need documented, written procedures
to implement the Policy.  I strongly recommend you keep your Policy and procedures separate for two reasons:
1.        The compliance requirements are continually changing.  It is easier to update procedures than Policy.  Policy changes require
action by the Board of Directors while procedures can be changed without Board action.
2.        As your operations change your procedures will change.  Again, it is easier to change procedures than Policy.  As you add new
products, locations, staff, and operating procedures you can change just the Bank Secrecy Act procedures and not the Policy.

In developing your Bank Secrecy Act Policy, NCUA Letter to Credit Unions 03-CU-16 issued in October 2003, which is titled “Bank
Secrecy Act Compliance”, is your guiding document.  To summarize this NCUA Letter and what is required:

“Credit unions must establish and maintain a written compliance program for fulfilling the requirements of the Bank Secrecy Act that
includes at least:
  1. a system of internal controls
  2. designation of an individual to coordinate/monitor BSA compliance
  3. independent testing
  4. training of appropriate personnel.
  5. In addition, an effective Bank Secrecy Act compliance program should include written policies and procedures designed to
    detect and prevent money laundering activities.

Failure to comply with the requirements of Bank Secrecy Act and its implementing regulations can result in both civil and criminal
penalties.”

This is where you start with your credit unions’ compliance with the Bank Secrecy Act.  Your Bank Secrecy Act Policy must include the
first four (4) requirements and components.

Part 748 of the NCUA Rules & Regulations briefly addresses the Bank Secrecy Act.  Basically Part 748 states that the credit union
should “establish and maintain procedures reasonably designed to assure and monitor compliance” with the Bank Secrecy Act.  Part
748 also lists the four components of a Bank Secrecy Act Compliance Program, previously noted above in NCUA Letter to Credit
Unions 03-CU-16.

The fifth requirement regarding anti money laundering, or AML, is a subject in itself.  The NCUA has issued Letter to Credit Unions 05-
CU-09 in June 2005, titled “Bank Secrecy Act Compliance – Frequently Asked Questions and Answers”, which deals specifically with
detection and prevention of money laundering and terrorist financing.  An anti money laundering (AML) program will be addressed
separately on this website.

I should also mention that on June 30, 2005 the FFIEC, and in particular the NCUA, issued a Bank Secrecy Act / Anti Money
Laundering  Examination Manual.  This is a large document (300+ pages!) which is also a subject in itself.  I will address this
examination manual in a separate writing.  Visit the FFIEC website to download this document: www.FFIEC.gov.

In October, 2005 the NCUA issued Letter to Credit Unions 05-CU-16, "Bank Secrecy Act Compliance".  This Letter included
commentary and one enclosure:
  • Reiterates the FFIEC June, 2005 release of the "Bank Secrecy Act / Anti Money Laundering Examination Manual"
  • Written risk assessment advised
  • Required validation of internal controls by independent testing
  • Required monitoring for suspicious activity
  • Examiner ARIES BSA Questionnaire (updated to reflect agreed-upon procedures contained in the FFIEC BSA/AML Manual)

The written procedures to implement your Bank Secrecy Act Policy are also a subject in itself.  Volumes of commentary have been
written about the specific procedures necessary, depending on the size and complexity of the credit union operations.

In addition to written procedures a risk assessment should be performed by the credit union.  There are several risk assessment
forms available, your regulatory examiner may be able to provide one for you to utilize.  My clients received a risk assessment form
from me as part of my value-added service.

I hope this brief outline on Bank Secrecy Act helps you get an idea of what is required to get started.  The complexity of your
requirements to comply with the Bank Secrecy Act is not going to get easier.  Please feel free to contact me if you have any questions
and/or would like to receive a risk assessment worksheet.

Below is a list of Bank Secrecy Act regulatory guidance and pronouncements for further research and your reference.
Bank Secrecy Act Regulatory Guidance & Pronouncements


Financial Crimes Enforcement Network
www.FinCEN.gov

FinCEN administers the Bank Secrecy Act (including USA Patriot Act) on behalf of the Department of the Treasury
The SAR Activity Review: Trends, Tips, & Issues
Other FinCEN rulings & guidance is on their website


Federal Financial Institutions Examination Council
www.FFIEC.gov

Bank Secrecy Act / Anti-Money Laundering Examination Manual
June 2005


National Credit Union Administration
www.NCUA.gov

NCUA Regulation 748.2
"Bank Secrecy Act compliance programs and procedures"

Letter to Credit Unions 05-CU-16
October 2005
"Bank Secrecy Act Compliance"
Reiterates FFIEC Bank Secrecy Act / Anti-Money Laundering Examination Manual
ARIES Bank Secrecy Act Questionnaire (supersedes Letter 03-CU-16 Questionnaire)

Letter to Credit Unions 05-CU-09
June 2005
"Bank Secrecy Act Compliance"
Frequently Asked Questions and Answers
Anti-Money Laundering Compliance

Regulatory Alert 05-RA-06
September 2005
"The Bank Secrecy Act and Hurricane Katrina Victims"
Frequently Asked Questions and Answers"

Regulatory Alert 05-RA-05
May 2005
"USA Patriot Act Section 326: FAQs for Customer Identification Program (CIP)"
Final CIP Rule

Letter to Credit Unions 04-CU-03
March 2004
"Suspicious Activity Reports"
Suspicious Activity Report Form and Instructions

Regulatory Alert 04-RA-04
February 2004
"USA Patriot Act Section 326: FAQs for Customer Identification Program (CIP)
Final CIP Rule

Letter to Credit Unions 03-CU-16
October 2003
"Bank Secrecy Act Compliance"
Compliance Self-Assessment Guide, includes:
BSA Review Considerations
BSA Checklist
BSA Definitions
BSA Questionnaire (superseded by Letter 05-CU-16)

Regulatory Alert 03-RA-07
May 2003
"Final Patriot Act Regulations on Customer (Member) Identification"
FinCEN 314(a) Requests

Letter to Credit Unions 02-CU-14
September 2002
"Financial Action Task Force on Money Laundering"
Guidance for Financial Institutions in Detecting Terrorist Financing

Regulatory Alert 02-RA-04
June 2002
"Anti-Money Laundering Programs Interim Final Rule Published by FinCEN"


Financial Action Task Force
FATF
An inter-governmental body whose purpose is the development and  promotion of national and international policies to combat
money laundering and terrorist financing.
Financial Controls Online Audio Services
Listen to Dave Dyer speak about emerging credit union compliance issues, including the Bank Secrecy Act
Go to the Online Audio page or click here
View a Directory of this website!
Credit Union Services
Financial Controls, Inc.
Bank Secrecy Act