BY CINDY HAGAN
The deadline for compliance with enhanced due diligence looms. Is your credit union ready to meet the requirements? Keep reading for a rundown of the four key steps, along with some professional recommendations, your CU should be following in preparation for its due diligence process.
Beginning May 11, 2018, all covered financial institutions must comply with the Financial Crimes Enforcement Network’s (FinCEN’s) final rule for enhanced due diligence (EDD) requirements under the Bank Secrecy Act. The regulation became effective July 11, 2016, but institutions were given 22 months to institute procedures to provide the necessary identification, verification and monitoring.
A strong Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program includes member due-diligence policies that are comprehensive. It encompasses procedures for all members and special processes for those who present a higher risk for money laundering and terrorist financing. The EDD process is meant to help predict the types of transactions a member is likely to have and to pinpoint those that may be suspicious.
Member-related due diligence begins with understanding who your members are, along with the intended purpose and types of accounts and services they plan to use. At Sollievo, we have identified four key steps that are necessary for a due-diligence process:
- Ensure proof and verification of a member’s identity. Credit unions must verify enough information to form a reasonable belief that they know a member’s identity. Procedures should specify which documents to use for identification and when to use them, when to use non-documentary methods and when to use a combination of the two approaches. Because fake documents are easily available, Sollievo recommends that our clients’ processes call for a review of more than a single document.
  - Researching unfamiliar documents to verify validity – Institutions must be able to reasonably assure a member’s identity; e.g., if s/he provides a driver’s license from another state, check it out online since most states’ websites exhibit an example of their licenses. Birth certificates also vary from state to state and require extra checking. If the member uses a U.S. passport, check the expiration date. If s/he isn’t a U.S. citizen, require a passport and visa, noting expiration dates on both. Regardless of the documents used, your credit union should retain copies. A notable exception is if a member uses a military ID, which is illegal to photocopy. Instead, note address, date of birth and taxpayer ID number.
  - Using non-documentary methods – Credit unions aren’t required to use non-documentary methods, but if such methods are used, the procedure must state which of them will be used and when. Examples include contacting a member, verifying information the member provides with a consumer reporting agency, researching a public database, checking references with other financial institutions or obtaining a financial statement.
- Identify and verify beneficial owners of legal entity members. This represents the enhanced portion of the new rule. Legal entities include a corporation, a limited liability company or any other type of organization created by filing with the state’s secretary of state or other public office, including an entity formed under the laws of a foreign jurisdiction.
FinCEN requires institutions to complete a form (obtained from the agency’s website) that provides the name, address, date of birth and Social Security number (or passport number for non-U.S. citizens) for each person who owns 25 percent or more equity interest in the legal entity. This requirement also extends to anyone with significant management responsibility (e.g., a CEO, CFO, COO, managing member, general partner, president, vice president, treasurer). Your credit union also may ask to see a driver’s license or other identifying document for each beneficial owner listed on the form. The person opening the account must also provide his/her name and title as well as the legal address of the entity. While the rule doesn’t require a credit union to validate the information collected on this form, Sollievo recommends to our clients that the information presented be documented and validated.
- Understand the nature and purpose of member relationships. After a member’s identity has been verified, ask additional questions to determine the risk level and establish expectations about the types of transactions that will be made. For example:
  - Is the account for an individual or a business?
  - Is the member retired, a child or a working adult?
  - Is the business seasonal?
  - How will deposits be made and will there be transfers from foreign banks?
  - What types of credit union products/services will the business use?
Members may fall in the high-risk category because of their location, types of products/services they use or type of business owned. For example, a member might be involved in flea market activities or another cash-based business that brings large cash deposits. While the member may be in a high-risk category, it doesn’t mean s/he is high risk. It just means your credit union must perform extra due diligence to document steps taken in an effort to assess the activity and why it isn’t a risk concern.
- Monitor activity, update member information and report suspicious activity. Set up monitoring procedures and compare actual account activity to expected activity. Consider these steps:
  - Flag changes in activity and contact the member to see if anything, such as employment, has changed. If so, such a change should be documented to ensure effective monitoring.
  - Don’t ignore red flags even though you know the member. Note information received from outside sources, like newspaper reports of a member’s arrest. Analyze wire transfers or ACH activities that vary from the norm to protect not only the credit union but also members. Watch for behavior that may point toward money laundering, such as transactions in round dollar amounts or those that seem to be structured to not trigger the reporting threshold.
  - Perform a “link analysis” to uncover hidden relationships between accounts, and monitor inter-account activity. Also identify common beneficiaries and payers among otherwise unconnected accounts; e.g., track when one account frequently receives checks from other accounts.
  - Pay attention to employees who perform unusual transactions against members’ accounts or who perform abnormal checks and balances.
Creating an effective policy
Under the EDD, an effective BSA/AML policy will set clear, specific staff duties, including who is responsible for reviewing or approving changes to a member’s risk or rating profile. It also will include procedures to maintain current member information and will provide guidance for documenting due diligence. This includes steps taken to resolve issues regarding insufficient or inaccurate information.
While the EDD deadline isn’t until next year, examiners may soon be asking questions about how your credit union plans to be compliant. They will expect to see how the verification process for high-risk members is conducted and documented. They also will review monitoring procedures as well as actions taken when a red flag is raised. Is your credit union ready to answer these questions?
Cindy Hagan is a senior consultant in the Compliance Services group for Sollievo. The company, a wholly-owned subsidiary of Vizo Financial Corporate Credit Union, offers an array of risk management products and services to provide compliance relief for credit unions. She may be contacted at (855) 605-5664 or firstname.lastname@example.org.