AML compliance for credit unions: A comprehensive guide

Credit unions’ operations put them in a similar financial crime risk category as banks. It is therefore of utmost importance that these firms fully understand their risks and associated obligations for anti-money laundering and counter-terrorist financing (AML/CFT) under federal law. But these obligations can be overwhelming, and some firms may be unsure what regulatory category their firm falls into for compliance purposes. Beyond this, it can be hard to know where to start in evaluating whether a firm’s processes effectively manage its financial crime risks. This guide will help credit unions understand their core requirements and offer key AML/CFT resources for establishing an effective program.

The main AML regulations and regulators for credit unions

Generally, credit unions fall under the same AML/CFT regulations as banks. There are also specific resources and agencies dedicated to providing guidance and oversight to credit unions.

AML regulators for credit unions

The National Credit Union Administration (NCUA) supervises credit unions and their AML/CFT programs. The agency has multiple functions, including ensuring compliance with the Bank Secrecy Act (BSA). 

However, as the NCUA makes clear, credit unions are subject to laws and statements issued by multiple other agencies. Several key bodies issue relevant regulations and guidance:

• The Financial Crimes Enforcement Network (FinCEN) – Under the USA PATRIOT Act of 2001, this bureau of the US Treasury has the authority to enforce compliance with the BSA. According to the NCUA, credit unions are included in FinCEN and Treasury AML regulations for banks. FinCEN also releases regular guidance and notices containing important information for regulated institutions.
• Federal Financial Institutions Examination Council (FFIEC) Agencies – According to the NCUA, joint statements by member agencies use the terms “bank” and “credit union” interchangeably. Therefore, any joint statements on AML/CFT requirements for one should be taken to apply to the other, too.
• The Securities and Exchange Commission (SEC) – The SEC regulates AML reporting requirements, which the NCUA implements in its Rule 748.

The NCUA exercises AML/CFT oversight in line with 12 USC 1786(q)(2), which requires it to review federally insured credit unions’ BSA compliance programs. It also provides guidance and resources to help firms comply with these requirements.

Credit unions and AML regulations

In the US, credit unions are subject to several key AML/CFT regulations:

• The PATRIOT Act – The act lays out important anti-terrorism and money laundering requirements for financial institutions. Among these, it requires firms, including credit unions, to establish a customer identification program (CIP). This requirement is implemented in joint regulation 31 C.F.R. § 103.121. FinCEN also issued a rule in 2016 extending PATRIOT Act AML program requirements to non-federally insured credit unions, private banks, and other banks lacking a federal functional regulator. 
• The BSA – Under this act, credit unions are considered “banks,” – critical given the BSA’s centrality in US AML/CFT regulations. This means credit unions need to be as familiar with its requirements as traditional banks do. The next section will consider key credit union AML compliance requirements under the act.
• FinCEN AML regulations – According to the NCUA, all FinCEN and Treasury AML regulations for banks implicitly include credit unions in their scope. It’s crucial that credit unions study these regulations to fully understand their AML/CFT compliance requirements.
• The Anti-Money Laundering Act (AMLA) – This act requires credit unions to comply with FinCEN AML/CFT priorities. 
• NCUA Rule 748 – This rule lays out key features of a BSA-compliant program in credit unions. While this is a crucial reference for NCUA expectations, it does not entail any exemption from the government’s more general AML/CFT requirements for banks. Rather, it serves as a focused application of those requirements, to which the rule answers.

Key AML requirements for credit unions

While regulators do not dictate specific tactics for executing AML/CFT due diligence, they do require firms’ programs to provide for customer due diligence (CDD), internal controls and independent testing, a designated AML compliance officer, and adequate personnel training.

A helpful overview of these requirements and connected best practices can be found in the FFIEC BSA/AML Examination Manual. Several key features are discussed below.

Risk assessment

Risk assessments are not specifically required from a legal standpoint, but they are indispensable for any truly risk-based program. The FFIEC describes a sound AML risk assessment as providing several key benefits. This includes:

• Understanding a firm’s risk profile – Firms can only address their risks effectively if they first understand them. An accurate and comprehensive risk analysis provides crucial information, without which a firm cannot conduct effective risk management.
• Identifying program gaps – Regularly-renewed risk assessments can help firms assess their existing program against real risks, closing any gaps.

To effectively accomplish these goals, a firm’s risk assessment should identify financial crime risks specific to its operations. These can vary widely between firms based on their unique products and services, their clientele demographics, the jurisdictions within which they operate, and the geographic locations where their clients do business. Despite this variability, accurate risk categories are essential to reliable AML/CFT risk prevention. Failure to identify all relevant risks – or to accurately identify known categories – can create a chain reaction undermining the whole risk management framework.

The FFIEC emphasizes that credit unions should record their risk assessment in writing and provide it to all relevant personnel throughout the firm, from upper leadership to concerned staff. It must also be updated regularly because firms’ risks change constantly, and ongoing due diligence data offers newer, more accurate risk insights.

Customer due diligence

FinCEN’s final CDD rule, effective July 11, 2016, outlines banks’ core CDD responsibilities under the BSA. Under the law, firms must have ongoing CDD programs subject to regulatory inspection for compliance. A compliant program should:

• Enable customer identification and verification (ID&V), including beneficial owners for legal entities – Firms need to collect enough documentation and background information to confirm the customer is who they say they are, isn’t sanctioned, and doesn’t pose other outsized risks. It includes relevant research on politically exposed persons (PEPs), sanctions lists, and negative news.
• Enable ongoing monitoring – This includes transaction monitoring and broader customer monitoring. Firms need to remain constantly in touch with customer activity, from their transactions to any changes in circumstances, profile data, or other behaviors that could change their level of risk.

In addition, firms should conduct ongoing transaction screening. This looks at transactions before they’re approved, flagging those that violate sanctions or don’t align with a firm’s established risk profile and appetite. Sound transaction screening can reduce the alerts transaction monitoring teams receive and allow them to focus on more nuanced patterns not evident at screening. 

Firms must also have enhanced due diligence (EDD) procedures in place for especially high-risk customers or activity. At onboarding, this may entail more in-depth checks into a PEP’s background and networks, for example. During ongoing monitoring, this may entail a multi-stage investigation into an out-of-character series of transactions that appear to avoid AML thresholds. 

Ongoing monitoring

Although ongoing monitoring is integral to CDD, it’s worth highlighting separately. It forms the backbone of any effective CDD process, often mistakenly associated with onboarding alone. Yet, effective know your customer (KYC) at onboarding does not exhaust a credit union’s due diligence obligations. On the contrary, the bulk of the CDD a firm conducts over the life of a client’s account happens after onboarding. CDD begins with ID&V but must continue throughout the entire customer lifecycle.

This is the purpose of ongoing monitoring, which comprises:

• Transaction monitoring (supported by transaction screening).
• Ongoing customer monitoring to identify relevant information or behavior changes.
• Associated investigations and any relevant collaboration with law enforcement.

To function effectively, all teams involved in CDD, from the beginning to the end of the customer lifecycle, must be able to share relevant information. Siloing teams and data within the AML/CFT process cripples a firm’s ability to comply with regulations or manage risks. The most important risk data can often only be accessed when teams collaborate. Ideally, this collaboration should extend beyond AML/CFT compliance to include all aspects of a firm’s financial crime risk management, such as fraud prevention and detection.

Reporting

Federal regulators require firms to report specific transactions that could be involved in illicit activity. Although there are multiple regulations covering these obligations, two main categories are key:

• Suspicious activity reports (SARs) – Firms are required to submit a SAR when they suspect or believe a transaction of $5,000 or above is involved in illicit activity or when they suspect smaller transactions to be structured to evade currency transaction reports requirements (below). When criminal violations are identified, specific requirements apply depending on the situation, so firms should consult the FFIEC guide for further details and references to applicable laws.
• Currency transaction reports (CTRs) – With a few exceptions, firms must submit a CTR for any currency transaction over $10,000 or smaller amounts adding up to $10,000 in a single day. These latter transactions count as one for reporting purposes. 

For detailed guidance on federal reporting requirements, including for special situations, credit unions can consult the FFIEC’s manual in the section titled Assessing Compliance with BSA Regulatory Requirements. This section is divided into subheadings detailing firms’ obligations by topic. NCUA Rule 748 also deals with reporting requirements for credit unions.

Federal and state credit unions (as defined under 12 U.S.C. 1752) are exempt from the new FinCEN rule requiring certain companies to report their own beneficial owners. However, this does not mean that they are exempt from CDD requirements involving researching a legal entity’s UBO. In fact, NAFCU emphasizes that credit unions may be among the institutions allowed to access the BOI registry under the new FinCEN rule.

AML red flags concerning credit unions

Money laundering red flags are complex and can vary between typologies. Credit unions should review  specific indicators based on their unique risks. These stem from their current operations and broader financial crime trends to which they are exposed. Firms will need to tap into historic data from their existing AML/CFT processes, keep track of trends in the wider industry, and follow regulator alerts and reports. For example, FinCEN releases regular notices to firms regarding emerging financial crime risks. These offer typology-specific red flag lists, which firms can further customize based on their own data.

Still, some red flags are common across many credit unions. The NCUA and FFIEC have both released helpful red flag guides as a starting point. Examples include:

• A member balks at proceeding with a transaction after discovering it will be reported or recorded.
• Accountholder tries to get employees to forego recordkeeping requirements.
• Evidence of structuring transactions to avoid reporting thresholds.
• Repeated deposits of amounts below specific thresholds using automated tellers.
• Repeated even dollar transactions.
• Attempting to exchange smaller bills for larger ones without a clear business purpose.
• Deposits into multiple accounts under $3,000 that are then sent to a single account and transferred out-of-country. This is especially risky if the transfer involves a high-risk country.
• Cash deposits increase significantly, but non-cash deposits do not change.
• Difficulty identifying business account originators or beneficiaries.

Although red flags can help firms detect money laundering and other financial crime, it’s essential to remember that they are only indicators. Certain legitimate activities can also present red flags, so following up with a more in-depth analysis is essential. If suspicion of illicit activity persists after further research, credit unions should follow applicable reporting laws and take necessary measures to ensure they manage the risk effectively and compliantly. 

Best practices for an effective AML compliance program

Credit unions wishing to revamp or review their current AML/CFT process would do well to review in-depth the FFIEC’s guide and the resources offered by the NCUA. As firms assess the state of their current process, they should consider whether they’ve established:

• Regularly-updated risk assessments documented in writing, allowing for accurate risk profiles and risk-based policies and procedures.
• Written AML/CFT policies and procedures tailored to the firm’s risk profile.
• Sound governance, including a BSA compliance officer accountable to regulators, and clearly-delineated risk management roles.
• Robust CDD, from customer onboarding through all stages of ongoing monitoring.
• Compliant, thorough reporting processes. 
• Internal and independent reviews and audits to ensure the program is compliant and effective.
• Comprehensive, constantly-updated risk data – especially for sanctions lists, PEPs, and adverse media.
• Tailored and regularly updated training on AML/CFT risks, regulations, and processes for all relevant personnel.
• Teams with enough qualified personnel to carry out the AML/CFT framework’s policies and procedures.
• Technology that integrates data and processes across all levels and stages of CDD.
• The use of automation and artificial intelligence to detect more risk, prioritize higher risks, and streamline repetitive work.