Page 1


Bank Secrecy Act Risk Assessment In accordance with the Bank Secrecy Act requirements, SAMPLE CREDIT UNION has conducted a risk assessment of its operations to determine the risk that that the credit union could be used to facilitate money laundering related to activities such as drug trafficking, illegal gambling, organized crime, and terrorist financing. The assessment identifies and measures risks based on the credit union’s products, services, member base, and geographic area. SAMPLE CREDIT UNION is headquartered in ___________________________ and its asset size is $____________________. SAMPLE CREDIT UNION currently offers the following products and services: share accounts, share draft accounts, club accounts, share certificates, IRAs, money market accounts, direct deposit, payroll deduction, ACH debit, debit cards, audio response unit, courtesy pay for share draft accounts, wire transfers (outgoing and incoming), retail loans, website, home banking, bill pay, etc. (LIST SPECIFIC PRODUCTS OFFERED BY THE CREDIT UNION) SAMPLE CREDIT UNION’s membership is limited to LIST EMPLOYEE GROUPS IF CREDIT UNION HAS GEOGRAPHIC CHARTER, COMMUNITY CHARTER, OR HAS ADDED UNDERSERVED AREAS, LIST THE AREAS THE CREDIT UNION HAS BEEN AUTHORIZED TO SERVE (MAY BE COUNTIES, CITIES, OR CENSUS TRACTS WITHIN A COUNTY OR CITY) SAMPLE CREDIT UNION’s geographic area is limited to… SAMPLE CREDIT UNION serves this geographic area with _____ branch(es) located at: LIST BRANCH LOCATIONS RISK AREA

SAMPLE DEGREE OF RISK/ COMMENTS (degree of risk will be based on your credit union’s operations)

Member Base

LOW: Stable, known customer base MODERATE: Customer base increasing due to expansion to

SAMPLE MITIGATION FACTORS (mitigation factors should describe your credit union’s actual policies and procedures) Member ID program that includes government issued IDs along with secondary form of

2 community charter, decreased familiarity with members, and increased risk of fraudulent applications for membership and loans. An increase in branch locations also increases potential for exposure. Customer base increasing due to a merger also increases potential for exposure.

Electronic Commerce

HIGH: A large and growing customer base in a wide and diverse geographic area. LOW: No electronic banking services are offered; the web site is informational or non-transactional. MODERATE: The credit union offers online banking but not bill pay. Audio response is available. All transactions are conducted on a secure site, behind a firewall. Online member applications and loan applications are not accepted. Wire origination is not permitted via online banking. There is no direct access to the credit union’s database. The credit union’s web site is informational only. HIGH: The credit union offers a wide array of e-banking products and services such as account transfers, e-bill payment, or accounts opened via the Internet.

Large Currency Transactions or Structured Transactions

LOW: On the basis of information received from the BSA-reporting database, there are few or no large currency or structured transactions.

identification and/or non-documentary methods of ID. OFAC screening at time of membership application. Entire membership checked against the OFAC list on a monthly basis. No online membership applications accepted DESCRIBE TYPES OF SERVICES OFFERED AND WAYS MEMBER INFORMATION IS PROTECTED FOR EXAMPLE: Audio response requires a secure password. 3rd party site is protected behind a firewall. No access to accounts the member is not a signer on. No loan or membership applications available online. Member is in control of password. No access to credit union’s database. Only inquiries are allowed with transfers from checking to savings or loan payments. Daily large transaction reports are generated and reviewed to ensure CTRs and SARs are

3 MODERATE: moderate volume of large currency or structured transactions HIGH: significant volume of large currency or structured transactions

filed. CTRs and SARs are reviewed by upper management prior to submission. Wire log is kept.


High-risk Customers and Businesses

INCLUDE THE FOLLOWING INFORMATION: The credit union had ___ CTRs and ____ SARs during 2009. There are ____ exempt businesses. LOW: Few high-risk customers and businesses MODERATE: Moderate number of high-risk customers and businesses HIGH: Large number of high-risk customers and businesses

Foreign Correspondent Financial Institution Accounts

LOW: No foreign customer correspondent financial institution accounts. The credit union does not engage in pouch activities, offer special-use accounts, offer payable through accounts (PTAs), or provide U.S. dollar draft services. CREDIT UNIONS TYPICALLY DO NOT OFFER THESE SERVICES, SO RISK LEVEL TYPICALLY WILL BE LOW

DESCRIBE MITIGATION FACTORS IF CREDIT UNION HAS IDENTIFIED HIGHRISK CUSTOMERS AND BUSINESSES IF NONE, STATE NO MITIGATION NEEDED AS CREDIT UNION DOES NOT HAVE HIGH-RISK CUSTOMERS AND BUSINESSES The credit union does not offer foreign correspondent financial institution accounts, does not engage in pouch activities, does not offer special-use accounts, does not offer payable through accounts, or provide U.S. dollar draft services, so no risk


Private Banking Trust and Asset Management Services

International Accounts

LOW: The credit union offers limited or no private banking services or trust and asset management products and services. NOTE: private banking is typically defined as accounts in excess of $1 million. CREDIT UNIONS TYPICALLY DO NOT OFFER PRIVATE BANKING SERVICES. LOW: Few international accounts or very low volume of currency activity in the accounts. MODERATE: Moderate level of international accounts with unexplained currency activity. HIGH: Large number of international accounts with unexplained currency activity

Wire Transfers

LOW: A limited number of funds transfers for customers, noncustomers, limited third-party transactions, and no foreign funds transfers MODERATE: A moderate number of funds transfers. A few international funds transfers from personal or business accounts with typically low-risk countries. HIGH: A large number of noncustomer funds transfer transactions and payable upon proper identification (PUPID) transactions. Frequent funds from personal or business accounts to or from high-risk jurisdictions, and financial secrecy havens or jurisdictions.

mitigation is necessary. No risk mitigation is necessary since the credit union does not offer private banking services or trust and asset management products and services

DISCUSS MITIGATION FACTORS SUCH AS MEMBERSHIP CHECKED AGAINST OFAC LIST ON A MONTHLY BASIS, MONITORING CURRENCY ACTIVITY OF INTERNATIONAL ACCOUNTS Wire logs maintained for all outgoing and incoming wires Logs are reviewed periodically by the manager for suspicious patterns Also reviewed by independent auditors Discuss recurring wires such as payrolls, change funds


A total of incoming____ wire transfers in 2009, ___ were recurring wires ____ outgoing wires in 2009 HIDTA/HIFCA

_____ international wires in 2009 LOW: The credit union is not located in a High Intensity Drug Trafficking Area (HIDTA) or High Intensity Financial Crime Area (HIFCA). No fund transfers or account relationships involve HIDTAs or HIFCAs.

Describe mitigation factors utilized to minimize risk such as review of large currency transaction reports and other reports used to HIGH: The credit union is located determine structuring in an HIDTA or HIFCA. A large or unusual account number of fund transfers or account activity relationships involve HIDTAs or HIFCAs. LOW: No transactions with highDiscuss transactions risk geographic locations with high-risk geographic locations; MODERATE: Minimal transactions probably will be with high-risk geographic locations domestic high-risk locations such as HIGH: Significant volume of HIDTAs within transactions with high-risk Alabama or Florida geographic locations For credit unions with Definition of high-risk geographic debit and/or credit locations: cards, transactions blocked to countries Domestic (HIDTAs, HIFCAs) subject to OFAC sanctions (Cuba, Iran, Myanmar, and International: Countries subject to Sudan); credit union OFAC sanctions (Cuba, Iran, may block all foreign MODERATE: The credit union is located in an HIDTA or HIFCA. The credit union has some fund transfers or account relationships that involve HIDTAs or HIFCAs.

Geographic Locations

Conduct analysis of member data to determine level of account relationships with HIDTAs or HIFCAs


Staff Turnover

Myanmar, and Sudan), countries identified as supporting international terrorism, jurisdictions determined to be “of primary money laundering concern,” jurisdictions or countries identified as noncooperative by the Financial Action Task Force on Money Laundering, major money laundering countries and jurisdictions identified in the U.S. State Department’s annual International Narcotics Control Strategy Report, ( / 2009/vol1/index.htm), offshore financial centers (Andorra, Anguilla, Aruba, Bahamas, Belize, Bermuda, British Virgin Islands, Cayman Islands, Cook Islands, Cyprus, Gibraltar, Guernsey, Isle of Man, Jersey, Liechtenstein, Macao, Malaysia, Monaco, Montserrat, Netherlands Antilles, Palau, Panama, Samoa, Seychelles, Turks and Caicos Islands, and Vanuatu) LOW: Low turnover of key personnel or frontline personnel MODERATE: Low turnover of key personnel but frontline personnel may have changed HIGH: High turnover, especially in key personnel positions

transactions; describe credit union’s processes

Discuss level of experience of key personnel and frontline personnel Continued Bank Secrecy Act training for frontline employees is a priority. Provide detailed information on training program.

Conclusion: Through an analysis of the credit union’s size, location(s), products and services offers, methods of opening accounts, the customer base and operational issues, management has determined the credit union is at LEVEL OF RISK (low, moderate or high) of being used to launder money or finance terrorism. SAMPLE CREDIT UNION’s Bank Secrecy Act policy has been

7 developed to mitigate risks. In addition, the Bank Secrecy Act officer is charged with ensuring the risk assessment is adequately documented and represents the credit union’s current practices.