Microsoft Word - LCU_BSA

NCUA LETTER TO CREDIT UNIONS

NATIONAL CREDIT UNION ADMINISTRATION

1775 Duke Street, Alexandria, VA 22314

DATE: June 2005 LETTER NO.: 05-CU-09

TO: Federally Insured Credit Unions

SUBJ: Bank Secrecy Act Compliance

ENCL: Frequently Asked Questions and Answers

Dear Board of Directors:

Compliance with the Bank Secrecy Act (BSA) is a key component in the

detection and prevention of money laundering and terrorist financing. All

financial institutions in the United States of America must comply with BSA.

NCUA recognizes credit union staff and officials have questions about how to

comply with the BSA. To establish consistent understanding, NCUA has created

the enclosed guidance, Frequently Asked Questions and Answers (FAQs) on

BSA. This guidance does not supersede or replace the requirements established

in Part 748 of the NCUA Rules and Regulations and Title 31 of the Code of

Federal Regulations.

Credit unions are encouraged to carefully review their practices for compliance

with BSA. If improvements are necessary, please make them a priority. Review

of compliance with BSA is required during NCUA’s risk-focused examination

program, and examiners will inquire about BSA practices at your credit union.

Should you have questions, please contact your district examiner, regional office,

or state supervisory authority.

Sincerely,

/s/

JoAnn Johnson

Chairman

Enclosure

Page 2

Anti-Money Laundering Compliance

Frequently Asked Questions and Answers (FAQs)

The implementing regulations for recordkeeping and reporting requirements of

the Bank Secrecy Act are codified at Title 31, Part 103 of the Code of Federal

Regulations “31 C.F.C. §103”. These regulations are referred to throughout these

FAQs and should be consulted for further details regarding these and other BSA

compliance questions. The Financial Crimes Enforcement Network (FinCEN) also

maintains a web page with FAQs and other helpful information. The address is

http://www.fincen.gov

Anti-Money Laundering Statutes

Q1.) Are OFAC and BSA procedures inter-related and/or one in the same?

A1.) No. While both OFAC and BSA compliance are essential parts of a successful anti-

money laundering program, compliance for each arises from distinct laws and

regulations with different requirements. While they are different, some requirements for

successful compliance are the same. A credit union must evaluate potential compliance

risk due to BSA and OFAC requirements and take appropriate action to reduce this risk.

A written policy defining responsibilities and processes for compliance should be

established for both OFAC and BSA; these policies can be combined in one anti-money

laundering policy, if that works best for a credit union. Every credit union, regardless of

services offered, has both BSA and OFAC responsibilities.

OFAC compliance requires credit unions to take appropriate action to block, freeze, or

prohibit transactions with persons and countries contained on the list of Specially

Designated Nationals and Blocked Persons (SDN). Credit unions must take steps to

download or otherwise obtain the SDN list from OFAC on a regular basis. The SDN list

may be updated daily or hourly, and credit unions are responsible for having the most

frequent list. The SDN list is not

the same as the 314a list provided by FinCEN. The

OFAC web site, http://www.treas.gov/offices/enforcement/ofac/

provides helpful

information about OFAC regulations.

BSA compliance requires credit unions to track cash transactions and purchases of cash

equivalents, such as money orders, and to comply with other recordkeeping and

reporting requirements. The forms used most frequently by credit unions to report

transactions are the Currency Transaction Report (CTR) and the Suspicious Activity

Report (SAR). BSA also requires the verification of member identity and response to the

314a information requests lists provided by FinCEN.

Information requests by FinCEN through the 314a list are part of law enforcement’s

ongoing efforts to combat terrorism and money laundering. The 314a list is confidential

and usually provided every two weeks on Tuesday via fax or posting on FinCEN's

secure web site. Occasionally, lists are provided more frequently. After FinCEN's

posting of a list, credit unions usually have 10 days to check this list against the member

database and provide an appropriate response to FinCEN. Infrequently, FinCEN will set

a quick-turn around deadline and a credit union must respond in 3 or 4 days. While

FinCEN makes the 314a list available, it is a credit union's responsibility to ensure the

list is received. If a list is not received every two weeks (or more frequently), credit

unions should investigate non-receipt by contacting FinCEN to inquire about list delivery

Page 3

or taking other, appropriate action. The periodic 314a list is not the same as the SDN list

provided by OFAC.

Independent Testing

Q2.) Who may complete independent testing of BSA compliance for a credit

union?

A2.) Any qualified person may perform independent testing for the credit union.

Independent testing for BSA compliance can be performed by an outside person,

internal staff, or volunteer officials. To be qualified to test for compliance, the person

conducting the testing must understand the requirements of BSA and be independent of

the credit union's BSA program.

If you are seeking an organization or individual not associated with the credit union to

conduct the testing, perform the same type of due diligence used to select the

supervisory committee auditor. To make contact with someone able to perform

adequate testing, you can read advertisements in trade publications, talk to other credit

unions, contact the local league, or ask for a referral from your supervisory committee

auditor. Many outside persons will perform this type of testing for a fee.

If you are trying to perform compliance tests internally, staff members not involved in the

BSA program, such as internal auditors, or volunteer officials can conduct the tests.

Q3.) My credit union engaged an auditor to independently validate the BSA

program as part of the annual audit (to occur within the next 3-6 months), but the

credit union has not previously completed an independent validation. Is the credit

union in violation of BSA?

A3.) Yes. Section 748.2(c) of NCUA’s Rules and Regulations requires independent

testing for compliance. Given the circumstances, your credit union has a significant BSA

violation. The violation will persist until the auditor completes testing and provides

written feedback to the board of directors or their delegate.

Q4.) Where can a credit union get information on how to conduct testing of a BSA

compliance program?

A4.) To assist volunteers, NCUA issued the Bank Secrecy Act portion of the

Compliance Self-Assessment Guide

in October 2003 through Letter to Credit Union 03-

CU-16, Bank Secrecy Act Compliance. The enclosures of Letter to Credit Unions 03-

CU-16 include a checklist for BSA compliance. This checklist provides an example of

the type of review that may be conducted. For large and complex credit unions, further

steps may be needed.

Large or mentor credit unions may also be willing to share information about their

internal controls and testing methods.

Page 4

Training

Q5.) Where can credit union personnel obtain information or training regarding

BSA, USA Patriot Act, and OFAC compliance?

A5.) Multiple sources of training material are available on the internet. The Bank

Secrecy Act is found at Title 31, United States Code, Section 5311. Part 748 of the

NCUA Rules and Regulations implements compliance with BSA.

NCUA provides information about the Bank Secrecy Act on the NCUA web site,

http://www.ncua.gov

. From the NCUA home page, select Resources for Credit Unions

and Bank Secrecy Act. The AIRES questionnaires used by NCUA examiners to review

BSA and OFAC are also available on the NCUA web site; from the NCUA home page,

http://www.ncua.gov

, select Resources for Credit Unions and AIRES.

FinCEN also provides information about BSA on its web site, http://www.fincen.gov

under the Regulatory and Publication options. The text of the regulations that FinCEN

issued to implement the Bank Secrecy Act is published in Title 31, Section 103, of the

US Code of Federal Regulations.

OFAC provides information about the SDN list and OFAC statutes on its web site,

http://www.treas.gov/offices/enforcement/ofac/

Training and information may also be available from the local league, national credit

union organizations, and state regulators. In addition, various vendors offer training

material for purchase.

Q6.) What is appropriate BSA training for credit union personnel?

A6.) Every credit union should perform at least annual training on BSA. Most credit

unions will perform quarterly or monthly training. It is important that your training

program educate employees about types of money laundering schemes and

recordkeeping and reporting requirements, such as the completion of CTRs and SARs.

Training should cover both the requirements of BSA and your credit union's policies and

procedures used to comply with these requirements.

The type, breadth, and frequency of appropriate BSA training will vary between credit

unions. To determine the kind of training that is appropriate for your credit union, you

should evaluate the frequency of staff turnover, kinds of transactions handled by your

credit union, types of products offered to your membership, and whether your credit

union is located in a high risk money laundering and related financial crimes area

(HIFCA) or high intensity drug trafficking area (HIDTA). Current HIFCAs include

Chicago, San Francisco, New York/New Jersey, San Juan/Puerto Rico, Los Angeles,

and a "Southwest Border systems HIFCA", designed to address cross-border currency

smuggling in Texas/Arizona to and from Mexico. A list of HIDTAs is maintained at the

following web site: http://www.whitehousedrugpolicy.gov/hidta/index.html

In addition to BSA, a credit union should also conduct regular training on OFAC.

Employees should understand the purpose of the SDN list and how to evaluate whether

a transaction will be subject to OFAC requirements.

Page 5

Q7.) My credit union does not deal in cash. Can I get an exemption from BSA

compliance? If not, what topics should my written BSA policy cover?

A7.) There are no exemptions from BSA compliance available for credit unions. Small

credit unions, credit unions with limited services, and credit unions that do not accept or

distribute cash must comply with applicable provisions of the Bank Secrecy Act and the

implementing regulations.

As a credit union, your written Bank Secrecy Act policy must address the four required

elements from Part 748 of the NCUA Rules and Regulations. These elements include:

¾ a system of internal controls to ensure ongoing compliance,

¾ independent testing,

¾ an individual responsible for coordinating and monitoring day to day compliance,

and

¾ training for appropriate personnel.

Within the internal controls section of your policy, you should describe your process for

responding to requests from FinCEN for information. These requests are often referred

to as 314a requests, as the request process was established by Section 314a of the

USA Patriot Act. You must also have a written policy for your Customer Identification

Program (CIP). It can be incorporated into the internal controls section of your BSA

policy. The CIP policy must address acceptable methods for verifying member identity

and your process for providing the required CIP disclosure.

You are also required to file Suspicious Activity Reports as needed. Your policy should

address when filing is appropriate and the confidential nature of SARs. You must also

comply with the five year record retention requirements of BSA. Many of these

requirements are referred to in the AIRES BSA Questionnaire available on the NCUA

web site.

In addition, your written policy should address how your credit union will handle a

situation where you inadvertently receive cash, such as a currency deposit by mail or

payment of a loan. If appropriate, you would need to file a Currency Transaction Report.

Customer Identification Programs (CIP)

Q8.) Do I have to verify the identity of a minor when opening an account for the

minor? If so, how can I do it?

A8.) Yes, when an account is opened by a minor, you must verify the identity of the

minor. However, the applicable regulation defines a customer in part as “an individual

who opens a new account for: (1) an individual who lacks legal capacity, such as a

minor…” (31 CFR 103.121(a)(3)). If an adult or other person opens an account for a

minor, you would only need to verify the identity of the person opening the account, not

the minor.

Verification of a minor's identity can be done through documentary methods, if the minor

has acceptable documentary evidence of identity, such as a work or driver’s permit. If

not, you could rely upon some form of non-documentary evidence. Examples of this

type of evidence include verification of identity by an existing member; using public

databases; calling the member at a phone number obtained independently from the

Page 6

member, etc. Your CIP policy should address what types of non-documentary evidence

of identity you will utilize, and the situations when you will accept such evidence.

Q9.) We require two forms of identification upon opening an account. What must

we do if two different addresses are presented by the same applicant?

A9.) You must resolve any existing inconsistency and request other verifying

information which would allow you to determine the current address of the applicant. An

example might be a current utility or telephone bill in the applicant’s name. Your

Customer Identification Program notice should be general enough to permit asking for

additional identifying information.

Recordkeeping

Q10.) What information should be recorded in a monetary log? Do credit unions

need to make a hand written monetary instrument log if the computer system

does not maintain this information?

A10.) By “monetary log”, you mean a record to document the purchase in currency and

issuance of a credit union check, cashier’s check, money order, or traveler’s check in

amounts of $3,000 to $10,000 inclusive.

If the purchaser has a credit union account, you must verify that the accountholder is

your depositor or verify the individual’s identity. The monetary log must also capture the

following data:

• Purchaser’s name

• Date of purchase

• Type of instruments bought

• Serial number(s) of each instrument bought

• Dollar amount of each instrument purchased

If the purchaser does not have an account with your credit union, you must determine

whether the individual qualifies for credit union membership and, if qualified, open an

account and verify the identity of the person. If the purchaser is not qualified for credit

union membership, the transaction should not be conducted.

Multiple purchases during one business day totaling $3,000 or more are treated as one

purchase. Similarly, purchases of different types of instruments totaling $3,000 or more

are treated as one purchase.

Your record of these transactions can be in either a manual or electronic format. The

record must be kept for five years. If your computer system has the ability to generate a

report that contains the required information, you do not need to maintain a separate log.

However, you must be able to generate this report for any currency transaction for the

purchase of credit union check, cashier’s check, money order, or traveler’s check. And,

you must be able to aggregate these currency transactions to determine if a member or

account made more than $10,000 in transactions during a day.

Page 7

Q11.) When must multiple currency transactions be aggregated and treated as a

single transaction?

A11.) In the case of financial institutions, multiple currency transactions shall be treated

as a single transaction if the financial institution has knowledge that they are by or on

behalf of any person and result in either cash in or cash out totaling more than $10,000

during any one business day. Deposits made at night or over a weekend or holiday shall

be treated as if received on the next business day following the deposit.

Example: A member places one deposit bag into the night depository at a credit union

on Friday night, two bags on Saturday and two on Sunday. Then on Monday morning, a

teller processes all five deposit bags and deposit slips at the same time, but posts each

individual deposit separately.

Because these deposits occurred at night and over the weekend they should be treated

as a single transaction for reporting purposes, having been received on Monday, the

following business day.

Example: Two employees representing the same small business in town each make a

$7,000 currency deposit to the company’s account during the same business day. The

deposits are made at different branches of the credit union. Because both deposits are

on behalf of the same company and made at the same credit union, they are subject to

aggregation. A CTR must be filed if the credit union is aware of both transactions.

Example: A member makes a $4,000 deposit at Branch “1”, a $4,000 deposit at branch

“2” and a $3,000 deposit through an ATM machine. A CTR must be filed if the credit

union is aware of the three transactions.

Q12.) My credit union would like to avoid filing CTRs by making a policy not to

accept currency transactions of more than $10,000; is that allowable? Can a

credit union ever have a policy not to accept currency transactions of more than

$10,000?

A12.) Yes. A financial institution is not prohibited by the relevant BSA statutes or

regulations from setting a limit on the dollar amount of transactions it accepts. The

decision to limit the dollar amount of transactions is a business decision each institution

may make. Limiting transactions to $10,000 or less, even if done for the purpose of

avoiding BSA reporting requirements, does not subject a credit union to charges of

structuring as prohibited by 31 U.S.C. § 5324. There are, however, certain additional

risks and burdens to the institution because of this policy.

While such a policy may seem to reduce the burden of filing Currency Transaction

Reports (CTRs), it also has the effect of increasing the burden to monitor member

activity to guard against structuring. The credit union remains subject to all of the

requirements contained in Title 31 of the U.S. Code, including the requirement to report

suspicious transactions. The credit union cannot turn a blind eye to potential structuring

by its members simply by limiting the amount of cash transactions.

For example, a cash deposit of $7,000 on one day by a member, followed by a $4,000

deposit the next day by the same member may be sufficient to trigger an obligation to file

a Suspicious Activity Report (SAR) for structuring. If the credit union has more than one

Page 8

office where cash transactions occur, its cash limitation policy may encourage members

to conduct transactions at more than one office. Thus, the credit union arguably has a

greater duty to analyze transactions at all such offices and make certain they are

properly aggregated for the purpose of determining if a CTR or SAR is required. Indeed

the credit union may be facilitating structuring if it fails to adequately analyze member

transactions and file SARs for suspected structuring.

Such a policy would also require the credit union to have a BSA training program for its

employees that is sufficient for the additional risks resulting from its policy. This training

program should be more detailed and comprehensive than the BSA training typically

given to credit unions without a similar transaction limitation. Back office employees

must be especially vigilant to monitor transactions occurring on subsequent days, as well

as from multiple branches, in order to detect suspicious activity that would trigger the

requirement to file a SAR.

Q13.) What entities can be exempted from CTR filings? When should we closely

investigate a business before awarding a Phase II exemption?

A13.) The regulations that specify eligibility for exempt status are found at 31 C.F.R. §

103.22(d). Generally entities seeking an exemption from the requirements to file a CTR

fall into three categories: (1) phase I; (2) phase II; and (3) non-eligible companies.

Phase I entities that may be eligible for exemptions include:

1. Credit unions, banks, listed companies on the stock exchange and their subsidiaries.

2. A department or agency of the United States, of any state, or of any political

subdivision of any state.

3. Any entity established under the laws of the United States, of any state, or of any

political subdivision of any state, or under an interstate compact between two or more

states, that exercises governmental authority on behalf of the United States or any such

state or political subdivision.

Credit unions must file a one-time Designation of Exempt Person form (TD F 90-22.53)

to exempt a “Phase I” entity from currency transaction reporting. The exemption of a

“Phase I” entity covers all transactions in currency with the exempted entity, not only

transactions in currency conducted through an account. The form must be filed with the

Internal Revenue Service (IRS) within 30 days after the first transaction in currency that

the credit union wishes to exempt. The information supporting each designation of an

exempt person must be reviewed and verified by the credit union at least once per year.

Phase II entities that may be eligible for exemptions include non-listed businesses and

payroll customers. Non-listed businesses include companies that are not listed on the

stock exchange and their subsidiaries.

In order to be eligible for an exemption a non-listed business must meet each of the

following requirements:

1. Commercial entity;

2. Maintained an account for at least 12 months;

3. Frequently has currency transactions in excess of $10,000;

4. Is incorporated or registered as a business in the US or a State;

And, the credit union must meet each of the following requirements:

Page 9

5. Must report exemption within 30 days of the first exempted transaction; and

6. Must review status of non-listed business annually and revoke if no longer

qualified.

Credit unions must make a biennial filing of Designation of Exempt Person Form (TD F

90-22.53) to exempt a non-listed business or payroll customer from currency transaction

reporting. Biennial renewals must include a statement certifying that the credit union’s

system of monitoring the transactions in currency of an exempt person for suspicious

activity has been applied as necessary but at least annually to the account of the exempt

person to whom the biennial renewal applies. This means that the credit union must

certify that it has monitored the account in question for suspicious activity. The credit

union’s obligation to monitor and report suspicious transactions on the account remains

regardless of whether there is an exemption in place. Thus, for example, a sharp

increase from one year to the next in the gross total of currency transactions made by an

exempt customer may trigger the obligations of the credit union to file a suspicious

activity report.

FinCEN no longer permits certain ineligible businesses be exempt from CTR reporting

requirements.

Examples of companies or businesses that are generally not eligible for an exemption

include those engaged in:

1. purchase or sale of motor vehicles of any kind;

2. purchase or sale of vessels, aircraft, farm equipment, or mobile homes;

3. the practice of law, accounting, or medicine;

4. Auctioneers;

5. Charter businesses;

6. Gaming businesses;

7. Real estate brokerage;

8. investment advisory or investment banking services;

9. title insurance and real estate closing; and

10. trade union activities.

Q14.) When a credit union requires the assistance of its corporate credit union to

wire transfer funds, which party has responsibility for record keeping?

A14.) Both the credit union, as the originator of the wire transfer, and the corporate

credit union, as an intermediary financial institution, have record keeping responsibilities

per 31 C.F.R. §103.33(e) of the regulations implementing the Bank Secrecy Act.

The credit union as originator must maintain records of all

wire transfers in the amount of

$3,000 or more with the following exceptions

(a) Funds transfers where the originator and the beneficiary are any of the following:

(1) a bank, thrift, or credit union;

(2) a wholly-owned domestic subsidiary of a bank, thrift, or credit union

chartered in the United Sates;

(3) a broker or dealer in securities;

(4) a wholly-owned domestic subsidiary of a broker or dealer in securities;

(5) a futures commission merchant or an introducing broker in commodities;

Page 10

(6) a wholly-owned domestic subsidiary of a futures commission merchant or

introducing broker in commodities;

(7) the United States;

(8) a state or local government; or

(9) a federal, state or local government agency or instrumentality

; and

(b) funds transfers where both the originator and beneficiary are the same person and

the originator’s bank, thrift, or credit union, and the beneficiary’s bank, thrift, or credit

union are the same.

The credit union originating the wire transfer must retain the original, a microfilm copy, or

some other copy or electronic record of the following information:

¾ Name and address of the originator of the payment order;

¾ Amount of the payment order;

¾ Execution date of the payment order;

¾ Any payment instructions received from the originator;

¾ Identity of the beneficiary’s financial institution; and

¾ As many of the following items as are received:

 Name and address of the beneficiary

 Account number of the beneficiary

 Any other specific identifier of the beneficiary

The corporate credit union, when acting as an intermediary financial institution, must

retain the original or a microfilm, other copy, or electronic record of the payment order for

each payment order it accepts.

In addition, before completing the transaction and transmitting funds, each credit union

has a responsibility to check the OFAC SDN list and to ensure there is no match.

Q15.) When is a credit union required to file a Suspicious Activity Report (SAR)?

A15.) In general, federally-insured credit unions must file a SAR whenever there is a

known or suspected violation of a federal law, a pattern of criminal violations, or a

suspicious activity committed or attempted against the credit union or involving a

transaction or transactions through the credit union meeting the following criteria:

¾ Insider abuse involving any amount;

¾ Violations aggregating $5,000 or more where a suspect can be identified;

¾ Violations aggregating $25,000 or more regardless of a potential suspect; and

¾ Transactions aggregating $5,000 or more that involve potential money laundering

or violations of the Bank Secrecy Act

A credit union must file a SAR for any transaction conducted or attempted by, at, or

through the credit union and aggregating $5,000 or more in funds or other assets, if the

credit union knows, suspects, or has reason to suspect that the transaction:

¾ May involve potential money laundering;

¾ Involves funds derived from illegal activities or is intended or conducted to hide or

disguise funds or assets derived from illegal activities;

¾ Is designed to evade the Bank Secrecy Act or its implementing regulations; and

Page 11

¾ Has no business or apparent lawful purpose, or is not the sort in which the

member would normally be expected to engage, and the credit union knows of

no reasonable explanation for the transaction after examining the available facts.

Per Section 748.1(c) of NCUA’s Rules and Regulations and 31 C.F.R. §103.18 ,

federally insured credit unions must file the SAR (NCUA Form 2362) with FinCEN within

30 days after discovery of a suspicious activity. If no suspect can be identified, the time

period for filing the SAR may be extended to 60 days. In all cases, the SAR must be

filed within 60 calendar days following the detection of a reportable transaction.

Q16.) Are credit unions required to file Form 4790, Report of International

Currency or Monetary Instruments (CMIR)?

A16.) 31 C.F.R.§103.23 establishes filing requirements for FinCEN Form 105 (formerly

Customs Form 4790). Generally credit unions will not be required to file this form.

A person (member) must file whenever he / she:

¾ Physically transports, mails, or ships;

¾ Causes to be physically transported, mailed, or shipped;

¾ Attempts to physically transport, mail or ship; or

¾ Attempts to cause to be physically transported, mailed or shipped

currency or other monetary instruments in an aggregate amount exceeding $10,000 at

one time from the United States to any place outside the United States, or into the

United States from any place outside the United States. A person is deemed to have

caused such transportation, mailing or shipping when he aids, abets, counsels,

commands, procures, or requests it to be done by a financial institution or any other

person.

While 31 C.F.R. §103.23(c) provides exceptions from filing, the exceptions generally do

not apply to member transactions. In summary, the credit union is not required to file

FinCEN Form 105, CMIR for transfers of funds, through normal credit union operations,

which do not involve the physical transportation

of currency or monetary instruments.

Enforcing the Bank Secrecy Act

Q17.) Who is responsible for BSA enforcement in both federal and state chartered

credit unions?

A17.) Both FinCEN and NCUA have enforcement responsibility.

Under Section 206 of the Federal Credit Union Act, NCUA has authority to ensure

compliance with all laws and regulations including the Bank Secrecy Act. FinCEN

administers the Bank Secrecy Act, but Bank Secrecy Act examination authority is

delegated to NCUA for insured credit unions. While examination authority is delegated,

FinCEN retains independent authority to take enforcement actions against credit unions

for violations of the Bank Secrecy Act.

In federally insured credit unions, NCUA enforces compliance with the Bank Secrecy

Act. Through agreement with NCUA, state supervisory authorities may take BSA

Page 12

enforcement action in federally insured state chartered credit unions. BSA compliance is

a condition of federal insurance.

In non-federally insured credit unions, FinCEN is responsible for BSA enforcement; state

supervisory authorities and the Internal Revenue Service examine and refer BSA

matters to FinCEN for enforcement.

Q18.) How long does a credit union have to resolve BSA deficiencies once

identified by the regulator?

A18.) When NCUA identifies BSA deficiencies at a credit union, the examiner-in-charge

will work with credit union management to establish mutually agreeable time frames and

expectations for resolution of the deficiencies. When possible, BSA deficiencies should

be corrected immediately, before conclusion of an examination.

If immediate correction is not possible, credit union management should be prepared to

take necessary action and resolve BSA deficiencies within less than 90 days. Credit

unions that are unable to resolve BSA deficiencies within 90 days, or the timeframe

established during the examination, will face administrative action. This action could

include, but may not be limited to, cease and desist orders and civil money penalties.

NCUA recognizes that some situations, such as the audit of historical transactions and

filing of delinquent currency transaction reports for an extended period, may require

more than 90 days to correct. In these rare cases, NCUA will expect to see measurable

and significant progress in the correction of deficiencies within each 90 day period, as

documented in the written agreement established during the examination process.

Q19.) What are the possible penalties if my credit union does not comply with the

Bank Secrecy Act or USA Patriot Act?

A19.) There are a wide range of possible penalties for non-compliance. The penalty for

a violation will depend on the facts involved.

For example, incomplete or inaccurate CTRs can bring fines of $500 each. Your credit

union could face fines of $10,000 if a required CTR is not filed within 15 days of the

transaction, with further fines of $10,000 for each day a required report is not filed. A

pattern of negligent violations is subject to a fine of up to $50,000, and your credit union

may also face forfeiture of the funds involved.

In addition, intentional violation of the BSA or USA Patriot Act can mean suspension or

permanent removal of institution affiliated individuals. Conviction of an intentional

violation of the Bank Secrecy or USA Patriot Act can bring a civil fine of between

$25,000 and $100,000, and criminal penalties of fines up to $500,000 and up to 10 years

imprisonment.

A detailed listing of possible civil and criminal penalties may be found at 31 C.F.R.

§103.57 and 31 C.F.R. §103.59. In additional to these penalties, a credit union could

face significant damage to its reputation if a violation of BSA or USA Patriot Act became

public knowledge.