© 2018 CUNA GENERAL OPERATIONS REGULATIONS

GENERAL OPERATIONS REGULATIONS

CUNA RegTraC

TABLE OF CONTENTS

Legal Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Section 1—The Bank Bribery Act . . . . . . . . . . . . . . . . . . . . . . . 1-1

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

NCUA IRPS 87-1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

Suggested code of conduct considerations . . . . . . . . . . . . . 1-4

Penalties for Noncompliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Record Retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

Products and Services Affected by the Bank Bribery Act . . . . . . . . . 1-6

Appendix 1-A — Sample Bank Bribery Act Policy . . . . . . . . . . . . . . 1-7

Quiz/Study Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12

Section 2—The Right To Financial Privacy Act . . . . . . . . . . . . . . 2-1

General Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

Compliance with the RTFPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

Member’s written authorization (§3404) . . . . . . . . . . . . . . . 2-5

Administrative subpoena (§3405) . . . . . . . . . . . . . . . . . . . . 2-5

Search warrant (§3406) . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5

Judicial subpoena (§3407) . . . . . . . . . . . . . . . . . . . . . . . . 2-6

Grand jury subpoena . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6

Formal written request (§3408) . . . . . . . . . . . . . . . . . . . . . . 2-7

Delayed notice (§3409) . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

Certificate of Compliance (§3403(b)) . . . . . . . . . . . . . . . . . 2-8

Cost reimbursement (§3415) . . . . . . . . . . . . . . . . . . . . . . 2-8

Civil Penalties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10


Record Retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10

State Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10

Appendix 2-A — Sample Certificate of Compliance . . . . . . . . . . . . 2-11

Quiz/Study Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12

Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14

Section 3—The Bank Secrecy Act . . . . . . . . . . . . . . . . . . . . . . . 3-1

General Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

The laws that form the “Bank Secrecy Act” . . . . . . . . . . . . . 3-3

Reporting Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

Currency Transaction Reports . . . . . . . . . . . . . . . . . . . . . 3-5

Suspicious Activity Reports . . . . . . . . . . . . . . . . . . . . . . . 3-9

Report of International Transportation of Currency or Monetary Instruments . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11

FinCEN Form 114 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12

Filing forms electronically . . . . . . . . . . . . . . . . . . . . . . . . . 3-12

Recordkeeping Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12

Filed reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13

Certain credit extensions . . . . . . . . . . . . . . . . . . . . . . . . 3-13

Certain transfers of currency or monetary instruments . . . . 3-13

Records regarding a geographic targeting order . . . . . . . . . 3-13

Sales of certain monetary instruments in amounts between $3,000 and $10,000 . . . . . . . . . . . . . . . . . . . 3-13

Certain wire transfers . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14

Other Bank Secrecy Act requirements . . . . . . . . . . . . . . . 3-15

Information Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16

USA PATRIOT Act’s Customer Identification Program Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18

CIP Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18

Member/customer due diligence . . . . . . . . . . . . . . . . . . . . 3-21

Checking government lists . . . . . . . . . . . . . . . . . . . . . . . . 3-21

Record Retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22

Penalties for Noncompliance . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22


Products and Services Affected by the Bank Secrecy Act . . . . . . . . 3-23

Quiz/Study Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24

Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-27

Section 4— IRS Information Reporting and Withholding Requirements . . . . . . . . . . . . . . . . . . . 4-1

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

Information Returns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

IRS Form 1098 — Mortgage interest . . . . . . . . . . . . . . . . . . 4-3

IRS Form 1098-E — Student loan interest statement . . . . . . . 4-4

IRS Form 1099-INT — Interest income . . . . . . . . . . . . . . . . 4-5

IRS Form 1099-C — Discharge of indebtedness . . . . . . . . . . 4-5

IRS Form 990 — Return of organization exempt from income tax . . . . . . . . . . . . . . . . . . . . . . . . . 4-8

Special mailing requirements . . . . . . . . . . . . . . . . . . . . . . 4-8

Electronic delivery of payee statements . . . . . . . . . . . . . . . . 4-9

Penalties for failure to file information returns . . . . . . . . . . . 4-9

Record retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10

Backup Withholding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10

Reportable payments . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11

Withholding conditions . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11

Withholding procedure . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11

TIN certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14

Certificate of Foreign Status . . . . . . . . . . . . . . . . . . . . . . 4-14

New accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15

Repayment of erroneously collected tax . . . . . . . . . . . . . . 4-16

Information returns . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-16

Penalties for noncompliance . . . . . . . . . . . . . . . . . . . . . . 4-16

Record retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-16

Products and services affected by backup withholding regulations . . . . . . . . . . . . . . . . . . . . 4-16

Quiz/Study Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-17

Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-19


Section 5—Privacy Regulations . . . . . . . . . . . . . . . . . . . . . . . . 5-1

CFPB, Regulation P – Privacy of Consumer Financial Information . . . . . . 5-2

General Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2

All credit unions have to provide privacy notices . . . . . . . . . 5-2

“Opt out” option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2

Complying with Federal Privacy Regulations . . . . . . . . . . . . . . . . . . 5-3

All “financial institutions” . . . . . . . . . . . . . . . . . . . . . . . . 5-3

Key Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3

Providing Privacy Disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5

Members and certain nonmembers . . . . . . . . . . . . . . . . . . 5-5

Consumers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6

Termination of annual privacy notices . . . . . . . . . . . . . . . . 5-6

Alternative Method of Delivery for Annual Privacy Notices . . . . 5-6

Exemption to Annual Privacy Notice Requirements . . . . . . . . 5-7

Privacy Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7

Format of privacy notices . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8

The opt-out notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9

Exceptions to the General Privacy Notice and Opt-Out Rules . . . . . 5-10

General overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10

Prohibition On Sharing Account Numbers with Third Parties . . . . . 5-13

General prohibition . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13

Exception to the prohibition on sharing account numbers for marketing purposes . . . . . . . . . . . . . . . . . . . 5-13

The Fair Credit Reporting Act and the Privacy Regulation . . . . . . . 5-13

NCUA’s Confidentiality Bylaw and the Privacy Regulation . . . . . . . 5-14

Safeguarding Member Information — NCUA Part 748 . . . . . 5-14

Developing a security program . . . . . . . . . . . . . . . . . . . . . . 5-15

Response programs for data security breaches . . . . . . . . . . . 5-18

Components of a response program . . . . . . . . . . . . . . . . . . 5-18

Member notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19

Content of member notice . . . . . . . . . . . . . . . . . . . . . . . . . 5-19

Staff training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20


The Credit Union’s Liability . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20

Medical Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20

State Privacy Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21

Pretext Calling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22

NCUA Letter to Credit Unions 01-CU-09 . . . . . . . . . . . . . . 5-22

Checklist: Complying with the Federal Privacy Regulations . . . . . . . 5-23

Children’s Online Privacy Protection Act — COPPA . . . . . . . . . . . . . 5-24

Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24

Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25

Compliance with the Act . . . . . . . . . . . . . . . . . . . . . . . . . . 5-27

Quiz/Study Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28

Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-30

Section 6—The Office of Foreign Assets Control . . . . . . . . . . . . . 6-1

Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2

What Does This Have to Do with Credit Unions? . . . . . . . . . . . . . . . 6-3

What is the SDN list? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4

What must credit unions do to comply? . . . . . . . . . . . . . . . . 6-5

Reporting blocks and rejects to OFAC . . . . . . . . . . . . . . . . . . 6-5

What happens if the credit union fails to block the transaction? . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6

So how do you avoid an OFAC violation? . . . . . . . . . . . . . . . 6-6

OFAC Compliance program . . . . . . . . . . . . . . . . . . . . . . . . . 6-7

Record Retention Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7

Quiz/Study Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9

Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10

Section 7— Electronic Signatures in Global and National Commerce Act (ESIGN) . . . . . . . 7-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2

Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2

Validity of Electronic Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3

Transferable records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3

Oral communications not covered . . . . . . . . . . . . . . . . . . . . 7-4


Specific exemptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4

Consumer Disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5

Hardware and software requirements . . . . . . . . . . . . . . . . . . 7-5

Other Consumer Protection Requirements . . . . . . . . . . . . . . . . . . . . 7-5

Consent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5

What about consent obtained before ESIGN? . . . . . . . . . . . . 7-6

Verification and acknowledgment of receipt . . . . . . . . . . . . . 7-6

Notarization and acknowledgment . . . . . . . . . . . . . . . . . . . . 7-6

Electronic Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6

Record Retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6

Member access and retention of electronic records . . . . . . . . 7-7

ESIGN and State Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7

What is the NCCUSL? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7

Applicability to federal and state regulators . . . . . . . . . . . . . . 7-7

Quiz/Study Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9

Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10

Section 8 — Unlawful Internet Gambling . . . . . . . . . . . . . . . . . 8-1

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2

Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

Exemptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4

Due Diligence Process for Non-Exempt Participants . . . . . . . . . . . . . 8-4

Appendix 8-A — Designated Payment systems Examples . . . . . . . . . . 8-7

Appendix 8-B — UIGEA Notice of Restricted Transactions . . . . . . . 8-11


Legal Review

The RegTraC books are designed to provide general information regarding regulations affecting credit unions. They are not intended to substitute for legal advice based upon specific facts in any individual case, and credit unions with regulatory concerns are advised to consult with attorneys or specialists to obtain advice directed to their specific circumstances.

With respect to the content of the RegTraC books, neither Credit Union National Association (CUNA) nor its employees — nor any of its affiliates or their respective employees — make any express or implied warranty or assume any legal liability or responsibility for the accuracy, completeness, merchantability, fitness for a particular purpose or usefulness of any information. Neither do these books constitute an endorsement, recommendation or warranty of any product, service or provider mentioned herein. The views and opinions of the authors do not necessarily reflect those of CUNA. The books shall not be used for advertising or product endorsement purposes. To the maximum extent permitted by law, CUNA shall not be liable for any damages whatsoever arising out of the use, or inability to use, the books.

Material contained in the books is protected by copyright law. No part of any copyrighted materials may be reproduced or distributed without the prior written permission of the owner.

If you have further questions, please contact CUNA at 800-356-9655, ext. 4249, or e-mail [email protected].

Acknowledgments

In developing this certification program, comments and ideas were solicited from an extensive number of experienced league and credit union people throughout the U.S. This network of credit union-oriented reviewers provided a wealth of information that produced this manual. True to credit union philosophy, the reviewers volunteered their efforts. Their work was time-consuming and tremendously helpful. The authors and publisher of this book wish to acknowledge their contributions with great appreciation.

Contributors include:

• Andrea Stritzke, PolicyWorks

• Jeff Andersen, PolicyWorks

• Jennifer Anderson-Kapke, PolicyWorks

• Jeremy Smith, PolicyWorks


SECTION 1 – THE BANK BRIBERY ACT


Background

In many parts of the world, bribery is considered a usual part of the overall business process. Greasing the palm of a key employee or officer of a corporation or a government official is viewed in many countries as standard operating procedure — a legal way to “cut through the red tape” in order to get things done. Bribery, however, does not enjoy such revered status in the U.S. Plainly and simply, it is illegal here.

And because Congress views the integrity of the nation’s banking system as a high priority, bribery involving federally insured credit unions and other financial institutions is addressed separately in the federal Bank Bribery Act (BBA), 18 U.S.C. 215.

From the newly hired teller to a member of the board of directors, credit union employees, attorneys, and members of the official family are subject to the requirements of the BBA. This criminal statute makes it a federal offense for any officer, director, employee, agent, or attorney of a federally insured financial institution to corruptly solicit or corruptly agree to accept anything of value from any person, if that officer, director, employee, agent, or attorney intends to be influenced or rewarded in connection with any business or transaction of the financial institution. (Section 215(a)(2); Section 215(a)(1) covers the person who corruptly gives, offers, or promises the thing of value.)

A key term in that prohibition is the word “corruptly.” Before the 1985 amendment of the BBA added that word, the statute appeared to prohibit legitimate payments for services rendered, and even insignificant gift-giving or entertaining that involved no breach of fiduciary duty or dishonesty. With “corruptly” in the statute, such conduct is not prohibited.

Another key phrase to consider in terms of BBA violations is “influenced or rewarded.” When we think of “bribery” we usually think of a payment in advance of special favors or services rendered. But the BBA prohibits corrupt gifts received after performing special favors or services as well. Consider as an illustration the case of Ryan v. U.S., C.A. Cal. 1960, 278 F.2d 836, where the defendant (Ryan), a commercial loan officer at a bank, bent over backward to help customers procure loans, then was rewarded with cash payments from some of the parties who benefited from his special services. The court held that the statute was clearly violated even though the loans to the borrowers were completed before the defendant received the gifts from the borrowers.

The BBA gave federal agencies with responsibility for regulating financial institutions a mandate to establish guidelines to assist officers, directors, employees, agents, and attorneys of those financial institutions in complying with this law. (Section 215(d).) These guidelines were developed by the Interagency Bank Fraud Working Group, of which the National Credit Union Administration (NCUA) was a part. The NCUA issued its Interpretive Ruling and Policy Statement (IRPS) No. 87-1 in late 1987 to provide federally insured credit unions with guidelines to use in complying with the BBA. To see this statement, go to www.ncua.gov/Legal/Documents/IRPS/IRPS1987-1.pdf

NCUA IRPS 87-1

IRPS 87-1 provides credit unions with some background on the BBA, then recommends procedures which federally insured credit unions should implement to ensure compliance. Although these guidelines do not have the force of law, the Justice Department (which prosecutes violations of the BBA) will consider a credit union’s reliance on these guidelines in making the determination whether an activity should or should not be prosecuted. Therefore, credit unions are well-advised to abide by the recommendations of IRPS 87-1 to guard against the risk of BBA violations.

IRPS 87-1 encourages all federally insured credit unions to adopt internal codes of conduct or written policies that, among other things, explain the general prohibitions embodied in the BBA. Keep in mind, internal codes of conduct should also address conduct which is prohibited by other statutes or regulations — for example, NCUA’s Rules and Regulations regarding loan officer incentives, loans to officials, restrictions regarding credit union investments, and certain CUSO activities. IRPS 87-1 also directs credit unions to establish and enforce written policies on acceptable business practices.

The NCUA recommends that each credit union’s code of conduct prohibit any employee, officer, director, committee member, agent, or attorney (a group which the NCUA collectively terms “Credit Union Officials”) from:

• Soliciting for themselves or for a third party (other than the credit union itself) anything of value from anyone in return for any business, service, or confidential information of the credit union; and

• Accepting anything of value (other than bona fide salary and fees) from anyone in connection with the business of the credit union either before or after a transaction is discussed or consummated.

The NCUA recognizes that such a broad prohibition against accepting anything of value in connection with the business of the credit union — other than bona fide salaries and fees — is somewhat harsh. Under that strict definition, a credit union manager who accepts a lunch or dinner from a vendor — or lets the vendor pick up his greens fees at the local golf course — would violate this code. To address this, IRPS 87-1 recommends that each credit union’s code of conduct specify appropriate exceptions to the general prohibition of accepting something of value in connection with credit union business.

In general, there is no threat of violating the BBA if a credit union official accepts something of value from someone:

• When the acceptance is based on a family or personal relationship that exists independently of any business of the credit union;

• If the benefit is available to the general public under the same conditions on which it is available to the credit union official; or

• If the benefit would be paid by the credit union as a reasonable business expense if it was not paid by the other person.

IRPS 87-1 does not fix an objective standard as to how much can be received or given in the areas of business-purpose entertainment or gifts. As the IRPS points out, what is reasonable in one part of the country may appear lavish in another part of the country. Thus it is up to each credit union to establish acceptable standards within its own code of conduct — NCUA’s official guidance is that credit unions “should seek to embody the highest ethical standards” in their codes of conduct. Credit unions are encouraged to establish a range of dollar values that cover the various benefits that their officials may receive from those doing or seeking to do business with the credit union.

A credit union’s code of conduct should provide some, but not too much, flexibility. For example, whatever acceptable range is established in terms of what benefits can be received by credit union officials, the code can allow the limit to be reasonably exceeded, as long as any time a credit union official is offered or receives something of value beyond what is authorized in the code of conduct, the official is required to disclose that fact to the official at the credit union charged with ensuring Bank Bribery Act compliance.

Each credit union should develop a reporting mechanism to prevent situations that might otherwise lead to implications of corrupt intent or breach of trust. IRPS 87-1 makes clear, however, that simply disclosing those instances when a credit union official receives something of value beyond what the code of conduct authorizes is not enough. Management must then review these disclosures and determine whether what has been accepted is reasonable and does not pose a threat to the integrity of the credit union. These reviews should be documented.

In addition, IRPS 87-1 recommends that each credit union’s code of conduct require that all credit union officials disclose all potential conflicts of interest, including those in which they have been inadvertently placed due to business or personal relationships with members, suppliers, business associates, or competitors of the credit union. The NCUA recognizes that a credit union official who is involved in outside business interests or employment that gives rise to a potential conflict of interest can pose a threat to the integrity of a credit union.

Suggested code of conduct considerations

IRPS 87-1 recommends that each credit union’s code of conduct or Bank Bribery Act policy include a general prohibition against acceptance by credit union officials of things of value in connection with credit union business. The code or policy can then define exceptions to that general prohibition, including permission to accept:

• Gifts, gratuities, or favors based on an obvious family or personal relationship where the circumstances make it clear that it is such a relationship — not the business of the credit union — which is the motivating factor.

• Meals, refreshments, or entertainment, all of reasonable value and in the course of a legitimate business meeting, provided these expenses would be paid by the credit union if they were not paid by the other party (the credit union can, and should, establish a specific dollar limit for such an occasion).

• Loans from banks or financial institutions on customary terms to finance proper and usual activities of credit union officials, such as home mortgage loans, except where prohibited by law.

• Advertising or promotional material of nominal value, such as pens, pencils, note pads, key chains, calendars, and similar items.

• Discounts or rebates on merchandise or services that do not exceed those available to other members.

• Gifts of reasonable value that are related to commonly recognized occasions, such as a promotion, new job, wedding, retirement, Christmas, or bar or bat mitzvah (the credit union can, and should, establish a specific dollar limit for these types of gift).

• Civic, charitable, educational, or religious organizational awards for recognition of service and accomplishment (the credit union can, and should, establish a specific dollar limit for these types of awards).

IRPS 87-1 also allows the code of conduct to provide that credit unions may approve — on a case-by-case basis — situations in which a credit union official accepts something of value in connection with credit union business, provided such approval is made in writing on the basis of a full written disclosure of all relevant facts and is consistent with the Bank Bribery statute.

Finally, IRPS 87-1 recommends that in order to ensure compliance with the BBA, each credit union should:

• Maintain a copy of any code of conduct or written policy it establishes for its officials.

• Require an initial written acknowledgment from all credit union officials of the code of conduct, along with written acknowledgment of any subsequent material changes, and the officials’ agreement to comply with the code.

• Maintain written reports of any disclosures made by its credit union officials in connection with a code of conduct or written policy.

Again, although the guidelines in IRPS 87-1 do not have the force of law, the Justice Department will consider a credit union’s reliance on these guidelines in making the determination whether an activity should or should not be prosecuted under the BBA.

Penalties for Noncompliance

The BBA is a criminal statute. If a thing of value corruptly offered to or received by a credit union official is worth $1,000 or less, both the person making the offer and the credit union official can be convicted of a misdemeanor and punished by up to one year’s imprisonment, a fine, or both. If the thing of value is worth more than $1,000, the offense is a felony punishable by up to 30 years’ imprisonment, a fine of up to $1,000,000 or three times the value of the bribe or gratuity (whichever is greater), or both. (Section 215(a).)

Record Retention

Credit unions should retain all evidence of compliance with the BBA permanently. It is recommended that all credit union officials be given a written code of conduct or policy that addresses the general prohibition against accepting anything of value in connection with the business of the credit union. Each official should sign an acknowledgment of receipt of this policy. The credit union’s policy should require that any official who receives something of value in excess of the established guidelines submit a written disclosure to an individual designated as the BBA compliance officer. These disclosures should be presented to the full board of directors for a determination whether they are reasonable and thus not in violation of the BBA. These disclosures should then be retained permanently.

Products and Services Affected by the Bank Bribery Act

Because the prohibitions of the BBA apply across the board to all officers, directors, employees, agents, and attorneys of a federally insured credit union, virtually all of the products and services offered by the credit union could in some way be affected by this law. Staff training for every credit union department should include a discussion of the ramifications of violating the Bank Bribery Act.


Appendix 1-A – Sample Bank Bribery Act Policy

Definition

For purposes of this Bank Bribery Act Policy of XYZ Credit Union, the term “credit union official” means any employee, officer, director, committee member, agent, or attorney of XYZ Credit Union.

Summary of Bank Bribery Act

The federal Bank Bribery Act, 18 U.S.C. 215, provides that whoever corruptly gives, offers, or promises anything of value to any person, with intent to influence or reward a credit union official in connection with any business or transaction of a financial institution, or who, as a credit union official, corruptly solicits or demands for the benefit of any person, or corruptly accepts or agrees to accept, anything of value from any person intending to be influenced or rewarded in connection with any business or transaction of such institution, shall be guilty of a misdemeanor if the thing of value is worth $1,000 or less or a felony if the thing of value is worth more than $1,000.

Intent to Comply

It is the intent of XYZ Credit Union to comply with the requirements of the Bank Bribery Act.

Designation of BBA Compliance Officer

__________________________ is hereby designated as the BBA Compliance Officer for XYZ Credit Union.

General prohibition

No credit union official of XYZ Credit Union shall:

• Solicit anything of value for himself or for a third party (other than the credit union itself) in return for any business, service, or confidential information of the credit union.

• Accept anything of value (other than bona fide salary and fees for services rendered) from anyone in connection with the business of the credit union either before or after a transaction is discussed or consummated.

Exceptions

Despite the general prohibitions listed above, an official of XYZ Credit Union is permitted to accept:

• Gifts, gratuities, or favors based on an obvious family or personal relationship where the circumstances make it clear that it is such a relationship — not the business of the credit union — which is the motivating factor.


• Meals, refreshments, or entertainment, all of reasonable value and in the course of a legitimate business meeting, provided these expenses would be paid by the credit union if they were not paid by the other party, and provided the price of those meals, refreshments, or entertainment does not exceed $________ on any single occasion.

• Loans from banks or financial institutions on customary terms to finance proper and usual activities of credit union officials, such as home mortgage loans, except where prohibited by law.

• Advertising or promotional material of nominal value, such as pens, pencils, note pads, key chains, calendars, and similar items.

• Discounts or rebates on merchandise or services that do not exceed those available to other members.

• Gifts of reasonable value that are related to commonly recognized occasions, such as a promotion, new job, wedding, retirement, Christmas, or bar or bat mitzvah, provided the value of those gifts does not exceed $_______.

• Civic, charitable, educational, or religious organizational awards for recognition of service and accomplishment (the credit union can, and should, establish a specific dollar limit for these types of awards).

If a credit union official of XYZ Credit Union is offered or receives something of value beyond that which is authorized in this policy, the credit union official must disclose that fact in writing to the BBA compliance officer. The BBA compliance officer will then report this disclosure to the board of directors at its next regularly scheduled meeting, at which time the board will determine whether the disclosed thing of value is reasonable and that it does not pose a threat to the integrity of the credit union. This determination will be noted in the minutes of the board meeting.

On an annual basis, each credit union official will sign a written statement in acknowledgment of the official’s receipt of a copy of this Bank Bribery Act Policy.

Disclosures of conflicts of interest

On an annual basis, each credit union official will submit, on a form developed by the XYZ Credit Union BBA Officer and approved by the board of directors, an acknowledgment of all conflicts of interest, including those in which they have been inadvertently placed due to either business or personal relationships with members, suppliers, business associates, or competitors of the credit union.

Record retention

The XYZ Credit Union BBA compliance officer shall maintain a file containing:

• Each credit union official’s annual acknowledgment of the official’s receipt of the XYZ Bank Bribery Act Policy.


• Each credit union official’s annual acknowledgment of the official’s potential conflicts of interest.

• Each written disclosure made by a credit union official that the official has received something of value beyond that which is authorized in this policy, including a notation thereon indicating the date on which the board of directors reviewed the disclosure.

These records shall be maintained permanently.

Review

This policy shall be reviewed annually.

Revised/Adopted this ______ day of __________, 20__.

Secretary of the Board


The Bank Bribery Act

Quiz/Study Guide

1. If NCUA’s Interpretive Ruling and Policy Statement No. 87-1 does not have the force of law, what was NCUA’s purpose in publishing it?


2. The NCUA Interpretive Ruling and Policy Statement 87-1 provides credit unions with Bank Bribery Act guidelines. The credit union employees affected by the Act and guidelines are named in that letter. List the six groups named.


3. Why doesn’t IRPS 87-1 establish an objective standard as to how much can be received or given in the areas of business-purpose entertainment or gifts?


4. Are there ever any circumstances when a credit union official can accept something of value over the credit union’s established guidelines?



5. List three types of “things of value” a credit union’s Bank Bribery Act Policy can allow a credit union official to receive without violating the BBA.


6. The NCUA guidelines discuss conflict of interest for credit union officials. What does it say the credit union official must do when a conflict of interest situation arises?



The Bank Bribery Act

Answer Key

1. Although these guidelines do not have the force of law, the Justice Department (which prosecutes violations of the BBA) will consider a credit union’s reliance on these guidelines in making the determination whether an activity should or should not be prosecuted. (Page 1-3)

2. The guideline lists: 1) employees; 2) officers; 3) directors; 4) committee members; 5) agents; and 6) attorneys. (Page 1-3)

3. IRPS 87-1 does not fix an objective standard as to how much can be received or given in the areas of business purpose entertainment or gifts. NCUA’s official guidance to credit unions is to seek to set the highest ethical standards in their codes of conduct. As the IRPS points out, what is reasonable in one part of the country may appear lavish in another part of the country. (Page 1-4)

4. The NCUA guidelines state that a credit union official may accept something of value in connection with credit union business if the credit union makes the approval in writing based on a full written disclosure of the relevant fact and if the acceptance does not violate the Bank Bribery statute. (Page 1-5)

5. Any of the following:

Gifts, gratuities, or favors based on an obvious family or personal relationship where the circumstances make it clear that it is those relationships – not the business of the credit union – which provide the motivating factor.

Meals, refreshments, or entertainment, all of reasonable value and occurring in the course of a legitimate business meeting provided these expenses would be paid for by the credit union if they were not paid for by the other party (the credit union can, and should, establish a specific dollar limit for such an occasion).

Loans from banks or financial institutions on customary terms to finance proper and usual activities of credit union officials such as home mortgage loans except where prohibited by law.

Advertising or promotional material of nominal value such as pens, pencils, note pads, key chains, calendars, and similar items.

Discounts or rebates on merchandise or services that do not exceed those available to other members.


Gifts of reasonable value that are related to commonly recognized occasions such as a promotion, new job, wedding, retirement, Christmas, or bar or bat mitzvah (the credit union can, and should, establish a specific dollar limit for these types of gifts).

Civic, charitable, educational, or religious organizational awards for recognition of service and accomplishment (the credit union can, and should, establish a specific dollar limit for these types of awards). (Page 1-4 to 1-5)

6. The NCUA guidelines recommend that the credit union’s code of conduct require all credit union officials to disclose all potential conflicts of interest including any they are inadvertently placed in due to business or personal relationships with members, suppliers, business associates, or competitors of the credit union. (Page 1-4)


SECTION 2 – THE RIGHT TO FINANCIAL PRIVACY ACT


General Overview

Mary Smith is a teller at Anytown Community Credit Union in Anytown, USA. She’s in all ways an exemplary member of her community. Like all good citizens, Mary is very interested in doing her part to help law enforcement keep the streets of Anytown crime-free. One day Mary is approached by Agent Hoover from the Anytown branch of the FBI. Mary has known Agent Hoover for years, as he has been a longtime member of ACCU. On this day, Agent Hoover is all business. “Good afternoon, Mary,” Hoover begins. “Let me get right to the point. We’ve been following up leads on an individual by the name of John Doe, who we believe may be running an illegal gambling ring right here in Anytown. I think we can nail this guy, but we’ll need your help. We know this guy opened an account here at ACCU. If I can have a look at his past few months of account history I believe I can put together a solid case against him.” What’s a good, law-abiding teller to do? If she’s been trained to recognize a potential violation of the federal Right to Financial Privacy Act, she’ll most likely bid Agent Hoover a pleasant day and ask him to come back when he’s ready to comply with that statute.

Generally speaking, the Right to Financial Privacy Act (RTFPA) (12 USC 3401 et seq.) prohibits a credit union — whether federally or state-chartered — from disclosing its members’ financial records to any federal agency except in limited circumstances. With some exceptions, a credit union can only provide federal agencies access to the financial records of a member when the federal agency has reasonably described the records sought and:

• The member has provided written authorization allowing the credit union to disclose the information per Section 3402(1).

• The records are disclosed in response to an administrative subpoena per Section 3402(2).

• The records are disclosed in response to a validly issued search warrant per Section 3402(3).

• The records are disclosed in response to a judicial subpoena per Section 3402(4).

• The records are disclosed in response to a formal written request which is described in the statute per Section 3402(5).

Even if a federal agency has reasonably described the records sought and has produced one of the five documents referred to above, the credit union may not disclose the information unless the agency seeking the information certifies in writing that it has complied with the requirements of the RTFPA. (Section 3403(b).) In this section we will discuss these various documents to give the reader an idea of what to look for, but first it is important to understand there are several notable exceptions to these general RTFPA rules.

Exceptions

Although the general rule of the RTFPA seems to provide individuals very broad protection of their financial privacy, the statute has a number of exceptions. Several of the more commonly used exceptions are listed in this section. If a federal agency seeks information from a credit union about one of its members and claims that it need not comply with the RTFPA due to an exception, the agency should provide the specific statutory authority for that exception to the credit union so that the credit union and its attorney can review the specific exception as set forth in the law to ensure that the agency is correct.

As a general rule, when a credit union has doubts about whether it should turn over information about its members to a federal agent, it is better to err on the side of caution. Most federal agents should not mind waiting 24 hours or so to obtain the information sought to allow the credit union to review their request with their own attorney.

With that background, here are a few of the more common exceptions from the RTFPA that are built right into the statute.

Suspicious Activity Reports

As is discussed elsewhere in this book (see “Bank Secrecy Act”), credit unions have a duty to report information to federal law enforcement officials when that information may be relevant to a possible violation of any statute or regulation. This information is to be reported through the completion of a Suspicious Activity Report (SAR). It would seem that a submission of an SAR is directly at odds with the general prohibition against disclosures of this nature set forth in the RTFPA.

The RTFPA addresses this problem by providing an exception to its general rule. If a credit union notifies any federal authority regarding information which may be relevant to a violation of any statute or regulation, the credit union will not be liable to its member — under any law, state or federal — for such a disclosure or for failure to notify its member that it has disclosed the information. This special protection is only extended, however, if all the credit union reveals is the member’s name or other identifying information (for example: name, address, account number, and type of account), and the nature of the suspected illegal activity. (Section 3413(g).)

Certain lending activities

Suppose a credit union files a federal lien on a boat which is security on a member’s loan. In filing the lien, the credit union will necessarily divulge information to a federal agency about its member. So too, if the credit union attempts to prove a claim in a bankruptcy proceeding, it will usually divulge information from its files to the bankruptcy trustee’s office. These activities are a necessary part of the credit union’s business, and its efforts would be hampered if it were required each time to comply with the cumbersome processes of the RTFPA. Fortunately, the Act provides an exception from its general prohibition if the credit union divulges information to a federal agency as an incident to perfecting a security interest, proving a claim in bankruptcy, or otherwise collecting on a debt owing to the credit union. (Section 3413(d).) Similarly, a credit union will not risk violating the RTFPA if it divulges information about its member to a federal agency during the processing of a government loan — for example, a guaranteed student loan, or a loan insured by the Small Business Administration. (Section 3413(h)(1)(B).)

Examinations

All credit unions undergo regular examinations through their state regulator and/or the NCUA. The RTFPA does not apply with respect to disclosures made during the course of these examinations. (Section 3413(b).)

IRS reporting

Credit unions routinely issue reports to the Internal Revenue Service pursuant to their duties under the Internal Revenue Code. The RTFPA does not apply to any reports made to the IRS which are required under the IRS Code (for example, Information Returns). (Section 3413(c).)

Federal reporting

Some federal statutes require credit unions to make reports to various agencies of the federal government. The Home Mortgage Disclosure Act (HMDA), for example, requires credit unions to provide a great deal of personal information about their members in their annual HMDA reports. The RTFPA does not apply to disclosures made by credit unions in complying with their various federal regulatory requirements. (Section 3413(d).)

Federal rules of civil or criminal procedure

If a credit union’s member and a federal agency are legal parties to a civil or criminal lawsuit and the federal agency requests information from the credit union about one of its members under appropriate court rules, the credit union may turn the information over without violating the RTFPA. Credit unions are well-advised to seek the opinion of their retained counsel to determine whether the federal agency has complied with the court rules in these situations. (Section 3413(e).)

Special procedures

An exception to the general prohibition against producing member records also arises in two extraordinary situations — when a federal agency is engaging in foreign intelligence activities, and when the Secret Service seeks information as part of its protective function. Although the government agencies need not produce one of the five documents discussed above in conjunction with a request for information about a member, they must still provide the credit union with a certificate of compliance with the RTFPA. In addition, in these two circumstances the credit union is absolutely prohibited from disclosing to its member that the information was sought or obtained. (Section 3414.)


Compliance with the RTFPA

As was mentioned earlier, under the RTFPA a credit union can only provide federal agencies access to the financial records of any member when the federal agency has reasonably described the records sought and provided written authorization from the member; produced an administrative subpoena; delivered a validly executed search warrant; produced a judicial subpoena; or provided a “formal written request.”

Member’s Written Authorization (§3404)

A credit union will be safe in disclosing information about a member’s account when the member in question provides written authorization for the disclosure. This authorization must be in the form of a signed and dated statement which:

• Authorizes the credit union to disclose the information for a period which does not exceed three months.

• States that the member may revoke the authorization at any time prior to the credit union’s disclosure of the information.

• Identifies the records authorized to be disclosed.

• Specifies the purpose for which the records may be disclosed along with the agency to which they may be disclosed.

• States the member’s rights under the RTFPA.

If a member provides this written authorization, he generally has the right to receive a copy of whatever records are disclosed pursuant to his authorization. There are exceptions to this general notice provision, as we will discuss in the following paragraphs.

Administrative Subpoena and Summons (§3405)

An administrative subpoena is a formal request for information issued by an executive branch agency of the federal government. The credit union may release member information pursuant to an administrative subpoena only if:

• The credit union has reason to believe that the records sought are related to a legitimate law enforcement inquiry;

• The member has been served with a copy of the subpoena on or before the credit union is served with it, and the credit union receives a copy of a notice sent to the member specifically describing the nature of the inquiry; and

• The credit union waits 10 days from the date the member was served the subpoena (or 14 days if the member was served by mail) to see if notice is received that the member has filed a motion to stop the subpoena.

Search Warrant (§3406)

The Fourth Amendment of the United States Constitution protects Americans against unreasonable searches and seizures of their persons or papers. Throughout the history of jurisprudence in this country courts have sought to balance this fundamental right with the needs of law enforcement personnel to investigate and deter possible criminal activity. The issue is, of course, to define what is an “unreasonable” search. The Federal Rules of Criminal Procedure provide a procedure by which law enforcement officials can obtain the right to conduct a search of an individual’s otherwise protected residence, car, credit union accounts, etc. — the search warrant. A valid search warrant will be signed by a judge (or in some cases a magistrate) only after she has been presented (by law enforcement personnel seeking the warrant) with probable cause that a crime has been committed. A credit union presented with a validly executed search warrant can surrender only the information described in the warrant.

No later than 90 days after the government authority serves the search warrant, the RTFPA requires that authority to mail to the individual’s last known address a copy of the search warrant along with a special notice. (Section 3406(b).)

Judicial Subpoena (§3407)

A judicial subpoena is similar in most respects to an administrative subpoena, except that it will be issued by a court as opposed to an executive branch agency. The procedures in terms of compliance with the RTFPA are identical whether a subpoena is administrative or judicial in nature. That is, the credit union may release member information pursuant to a judicial subpoena only if:

• The credit union has reason to believe that the records sought are related to a legitimate law enforcement inquiry;

• The member has been served with a copy of the subpoena on or before the credit union is served with it, and the credit union receives a copy of a notice sent to the member specifically describing the nature of the inquiry; and

• The credit union waits 10 days from the date the member was served the subpoena (or 14 days if the member was served by mail) to see if notice is received that the member has filed a motion to stop the subpoena.

Grand Jury Subpoena

If member financial records are requested by grand jury subpoena, special instructions and restrictions apply that must be closely followed.

• The credit union is prohibited from notifying the member that the records have been requested and disclosed.

• The requested records must be presented in person to the grand jury.

• The records can only be used for considering an indictment or presentment by the grand jury.

• The records must be destroyed or returned to the credit union if not used.

• The records or a description of the records can only be kept in the sealed records of the grand jury unless they are used in the prosecution of the crime they were requested in relation to.


Formal Written Request (§3408)

A federal law enforcement official seeking private financial information about a credit union member has one final option if he is unable to obtain a written authorization from the member, a judicial or administrative subpoena, or a search warrant. He can issue a formal written request for the information. This option is only available to the law enforcement agent if there is no administrative subpoena authority to suit his purpose, the request is authorized by regulations of his particular agency, and there is reason to believe that the records sought are relevant to a legitimate law enforcement inquiry. It is important to note that those are some substantial, and very fact-specific, hurdles for the law enforcement official to overcome.

A credit union presented with a request for member records pursuant to a “formal written request” should carefully document that these conditions have been met. It would probably be a good idea to get the help of retained counsel in doing so. Assuming those conditions are present, the credit union must also receive proof that a copy of the formal written request was served on the member in question, along with a notice containing the language in Figure 2.1.

As is the case with an administrative or judicial subpoena, the information should not be divulged until 10 days have expired from the date the member was served or 14 days from the date the notice was mailed to the member.

Figure 2.1 Sample Language for Formal Written Request

Records or information concerning your transactions held by the financial institution named in the attached subpoena or summons are being sought by the (agency or department) in accordance with the Right to Financial Privacy Act of 1978 for the following purpose:

[state reason]

If you desire that such records or information not be made available, you must:

• Fill out the accompanying motion paper and sworn statement or write one of your own stating you are the member whose records are being requested by the government and giving other reasons why you believe the records are not relevant to the legitimate law enforcement inquiry stated in this notice or cite any other legal basis for objecting to the release of the records.

• File the motion and statement by mailing or delivering them to the clerk of the following U.S. district court(s):

[state courts]

• Serve the government authority requesting the records by mailing or delivering a copy of your motion and statement to:

• Be prepared to come to court and present your position in further detail.

You do not need to have a lawyer although you may wish to employ one to represent you and protect your rights.

If you do not follow the above procedures upon the expiration of 10 days from the date of service or within 14 days from the date of mailing this notice, the records or information requested will be made available. These records may be transferred to other government authorities for legitimate law enforcement inquiries, in which event you will be notified after the transfer.


Delayed Notice (§3409)

When records are turned over to federal agents under any of the procedures discussed above, the affected member is typically entitled to know what exactly was turned over. With certain exceptions, the agency obtaining the information has a duty to let the member know that it has obtained information from the credit union, and the member can then learn from the credit union exactly what was divulged. The credit union should not, however, voluntarily advise the member that records have been turned over. There may be instances where the federal agency requesting the information may be permitted to delay the notice it is required to provide the member. In those cases, the federal agency will ask a court to delay its required notice to the credit union’s member, and the court may then issue an order prohibiting the credit union from disclosing to its member the records that were shared with law enforcement or even disclosing that records were sought by law enforcement.

If the request for information comes in the form of a federal grand jury subpoena, the credit union is prohibited from notifying its member that the information was requested and submitted — even without a court order.

Certificate of Compliance (§3403(b))

Even when a government agent has reasonably described the records sought and provided written authorization from the member, produced an administrative subpoena, delivered a validly executed search warrant, produced a judicial subpoena, or provided a “formal written request,” the credit union may not produce the records sought until the agent provides the final piece of the puzzle — a certificate of compliance with the requirements of the RTFPA. A sample of a certificate of compliance can be found in Appendix 2-A to this section.

Cost Reimbursement (§3415)

A credit union that complies with a request for information from a federal agency under the RTFPA will no doubt incur some costs. In some instances credit unions may charge the requesting agency a fee as reimbursement for the reasonable costs incurred in terms of time spent in assembling the requested records. In Section 3415, the RTFPA directs the Federal Reserve Board (the FRB) to develop rules setting forth the procedures for determining what costs are recoverable. The FRB’s rules regarding reimbursement for costs associated with gathering records in response to a request from a federal agency are set forth in Regulation S (12 CFR 219.1 et seq.).

Expenses in connection with requests for records under the following situations cannot be reimbursed:

• Security interest, bankruptcy claims, and debt collection — costs for records provided to perfect a security interest, prove a claim in bankruptcy, or collect a debt.

• Government loan programs — costs for records requested in order to process loans under government loan, loan guaranty, or loan insurance programs.


• Nonidentifiable information — records not identifiable as specific to a particular member.

• Financial supervisory agencies — records released to supervisory agencies as part of their supervisory duties (NCUA, state regulators).

• Internal Revenue summons — records requested by the IRS as authorized by the Internal Revenue Code.

• Federally required reports — records required to be reported by federal statute or rule.

• Government civil or criminal litigation — requests for information authorized by law for cases where the government authority and the member are parties to the case.

• Administrative agency subpoenas — records requested by administrative subpoena issued by an administrative law judge as part of a legal proceeding where the agency and the member are parties to the case.

• Investigation of the financial institution or its non-member

• General Accounting Office requests

• Federal Housing Finance Board requests

Regulation S includes a schedule to help calculate the “reasonably necessary costs” directly incurred in searching for, reproducing, and transporting records to the agency requesting the information. Credit unions can recover the costs of searching for the material — including personnel time spent to locate it — copying the material, and shipping it. They may not obtain reimbursement for analysis and legal advice regarding the information. Figure 2.2 includes a schedule of reimbursable costs under Regulation S.

Figure 2.2 Reimbursable Costs Provided in Regulation S

The schedule of reimbursable costs set forth in Reg S includes:

• Reproduction Costs:

Photocopies: $.25 per page

Paper copies of microfiche: $.25 per frame

Duplicate microfiche: $.50 per microfiche

Storage media: actual cost

• Search and Processing Costs:

Clerical/Technical, hourly rate: $22.00

Computer Support Specialist, hourly rate: $30.00

Manager/Supervisory, hourly rate: $30.00

Figure 2.2 lists the costs that can be recovered by credit unions for compliance with requests for information about their members’ finances under the RTFPA.

Civil Penalties

A credit union that discloses financial records or information to a federal agency in violation of the requirements of the RTFPA can be civilly liable to the affected member for the sum of:

• $100 regardless of the volume of records involved per Section 3417(1);

• Any actual damages sustained by the member as a result of the disclosure per Section 3417(2);

• Any punitive damages allowed by a court if the violation was willful or intentional per Section 3417(3); and

• All costs incurred by the member— including reasonable attorney’s fees— in bringing a lawsuit for the violation if the lawsuit is successful per Section 3417(4).

Credit unions do have one legal defense granted in the RTFPA. Any financial institution, its agent, or its employee that discloses a member’s financial information in good-faith reliance on the written certification of compliance provided by the requesting federal agency cannot be held liable to the member for releasing that information. That’s why it is so important to have a copy of the Certificate of Compliance on file before releasing the requested information.

Record Retention

A credit union member who believes his rights were violated under the RTFPA has three years to bring a lawsuit to enforce those rights. According to the statute, that three-year period begins to run either from the date on which the violation occurs or the date the member discovers the violation, whichever is later. Theoretically, then, a member could file a lawsuit under the RTFPA several years after the credit union has complied with a request for information.

Because of this open-ended statute of limitations, credit unions should retain all records of requests for information — including copies of all information provided to federal agencies, all notes taken by staff, and all evidence of compliance with the RTFPA — forever.

State Laws

The Right to Financial Privacy Act that is the subject of this chapter applies to requests for information made by federal agencies. It does not address requests for information made by state and local authorities. Many states have passed their own laws regarding the dissemination of information to state and local government officials. Credit unions should contact their state leagues or retained counsel for procedures to use in handling requests received from those authorities.


Appendix 2-A Sample Certificate of Compliance

UNITED STATES JUSTICE DEPARTMENT
Washington, D.C.

CERTIFICATE OF COMPLIANCE WITH THE RIGHT TO FINANCIAL PRIVACY ACT

TO: ________________________________________________________________(name and address of financial institution)

FROM: _____________________________________________________________(name of government agency)

I hereby certify that the applicable provisions of the Right to Financial Privacy Act of 1978, 12 USC sections 3401-3422, have been complied with as to the

___________________________________________________________________(summons, subpoena, or formal written request)

presented on ____________________, 20____ (date) for the following financial records of _________________________, 20____ (date).

___________________________________________________________________
(signature)

___________________________________________________________________
(address)                                   (name and title of official)

___________________________________________________________________
(telephone)                                 (government agency)

Pursuant to the Right to Financial Privacy Act of 1978, good-faith reliance on this certificate relieves your institution and its employees and agents of any possible liability to the member in connection with the disclosure of these financial records.

Section 1103(b) of the Right to Financial Privacy Act, 12 USC Section 3402(b)          Form DOJ-461, 3-10-79


The Right to Financial Privacy Act

Quiz/Study Guide

1. Which of the following do not fall under the requirements of the Right to Financial Privacy Act?

A. Suspicious Activity Reports

B. Subpoenas

C. NCUA or state regulator examination requests

D. IRS information reporting

E. Filing liens in connection with a loan

_____________________________________________________________________

_____________________________________________________________________

2. After a government agency has presented your credit union with one of the valid forms to request member information and has followed all the Right to Financial Privacy Act requirements for that particular request, what final piece of information must the credit union receive before releasing the requested information?

_____________________________________________________________________

_____________________________________________________________________

3. If there are any doubts about releasing member information to federal agents, what is the credit union’s best course of action?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________


4. List the information that must be included in a member’s written authorization before a credit union can safely turn over information to federal authorities based on that authorization.

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

5. What records are credit unions required to turn over when presented with a validly executed search warrant?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

6. Can a credit union charge a requesting federal agency a fee for preparing and releasing information requested?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

7. What is the statute of limitations on a consumer’s right to bring a suit against a credit union for violation of the consumer’s rights under the RTFPA and how does this affect the record retention requirements?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________


The Right To Financial Privacy Act

Answer Key

1. Not affected by the Right to Financial Privacy Act requirements are: A. Suspicious Activity Reports, C. NCUA or state regulator examination requests, D. IRS information reporting, and E. Filing liens in connection with a loan. (Page 2-3 to 2-4)

2. Certificate of Compliance. (Page 2-8)

3. If there are any doubts about turning over member information, a credit union should check with legal counsel. (Page 2-3)

4. This authorization must be in the form of a signed statement which: 1) authorizes the credit union to disclose the information for a period which does not exceed three months; 2) states that the member may revoke the authorization at any time prior to the credit union’s disclosure of the information; 3) identifies the records authorized to be disclosed; 4) specifies the purpose for which the records may be disclosed along with the agency to which they may be disclosed; 5) states the member’s rights under the RTFPA. (Page 2-5)

5. Only the information described in the search warrant. (Page 2-6)

6. Yes, the Act allows credit unions to recover what it calls “reasonable costs” for expenses incurred in preparing the records through Regulation S. These costs can include: 1) costs for searching for the information; 2) copying records; 3) personnel time spent searching for the information; and 4) mailing costs. (Page 2-9)

7. A credit union member who believes his rights were violated under the RTFPA has three years to bring a lawsuit to enforce those rights. According to the statute, that three-year period begins either from the date on which the violation occurs or the date the member discovers the violation, whichever is later. Because of this, it is recommended that credit unions retain records of requests for information forever. (Page 2-10)


SECTION 3 – THE BANK SECRECY ACT


General Overview

We’ve no doubt all heard the expression: “Crime doesn’t pay.” Indeed, when a perpetrator of crimes is apprehended, indicted, convicted, and sentenced he or she learns that lesson the hard way. Sad but true, however, is the fact that some crime does pay—at least until the bad guys are apprehended. Or, perhaps more accurately, crime reaps payments. And crime doesn’t usually accept credit cards—it takes its payment in cold, hard cash. Whether the crime is blackmail, drug dealing, tax evasion, illegal gambling, loan sharking, embezzlement, or a wide range of other types of activity that our laws have defined as criminal, the “successful” (the term is used loosely) criminal eventually winds up, somewhere along the line, with a pile of currency.

But that currency can present a problem for the typical bad guy. In order to put his loot to work for him, a criminal must eventually re-enter that currency into circulation. And for as long as there has been a banking system, the bad guys have sought to use it to “launder” their ill-gotten gains by transforming their dirty money into legitimate sources of funds.

Law enforcement has its hands full tracking various bad actors (there never seems to be a shortage) in a never-ending effort to bring them to justice. Because of the banking system’s large, if unwanted, role in allowing criminals to launder their money, Congress has passed a collection of laws which are referred to as the “Bank Secrecy Act.” In an effort to provide assistance to law enforcement, “banks” are required to keep certain records and to make certain reports regarding currency (and other) transactions.

The Bank Secrecy Act (BSA) is perhaps misnamed. It applies to much more than just “banks” (as that term is commonly used), and it has more to do with divulging secrets than keeping them. Be that as it may, “Bank Secrecy Act” is a term now firmly entrenched in the parlance of the financial services industry, and it is not likely to be changed any time soon.

In this section, we will briefly discuss the various laws that together make up the Bank Secrecy Act. Next we will turn our attention to the NCUA regulation which generally mandates BSA compliance for all federally insured credit unions. Finally, we will discuss the particular recordkeeping and reporting requirements that are at the heart of BSA compliance.

When one thinks of regulatory compliance the first thing that usually comes to mind is consumer protection. Many of the various statutes and regulations with which financial institutions must comply are ultimately created with that end in mind. The BSA is not, however, about consumer protection — it is a law enforcement tool. Violations of the various Bank Secrecy Act laws and regulations can, consequently, expose credit unions to both civil and criminal penalties. We will address those penalties separately below.


The laws that form the “Bank Secrecy Act”

As mentioned in the introduction, terms like “Bank Secrecy Act,” or “BSA,” are frequently used in connection with the compliance duties of financial institutions, but they do not usually refer to a single statute (although, as we will discuss, there is a federal law called the Bank Secrecy Act). Actually, a number of laws and regulations come into play when discussing BSA compliance. Among these laws and regulations are the Anti-Drug Abuse Act of 1986; the Money Laundering Control Act of 1986; the Bank Secrecy Act of 1970; the Currency and Foreign Transactions Reporting Act; US Patriot Act, Title III; NCUA Rules and Regulations Part 748.2; and the Financial Recordkeeping and Reporting of Currency and Foreign Transactions rules developed by the U.S. Treasury Department and found in 31 C.F.R. Part 103.

Anti-Drug Abuse Act of 1986

This law was enacted to help federal law enforcement’s efforts to thwart illicit drug crops, to stop international drug trafficking, to improve the enforcement of the antidrug laws already on the books, and to establish more effective drug abuse and prevention programs. Among the antidrug enforcement provisions of the Anti-Drug Abuse Act are the provisions which make up the Money Laundering Control Act of 1986.

Money Laundering Control Act of 1986

The Money Laundering Control Act of 1986, part of the Anti-Drug Abuse Act of 1986, made money laundering a federal crime. The Act resulted in the following:

• Criminalized the act of money laundering;

• Prohibited the act of structuring transactions to evade currency transaction report (CTR) filings; and

• Introduced civil and criminal forfeiture for BSA violations.

The penalties for those offenses include imprisonment for a maximum of 20 years, fines up to $500,000 or two times the amount laundered, and forfeiture of assets.

Bank Secrecy Act of 1970

Perhaps best-known among these various statutes is the Bank Secrecy Act of 1970. This is the federal statute that mandates, among other things, that financial institutions — including credit unions — maintain certain financial records about their members’ and customers’ transactions and that they report certain transactions in currency which involve more than $10,000.

The Currency and Foreign Transactions Reporting Regulation

This law requires that persons file a Report of International Transportation of Currency or Monetary Instruments (FinCEN Form 105) whenever they send or receive more than $10,000 in currency or monetary instruments out of or into the U.S. As we will discuss later, this statute rarely directly affects credit unions.

The USA PATRIOT Act, Title III: International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001

This law amends the Bank Secrecy Act and targets money-laundering issues. One provision of this law will require financial institutions, including credit unions, to have minimum standards to verify the identity of their members when opening accounts. Another provision requires financial institutions to have antimoney-laundering programs in place. NCUA regulations already require federally insured credit unions to have a compliance program in place that is similar to the antimoney-laundering programs required by this Act. Therefore, credit unions that are in compliance with these requirements will be in compliance with the antimoney-laundering programs required by this act. Financial institutions are required to search their records (if requested by FinCEN) to determine if the financial institution maintains or has maintained accounts for, or has engaged in transactions with, individuals or organizations listed on the request.

NCUA Rules and Regulations §748.2

Although the original Bank Secrecy Act of 1970 applied to credit unions, their compliance with that statute was sparse, at best, for many years. But in 1986, the NCUA adopted a regulation which specifically provided rules that credit unions were required to follow to evidence their compliance with the BSA.

NCUA Rules and Regulations Section 748.2 sets forth those specific requirements. Under 748.2 all federally insured credit unions must develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with the recordkeeping and reporting requirements set forth in the Bank Secrecy Act. NCUA requires that credit unions’ compliance programs adhere to the requirements set forth in 31 C.F.R. Part 103—the BSA regulations adopted by the U.S. Treasury Department with regard to BSA. Each credit union’s plan must be in writing and must be approved by their board of directors.

Section 748.2 requires that the formal BSA compliance plan must:

• Provide for a system of internal controls to assure ongoing compliance per Section 748.2(c)(1).

• Provide for independent testing for compliance to be conducted by credit union personnel or outside parties per Section 748.2(c)(2).

• Designate an individual responsible for coordinating and monitoring day- to-day compliance per Section 748.2(c)(3).

• Provide training for appropriate personnel per Section 748.2(c)(4).

31 CFR Chapter X

Chapter X of the Code of Federal Regulations contains the nuts and bolts of compliance with credit unions’ and banks’ reporting and recordkeeping requirements under the BSA. These Treasury rules broadly define the term “bank” — and that definition clearly includes all credit unions, both state- and federally chartered.

FinCEN transferred the BSA regulations found in 31 CFR 103 to a new chapter (Chapter X) as of March 1, 2011.


Reporting Requirements

A number of different reporting requirements are set forth in the BSA regulations. For credit unions and other traditional financial institutions, the Currency Transaction Report (FinCEN Form 104, or CTR) is far and away the most familiar of these reports. Other reports required under the regulations include Suspicious Activity Reports and Reports of International Transportation of Currency or Monetary Instruments. As of April 2013, credit unions must use the Financial Crimes Enforcement Network (FinCEN) reports available only electronically through the e-filing system.

Currency Transaction Reports

The Currency Transaction Report (FinCEN Form 104 or CTR) is a cornerstone of BSA compliance. In general, a credit union must complete and submit a CTR each time it takes a deposit, gives a withdrawal, or exchanges currency if the transaction involves currency of more than $10,000 per Section 1010.311.

In addition, multiple same-day transactions which are completed at any branch of a credit union must be treated as a single transaction if the credit union has knowledge that those transactions are by or on behalf of the same individual. If those multiple transactions result in total cash into or out of the credit union in excess of $10,000, a CTR must be filed. In addition, deposits made at night or over a weekend or holiday must be treated as if they were made on the next business day following the deposit. (Section 1010.313(b).)

It is worth considering a couple of points with respect to the general rule. First, no CTR is ever required unless the transaction or transactions amount to more than $10,000 in currency coming into or going out of the credit union. Thus, a cash deposit of $10,000 on the nose would not trigger CTR filing. Figure 3.1 lists a few examples of transactions and describes whether or not a CTR would be required.

Figure 3.1

CTR or No CTR?

Q. A member deposits a check made out to cash for $15,000 and deposits it into her credit union account. Must a CTR be filed?

A. No. A check — even one made payable to cash — is not currency.

Q. A member deposits $10,000 worth of $100 bills into his credit union account. Must a CTR be filed?

A. No. Although the transaction is in currency, it does not exceed $10,000.

Q. A member withdraws $9,000 in currency in the morning from her credit union account. Later that day her teller discovers the same member withdrew $3,000 in currency that same day at another branch of the same credit union. Must a CTR be filed?

A. Yes. Same-day withdrawals are aggregated.

Q. A member deposits $9,000 in currency in the morning to his credit union account. Later that day his teller discovers the same member withdrew $3,000 in currency that same day at another branch of the same credit union. Must a CTR be filed?

A. No. Same-day deposits and withdrawals are not aggregated with each other (although same-day multiple withdrawals are aggregated and same-day multiple deposits are aggregated among themselves).

Next, the transaction must be in currency to be reportable. “Currency” is defined in the BSA regulations to include the coin and paper money of the U.S., as well as the coin and paper money of any other country that is designated as legal tender. (Section 1010.100(m).) Currency includes U.S. silver certificates, U.S. notes and Federal Reserve notes, and official foreign notes that are customarily used and accepted as a medium of exchange in a foreign country.

Reportable CTR transactions must be filed by the credit union within 15 days following the date of the transaction. CTRs must be filed electronically. You can access the BSA E-Filing website at http://bsaefiling.fincen.treas.gov/main.html.

Under the BSA regulations, credit unions have an affirmative duty to verify and record the name and address of a member presenting a transaction that will be reportable on a CTR, along with the identity, account number, and Social Security or taxpayer identification number of the person on whose behalf a reportable transaction is to be made. (Section 1010.312.) If the individual claims to be an alien or not a resident of the U.S., the credit union must verify his or her identification by reviewing a passport, alien identification card, or other official document evidencing nationality or residence.
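As an added example that is not part of the CUNA text, the following Python applies the CTR rules just described (currency only, strictly more than $10,000, same-day deposits and withdrawals aggregated separately across branches, night and weekend deposits rolled to the next business day, 15-day filing window) to a constructed set of teller transactions that mirrors the Figure 3.1 scenarios. The member ids, dates, branch names and the 18:00 closing time are assumptions; holidays are not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, date, timedelta, time

CTR_THRESHOLD = 10_000        # CTR only when currency in one direction exceeds this amount
CTR_FILING_WINDOW_DAYS = 15   # a CTR must be filed within 15 days of the transaction date
BUSINESS_CLOSE = time(18, 0)  # assumed closing time (not from the page); later = "at night"


@dataclass(frozen=True)
class Transaction:
    member_id: str   # constructed identifier for the person the transaction is by or for
    direction: str   # "deposit" or "withdrawal"
    instrument: str  # "currency" or "check"; only currency counts toward a CTR
    amount: int      # whole U.S. dollars
    when: datetime   # time the teller (or night drop) took the transaction
    branch: str      # any branch; same-day totals are aggregated across branches


def business_day_of(when: datetime) -> date:
    """Return the business day a deposit counts toward.

    Deposits made at night or over a weekend or holiday are treated as made on the
    next business day (Section 1010.313(b)).  Holidays are not modelled here.
    """
    day = when.date()
    if when.time() >= BUSINESS_CLOSE:
        day += timedelta(days=1)
    while day.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        day += timedelta(days=1)
    return day


def aggregate_currency(transactions):
    """Sum currency by (member, business day, direction).

    Deposits and withdrawals are never added together, but multiple same-day
    deposits (or withdrawals) by the same member are, even across branches.
    Checks are skipped: a check, even one payable to cash, is not currency.
    """
    totals = defaultdict(int)
    for t in transactions:
        if t.instrument != "currency":
            continue
        # The next-business-day rule is stated for deposits; withdrawals keep
        # their calendar date.
        day = business_day_of(t.when) if t.direction == "deposit" else t.when.date()
        totals[(t.member_id, day, t.direction)] += t.amount
    return totals


def ctrs_required(transactions):
    """Return (member, day, direction, total) for every group that needs a CTR."""
    return [
        (member, day, direction, total)
        for (member, day, direction), total in sorted(aggregate_currency(transactions).items())
        if total > CTR_THRESHOLD  # strictly greater: $10,000 "on the nose" is not reportable
    ]


def ctr_due_date(transaction_day: date) -> date:
    """Last day on which the CTR for a transaction day may be filed."""
    return transaction_day + timedelta(days=CTR_FILING_WINDOW_DAYS)


# Constructed sample data mirroring the four Figure 3.1 scenarios plus one
# night-drop case; member ids, dates and branch names are made up.
MONDAY = datetime(2018, 6, 4, 10, 0)   # Monday, 4 June 2018, 10:00
SAMPLE = [
    # Q1: $15,000 check payable to cash: not currency, so no CTR
    Transaction("M-001", "deposit", "check", 15_000, MONDAY, "main"),
    # Q2: exactly $10,000 in $100 bills: does not exceed the threshold, no CTR
    Transaction("M-002", "deposit", "currency", 10_000, MONDAY, "main"),
    # Q3: $9,000 plus $3,000 withdrawn at another branch the same day: aggregated, CTR
    Transaction("M-003", "withdrawal", "currency", 9_000, MONDAY, "main"),
    Transaction("M-003", "withdrawal", "currency", 3_000, MONDAY.replace(hour=15), "north"),
    # Q4: $9,000 deposit plus $3,000 withdrawal: opposite directions, no CTR
    Transaction("M-004", "deposit", "currency", 9_000, MONDAY, "main"),
    Transaction("M-004", "withdrawal", "currency", 3_000, MONDAY.replace(hour=15), "north"),
    # Extra: $6,000 night-drop deposit on Friday 21:00 rolls to Monday and aggregates
    # with a $5,000 Monday deposit to $11,000, so a CTR is due
    Transaction("M-005", "deposit", "currency", 6_000, datetime(2018, 6, 1, 21, 0), "main"),
    Transaction("M-005", "deposit", "currency", 5_000, MONDAY, "main"),
]


if __name__ == "__main__":
    for member, day, direction, total in ctrs_required(SAMPLE):
        print(f"CTR required: {member} {direction} ${total:,} on {day}, "
              f"file by {ctr_due_date(day)}")
```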

Exemptions

Recognizing that not all transactions involving more than $10,000 in currency are likely to have value in assisting law enforcement officials investigating potential criminal activity, the BSA regulations allow credit unions to exempt certain transactions from the general CTR reporting requirements. A credit union is not required to file a CTR with respect to a transaction completed by an exempt person, provided the transaction falls within the exempt person’s stated limits. There are two categories (Phase I and Phase II) of potential “exempt persons” listed in the BSA regulations. (Section 1020.315(b).) Under the Phase I designation, transactions in excess of $10,000 in currency made by certain entities are eligible for exemption. FinCEN identifies two categories of Phase I exempt persons:

• Any entity (other than a credit union or bank) whose common stock is listed on the New York, American or NASDAQ stock exchanges (with some exceptions) e.g., public or listed entities.

• Any subsidiary (other than a credit union or bank) of any “listed entity” that is organized under U.S. law and at least 51 percent of its stock is owned by the listed entity.

FinCEN issued a final rule in December 2008 that simplified the Phase I CTR exemption process. Before the final rule, credit unions were required to complete either currency transaction reports or file a Phase I exemption for triggering transactions between itself and another depository institution, U.S. or State governments or entities acting with governmental authority. This required credit unions to file CTRs or file an exemption form for operating cash transfers between the credit union and another institution acting in a “credit union’s credit union” capacity. This is no longer the case. Most important, transactions between a credit union and any of these parties would receive an automatic exemption from CTR filing — similar to that granted to transactions between a credit union and one of the twelve Federal Reserve Banks.

FinCEN identifies two categories of Phase II exempt persons:

• A business—other than a publicly listed corporation or subsidiary as listed above—that has maintained a transaction account with the credit union for at least 2 months; “frequently” (at least five per year) engages in transactions in currency with the credit union in excess of $10,000; and is organized or incorporated under the law of the U.S. or a state. (Section 1020.315(b); referred to in the regulation as “non-listed businesses”).

• A person or business that has maintained a transaction account with the credit union for at least 2 months; operates a firm that regularly withdraws more than $10,000 (in currency) in order to pay its employees; and is incorporated or organized under the laws of the U.S. or a state. (Section 1020.315(b); referred to in the regulation as “payroll customers”).

Alternatively, the rule gives a credit union the ability to forego the 2 month waiting period (normally required before a Phase II exemption is granted) and enables the credit union to make a risk-based determination of whether or not the exemption is appropriate.

Credit unions are expected to perform an annual review of their exemptions (Phase I and II) to determine whether or not the exemption is still appropriate. There is no longer a requirement to biannually renew or report any change of control for Phase II exemptions. Credit unions used to be required to renew Phase II exemptions every two years and report any changes in the control of their Phase II exemption members.

To apply for CTR exemption, credit unions must complete the “Designation of Exempt Person Form” (FinCEN form 110) within 30 days of the triggering transaction. Until the exemption has been filed, the credit union would be required to complete CTR forms for each applicable transaction.

A number of businesses are ineligible under BSA regulations to receive “exempt person” status. A business is ineligible if it is engaged in one or more of the following activities (Section 1020.315):

• Service as financial institutions or agents of financial institutions of any type (examples of financial institutions that are not banks include securities brokers, check cashers, sellers of traveler’s checks, or telegraph companies that wire funds).

• Purchase or sale to customers of motor vehicles of any kind, vessels, aircraft, farm equipment, or mobile homes.

• The practice of law, accountancy, or medicine.

• The auctioning of goods.


• The chartering or operation of ships, buses, or aircraft.

• Gaming of any kind except licensed parimutuel betting at race tracks.

• Investment advisory services or investment banking services.

• Real estate brokerage.

• Pawn brokerage.

• Title insurance and real estate closing.

• Trade union activities.

• Any other activities that may be specified by the Financial Crimes Enforcement Network (FinCEN) — the division of the U.S. Treasury charged with BSA enforcement.

The method by which a credit union designates a member as an “exempt person” was substantially revised in 1998. Under the regulations prior to 1998, credit unions were permitted to grant exemptions to various types of members by having the member sign—under penalty of perjury— a request for exemption that listed the reasons the exemption was sought and that was retained on file by the credit union. Credit unions were also required to maintain a centralized “Exempt Transactions Log” which included all those members who were exempted from CTR requirements. Credit unions had until July 1, 2000, to designate those members as “exempt persons” under the new rules (for example, by completing a CTR as described above). If those members who were exempt under the old rules were not redesignated as “exempt persons” under the new rules by the appointed time, credit unions were required to file CTRs with regard to transactions in currency exceeding $10,000 completed by those members.

It is important to note that even though a credit union might designate a member as an “exempt person” under these rules, it still has an obligation to file Suspicious Activity Reports (as discussed below) when circumstances dictate. FinCEN can revoke the status of a member as an “exempt person” upon written notice.

Geographic targeting

From time to time, FinCEN may determine reasonable grounds exist for requiring additional recordkeeping and/or reporting requirements under the BSA regulations within a certain geographical area. (Section 1010.370 (a).) In these cases, the Secretary of the Treasury is empowered to issue an order requiring any domestic financial institution or a group of financial institutions in a geographic area to file CTRs for specially described dollar thresholds. For example, the Secretary could issue an order for all financial institutions in a given area to file CTRs for cash transactions which exceed, say, $6,000 in currency, as opposed to the usual $10,000.

Section 1010.370 provides that a special order of this nature will be directed to the chief executive officer of an affected credit union, and that it will clearly describe the types of transactions that must be reported, including the following:

• Dollar amount of transactions subject to special reporting.

• Type of transactions subject to or exempt from special reporting.

• Appropriate form to use if filing special reports.

• Address to which special reports must be filed or from which they will be picked up.

• Starting and ending dates by which such transactions are to be reported.

• Name of a Treasury official to be contacted for any additional information or questions.

• Amount of time reports and records of reports generated in response to the order will have to be retained by the financial institution.

These special orders may not last more than 60 days unless they are renewed in exactly the same fashion as described above. (Section 1010.370.) Unless directed otherwise, a credit union that receives an order of this nature may continue to use the exemp-tions it has already granted members as discussed above.

Suspicious Activity Reports

A Suspicious Activity Report (SAR) (Section 1020.320) must be filed with regard to any transaction that involves or aggregates more than $5000 when the credit union knows, suspects, or has reason to suspect that the transaction:

• Involves funds derived from illegal activities, is intended or conducted in order to hide or disguise funds or assets derived from illegal activities as part of a plan to violate or evade any Federal law or regulation, or to avoid any CTR requirement.

• Transaction is designed to evade any requirements of any regulations set forth under the Bank Secrecy Act.

• Offers no business or apparent law-ful purpose or is not the sort in which the particular member would normally be expected to engage, and the credit union knows of no reasonable explana-tion for the transaction after examining the available facts including the back-ground and possible purpose of the transaction.

These provisions make it illegal to “structure” a transaction, that is, to break up a single transaction above the reporting threshold into two or more separate transactions, if the purpose of the structuring is to evade the reporting requirement. Violating the antistructuring provisions of the BSA is a criminal offense. In 1994 the United States Supreme Court held that, under the statute as then written (which punished only “willful” violations), the prosecution had to prove that a defendant accused of structuring acted with knowledge that the structuring he or she undertook was unlawful, not simply that the defendant’s purpose was to circumvent the financial institution’s reporting requirement. (See Ratzlaf v. United States, 510 U.S. 135, 114 S. Ct. 655 (1994).) Congress responded later in 1994 by amending 31 U.S.C. 5324 to remove the willfulness element, so proof that the defendant knew structuring itself was illegal is no longer required.
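The aggregation-and-threshold logic behind structuring is what a transaction-monitoring rule actually computes. The following Python is an added example written for this page, not CUNA’s or FinCEN’s code: it assumes the $10,000 per-business-day CTR threshold of 31 CFR 1010.311 and the $5,000 SAR aggregate from Section 1020.320, runs over a constructed set of cash transactions, and applies a heuristic (several cash deposits each just under the threshold within a rolling window) that is this example’s own choice, not a regulatory test. The class and function names are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds: a CTR is required for cash transactions of more than
# $10,000 in one business day (31 CFR 1010.311); a SAR requires aggregate
# activity of at least $5,000 (31 CFR 1020.320).
CTR_THRESHOLD = 10_000.0
SAR_THRESHOLD = 5_000.0


@dataclass(frozen=True)
class CashTxn:
    member_id: str
    when: datetime
    amount: float
    branch: str


@dataclass(frozen=True)
class StructuringAlert:
    member_id: str
    count: int
    total: float
    first: datetime
    last: datetime
    branches: tuple


def daily_ctr_candidates(txns):
    """Aggregate cash-in per member per calendar day (a stand-in for the
    business day) and return the (member, day) pairs above the CTR
    threshold. These are ordinary CTR filings, not structuring."""
    totals = defaultdict(float)
    for t in txns:
        totals[(t.member_id, t.when.date())] += t.amount
    return {key: amt for key, amt in totals.items() if amt > CTR_THRESHOLD}


def structuring_alerts(txns, window_days=7, min_count=2, near_fraction=0.7):
    """Heuristic detector (this example's assumption, not a FinCEN rule):
    flag a member when, within a rolling window, at least `min_count` cash
    transactions each stay under the CTR threshold, each is "near" it
    (>= near_fraction * threshold), and together they exceed it.
    Returns one alert per member, for the first qualifying window."""
    by_member = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.when):
        by_member[t.member_id].append(t)

    alerts = []
    for member, seq in by_member.items():
        for i, start in enumerate(seq):
            end = start.when + timedelta(days=window_days)
            window = [t for t in seq[i:]
                      if t.when <= end
                      and near_fraction * CTR_THRESHOLD <= t.amount < CTR_THRESHOLD]
            total = sum(t.amount for t in window)
            if len(window) >= min_count and total > CTR_THRESHOLD:
                alerts.append(StructuringAlert(
                    member_id=member,
                    count=len(window),
                    total=total,
                    first=window[0].when,
                    last=window[-1].when,
                    branches=tuple(sorted({t.branch for t in window})),
                ))
                break  # one alert per member is enough to open a review
    return alerts


# Constructed sample data (hypothetical member IDs and branches).
SAMPLE_TXNS = [
    # three cash deposits just under $10,000 on consecutive days at two
    # branches: the pattern the detector should flag
    CashTxn("M-1001", datetime(2018, 3, 5, 10, 0), 9_500.0, "Main"),
    CashTxn("M-1001", datetime(2018, 3, 6, 9, 30), 9_800.0, "Northside"),
    CashTxn("M-1001", datetime(2018, 3, 7, 16, 45), 9_200.0, "Main"),
    # one deposit above the threshold: a plain CTR, not structuring
    CashTxn("M-2002", datetime(2018, 3, 5, 11, 0), 12_400.0, "Main"),
    # a retailer's routine $2,000 daily cash deposits: aggregate above
    # $10,000 over the week but nowhere near the threshold per transaction
] + [CashTxn("M-3003", datetime(2018, 3, day, 17, 0), 2_000.0, "Main")
     for day in range(5, 12)]


def review_queue(txns):
    """What an analyst would look at: CTR filings due, and structuring
    alerts whose aggregate meets the SAR threshold."""
    ctrs = daily_ctr_candidates(txns)
    sars = [a for a in structuring_alerts(txns) if a.total >= SAR_THRESHOLD]
    return ctrs, sars


if __name__ == "__main__":
    ctrs, sars = review_queue(SAMPLE_TXNS)
    for (member, day), amt in sorted(ctrs.items()):
        print(f"CTR due: {member} {day} ${amt:,.2f}")
    for a in sars:
        print(f"Possible structuring: {a.member_id} {a.count} txns "
              f"${a.total:,.2f} {a.first.date()}..{a.last.date()} "
              f"at {', '.join(a.branches)}")
```

The retailer’s daily deposits aggregate past $10,000 over the week but are never flagged, which is the point of the near-threshold filter: aggregation alone is not evidence of structuring. An alert from a rule like this is a reason to review the activity under the “no reasonable explanation” prong above, not an automatic SAR.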

A SAR must generally be filed within 30 calendar days of the date the credit union becomes aware of facts that may constitute a basis for filing. If no suspect was identified at the time the credit union first discovered those facts, the filing may be delayed for up to an additional 30 days in order to identify a suspect. (Section 1020.320.)

In addition to the rules in Chapter X regarding SAR filing, the NCUA requires that credit unions file a SAR in the following situations (NCUA Final Rule No. 06-RA-07, 12 CFR Part 748):

• Whenever any known or suspected criminal violation has been committed against a credit union, regardless of the amount of money involved, if the credit union believes the violation was committed by an “insider” (for example, a director, officer, employee, agent, or other institution-affiliated party).

• Whenever any known or suspected criminal violation has been committed against a credit union involving $5,000 or more, if the credit union can identify a possible suspect who is not an insider.

• Whenever there are transactions aggregating $5,000 or more that involve potential money laundering or violations of the Bank Secrecy Act.

• Whenever any known or suspected criminal violation has been committed against a credit union involving $25,000 or more, regardless of whether any suspects have been identified.

The SAR must be filed electronically with FinCEN through the BSA E-Filing system. Supporting documentation is not to be filed with the SAR. Instead the credit union must maintain records of all SAR supporting documentation for five years from the filing date. (Section 1020.320.)

FinCEN issued guidance (FIN-2007-G003) which clarified how credit unions should handle requests for supporting documentation related to a previously filed suspicious activity report (SAR). According to FinCEN, financial institutions must provide all documentation supporting the filing of a SAR upon request by FinCEN, appropriate law enforcement, or a supervisory agency. The guidance makes clear that no legal process is required for such a request. In other words, the Right to Financial Privacy Act requirements (subpoena, summons, search warrant, etc.) do not apply if: (i) such a request is made by FinCEN or a supervisory agency during the exercise of its “supervisory, regulatory, or monetary functions” or (ii) FinCEN, an appropriate agency, or law enforcement requests a copy of the SAR or the supporting documentation underlying a SAR filing.

So, what is “supporting documentation”? This refers to all documents or records that assisted a financial institution in determining that the activity in question warranted a SAR filing. Examples include account transaction records, new account information, e-mail communication, and written correspondence. Supporting documentation varies in each situation. Note, however, that if the information requested goes beyond the scope of what was detailed in the SAR or the SAR’s supporting documentation, the Right to Financial Privacy Act protections apply.

A credit union need not file a SAR for a robbery or burglary, committed or attempted, as long as it is reported to the appropriate law enforcement authorities. When completing a SAR, credit unions should indicate whether the underlying criminal activity is the result of identity theft, pretext calling, or computer intrusion.


SAR confidentiality

FinCEN updated the BSA regulations to further clarify its expectations regarding SAR confidentiality. Under the previous regulation, a credit union and its officers, directors, employees, etc. were prohibited from notifying any person involved in a suspicious transaction that it was the subject of a SAR. To further clarify the scope of SAR confidentiality, FinCEN issued a final rule and accompanying guidance. According to the final rule, credit unions are not to disclose the SAR, or any information revealing the existence of a SAR, to parties other than those authorized to receive this information, such as appropriate law enforcement and regulators. FinCEN notes that it was important to clarify the scope of the confidentiality provision because of the potentially serious consequences of an unauthorized disclosure. Guidance on SAR confidentiality may be found at https://www.gpo.gov/fdsys/pkg/FR-2010-12-03/pdf/2010-29869.pdf.

A credit union that files a SAR may not notify any person involved in the reported transaction. And, should an individual inquire of the credit union about whether a SAR has been filed, the credit union is required to report this inquiry to FinCEN. (Section 1020.320.)

In December 2006, NCUA issued a final rule (12 CFR Part 748) that requires credit union management to “promptly” notify its board of directors (or designated committee) of any SAR filings. Notification must be at least monthly (usually at the monthly board meeting), unless the activity is serious enough to warrant immediate notification. Where the target of a SAR filing is a board member or designee, the credit union must not notify the SAR target; it is, however, expected to notify the remaining directors or designees who are not suspects. Finally, the final rule does not specify a particular format, and credit unions have ample flexibility to tailor a format that suits their particular needs. The Federal Financial Institutions Examination Council’s (FFIEC) Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual gives a number of reporting options, such as providing the actual SAR documents (which CUNA does not recommend), providing a report that summarizes the SAR filings, providing tables of SARs filed for specific violation types, etc.

Report of International Transportation of Currency or Monetary Instruments

BSA regulations also require that a Report of International Transportation of Currency or Monetary Instruments (FinCEN Form 105) be filed whenever a person sends or receives more than $10,000 in currency or monetary instruments (checks, money orders, traveler’s checks, etc.) into or out of the U.S. A credit union must file a FinCEN Form 105:

• When the credit union physically transports, mails, or ships currency and/or monetary instruments in excess of $10,000 at one time into, or out of, the U.S. per Section 1010.340; or

• When the credit union receives currency and/or monetary instruments in excess of $10,000 at one time, which has been transported, mailed, or shipped to it by a member from somewhere outside the U.S. per Section 1010.340.

It is important to note that a credit union does not “receive” the currency or monetary instruments from outside the U.S. if a member deposits the currency or instruments into a credit union account, even if the credit union knows that the currency or instruments were received or transported from a place outside the U.S. In such a case, the member would have the duty to file the report, assuming the member was the person who transported, shipped, or received the currency and monetary instruments. The credit union has no duty to inform the member of its duty to file the report, but FinCEN asks that the credit union do so.

FinCEN Form 114

Although beyond the scope of this book, there is one more reporting requirement under the BSA. Credit unions that have financial account relationships outside the U.S. with an aggregate value exceeding $10,000 are required to file FinCEN Form 114 (the Report of Foreign Bank and Financial Accounts, or FBAR) on an annual basis. Credit unions that have such foreign accounts should call FinCEN at 212-901-5265 for more information about this form.

Filing forms electronically

The Financial Crimes Enforcement Network (FinCEN) provides credit unions access to the BSA E-Filing system (go to bsaefiling.fincen.treas.gov/main.html.) The system supports secure electronic filing of Bank Secrecy Act (BSA) forms (either singly or in batches) such as Currency Transaction Reports (CTRs), Suspicious Activity Reports (SARs) and Designation of Exempt Person forms (DEP). In addition, institutions can use this system to send secure messages to FinCEN and receive responses, when appropriate. Finally, FinCEN can use the BSA E-Filing system to issue advisories and BSA E-Filing system updates to the user community.

Recordkeeping Requirements

Part of the initial purpose behind the various BSA statutes and regulations was that, until the original Bank Secrecy Act was passed in 1970, law enforcement officials were frequently frustrated in their attempts to convict perpetrators of financial crimes by the lax recordkeeping practices of many banks. As such, a great deal of the BSA compliance burden lies in its recordkeeping requirements. A number of specific records that must be retained by financial institutions are listed in the regulations, all of which must be retained for five years. The good news, from the standpoint of compliance burdens, is that these types of records are now commonplace for financial institutions. Each of the specific recordkeeping requirements will be discussed in the following paragraphs. Credit unions are required to retain either the original, or a microfilm or other copy, of each of them for at least the five-year period.

Filed reports

Records of any report filed pursuant to the BSA regulations (Currency Transaction Reports, Suspicious Activity Reports, or Reports of International Transportation of Currency or Monetary Instruments) must be retained on file for at least five years.

Certain credit extensions

Records of each extension of credit in an amount that exceeds $10,000 must be maintained, unless the credit is secured by real property. These records must include the name and address of the borrower, the amount of the loan, the nature or purpose of the loan, and the date of the loan per Section 1010.410.

Certain transfers of currency or monetary instruments

Credit unions must maintain either the original or some reproduced form of each advice, request, or instruction received or given regarding any transaction resulting in the transfer of currency or other monetary instruments, funds, checks, investment securities, or credit of more than $10,000 to or from any person, account, or place outside the United States. Credit unions are also required to maintain records of similar cancelled requests, advice, instructions, etc., per Section 1010.410.

Records regarding a geographic targeting order

As was discussed earlier, there may be instances when the Secretary of the Treasury requires a financial institution, or a group of financial institutions within a geographic area, to maintain special records with respect to currency transactions. The BSA regulations require that any such records, including any CTRs filed under such an order, be retained for as long as is specified in the order. This record retention period may not exceed five years per Section 1010.410.

Sales of certain monetary instruments in amounts between $3,000 and $10,000

If a credit union sells a draft, cashier’s check, teller’s check, money order, or other monetary instrument to a person and the purchase is made in currency, it must maintain certain records with regard to such sales. The specific requirements depend on whether the credit union sells such instruments to a member or a nonmember. (Section 1010.415.) If a credit union sells one of these instruments to a member in an amount of $3,000 to $10,000, it must maintain a record of:

• The member’s name.

• The date of purchase.

• The type of instrument purchased.

• The serial number of the instrument purchased.

• The dollar amount of the transaction.

When a nonmember makes such a purchase, the credit union is required to retain a record of the above information and the purchaser’s address, Social Security Number (or alien identification number), and date of birth. Credit unions are free to implement policies that require a member who wishes to purchase one of these monetary instruments in cash to first deposit the cash into his or her account (completing the actual purchase of the instrument via a debit to that account). This is permissible as long as the credit union’s policy in this regard is written, includes formal procedures for implementation, and applies to all deposit account holders without exception. However, implementing such a policy does not eliminate the recordkeeping requirements for such purchases. According to the Financial Crimes Enforcement Network’s (FinCEN) November 2002 guidance on this issue, credit unions remain subject to the recordkeeping requirements under Section 1010.415. As a practical matter, however, credit unions will typically have no difficulty retaining a record of the name, date of purchase, type of instrument purchased, and dollar amount of the transaction.

Note: When this recordkeeping requirement was first mandated by Congress in 1988, it included a requirement that credit unions and other financial institutions retain a centralized log containing records of these sales of monetary instruments for cash in amounts of $3,000 to $10,000. In 1994, this centralized log requirement was eliminated.

Certain wire transfers

In mid-1996, new rules took effect under the BSA regulations mandating the retention of certain wire transfer records. The records required under these rules are to be retained for five years, as is the case with all other BSA recordkeeping requirements.

Wire transfers of less than $3,000 are exempt from these recordkeeping requirements, as are wire transfers governed by the Electronic Fund Transfer Act and Regulation E and those made through an automated clearinghouse, automated teller machine, or point-of-sale system.

Under these rules, recordkeeping requirements differ depending on whether the credit union is the “originating bank” or the “beneficiary bank” in a wire transfer.

When a credit union acts as an originating bank, it executes a wire transfer on behalf of its member. In this case, the credit union must retain a record of:

• The originator’s name and address.

• The amount, date, and payment instructions received.

• The beneficiary bank identification.

• The beneficiary’s name and address or the beneficiary’s account number if received with the payment order.

When a credit union serves as the beneficiary bank in a wire transfer, it is required to keep a copy of each payment order received.

Under these wire transfer recordkeeping requirements, if the beneficiary is not an “established customer” of the credit union, the credit union must verify his or her name and address and retain a record of the means used to identify the person (for example, driver’s license, passport, etc.), and a record of the beneficiary’s Social Security number, alien identification number, or employer identification number. An “established customer” is a person with an account with the credit union, or a person from whom the credit union has obtained and maintains on file the person’s name, address, and taxpayer identification number per Section 1020.410.

There are additional identity verification rules with respect to individuals who are not “established customers,” but because credit unions have historically limited wire transfers to members or joint owners, many credit unions may not be familiar with these additional procedures. However, credit unions that intend to offer limited services to certain nonmembers (in light of the authority to offer such services under the 2006 Regulatory Relief Act) should familiarize themselves with these additional procedures.

When these rules regarding records of wire transfers were first introduced, there was widespread concern that credit unions would have to invest in sophisticated software through which they could instantaneously retrieve records of wire transfers falling within the scope of the rules. However, Section 1020.410 makes clear only that the required records must be retrievable, within a reasonable period of time, by reference to the name and/or account number of the member who originated the transfer or who was its beneficiary.

Other Bank Secrecy Act requirements

Credit unions are required to retain either the original records or copies of all of the following records with respect to any account:

• The signature card.

• Each statement or other record for each deposit or share account, showing each transaction made on the account.

• Each check, draft, or money order for more than $100 drawn on the credit union or issued and payable by it.

• Each debit of each member’s account in excess of $100.

• Each check, draft, or transfer of credit of more than $10,000 remitted or transferred to a person, account, or place outside of the U.S.

• Each check, draft, or transfer of credit for more than $10,000 received directly from a bank, broker or dealer in foreign currency exchange outside the U.S.

• Each receipt of currency, other monetary instruments, investment securities or checks, and each transfer of funds or credit of more than $10,000 received on any one occasion from a bank, broker, or dealer in foreign currency exchange outside the U.S.

• Records in the ordinary course of business which would be needed for the credit union to reconstruct a transaction (checking) account and to trace a check in excess of $100 deposited in such account through its domestic processing system, or to supply a description of a deposited check in excess of $100.

• A record containing the name, address, and TIN, if available, of the purchaser of each term share certificate, along with a description of the certificate, a notation of the method of payment, and the date of the transaction.

• A record containing the name, address, and TIN, if available, of any person presenting a term share certificate for payment, along with a description of the certificate and the date of the transaction.

• Each deposit slip or credit ticket reflecting a transaction, wire transfer deposit, or other direct deposit which exceeds $100.

For extensions of credit (not secured by real property) in excess of $10,000, a credit union must also retain record of:

• Name of the borrower

• Address of borrower

• Amount of credit extended

• Nature or purpose of the loan

• Date of the loan

While these record-retention requirements amount to a rather lengthy list, it is difficult to imagine a credit union not retaining all of these records regardless of the regulatory requirement to do so. As with all other recordkeeping requirements under the Bank Secrecy Act regulations, these records must be maintained for at least five years.

Information Sharing

The USA PATRIOT Act of 2001 encourages information sharing among financial institutions for purposes of identifying and reporting activities that may involve terrorist acts or money-laundering activities. Credit unions and associations of financial institutions may share information with other financial institutions after they provide notice to FinCEN and agree to maintain adequate procedures to protect the security and confidentiality of the information that is shared.

In order to share information (as allowed by the USA PATRIOT Act and FinCEN) with other financial institutions, credit unions must provide an annual notice to Treasury. A new notice must be completed each year.

The notification requires credit unions to provide:

• Federal ID number;

• Primary Federal Regulator;

• Mailing address;

• Contact person’s name;

• Contact person’s title;

• Contact person’s e-mail, telephone, and facsimile number.

Once the notification is submitted to FinCEN, credit unions may share information (regarding money laundering and terrorist financing only) with other financial institutions and not be liable to anyone for this type of information sharing. The notification may be revoked or suspended by NCUA.

If there are any suspicious transactions relating to money laundering or terrorist activity, credit unions may voluntarily report that information to law enforcement by completing the SAR and calling FinCEN’s Financial Institutions Hotline for terrorist activity at 866-556-3974.

The information sharing regulations also require credit unions to expeditiously search their records when they receive a request from FinCEN. FinCEN acts on behalf of federal law enforcement agencies investigating money laundering or terrorist activity. FinCEN may require any credit union to search its records to determine whether the credit union maintains an account for, or has maintained an account during the preceding 12 months for, anyone listed in the request. The credit union also needs to determine whether it has engaged in transactions conducted by, or funds transfers involving, a named suspect during the preceding six months that are required under law or regulation to be recorded by the credit union or that are recorded and maintained electronically by the institution.

Each credit union is required to sign up in order to receive FinCEN information requests. Signing up for FinCEN requests is done with NCUA as part of the Form 5300 call report. Section 314(a) contact information was added to the March 31, 2003, call report, so every credit union will have registered a contact person. If a credit union needs to change or update its contact information, it should do so on the next call report. If changes occur between cycles, the changes or updates need to be given to the appropriate regional office or NCUA examiner. Credit unions can have more than one contact person and should add the information of a second contact person by sending an e-mail or fax to NCUA (or to FinCEN, if privately insured).

The Financial Crimes Enforcement Network (FinCEN) implemented its web-based USA PATRIOT Act Section 314(a) secure communication system in March 2005. The system gives FinCEN the ability to deliver Section 314(a) subject information securely to financial institutions via the web. Credit unions that receive Section 314(a) requests electronically should already have completed the registration process.

When a credit union receives a request, it must expeditiously search its records to determine whether it maintains or has maintained any account for, or has engaged in any transaction with, any individual, entity, or organization named in the FinCEN request during the time period specified. If the credit union has any questions relating to the scope or terms of the request, it should contact the federal law enforcement agency directly. However, if the credit union identifies a matching account or transaction, it must report to FinCEN (not the federal law enforcement agency) the name or account number of each individual, as well as the Social Security number, date of birth, or other similar identifying information that was provided by the member or organization when the account was opened or the transaction was conducted.


USA PATRIOT Act’s Customer Identification Program Requirements

The USA PATRIOT Act of 2001 requires the U.S. Treasury Department to issue regulations setting forth minimum standards for financial institutions to identify and verify any person who opens an account.

CIP Requirements

Section 326 of the USA PATRIOT Act requires financial institutions to:

• Implement reasonable procedures to verify the identity of any person seeking to open an account, to the extent reasonable and practicable.

• Maintain records of the information used to verify the person’s identity.

• Determine whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency.

• Provide the customer opening a new account with notice of the information collection requirement.

The Treasury Department, National Credit Union Administration, and other federal agencies issued final regulations implementing Section 326 of the USA PATRIOT Act in 2003. The aim of the final rule is to protect the U.S. financial system from money laundering and terrorist financing. According to the regulators, the rule has the added benefit of helping to protect consumers against various forms of fraud, including the growing incidence of identity theft involving new accounts.

The final regulation requires all financial institutions, including credit unions, to implement a “Customer Identification Program” or “CIP”: procedures for obtaining identifying information from anyone opening an account and for verifying that information. The CIP procedures must enable the credit union to form a reasonable belief that it knows the true identity of the accountholder. The CIP is meant to be risk based. This means that the final regulations do not impose specific requirements but only minimum standards, and a credit union must tailor its CIP to its size, location, and membership base.

A credit union must apply its CIP to each person establishing a new account relationship. This includes not only members but joint accountholders, co-borrowers, and businesses.

Required information

The final regulation requires credit unions to get at least four pieces of information from each new member/customer. At a minimum, the credit union must obtain the person’s:

1. Name

2. Date of birth (for an individual)

3. Address

• Credit unions must get a residential or business street address. P.O. Boxes are not acceptable. This ensures that a physical address is on file if a government investigator ever needs to contact the member.

• If the prospective individual member or customer is unable to provide a residential or business street address, the credit union may accept the address of a friend or relative, or an Army Post Office (APO) or Fleet Post Office (FPO) box number.

• If the member is participating in an address confidentiality program, the credit union can take the street address of the ACP office that is assisting the member.

• The address for a business can be its principal place of business, a local office, or another physical location of the business.

• The credit union, of course, can collect additional addresses, such as a mailing address, to meet its own or the member’s needs.

4. Identification number

• For a U.S. person this means a Social Security number (SSN) for an individual or an employer identification number (EIN) for a business. A U.S. person is a U.S. citizen or a business, partnership, or other legal entity that is established or organized under federal or state law. Note that this definition of U.S. person differs from the one used by the IRS, which includes resident aliens.

• For any non-U.S. person which is simply any person or entity not qualifying as a U.S. person, the credit union has more flexibility. It can obtain:

1. a Social Security number from a resident alien;

2. an individual taxpayer identification number (ITIN);

3. a passport number and the country of issuance;

4. an alien identification card number; or

5. a number and country of issuance on any other foreign government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard (a “similar safeguard” may soon include biometrics, since the technology to identify thumbprints or eye scans already exists).

• If someone has applied for a taxpayer identification number but has not yet received it, the credit union can still open the account as long as it confirms that the TIN application was filed before the member/customer opens the account, and the credit union obtains the TIN within a reasonable period of time after the account is opened.

Beneficial Owner Rule

Effective May 11, 2018, credit unions are required to collect the required CIP information for each individual who is a beneficial owner of a legal entity that is opening a new account. A legal entity includes:

• corporations,

• limited liability companies,

• other entities that are created by filing a public document with a Secretary of State or similar office, and

• general partnerships or any similar business entities formed in the U.S. or a foreign country.

The new rule does not apply to:

• sole proprietorships,

• unincorporated associations (youth sports leagues), or

• natural persons opening accounts on their own behalf.

There is a two-prong test for determining whether someone is a beneficial owner of a legal entity. The first prong is “ownership”: each individual, if any, who owns 25% or more of the equity interest of the entity, directly or indirectly, is an “owner” for purposes of the rule. The second prong is “control”: an individual with significant responsibility for managing the legal entity, for example the CEO, COO, or President. Based on these two prongs, the number of individuals who meet the definition can be anywhere from one to five: there will always be one person identified under the “control” prong, and there can be up to four under the “ownership” prong.

The rule requires that you collect the information on a form that properly documents that the individuals meet the above requirements. FinCEN created a form that credit unions can use for collecting this information; it can be found in Appendix A of the rule. Once the beneficial owners have been identified, you follow your standard CIP process.
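Indirect ownership is where the ownership prong has to be computed rather than read off a form. The following Python is an added example, not FinCEN’s form or CUNA’s code: it takes a constructed ownership graph with hypothetical names, multiplies interests along each chain of intermediate entities, applies the 25% test, adds the control-prong individual, and returns the de-duplicated list of people to run through CIP. The graph layout, the function names, and the cycle and sum checks are this example’s own assumptions.

```python
from collections import defaultdict

OWNERSHIP_PRONG = 0.25   # 25% or more equity interest, direct or indirect
EPS = 1e-9               # tolerance for floating-point products like 0.5 * 0.5

# Ownership graph: legal entity -> list of (holder, fraction of equity).
# A holder that never appears as a key is treated as a natural person.
# Constructed sample with hypothetical names: Acme Widgets LLC is the
# customer opening the account; Holdco Inc. is an intermediate entity.
SAMPLE_GRAPH = {
    "Acme Widgets LLC": [("Holdco Inc.", 0.50), ("Alice Ng", 0.30), ("Bob Ruiz", 0.20)],
    "Holdco Inc.": [("Carol Smith", 0.50), ("Dave Okafor", 0.50)],
}
SAMPLE_CONTROL = "Bob Ruiz"   # CEO of Acme Widgets LLC (control prong)


def validate_graph(graph):
    """Reject negative interests and entities whose recorded equity adds up
    to more than 100%; such data-entry errors would understate someone's
    true share downstream."""
    for entity, holders in graph.items():
        total = sum(f for _, f in holders)
        if total > 1.0 + EPS or any(f < 0 for _, f in holders):
            raise ValueError(f"{entity}: equity interests sum to {total:.2%}")


def effective_ownership(entity, graph, _path=()):
    """Map each natural person to their direct-plus-indirect share of
    `entity`. A 50% owner of an entity that owns 50% of the customer
    holds an effective 25%. Circular ownership is rejected."""
    if entity in _path:
        raise ValueError(f"circular ownership through {entity}")
    shares = defaultdict(float)
    for holder, frac in graph.get(entity, []):
        if holder in graph:   # intermediate entity: recurse and scale
            sub = effective_ownership(holder, graph, _path + (entity,))
            for person, share in sub.items():
                shares[person] += frac * share
        else:                 # natural person: direct interest
            shares[holder] += frac
    return dict(shares)


def beneficial_owners(entity, graph, control_person):
    """Apply both prongs and return the sorted, de-duplicated list of
    (individual, reason) pairs that must go through CIP."""
    validate_graph(graph)
    reasons = {}
    for person, share in effective_ownership(entity, graph).items():
        if share + EPS >= OWNERSHIP_PRONG:
            reasons[person] = f"ownership {share:.0%}"
    # Exactly one control-prong individual; merge if also an owner.
    if control_person in reasons:
        reasons[control_person] += "; control"
    else:
        reasons[control_person] = "control"
    # At most four people can each hold 25% or more, so 1 to 5 names.
    assert 1 <= len(reasons) <= 5
    return sorted(reasons.items())


if __name__ == "__main__":
    for person, reason in beneficial_owners("Acme Widgets LLC", SAMPLE_GRAPH, SAMPLE_CONTROL):
        print(f"CIP required: {person} ({reason})")
```

Carol and Dave each hold 50% of Holdco, which holds 50% of the customer, so each lands at exactly 25% and qualifies; Bob’s 20% does not, but he is captured under the control prong. Running the same function with Alice as the control person yields a single entry for her with both reasons, which is the de-duplication the rule’s one-to-five count relies on.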

Identity verification

Once the credit union gets all the required information from the member/customer, it must verify identity sufficiently to establish a reasonable belief that it knows the true identity of the person. Credit unions have the flexibility to determine when verification will be done and what methods they will use. Credit unions should assess their membership base and the methods used to open accounts to determine how they will verify identity.

There are two methods credit unions can use to verify identity: documentary or nondocumentary. Documents are generally any unexpired government-issued identification evidencing nationality or residence and bearing a photograph or similar safeguard, such as a driver’s license or passport. Once the credit union verifies the member/customer through a document, it does not have to take steps to determine whether the document is valid (unless it is obviously fraudulent).

If a credit union chooses this method, its CIP must specify the documents it will use. This will require the credit union to conduct a risk-based analysis of the types of documents it believes will enable it to know the true identity of its members.

The credit union can also rely on nondocumentary methods of verifying the identity of its members/customers. Nondocumentary methods can be things like independently verifying the member’s identity by comparing information provided by the member/customer with information obtained from a consumer reporting agency, public database, or other source, checking references with other financial institutions, or obtaining a financial statement.

Nondocumentary methods are those actions that enable a credit union to form a reasonable belief that it knows the true identity of the member/customer by relying on something other than an unexpired government-issued identification. These terms can be tricky because nondocumentary methods can include things that would typically be called documents, like a financial statement. Just keep in mind that, as a general rule for individuals, a documentary method of verification relies on government-issued documents (such as a driver’s license or passport), while a nondocumentary method relies on something that is not a government-issued document.

The nondocumentary method will probably be used to verify the identity of anyone applying for membership through the mail, Internet, or fax. If the credit union relies on nondocumentary methods, its CIP must have procedures that describe the nondocumentary methods the credit union will use.

Member/customer due diligence

NCUA, along with the joint banking agencies, released the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual. The manual is intended to provide comprehensive guidance to examiners and financial institutions regarding BSA/AML regulatory requirements and best practices.

According to the manual, financial institutions (including credit unions) are expected to develop and maintain member/customer due diligence policies. These policies would require credit unions to collect additional member information (beyond CIP requirements) during account opening, which would give the credit union an indication of the types of transactions a member is likely to engage in. In addition, the Beneficial Owner Rule added a requirement that credit unions should also create a risk profile for all members. The manual emphasizes the importance of such policies in aiding in the detection of unusual or suspicious activity and suggests that member/customer due diligence policies be applied to all members. This includes the ongoing monitoring of members, as well as maintaining updated member information.

Enhanced due diligence procedures should be applied to members and products/services that present a higher risk for money laundering and terrorist activity. The type and degree of information sought will vary based on the risks presented by a particular member and the products/services provided. Credit unions should consider collecting the following information when opening higher-risk accounts: purpose of account; source of funds and wealth; beneficial owners of the accounts (if applicable); member’s occupation or type of business; etc. For additional guidance, see “Core Overview — Customer Due Diligence,” in the BSA/AML Examination Manual.

Checking government lists

Credit unions must have procedures in place for determining whether a member/customer appears on any list of known or suspected terrorists or terrorist organizations. Currently, no additional guidance has been issued on this USA PATRIOT Act requirement. Note that these lists are separate and distinct from the Office of Foreign Assets Control (OFAC) list.

Record retention

Credit unions are required to make and maintain a record of all the information they receive from their member. This includes name, address, date of birth, and identification number. These records must be retained for five years after the date the account is closed.

A credit union’s records must also include a description or copy (depending on whether permitted by state law) of any document the credit union relied on. This will be the information it records when verifying a member’s identity, and it must be kept for five years after the record is made. The credit union must keep:

• A description of any document that was relied on to verify the member’s identity;

• Any identification number in the document;

• The place the document was issued; and

• The date of issuance and expiration, if any.

The credit union must also keep a description of the methods and the results of any measures that were taken to verify the member’s identity and a description of the resolution of any substantive discrepancy that was discovered when verifying the information received from its member. These records must also be kept for five years after the record is made.

Notice requirements

A credit union must provide adequate notice to its members that it is requesting information to verify identities. A notice is adequate if the credit union generally describes the identification requirements of the final rule and provides notice in a manner designed to make sure that a member views the notice, or is otherwise given notice, before opening an account.

This means that, depending on the way in which an account is opened, the credit union can provide notice by posting the notice in the lobby or on its Web site, including the notice on its account application, or using any other form of written or oral notice. The regulation provides sample language that the credit union can use in its notice.

Penalties for Noncompliance

Credit unions, as corporate entities, as well as individuals (classified as “institution-affiliated parties”) can be subject to a wide range of penalties for BSA violations. For example, if a CTR is incomplete or inaccurate, a credit union can be fined $500. If it appears that a pattern of negligent violations has developed, the credit union can be fined up to $50,000. In addition, a credit union convicted of money-laundering crimes or willful evasion of currency-transaction reporting laws can be put into receivership or conservatorship by NCUA (and state-chartered credit unions can lose their share insurance coverage).

“Institution-affiliated parties” (a term which includes credit union directors, officers, employees, agents, and even, in some situations, independent contractors like attorneys, appraisers, or accountants) can be suspended if they are charged with a violation of the BSA, and permanently removed if the Treasury Department finds that the individual intentionally violated BSA regulations or knew that another individual violated BSA regulations. In addition to suspension or removal, an individual could be subjected to a number of civil penalties. Depending on the type of violation, a person could face a minimum fine of $1,000, up to a maximum fine of $100,000. Finally, individuals convicted of violating the BSA can face criminal penalties of up to $250,000 and/or imprisonment for up to five years unless the amount of illegal activity involves more than $100,000 in a 12-month period. In that case, the individual can be subject to a fine of up to $500,000 and/or 10 years in prison.

As the reader can see by the range of penalties, violations of the BSA can be severe and thus credit unions are well-advised to make BSA compliance a top priority.

Products and Services Affected by the Bank Secrecy Act

As mentioned above, one of the requirements of the NCUA’s rules regarding BSA compliance is that the credit union’s compliance program provide for training of appropriate personnel. Appropriate personnel include the BSA Compliance Officer, all tellers, the BSA auditor (if the credit union meets its annual audit requirement by utilizing credit union personnel), and any front-line staff who handle members’ transactions (for example, member service representatives). The BSA Compliance Officer should document all training and retain training records for at least five years.


The Bank Secrecy Act

Quiz/Study Guide

1. What triggers the filing requirements for the Currency Transaction Report (CTR) and what is the time frame for filing the report?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

2. The BSA allows credit unions to exempt certain transactions from the general CTR reporting requirements. These transactions generally have little value in assisting law enforcement investigations. List the categories of potential “exempt persons” listed in the Act.

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

3. From time to time, FinCEN may determine that circumstances warrant additional recordkeeping and reporting requirements under the BSA within a certain geographic area. This is called “geographic targeting.” What are some of the special reporting requirements that might be involved as part of this special order?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________


4. What does BSA require credit unions to do when a member purchases cashier’s checks, teller’s checks, money orders, or other monetary instruments in amounts of $3,000 to $10,000 if the purchase is made in currency?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

5. The BSA specifically excluded certain businesses from qualifying for exempt person status if they engage in certain business activities. List five of these business activities.

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

6. Under the USA PATRIOT Act, what form must be filed with FinCEN before a credit union can share information with another financial institution?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

7. NCUA requires all federally insured credit unions to have a written Bank Secrecy Act compliance plan that has been approved by the board of directors. This plan must include four separate items. List three of those requirements.

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

8. What four pieces of personal information must be collected from a member opening their first account with the credit union?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________


9. The credit union is only required to verify the new member’s identity to the extent that it forms a “reasonable belief that it knows the true identity of the person.”

[ ] True [ ] False

10. After the person’s identity has been verified, are there any other requirements of the CIP rules?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

11. Posting a notice of the identity verification requirements in the credit union lobby is all the regulation requires.

[ ] True [ ] False


The Bank Secrecy Act

Answer Key

1. A credit union must complete and submit a CTR each time it takes a deposit, gives a withdrawal, or exchanges currency if the transaction involves currency of more than $10,000. Also, if multiple same-day transactions result in total cash into or out of the credit union in excess of $10,000, a CTR must be filed. (Page 3-5)

The report must be filed within 15 days after the transaction takes place. (Page 3-6)

2. Potential exempt persons categories: 1) Any entity (other than a credit union or bank) whose common stock is listed on the New York, American or NASDAQ stock exchanges (with some exceptions), i.e., “public” or “listed entities”; 2) Any subsidiary (other than a credit union or bank) of any “listed entity” that is organized under U.S. law and at least 51 percent of its stock is owned by the listed entity; 3) A business—other than a publicly listed corporation or subsidiary as listed above—that has maintained a transaction account with the credit union for at least 2 months; “frequently” (at least five per year) engages in transactions in currency with the credit union in excess of $10,000; and is organized or incorporated under the law of the U.S. or a state (Section 1020.315, referred to in the regulation as “non-listed businesses”); 4) A person or business that has maintained a transaction account with the credit union for at least 2 months; operates a firm that regularly withdraws more than $10,000 in order to pay its employees in currency; and is incorporated or organized under the laws of the U.S. or a state (Section 1020.315, referred to in the regulation as “payroll customers”). (Page 3-6 to 3-7)

3. The credit union will receive a special order clearly describing the transactions to be reported as well as: 1) dollar amount of transactions subject to the special reporting; 2) types of transactions subject to the special reporting; 3) use of special forms for filing the reports; 4) the address to send the reports to; 5) starting and ending dates for reporting the transactions; 6) name of a Treasury official to contact with questions; and 7) the length of time to retain the information and reports generated. (Pages 3-8 to 3-9)

4. The credit union must maintain a record of: 1) the member’s name; 2) the date of purchase; 3) the type of instrument purchased; 4) the serial number of the instrument; and 5) the dollar amount of the transaction. (Page 3-14)


5. Groups engaged in the following businesses are ineligible for exempt person status: 1) service as a nonbank financial institution or agents of nonbank financial institutions; 2) purchase or sale to customers of motor vehicles of any kind, vessels, aircraft, farm equipment, or mobile homes; 3) the practice of law, accountancy, or medicine; 4) auctioning of goods; 5) chartering or operation of ships, buses, or aircraft; 6) gaming of any kind except licensed parimutuel betting at race tracks; 7) investment advisory or investment banking services; 8) real estate brokerage; 9) pawn brokerage; 10) title insurance and real estate closing; 11) trade union activities; and 12) any other activities that may be specified by FinCEN. (Page 3-7 to 3-8)

6. An annual notification. (Page 3-16)

7. The Bank Secrecy Act plan must include: 1) a system of internal controls to ensure continuing compliance, 2) provide for independent testing for compliance by either credit union personnel or outside parties, 3) designate an individual to coordinate and monitor daily compliance, and 4) provide training for appropriate personnel. (Page 3-4)

8. The credit union must collect: 1) name, 2) date of birth (for an individual), 3) a residential or business street address, 4) identification number (SSN, EIN, ITIN, passport number, etc.) (Page 3-19)

9. True (Page 3-20)

10. Yes. The name must be checked against government lists. (Page 3-21)

11. False. The notice must be placed or given so that members opening accounts through the various methods the credit union offers see the notice prior to opening the account. (Page 3-22)

SECTION 4 – IRS INFORMATION REPORTING AND WITHHOLDING REQUIREMENTS

Background

Credit unions, as most people know, are exempt from paying federal income tax. As not-for-profit cooperatives, Congress has seen fit to grant them this exemption in Section 501(c) of the Internal Revenue Code (the Code). Although credit unions are exempt from the payment of federal income tax, they are subject to a wide variety of provisions within the Code and the Internal Revenue Service (IRS) Regulations. This section will address some of the more common ways in which the Internal Revenue Code and the IRS Regulations impact the daily operations of credit unions.

The section begins with a discussion of the various information-reporting requirements to which credit unions are subjected, and then addresses backup withholding requirements.

Information Returns

Since the Sixteenth Amendment to the U.S. Constitution was ratified in 1913, Americans have been paying federal income tax. The general premise is, if income is earned, a tax must be paid on it. As we know, things are never as simple as they might seem. From that general premise we now have an amazingly complex set of rules and regulations to which we must adhere in determining our annual tax burden.

Those rules and regulations impose duties both on the individuals and corporations who ultimately pay their taxes, as well as on the various entities which provide income to those individuals and corporations.

For example, if John Smith is a member at XYZ Credit Union, he most likely earns a dividend on his share account through XYZ. At the end of each year, John has a duty under the Code to report that dividend as income when he completes his tax return the following spring. The Code places an additional burden on XYZ, however, as the credit union is required to report to the IRS how much it paid Smith in dividends for the year. This reporting provides a method by which the IRS can verify the income reported by Smith is accurate (at least with respect to his credit union dividends). This report of dividends paid to Smith, and the rest of the members of XYZ Credit Union, is one of a number of “information returns” which are required of credit unions and other entities.

We will address four types of information returns in this section — IRS Forms 1098 (Mortgage Interest); 1098-E (Student Loan Interest); 1099-INT (Dividends and Interest); and 1099-C (Discharge of Indebtedness). Credit unions have other information-reporting requirements as well — including information about wages paid to employees (IRS Form W-2); individual retirement account contributions (IRS Form 5498); and acquisition of abandoned property (IRS Form 1099-A) — but these are beyond the scope of this book.

IRS Form 1098 — Mortgage interest

Each calendar year in which a credit union receives $600 or more in mortgage interest and points as defined below from a member (including a sole proprietor), the credit union must report the total amount of interest received to the IRS using IRS Form 1098. The $600 threshold applies separately to each mortgage, which means you should file a separate Form 1098 for each mortgage loan. It is optional for credit unions to file a Form 1098 to report mortgage interest of less than $600. Any interest (other than points) received from a line of credit or credit card obligation tied to a mortgage (such as a home equity line of credit) must be reported regardless of how you classify that obligation. In addition, the Tax Relief and Health Care Act of 2006, Section 6050H(h), provides for premiums paid or accrued for qualified mortgage insurance (during the taxable year) with respect to a qualified residence of the taxpayer to be considered “interest” under specified circumstances.

A copy of Form 1098 must be delivered to each affected member and the IRS. A Form 1098 can be viewed at www.irs.gov/pub/irs-pdf/f1098.pdf.

But not all interest paid on a mortgage is simple interest. Many credit unions offer mortgage loans to members where the member prepays interest in the form of “points.” The IRS adopted new regulations to address prepaid interest in 1994. These rules took effect for the taxable year 1995 (in other words, they apply to points paid after Jan. 1, 1995).

Under IRS regulations, an amount paid is considered “points” — and thus reportable on the 1098 — to the extent the amount is:

• Clearly designated as points on the Closing Disclosure (the amount should be listed as a loan origination fee, loan discount, discount points, or points).

• Computed as a percentage of the stated principal amount of the loan.

• Conforms to an established practice of charging points in the geographic area and does not exceed the amount generally charged in the area.

• Paid in connection with the acquisition of the principal residence that secures the loan.

• Paid directly by the borrower.

An amount is not considered points to the extent that it is paid:

• In connection with a home improvement loan.

• In connection with a loan to purchase or improve a residence that is not the principal residence of the member.

• In connection with a home equity loan or line of credit even if the loan is secured by the member’s principal residence.

• In connection with a refinancing (including a refinance of a debt under the terms of a land contract or other form of seller financing).

• In lieu of amounts that are ordinarily stated separately on the Closing Disclosure, such as appraisal fees, title fees, attorney fees, and property taxes.

In many instances, sellers of homes agree to pay a portion of the buyer’s points. The IRS has decided to treat this type of payment as a series of two transactions; the first being a transaction by the seller to the buyer, and the second being the payment of the points by the buyer to the lender. Thus, points paid by the seller of a principal residence must be reported by the credit union on the buyer’s (that is, the borrower’s) 1098.

Note: The credit union’s duty to report mortgage interest on a 1098 does not affect its member’s tax liability. Whether or not the member will be able to claim all interest paid as a deduction on his income tax return is a matter for the member, his tax advisers, and the IRS. Credit unions should never provide tax advice to their members.

IRS Form 1098-E — Student loan interest statement

Beginning in 1999 (for the 1998 tax year), if, during any calendar year, a credit union receives at least $600 in interest from a member on a “covered student loan,” the credit union must report the total amount of interest received from that member on that loan to the IRS using IRS Form 1098-E. A copy of this form must be delivered to each affected member and the IRS. A Form 1098-E may be viewed at www.irs.gov/pub/irs-pdf/f1098e.pdf.

A loan does not necessarily need to be made as part of a guaranteed student loan program in order to be a “covered student loan” for tax purposes. A “covered student loan” is one that is made to a member solely for that member’s (or that member’s spouse’s or dependent’s) educational expenses paid within a reasonable time before or after the loan was taken out and that either:

1. Qualifies as part of a guaranteed student loan program of the federal, state, or local government; or

2. Is documented by the member’s certification on IRS Form W-9S (Request for Student’s or Borrower’s Social Security Number and Certification) that the loan proceeds were used solely for educational expenses.

Credit unions can use the W-9S (located online at www.irs.gov/pub/irs-pdf/fw9s.pdf) to make student loans using either closed-end or open-end credit as long as the loans in question are used by the member solely for educational purposes. In the case of open-end credit, the member must certify that all advances will be used for educational expenses.

Use of Form W-9S is optional; you may collect the information using your own forms and procedures. You may collect the student or borrower’s information on paper or electronically. To collect the information electronically, your credit union must establish a system for students and borrowers to submit Form W-9S electronically, including by fax. If an electronic Form W-9S is used, your electronic system must require as the final entry in the submission an electronic signature by the borrower whose name is on the Form W-9S that authenticates and verifies the submission.


IRS Form 1099-INT — Interest income

Although federal (and many state-chartered) credit unions pay members “dividends” by definition, for purposes of IRS information returns, credit union dividends are treated as “interest” and must be reported to the government each year on IRS Form 1099-INT. This form should be filed for (1) each person paid at least $10 in interest or dividends and (2) each person from whom Federal income tax was withheld under the backup withholding rules, regardless of the amount withheld. As is the case with 1098s, a 1099 must be delivered to each affected member and to the IRS. A Form 1099-INT may be found at http://www.irs.gov/pub/irs-pdf/f1099int.pdf.

IRS Form 1099-C — Discharge of indebtedness

Credit unions are in the business of making loans. As a simple matter of accounting (and common sense) a loan from one entity to an individual is not “income” to the individual. But what happens if the loan is not repaid? For decades, the Internal Revenue Code has considered a debt that was not repaid to be “income” to the nonrepaying borrower. Each year millions of dollars worth of debts are charged off as losses by financial institutions. At some point, it occurred to the IRS that there was a high degree of likelihood that some of those charged-off debts were not being reported by the individual taxpayers as income. As such, in 1996 the IRS finalized regulations requiring lenders, including credit unions, to report certain discharges of indebtedness each year on IRS Form 1099-C (Cancellation of Debt). A Form 1099-C may be found at www.irs.gov/pub/irs-pdf/f1099c.pdf.

These forms, like the information returns discussed above, must be delivered to the affected member as well as the IRS. That’s the simple part. What presents a bit more of a problem is the determination as to what is and what is not reportable as a discharge of indebtedness.

Identifiable events

The final IRS regulations have described eight “identifiable events” which trigger a need for a 1099-C. In a manner of speaking, each of these “identifiable events” represents an occurrence that indicates a debt will not be repaid. The eight “identifiable events” included in the IRS regulations are:

1. A debt discharged in bankruptcy, but only if the credit union knows from its books and records that the debt was for business or investment purposes.

2. A discharge of indebtedness pursuant to an agreement between the credit union and the member.

3. A discharge of indebtedness as a result of a credit union decision to discontinue its collection activity against the debtor.

4. A debt for which the 36-month “non-payment testing period” has expired.

5. A debt that is canceled or extinguished due to the expiration of the statute of limitations.


6. A debt that is canceled or extinguished in receivership or foreclosure in a state or federal court.

7. A debt that is canceled or extinguished pursuant to the credit union’s election of foreclosure remedies.

8. A debt that is canceled or extinguished, rendering it unenforceable, pursuant to a probate or similar hearing.

Most debts discharged in bankruptcy must not be reported as income to members on a Form 1099-C — only those that the credit union knows were for business or investment purposes. This knowledge can only be based on the official records of the credit union (mere speculation about what a member did with the proceeds of a loan are not enough). Thus, if a credit union routinely inquires as to the purpose of each loan it grants, that credit union would “know” whether or not a loan was granted for a business or investment purpose. Reporting is not required for consumer debts discharged in bankruptcy or in cases where the credit union is not aware of the purpose of the loan.

Perhaps the most likely scenario that would give rise to the need for a 1099-C would be when the member and the credit union agree to settle a debt for less than the full amount owed, and the amount not paid is $600 or more. So, for example, if John Smith owes a $3,000 balance to XYZ Credit Union, and XYZ agrees to accept a lump sum of $2,000 from Smith to settle the debt, an “identifiable event” occurs when Smith makes the $2,000 payment, and the credit union must file a 1099-C to report the $1,000 in income earned by Smith. It is important to note that the duty to report comes when Smith, in our example, makes the payment, not when the settlement arrangement is made.

In this scenario, an issue could arise as to whether the credit union has a duty to advise Smith that it must file a 1099-C to report the $1,000 as income. Suppose the credit union, in our hypothetical situation, does not inform Smith about the reporting requirement. When it subsequently files its 1099-C the following January or February, does it open itself up to claims of harassment of Smith? The issue has not yet been litigated, and it would seem the credit union would have a perfectly valid defense — after all, it has a legal duty to report the income. But to avoid the possibility that a member would bring some sort of a lawsuit under these circumstances, it may be best to include a discussion of the credit union’s 1099-C reporting duty in any settlement situation. In some cases, the reporting duty might actually serve as leverage for the credit union to convince the member to settle for a few hundred dollars more than he or she might have. Bear in mind, however, that the credit union’s duty to report is not negotiable — in other words, the credit union cannot agree to not report in exchange for the member’s settlement (unless, of course, the credit union excuses less than $600 of the debt).

If a credit union, pursuant to an established policy or business practice, decides to discontinue collection activity and discharge a debt, an “identifiable event” has occurred and a 1099-C must be filed. This is not to say that all charged-off loans must, per se, be reported as discharges of indebtedness. Only those charged-off loans that the credit union has made an affirmative decision not to attempt to collect must be reported due to this “identifiable event.”

The “identifiable event” involving the “nonpayment testing period” can subject many charged-off loans to the rule for reporting discharges of indebtedness. At the close of each year, credit unions are required to identify all loans on which they have not received payments for at least 36 months. These debts are presumed reportable, but that presumption can be overcome. The presumption is overcome, and thus a debt is not reportable as income to the member despite the credit union’s not having received payments for three years or longer, if during the prior 12-month period the credit union engaged in “bona fide collection activity” with respect to the debt. Although there is no specific definition of “bona fide collection activity,” it means more than merely nominal or ministerial collection action such as an automatic mailing to the member. Credit unions can avoid having to report debts under this identifiable event by diligently working their charged-off loans either in-house or through the services of an outside collector.

Although the expiration of the statute of limitations can give rise to a reportable discharge of indebtedness, the mere passage of time is not enough, in and of itself, to create a duty on the part of the credit union to report a debt as discharged. The IRS rules clarify that the statute of limitations is an “identifiable event” only if:

• The member/debtor has raised the affirmative defense that the statute of limitations has expired.

• That defense is upheld in a final judgment of a judicial proceeding.

• The period for appealing the judgment has expired.

Each state sets its own general statute of limitations with regard to debt collections, but they generally range from four to 15 years.

When it comes to foreclosures, different states allow creditors to pursue alternative methods to foreclose on delinquent real estate-secured debt. A common method allowed in most states is known as “judicial foreclosure.” A judicial foreclosure is one that is essentially supervised by a court of competent jurisdiction. In most judicial foreclosure statutes, any deficiency balance remaining after the foreclosure sale is a debt owed by the delinquent debtor to the financial institution. Some states’ statutes also allow nonjudicial foreclosure remedies (foreclosure by advertisement, for example), but many such statutes provide that in a nonjudicial foreclosure the lender is not entitled to pursue the debtor for any deficiency balance. The IRS treats such instances as “identifiable events” which trigger the need for a 1099-C.

The rules regarding reporting discharges of indebtedness make clear that only principal must be reported as income; credit unions may, but need not, report unpaid interest on Form 1099-C. Credit unions should adopt a policy whereby they affirmatively decide whether or not they will report discharged interest, and then abide by that policy to ensure consistent treatment of debtors.


This discussion focuses on credit union loans, but discharges of indebtedness can also arise in other ways. Should a member overdraw his account, there is a duty to report the overdrawn amount if it, together with all overdraft fees, amounts to $600 or more, and one of the eight identifiable events discussed earlier occurs.

As noted earlier, debt forgiveness may result in taxable income. Congress enacted the Mortgage Forgiveness Debt Relief Act of 2007, which allows taxpayers to exclude debt forgiven on their principal residence if the balance of their loan was less than $2 million. The limit is $1 million for a married person filing a separate return. The debt must have been used to buy, build or substantially improve the taxpayer’s principal residence and must have been secured by that residence. Debt used to refinance qualifying debt is also eligible for the exclusion, subject to certain restrictions. Additional information about this relief is available in the IRS’s resources on this Act at https://www.irs.gov/uac/home-foreclosure-and-debt-cancellation.

IRS Form 990 — Return of Organization Exempt from Income Tax

State-chartered credit unions are required to file this form annually. It is a public document and is used by the public to obtain information about the operations of tax-exempt organizations. Federal credit unions are not required to file Form 990 because they are not subject to unrelated business income taxes. The IRS recently redesigned this form in an effort to increase transparency, promote tax compliance, and minimize the burden on filing organizations. Most importantly, the updated form requires state-chartered credit unions to disclose information about their governance procedures, as well as the compensation of highly paid employees.

Special mailing requirements

As discussed in this section, whenever any of these various information returns are required, a copy must also be provided to the taxpayer. IRS regulations refer to such copies as “statements.” The statement must be either on an IRS Form (1098, 1099-INT, etc.) or on a substitute form that is substantially similar to the IRS form. The statements must be either hand-delivered or sent by first-class mail to the member’s last known address. They can be attached by perforation to a member’s year-end statement, or sent separately. If an information return is attached to a member’s year-end credit union statement, the credit union statement must be stamped in bold and conspicuous type: “IMPORTANT TAX DOCUMENT ATTACHED.”

IRS rules generally require that information returns be sent separately. Thus, a credit union may not include marketing materials in the envelope that includes a member’s information return. There are limited exceptions to this rule. A mailing to a member that contains an information return may include:

• A letter explaining why a check is not included with the statement (for example, when a dividend is declared, but not yet paid).

• A letter explaining the tax consequences of the information contained in the statement.

• All other information returns due to the member.

• A check from the account being reported.

No other enclosures are permitted with a mailing of an information return to a credit union member although the credit union’s logo may appear on the statement.

Finally, the envelope that contains a member’s information return(s) must include on its face, also in bold and conspicuous type: “IMPORTANT TAX DOCUMENT ENCLOSED.” A credit union logo may also appear on the envelope.

Electronic delivery of payee statements

Credit unions can furnish IRS Form W-2, “Wage and Tax Statement,” Form 1098-T, “Tuition Payments Statement,” and Form 1098-E, “Education Loan Statement” through a secured Web site rather than sending a paper form through the mail.

Members who choose electronic delivery are required to “opt in” and affirmatively consent to receiving their forms in an electronic format. The member’s consent must be made electronically and must demonstrate that the member has access to the statement electronically. Prior to or at the same time a member or employee consents to receive a statement electronically, the credit union must provide a “clear and conspicuous” statement containing certain disclosures that are similar to the consumer consent provisions in the Electronic Signatures in Global and National Commerce (E-SIGN) Act.

Statements may be furnished through any electronic means with the member’s consent including attachments to an e-mail. There are provisions designed to protect members that specify:

• what disclosures must be provided to the payee before the statement may be delivered electronically,

• how member consent must be obtained,

• the manner in which the electronic payee statement must be delivered, and

• retention requirements for statements posted on websites.

Penalties for failure to file information returns

Credit unions can be subject to penalties for any failure to file information returns, including those discussed here. In the eyes of the IRS, a “failure” can be a “failure to timely file” or a “failure to include correct information” on an information return. If a credit union fails to file an information return on time, the credit union will face a penalty depending on when the return is eventually filed. If a required information return is filed:

• Within 30 days of the filing date, then the penalty is a maximum of $30 per return, with the total penalty not to exceed $250,000.

• After 30 days, but by August 1 of the year the return is required, then the penalty is a maximum of $60 per return with the total penalty not to exceed $500,000.

• After August 1 of the year the return is required, then the penalty is $100 per return, with the total penalty not to exceed $1,500,000.

If the credit union fails to furnish a member with his or her information return by the due date, the penalties will vary based on when the payee statement is provided. If the credit union intentionally disregards the payee statement requirement, it can be penalized $250 per statement, and no maximum penalty amount has been set.

The IRS regulations provide some measure of relief to credit unions for “inconsequential errors,” which are defined as failures that do not prevent the IRS from processing a return, correlating the information with an individual’s tax return, or otherwise putting the return to its extended use. However, by definition, some errors are never inconsequential. These may be related to:

• The member’s taxpayer identification number.

• The member’s surname.

• Any dollar amounts.

• Significant omissions in the member’s address, if the member provided them previously to the credit union (with respect to the copy provided to the member).

• The manner of furnishing the information returns to the member (with respect to the copy provided to the member).

The IRS can waive penalties if a credit union shows that its failures are due to “reasonable cause” as opposed to willful neglect. “Reasonable cause” is present if the credit union can show that it acted in a responsible manner, both before and after the failure occurred, and either

• There were significant mitigating factors; or

• The failure was caused by events beyond the credit union’s control.

Record retention

Under IRS regulations, credit unions must retain all records that contribute to the creation of each member’s information returns — and a copy of each information return itself — for four years. Because some of the records which contribute to the creation of each member’s information returns also fall within the scope of the Bank Secrecy Act, credit unions are well-advised to retain these records for five years, consistent with the requirements of the BSA.

Backup Withholding

Another area of IRS regulations requiring credit unions’ attention involves backup withholding. Under these rules, credit unions are required to withhold a percentage of “reportable payments” when certain conditions exist. As a result of the Jobs and Growth Tax Relief Reconciliation Act of 2003, the backup withholding rate is reduced from 30% to 28% for payments made after May 28, 2003. The conditions under which credit unions are required to backup withhold will be discussed later.


Reportable payments

In general, “reportable payments” include any dividends (and/or interest for state-chartered credit unions permitted to pay interest on member deposits) paid by a credit union to its members, unless the amount of a dividend paid to an individual member is less than $10 on an annualized basis. Thus, for example, a quarterly dividend of $1.50 is not a “reportable payment” (since four quarterly dividends of $1.50 would not equal $10 or more), while a quarterly dividend of $2.51 is a “reportable payment.”

Reportable payments can also arise if a credit union redeems a U.S. Savings Bond and the person redeeming the bond does not provide a taxpayer identification number, or furnishes one that is obviously incorrect (for example, does not contain nine digits). To complete this type of transaction (known as a “window transaction”), the person redeeming the bond is required to provide his or her TIN, but the individual need not certify under penalty of perjury that the TIN is correct. (A discussion regarding TIN certification more generally appears below.)

Withholding conditions

There are five situations in which backup withholding from reportable payments is required. The credit union must apply backup withholding when:

1. A member fails to provide a TIN or certify that the TIN is correct.

2. The IRS notifies the credit union that backup withholding must begin due to a missing or incorrect TIN (CP2100 or CP2100A).

3. The IRS notifies the credit union that the member is subject to backup withholding (“C-Notice”).

4. The member fails to certify that he or she is not subject to backup withholding (unless the member qualifies for an exemption).

5. The member fails to provide a W-8 BEN or does not renew the form after three years.

Withholding procedure

The procedure you must follow depends on the circumstance that triggers backup withholding on a member’s account.

IRS CP2100 or CP2100A notice

This notice comes to you in the form of a letter outlining the steps you must take and includes a listing of the accounts that may be subject to backup withholding. Credit unions receive this notice when an IRS return is filed with a missing, incorrect, and/or not currently issued TIN. The first step is to compare the list attached to the notice with your account records.

For missing TINs. The IRS considers a TIN missing if it isn’t provided or it is obviously incorrect. For example:

• The TIN has more or fewer than nine digits: (SSN) 123-45-678 or 123-45-67899; (EIN) 12-345678 or 12-34567899

• The TIN has a mixture of digits and letters: (SSN) 123-45-678Z or (EIN) 12-345678P

Make sure that backup withholding has already begun and continues until you receive a TIN from the member. If backup withholding hasn’t started:

1. Start to withhold and continue until you receive a TIN.

2. Do not send a “B-Notice,” but request a completed W-9 by December 31 of the year the account is opened and (if a TIN is not received) make a second request by December 31 of the next year.

3. Report any amounts you withhold on IRS Form 945, Annual Return of Withheld Federal Income Tax, along with the required deposit.

For incorrect name and TIN combinations. If the name and TIN combination reported to the IRS does not match or cannot be found on either the IRS or Social Security Administration (SSA) files, it is considered to be incorrect. The procedure to follow depends on whether the information on the IRS list agrees with or disagrees with your account records. In the following situations it is not necessary to notify the IRS.

If the list does not agree with your account records because:

1. You put the wrong TIN on the 1099-INT: Correct your records, be sure future returns have the correct TIN, and do not send the member a “B-Notice”.

2. The information changed after the return was filed: Include the correct TIN on future returns and do not send the member a “B-Notice”.

3. The IRS listing is wrong: Note this on your records and take no further action.

If the information on the IRS list agrees with your account records and this is the first time in three calendar years you have received notice from the IRS for the member:

1. Send the First “B-Notice” and a W-9 within 15 business days of either the date of the IRS Notice or the date you received the notice (whichever is later). Be sure the date and the account number are on the “B-Notice.” If you include a return envelope, be sure it is clearly marked “Important Tax Information Enclosed” or “Important Tax Return Document Enclosed.”

2. Update your account record when the correct information is received and include that information on future returns.

3. If the member does not respond to your request within 30 days of either the date of the IRS notice or the date you receive the notice (whichever is later), begin backup withholding. Or you can start backup withholding on these accounts the day after the date you receive the notice from the IRS.

If this is the second notice from the IRS on an account you must:

1. Send the second “B-Notice” to the member within 15 business days of either the date of the IRS Notice or the date you received the notice (whichever is later). You can provide a return envelope as long as it is clearly stamped as described earlier.

2. Begin backup withholding after 30 business days if you have not received either an SSA Form 7028 or Letter 147C from the member validating the TIN.

In these circumstances you do not need to notify the IRS unless the dollar amount you reported changes.
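As an added illustration, not part of the CUNA text, the following Python applies the “missing TIN” test from the CP2100 discussion above (the page’s own sample values) and the notice-reconciliation decision that follows it. The shape of the IRS listing rows and of the credit union’s account record, and the action codes returned, are assumptions made for this example.

```python
import re

# Hyphenated layouts used in this document's examples:
# SSN/ITIN/ATIN style 123-45-6789 and EIN style 12-3456789.
SSN_STYLE = re.compile(r"^[0-9]{3}-[0-9]{2}-[0-9]{4}$")
EIN_STYLE = re.compile(r"^[0-9]{2}-[0-9]{7}$")


def tin_is_missing(tin):
    """CP2100 'missing' test: not provided, not exactly nine digits, or any non-digit.

    Hyphens are layout only and are ignored. ASCII digits are required on purpose:
    str.isdigit() would also accept Unicode look-alike digits, which an official
    TIN never contains.
    """
    if tin is None:
        return True
    bare = tin.replace("-", "").strip()
    return len(bare) != 9 or any(c not in "0123456789" for c in bare)


def classify_tin(tin):
    """Format hint from layout alone: 'missing', 'ssn', 'itin', 'ein' or 'unhyphenated'.

    Per the text, an ITIN shares the SSN layout and always starts with 9; an ATIN
    also shares the SSN layout, so 'itin' is a hint from the format, not proof.
    """
    if tin_is_missing(tin):
        return "missing"
    if SSN_STYLE.match(tin):
        return "itin" if tin.startswith("9") else "ssn"
    if EIN_STYLE.match(tin):
        return "ein"
    return "unhyphenated"  # nine digits, but no layout to tell SSN from EIN


def cp2100_action(listed_name, listed_tin, record_name, record_tin,
                  prior_notices_in_3_years):
    """Decision for one account on a CP2100/CP2100A listing (assumed input shape).

    Returns an action code mirroring the procedure described in the text.
    """
    if tin_is_missing(listed_tin):
        # Missing-TIN branch: withhold until a TIN arrives, request a W-9 by
        # December 31, and do not send a B-Notice.
        return "withhold_until_tin_received_no_b_notice"
    if (listed_name, listed_tin) != (record_name, record_tin):
        # Listing disagrees with our records (wrong TIN on the 1099-INT, data
        # changed after filing, or IRS listing wrong): fix records, no B-Notice.
        return "correct_records_no_b_notice"
    if prior_notices_in_3_years == 0:
        # First notice in three calendar years: First B-Notice plus W-9 within
        # 15 business days; withhold if no response within 30 days.
        return "send_first_b_notice_and_w9"
    # Second notice: Second B-Notice; withhold after 30 business days unless
    # SSA Form 7028 or IRS Letter 147C validates the TIN.
    return "send_second_b_notice"


if __name__ == "__main__":
    # Constructed sample listing: (listed name, listed TIN, record name,
    # record TIN, prior notices in the last three calendar years).
    sample = [
        ("A. Member", "123-45-678Z", "A. Member", "123-45-678Z", 0),
        ("B. Member", "123-45-6789", "B. Member", "123-45-6798", 0),
        ("C. Member", "912-34-5678", "C. Member", "912-34-5678", 0),
        ("D. Member", "12-3456789", "D. Member", "12-3456789", 1),
    ]
    for row in sample:
        print(row[0], classify_tin(row[1]), cp2100_action(*row))
```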

“C-Notice.” If you receive a “C-Notice” or Backup Withholding Notification from the IRS, you must begin backup withholding within 30 days of receipt of the notice. These notices are issued for members who have been notified by the IRS of underreporting of payments.

The member does not provide a TIN or signed W-9. If a member does not provide a TIN or a signed W-9 Certification, you must begin backup withholding immediately. You must also request a W-9 by December 31 of the year the account is opened and, if the W-9 is not provided, again by December 31 of the following year.

The member does not renew a W-8 BEN. When a member completes a W-8 BEN claiming foreign status and exemption from backup withholding, the original form is valid until the last day of the third calendar year from the date it is signed. If a new form is not filed, backup withholding must begin for that account.

When can backup withholding end?

When you can stop backup withholding depends on what triggers the need to start it.

• If the member failed to provide a TIN and W-9, you can stop backup withholding when you receive the TIN and a signed W-9.

• If you receive an IRS 2100 or 2100A Notice:

1. For missing TINs, backup withholding can stop when you receive the correct TIN and W-9 certification.

2. For incorrect Name/TIN combinations, backup withholding can stop when you receive either SSA Form 7028 Notice to Third Party of Social Security Number Assignment or IRS Letter 147C from the member.

• If you receive a “C-Notice” Backup Withholding Notification you can stop backup withholding when you receive an official notice from the IRS to stop.

• If the member does not provide or renew IRS Form W-8BEN you can stop backup withholding when you receive a signed W-8BEN from the member.

What is a TIN?

A TIN is either a social security number (SSN) issued by the Social Security Administration or an employer identification number (EIN) issued by the IRS. An official TIN has exactly nine numbers, no more and no less, and can only be made up of numbers, not a combination of numbers and letters. The SSN and EIN are the most common TINs.

Occasionally a member may have an ITIN or an ATIN.

• ITIN — an individual taxpayer identification number issued by the IRS to aliens, both resident and nonresident, who are not eligible for SSNs. This number is made up of nine digits, is in the same format as an SSN, and always starts with the number 9. An ITIN is requested using Form W-7, IRS Application for Individual Taxpayer Identification Number.

• ATIN — an adoption taxpayer identification number issued by the IRS as a temporary tax identification number for children born in the U.S. These numbers are a series of nine numbers, are in the same format as an SSN, and are closed when an SSN is issued. An ATIN is requested using Form W-7A, IRS Application for Taxpayer Identification Number for Pending U.S. Adoptions.

TIN certification

When a member opens a new account at a credit union, the account will not be subject to backup withholding if the member certifies, under penalty of perjury, that:

• The TIN provided by the member is correct;

• The member is not subject to backup withholding; and

• The member is a U.S. person (including a U.S. resident alien).

Note: Members with an ITIN also use Form W-9 Certification.

This certification is obtained in one of two ways: (1) the member can complete IRS Form W-9, which provides the certification, or (2) the member can complete a “substitute W-9.” A sample W-9 can be viewed at www.irs.gov/pub/irs-pdf/fw9.pdf. Substitute W-9s are forms created by credit unions to obtain the essential certifications described above from their members. IRS regulations allow credit unions to use substitute W-9s only if the certifications are “clearly set forth.” The term “clearly set forth” has been clarified in recent years. The dual certifications are “clearly set forth” on a W-9 if a separate signature line is provided solely for the certifications; or a single signature line is provided for the certifications as well as other provisions unrelated to the certifications, but only if:

• The language of the required certifications is presented in a way (highlighted, boxed, printed in bold type, etc.) that the language stands out from all other information contained on the substitute W-9, and

• The following statement appears immediately above the single signature line: “The Internal Revenue Service does not require your consent to any provisions of this document other than the certifications required to avoid backup withholding.”

A credit union may not require a member to agree to other provisions included in a substitute W-9 as a condition for avoiding backup withholding, nor may a credit union threaten backup withholding in order to get the member’s acceptance of provisions in the document unrelated to the required certifications.

Certificate of Foreign Status

In some cases, credit unions may be serving members who are not U.S. citizens, who do not have resident alien status in the U.S., and who may not even have a tax identification number. These members can claim an exemption from tax withholding by completing Internal Revenue Service (IRS) Form W-8BEN, “Certificate of Foreign Status of Beneficial Owner for United States Tax Withholding.”

This form allows nonresident aliens to certify their foreign status and is used in place of a Form W-9 TIN certification. The credit union would request the member to complete Parts I and IV of the Certificate. The form must be retained by the credit union but is not required to be sent to the IRS, and it is valid for three calendar years after the year it was signed. In other words, if it is signed in September 2000, it expires on Dec. 31, 2003, and if the member still maintains an account at the credit union, a new form would be requested prior to that date.

When a valid W-8BEN is on file for all owners of an account, no 1099-INT reporting is required at year-end; however, IRS Form 1042-S may be required. This form is discussed below. If any one of the account owners cannot claim foreign status, then the IRS does require the account to be reported under the U.S. taxpayer identification number for that account owner. See a sample W-8BEN at www.irs.gov/pub/irs-pdf/fw8ben.pdf.

Reporting Interest Paid to Nonresident Aliens

The IRS adopted a final rule in 2012 that requires credit unions to file IRS Form 1042-S for interest payments of $10 or more paid to a nonresident alien. Although the rule specifically covers nonresident aliens who are residents of a country with which the U.S. has an information-sharing agreement, as specified in the IRS revenue procedure, it is operationally most efficient for credit unions to file the form for all nonresident aliens, which is acceptable under the rule. Credit unions may generally rely on the permanent residence address provided on the W-8BEN for purposes of determining the residence of a nonresident alien. The regulation applies to interest paid after January 1, 2013. Instructions for IRS Form 1042-S may be viewed at www.irs.gov/pub/irs-pdf/i1042s.pdf.

New accounts

When an account is opened, if the member fails to certify that his TIN is correct, that he is not subject to backup withholding, and that he is a U.S. person, the credit union must generally begin backup withholding immediately. An exception to this general rule arises when an account is established by electronic transmission — telephone, personal computer, or wire transfer transaction. If a member opens an account via electronic transmission and provides a TIN, the credit union can give the member 30 days to provide the certifications (in other words, the statements made under penalty of perjury that the TIN is correct and that the member is not subject to backup withholding) before beginning backup withholding. Note, however, that in these situations the credit union may not allow the new member to withdraw more than 69 percent of a reportable payment (that is, dividends or interest) before the certifications are received.

If a member does not have a TIN but has applied for one, or plans to apply for one, his or her new account will be exempt from backup withholding requirements during the 60-consecutive-day period beginning the day the credit union receives from the member his or her “awaiting TIN certificate.” An “awaiting TIN certificate” is a written statement, signed by the new member under penalty of perjury, that indicates:

• The member has not been issued a TIN.

• The member has applied for or intends to apply for a TIN.

• The member understands that if he or she does not provide his or her TIN to the credit union within 60 days, backup withholding will begin.

As an alternative to this statement, the member can complete a W-9 or a substitute W-9 but instead of writing in a TIN, the words “applied for” would fill in the space reserved for that purpose.

Credit unions are not required to open accounts for potential members who do not have TINs. However, credit unions may not refuse to open an account (nor close an account) simply because a member is subject to backup withholding (or will not certify that he or she is not subject to backup withholding).

Repayment of erroneously collected tax

If the credit union makes an error in its withholding calculation and withholds more than was required, it may refund the difference to the member, provided the refund is made before the end of the year in which the dividend is reported as income to the member. If the mistake is discovered after the end of the year, the member must receive his refund, if any, directly from the IRS.

Information returns

When an account is subject to backup withholding during a year, information about the backup withholding must also appear on the member’s year-end 1099-INT (or acceptable substitute). (Information returns are discussed in greater detail above.)

Penalties for noncompliance

Penalties for failure to provide TINs or for providing incorrect TINs on information returns, and for failing to backup withhold, can be severe. The penalty for missing or incorrect TINs can be up to $100 for each instance. The credit union can also be liable for the amount of taxes that should have been withheld. In addition, the credit union can face civil and criminal penalties if the failure to backup withhold was willful.

Record retention

Under IRS regulations, credit unions must retain all records involving backup withholding for four years. Because some of the records that pertain to a member’s account history also fall within the scope of the Bank Secrecy Act, credit unions are well-advised to retain these records for five years, consistent with the requirements of the BSA. Membership cards that also serve as substitute W-9s should be retained permanently.

Products and services affected by backup withholding regulations

All deposit-side products offered by the credit union, as well as some teller window transactions (in the case of cashing of some U.S. Savings bonds), can be impacted by the rules regarding backup withholding. As such, it is important to keep tellers and especially member service representatives trained about the various rules regarding backup withholding.


IRS Information Reporting and Withholding Requirements

Quiz/Study Guide

1. Describe the general types of information required on IRS Forms 1098, 1098E, 1099-INT, and 1099-C.

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

2. What types of loans create a duty for credit unions to file Form 1098-E Student Loan Interest Statement?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

3. There are eight “identifiable events” that trigger a duty to file a Form 1099-C Discharge of Indebtedness. List three of them.

_____________________________________________________________________

_____________________________________________________________________

4. There are six special mailing requirements for IRS Information Returns. List four of them.

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________


5. Credit unions can be subject to penalties for failing to file information returns timely. The IRS provides some relief to credit unions for what they call “inconsequential errors.” Define “inconsequential error” and list three errors that would NEVER fall under that definition.

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

6. List two of the five circumstances when a member’s account will be subject to backup withholding.

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

7. When can a credit union stop backup withholding once it has begun?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

8. When a member opens a new account, that account will not be subject to backup withholding if the member certifies that the TIN is correct, that he/she is not subject to backup withholding, and that he/she is a U.S. person (including U.S. resident alien). How does the credit union obtain that certification from the member?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________


IRS Information Reporting and Withholding Requirements

Answer Key

1. IRS Form 1098 Mortgage Interest — Each calendar year in which a credit union receives $600 or more in mortgage interest from a member, the credit union must report the total amount of interest received from the member to the IRS.

IRS Form 1098E Student Loan Interest Statement — Beginning in 1999 for the 1998 tax year, if during the calendar year, a credit union receives at least $600 in interest from a member on a “covered student loan,” the credit union must report the total amount of interest received from that member on that loan to the IRS.

IRS Form 1099-INT Interest Income — dividends paid to members must be reported to the IRS.

IRS Form 1099-C Discharge of Indebtedness — lenders must report certain discharges of indebtedness each year to the IRS. (Pages 4-3 to 4-5)

2. “Covered student loan” — loans made to members solely for that member’s or member’s spouse or dependent’s educational expenses paid within a reasonable time before or after the loan was taken out and that either: 1) qualifies as part of a guaranteed student loan program for federal, state, or local government; or 2) documents by the member’s certification on IRS Form W-9S that the loan proceeds were used solely for educational expenses. (Page 4-4)

3. The eight identifiable events include: 1) a debt discharged in bankruptcy if the credit union knows the debt was for business or investment purposes; 2) a debt discharged pursuant to an agreement between the credit union and the member; 3) a debt discharged as a result of a credit union decision to discontinue its collection activity against the member; 4) a debt for which the 36-month nonpayment testing period has expired; 5) a debt canceled or extinguished due to the expiration of the statute of limitations; 6) a debt canceled or extinguished in receivership or foreclosure in state or federal court; 7) a debt canceled or extinguished pursuant to the credit union’s election of foreclosure remedies; and 8) a debt canceled or extinguished rendering it unenforceable pursuant to a probate or similar hearing. (Page 4-6)


4. Requirements for tax statements: 1) must be printed on the forms provided by the IRS or substantially similar forms; 2) must be hand delivered or sent by first class mail to the member’s last known address; 3) can be attached to the year-end statement if accompanied by the statement: “IMPORTANT TAX DOCUMENT ATTACHED” or sent separately; 4) may not include marketing materials unless they fall under the exceptions listed in the regulation; 5) the envelope must be stamped: “IMPORTANT TAX DOCUMENT ENCLOSED”; and 6) the credit union logo must appear on the envelope. (Page 4-9)

5. “Inconsequential errors” — errors that do not prevent the IRS from processing a return, correlating the information with an individual’s tax return, or putting the return to its intended use.

Errors involving these types of information would never be considered “inconsequential errors”: 1) member’s taxpayer identification number; 2) member’s surname; 3) dollar amounts; 4) significant omissions in the member’s address; and 5) the manner in which the information returns are furnished to the member. (Page 4-10)

6. The credit union must apply backup withholding when: 1) a member fails to provide a TIN or certify that the TIN is correct; 2) upon receipt of a B-Notice from the IRS which notifies the credit union that the name and TIN provided by the credit union on a previously filed 1099-INT do not match IRS and Social Security Administration records; 3) upon receipt of a C-Notice from the IRS which notifies the credit union that the member has underreported interest and dividend income; or 4) the member fails to certify that he or she is not subject to backup withholding. (Page 4-11)

7. Withholding must continue until the credit union receives specific notification from the IRS to stop. This can take the form of: 1) a notice received directly from the IRS or 2) the member can present to the credit union a copy of the written certification received directly from the IRS stating that the withholding is to stop. (Page 4-13)

8. You can obtain this certification by having the member complete an IRS Form W-9 or a “substitute W-9” that meets the IRS requirements. (Page 4-14)

SECTION 5 – PRIVACY REGULATIONS

CFPB, Regulation P — Privacy of Consumer Financial Information

General Overview

Title V, Subtitle A of P.L. 106-102, the Gramm-Leach-Bliley Act, addresses “Disclosure of Nonpublic Personal Information.” In accordance with GLB, NCUA issued regulations for federal credit unions to implement the new privacy requirements in 2000. The Federal Trade Commission (FTC) and the other federal banking agencies issued substantially similar regulations for the organizations that they govern. Although non-federally insured credit unions are subject to the FTC regulations, the FTC agreed that all credit unions can look to NCUA for guidance.

The Dodd-Frank Act of 2010 established the Consumer Financial Protection Bureau (CFPB) and transferred certain consumer financial protection regulations from seven agencies, including NCUA and the FTC, to the CFPB on July 21, 2011. The CFPB issued an interim final privacy rule effective December 30, 2011, which basically incorporated the existing regulations of the transferor agencies. It did not impose any new substantive obligations on credit unions.

Generally, the privacy regulation is a disclosure rule and does not prohibit a credit union from sharing information with businesses outside of the credit union (“affiliates” and “nonaffiliated third parties”). However, proper disclosures are required before the information can be shared.

The one prohibition in the law is that every credit union is forbidden from providing an account number or similar access number for a credit card account, share account, or transaction account of any consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing efforts.

All credit unions have to provide privacy notices

Generally, all credit unions are required to provide an annual privacy notice to people using their products and services even if a credit union does not share information with a third party for marketing purposes.

If a credit union meets certain conditions, it may be exempt from the annual privacy notice requirement. See “Exemption to Annual Privacy Notice Requirement” on page 5-7.

“Opt-out” option

Generally, before a credit union can share information with a nonaffiliated third party for marketing purposes, the credit union will have to give the person a reasonable opportunity to request that the information not be shared — that is, the person has a right to “opt out” of the planned information sharing. However, this “opt-out” right does not exist when the credit union shares information with a third party to complete the requested transactions (such as sharing with a data processor), has a “joint agreement” (marketing contract) with a third party that is a financial institution, or has the member’s consent to share the information. The credit union, however, can provide the opt-out option to anyone, if it chooses to do so.

Complying with Federal Privacy Regulations

CFPB’s regulations [12 CFR 1016] apply to all credit unions. Although credit union service organizations (CUSOs) are not directly under the jurisdiction of the CFPB, and therefore not subject to the agency’s privacy regulations, depending on what activities the CUSO engages in, it may be subject to the privacy regulations issued by the Securities and Exchange Commission (SEC), the CFPB’s rules or state insurance commission regulations.

All “financial institutions”

All “financial institutions” are subject to the federal privacy regulations. This means that banks, securities firms, insurance companies, finance companies, mortgage brokers, check cashers, debt collectors, tax preparation firms, wire transferors, and other businesses defined as “financial institutions” by the Bank Holding Company Act are subject to privacy disclosure rules. This broad definition of “financial institution” is also important in determining what companies credit unions can make “joint agreements” with and have fewer restrictions under the privacy regulations.

Key Definitions

“Member” and “member relationship” — A “member” for purposes of this regulation is more than the concept of “member” used by credit unions (the person with voting rights). In this regulation the term will include some nonmembers. A “consumer” who has a continuing relationship with the credit union has a “member relationship” with the credit union. Examples include:

• A member as defined in the credit union’s bylaws.

• A nonmember who has a share, share draft, credit card account, or other loan jointly with a member.

• A nonmember who has a loan serviced by the credit union.

• A nonmember served by an NCUA-designated low-income credit union.

• A nonmember with an account in a state-chartered credit union, if allowed by state law.

“Consumer” — A consumer means “an individual who obtains or has obtained a financial product or service from you [the credit union], that is to be used primarily for personal, family, or household purpose, or that individual’s legal representative.” A consumer does not have a member relationship with the credit union if, for instance, the person uses the credit union’s ATM to make a withdrawal from an account the person maintains with another financial institution; an individual merely purchases traveler’s checks at the credit union; or if the credit union owns the person’s loan but does not have the rights to service that loan.

“Personally identifiable financial information,” “nonpublic personal information,” and “publicly available information” — “Personally identifiable financial information” means information that an individual gives to your credit union (or you get elsewhere) in order to obtain a product or service, or that results from any transaction between you and the member. It does not include “publicly available information,” that is, information that the credit union has a reasonable basis to believe is lawfully made available to the general public (such as from government records or widely distributed media such as telephone listings).

The credit union is required to make specific disclosures about its sharing of “nonpublic personal information,” that is, any personally identifiable financial information it possesses. The fact that a person is a credit union member is nonpublic personal information, even if the person’s name and address would appear to be publicly available information. So any list of members’ names is “nonpublic personal information.”

“Affiliate,” “control,” and “nonaffiliated third party” — There is a distinction between “affiliate” and “nonaffiliated third party.” An affiliate of a credit union is a company “controlled” by the credit union. For federal credit unions, the only possible type of company is a CUSO; state chartered credit unions may have some other types of business arrangements authorized. “Control” is defined as:

• A credit union having ownership or the power to vote at least 25% of the outstanding shares.

• Control in any manner over the election of a majority of the directors.

• The power to exercise a controlling influence over the company as CFPB determines. CFPB will presume a credit union has a controlling influence if the CUSO is 67% owned by credit unions. This means an individual credit union does not have to have a 25% ownership interest, if a group of credit unions own at least two-thirds of the stock.

• Credit unions that believe they have control over a CUSO/company that does not fall within these definitions of control can petition the CFPB for a determination.

A company that does not fall within the definition of “affiliate” will be classified as a “nonaffiliated third party.”

“Opt out” — Opt out means a direction by the consumer that the credit union is not to disclose nonpublic personal information about that consumer to a nonaffiliated third party. The regulation, however, allows credit unions to engage in many instances of information sharing without having to provide the opt-out option, as long as there is proper disclosure of the information practices.


Providing Privacy Disclosures

Members and certain nonmembers

The credit union must provide initial and annual privacy disclosure notices to all individuals who receive services from the credit union for personal or household use. These include:

• Natural person members

• Natural person nonmembers served by NCUA low-income designated credit unions or allowed to be served by state law

Each joint accountholder does not need to receive a separate copy of the privacy and opt out notices. A credit union may provide one initial notice to those consumers jointly.

The credit union is generally not required to provide separate notices to nonmember individuals who are co-borrowers, co-makers, or guarantors. However, if the credit union shares nonpublic personal information about them to non-affiliated third parties not covered by one of the opt out exceptions, a one-time privacy notice will have to be provided. Refer to the opt-out requirements for co-borrowers later in this section. In addition, no annual notices are required for each co-borrower and guarantor. However, if a co-borrower, co-maker, or guarantor is also a member, the credit union must provide initial and annual privacy notices as it would any other member.

The credit union must provide initial disclosures for new member relationships and annually (“once every 12 months”) after the initial notices are given. New member relationships include:

• Not later than when the person becomes a member of the credit union.

• Not later than when a nonmember receives any credit union services, in the case of a NCUA designated low-income credit union or a state-chartered credit union authorized to serve nonmembers.

• In the occasional case of a consumer nonmember requiring a disclosure, before the credit union discloses any nonpublic personal information if the information is disclosed to a nonaffiliated third party for marketing purposes (Example: A person buying traveler’s checks at the credit union and the credit union plans to share that person’s purchase information — a privacy notice must be first given.)

• In the case of the credit union purchasing the servicing rights of a nonmember’s personal loan when the person has not otherwise received the credit union’s privacy notice.

“After-the-fact” disclosures are possible under certain circumstances. If the credit union purchases a loan (that is, a “membership relationship is established not at the member’s election”), the credit union can provide the notice to the person “within a reasonable period.” Additionally, if a person orally agrees to a financial service, and providing the disclosure would cause a “substantial delay” in providing the service, the person can agree to get the privacy notice within a reasonable period after the service is provided.


Consumers

In some unusual circumstances, even occasional users of credit union services (called consumers) will have to be given a privacy notice.

For example, the notice and possible opt-out requirement is triggered if the credit union chooses to provide nonpublic personal financial information to third parties for marketing purposes about a person who is not a member of the credit union but uses the credit union’s ATM machine. Before the credit union can share this information, it will have to provide its privacy notice. Other examples of credit union “nonmember consumer” transactions are: traveler’s checks, credit card cash advances, savings bonds, or cashing payroll checks of the credit union’s sponsor.

If the credit union adopts a policy (and follows that policy) to never share information in these circumstances, the credit union will never have to provide disclosures to those who do not have an ongoing “member relationship”.

Termination of annual privacy notices

The credit union can stop providing annual notices only:

• When a person is no longer a member.

• For a nonmember with a share or share draft account, when the account is considered inactive by the credit union.

• In the case of a closed-end loan to a nonmember, when the loan is paid in full, charged off, or is sold without the credit union retaining servicing rights.

• In the case of an open-end loan to a nonmember (including credit cards), when the credit union no longer provides any statements or notices, or the loan is sold without the credit union retaining servicing rights.

• In the case of a nonmember customer, when the credit union has not communicated with the person for 12 consecutive months other than sending privacy notices or promotional materials.

• When a member has requested that no member information be mailed (such as a “no-mail” flag on the account) as long as the privacy notice is available to the member on request.

Alternative Method of Delivery for Annual Privacy Notices

Instead of mailing its annual privacy notice to members, under certain circumstances credit unions may post the notice online. In order to utilize this alternative method of delivery, credit unions must satisfy the following conditions:

• It cannot share the non-public personal information of its members with non-affiliated third parties in a manner that triggers opt-out rights;

• It cannot include in its annual privacy notice information about certain opt-out rights available under Section 603 of the FCRA;

• Its annual privacy notice is not the only notice provided by the credit union to satisfy the requirements of Section 624 of the FCRA (related to affiliate marketing solicitations);


• The information on the privacy notice has not changed since the last time it was distributed to the member; and

• It utilizes the model form available under Regulation P as the template for its privacy notice.

At least annually, the credit union must communicate to its membership that the notice is available on its website. For example, the credit union may include this notification in the mailing of a member’s monthly account statement. The annual privacy notice must be posted on the credit union’s website continuously and on a page that does not require a log-in or other conditions to access it. Should a member request a paper copy of the privacy notice, the credit union must provide it within 10 business days.

Exemption to Annual Privacy Notice Requirement

The Fixing America’s Surface Transportation Act (FAST Act) was signed into law on December 4, 2015.

The FAST Act amended Section 503 of the Gramm-Leach-Bliley Act to eliminate the requirement that credit unions send an annual privacy notice to their members under certain conditions. In order to qualify for the exemption, credit unions must:

• Share non-public personal information with non-affiliated third parties only in accordance with one of the exceptions provided for in Subpart C of Regulation P; and

• Not have changed its privacy policies and practices since the last time it provided an annual privacy notice to members.

While the CFPB has yet to amend Regulation P to account for the changes promulgated by the FAST Act, in its Letter to Credit Unions (16-CU-03) issued in January 2016, the NCUA advised credit unions that it considered the new exemption to be effective immediately.

Privacy Notices

The credit union is required to deliver a written privacy notice (oral notices are insufficient) in such a way that receipt can reasonably be expected and in a form that can be retained. The disclosure notice does not have to be mailed separately from other credit union material. Examples of acceptable means provided by the agency are:

• Hand-delivered

• Mailed to last known address

Some examples of unacceptable means are to provide a general advertisement or merely post the notice in the credit union’s lobby.

The notice must be “clear and conspicuous” which means that it must be reasonably understandable and designed to call attention to the nature and significance of the information in the notice. This notice can be combined with other information, such as including it as part of the credit union’s newsletter, if the notice uses distinctive type size, style, and graphics.

The credit union can deliver the initial notice electronically only if the person to whom it is addressed agrees to receipt in an electronic form. If there is this agreement, the credit union can post the notice on its website and require acknowledgment of receipt as a step before the person can obtain a particular product or service electronically. The notice cannot be sent electronically if the person does not obtain financial products or services electronically.

Note that all credit unions will have to provide a privacy notice to their membership, even if there is no information sharing with anyone outside of the credit union or sharing with only third party transaction processors. The CFPB’s regulations provide for a simplified notice for these situations.

A credit union will be allowed to reasonably expect that a member will receive actual notice of the privacy disclosure without doing an annual mailing if certain requirements are met. The member must use the credit union’s web site to access financial services, agree to receive notices at the web site, and the credit union must continuously post its privacy notice in a clear and conspicuous manner. If the member has asked the credit union to refrain from sending any information to him and the privacy notice is available upon request, the credit union does not need to mail a disclosure annually.

Format of privacy notices

In 2006, regulators were directed to adopt a standardized, easier to understand privacy notice under the Financial Services Regulatory Relief Act. Specifically, the Act requires the model form shall: (i) be understandable in format and design; (ii) provide clear and conspicuous disclosures; (iii) enable consumers to easily comprehend and compare privacy practices among financial institutions; and (iv) be succinct and in an easily readable font.

As a result, NCUA, along with the other federal regulators, issued a final rule (effective December 31, 2009) that provided credit unions with a model form that can be used to comply with the initial and annual notice requirements. This final rule is included in the CFPB’s privacy rule. There are multiple versions of the model form available, depending on whether or not an opt-out is provided and the manner in which the opt out may be exercised.

The model form has two pages and agencies are providing some format flexibility. The agency is not mandating a particular paper size; however, the notice has to be provided in portrait format and must be sufficient to accommodate font size, spacing and content requirements. The form is broken out as follows:

Page one features:

• The title

• Introductory section, called the “key frame,” that provides context to help members understand the required disclosures

• Disclosure table that describes the types of permissible sharing by credit unions under Federal law; which of those types of sharing the credit union engages in; and whether the consumer can limit or opt out of the credit union’s sharing

• Information on how to limit sharing via opt-out (if applicable). If the credit union provides a mail-in opt-out form, that form appears on the bottom of the first page.

• Credit union’s member service contact information

Page two provides:

• Additional explanatory/supplemental information in a “Frequently Asked Questions” format.

The model form will replace the model language or sample clauses that most credit unions were using in their privacy notices. Credit unions using the model form will be deemed to have satisfied the content requirements for Privacy notices and therefore granted a safe harbor with regard to Privacy compliance.

It should be noted that use of the model forms is voluntary. According to the final rule, credit unions would still have the ability to use other types of notices, as long as they comply with the privacy rule. However, the safe harbor will not be available for these notices.

The opt-out notice

General rule

When applicable, the credit union must provide a conspicuous notice that explains the right of the person whose nonpublic personal information is going to be shared with certain nonaffiliated parties to “opt out,” and must provide a reasonable means by which and a reasonable time in which the person may exercise the opt-out right.

Contents of the opt-out notice

The credit union will need to identify all categories of nonpublic personal information that it discloses or reserves the right to disclose and identify the financial products or services the consumer obtains which the opt-out direction would apply to. The credit union can allow the consumer/member to exercise a “partial opt out” (for instance, the person objects to credit card solicitations but would be interested in hearing about insurance products).

Reasonable opt-out means

The regulation suggests a number of methods for opting out: via toll-free number, via Internet, or by mail-in form. The initial or annual notice must accompany the opt-out form. The model forms also include the model opt-out language to be included in the privacy form.

Timing of the opt-out option

If the opt-out option is applicable, the credit union must give the consumer “a reasonable opportunity” to opt out before the nonpublic personal information is shared with a nonaffiliated third party. The regulation’s examples describe 30 days as a reasonable waiting period. The credit union must comply with the consumer’s opt-out direction “as soon as reasonably practicable” after the credit union receives the notice. The consumer/member can exercise his right to opt out at any time, and the opt-out direction remains in place until revoked in writing by that person.


Opt-out directions by joint accountholders

The opt out notice must explain how the credit union will treat an opt-out direction by one or more of the joint account holders. The credit union can choose to:

• Treat an opt-out direction by any one of the joint accountholders to apply to everyone on the account; or

• Permit each joint accountholder to opt out separately.

However, the credit union must allow one person to opt out on behalf of all joint accountholders if the person so requests, and it cannot require all accountholders to opt out before it will honor the opt-out direction of one of the accountholders.

Opt-out directions for co-borrowers, co-makers, and guarantors

If the credit union shares information about a co-borrower, co-maker, or guarantor to a third party that would trigger an opt-out notice, the credit union must provide a separate initial notice and opt-out notice to all borrowers and guarantors. Therefore, if information sharing is permissible without generating an opt-out notice under any of the exceptions listed in the following paragraphs, the credit union is not required to provide privacy and opt-out notices to such individuals. In addition, no annual notice is required.

Exceptions to the General Privacy Notice and Opt-Out Rules

General overview

Sections 1016.13, 1016.14, and 1016.15 contain important exceptions to some of the privacy disclosures and opt-out requirements that otherwise apply to the information sharing of financial institutions with third parties. Congress provided for liberal information sharing between affiliates. Generally, no opt-out option is provided under the Privacy Act to prevent affiliate information sharing. However, credit unions need to bear in mind that the Fair Credit Reporting Act (FCRA) does enable consumers to opt out of affiliate information sharing under limited circumstances. And because Congress conceded that smaller financial institutions, such as credit unions, would be put at a competitive disadvantage to the large financial conglomerates authorized by the financial modernization law, Congress added special treatment for the third-party service providers and other financial institutions credit unions contract with to provide an array of services to their membership.

CUNA suggests that each credit union will want to place the affiliates and non-affiliated third-party businesses with which you share information into one of five categories. Each category has different rules concerning:

• What disclosure language must be included on the privacy notice;

• If the opt-out option legally has to be given; and


• If sharing account numbers is permissible.

The five categories are:

1. Information sharing with affiliates (which generally will be CUSOs).

• The credit union must disclose the categories of affiliates by the types of businesses they engage in (examples: mortgage lending, life insurance, securities brokerage).

• A credit union can share information with an affiliate without having to give the person the opportunity to opt out unless that sharing triggers protections under the FCRA.

• A credit union can share account numbers with an affiliate.

• A credit union and its affiliate can send out a joint privacy notice as long as the notice accurately reflects information for all credit unions and affiliates represented on the disclosure.

2. Information sharing with nonaffiliated third parties for purposes of processing and servicing transactions; with the consumer’s consent; to protect against fraud; or to comply with the law. If the credit union discloses nonpublic personal information “necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes,” the credit union is exempt from certain requirements of the regulation. This exception also covers:

• Servicing or processing a financial product or service that a consumer/member requests or authorizes (the person using the ATM).

• Maintaining the member’s account.

• A proposed or actual securitization or sales of servicing rights.

Based on the text of the regulation, the supplementary information section, and CUNA’s conversations with agency staff, the following are examples of third parties with which credit union information sharing activities are anticipated to fall under this exception:

• Data processors

• Mortgage servicers

• IRA service suppliers

• Check printers

• Collection companies

• Collateral protection insurers

• Statement mailers

The regulation includes an additional lengthy list of exceptions from the disclosure rules for information sharing with third parties that are not marketing products. The exceptions include:

• With the consumer/member’s consent (such as payroll deductions)

• To protect the confidentiality of the credit union’s records

• To protect against fraud

• To provide information to organizations involved in rating or assessing standards

• To attorneys, accountants, and auditors

• To the extent permitted by the law to enforcement agencies and other official bodies


• To and from consumer reporting agencies

In cases of information sharing allowed under both Sections 1016.14 and 1016.15, special privacy rules apply:

• For these parties, the credit union does not have to list them or their general services on their disclosures. The credit union only has to say that it makes “disclosures to other nonaffiliated third parties as permitted by law.”

• For information sharing with these parties, no opt-out option is required.

• Sharing of account numbers is allowed.

3. Information sharing with nonaffiliated third-party financial institutions (banks, insurance companies, CUSOs, brokerage firms, other credit unions, etc.) with whom the credit union has a joint marketing agreement. A “joint agreement” means a written contract the credit union has with another financial institution where the parties jointly offer, endorse, or sponsor a financial product or service. The contract must contain provisions requiring confidentiality and forbidding use by the third party of the information for anything other than what is provided in the contract.

• For these nonaffiliated third parties, the credit union must separately disclose the general lines of business.

• The credit union does not have to provide the opt-out option for the person whose information is being shared, the most important variation from the general privacy requirements.

• The credit union cannot share account numbers with these third parties, although encrypted numbers without the decoding key can be provided.

4. Nonaffiliated third parties that perform services or functions on the credit union’s behalf but do not fall under either exceptions (2) or (3) above. There must be a formal agreement requiring confidentiality and forbidding reuse of the information by the third party. An example would be when a credit union uses a mailing house to send out marketing information to the membership.

• For these parties, the credit union must separately disclose the general lines of business.

• The credit union does not have to provide the opt-out option for the person whose information is being shared.

• The credit union can provide account numbers to its agent or service provider, as long as the agent or service provider cannot directly initiate charges to the account.

• A service provider may disclose or use nonpublic personal information for processing transactions.

5. Nonaffiliated third parties that do not fall within any of the other exceptions. Before information can be shared by the credit union with these third parties, there must be full disclosure and the opportunity for the person to opt out of the information sharing. Additionally, if the credit union shares information it has on co-borrowers, co-makers, or guarantors with these third parties, the credit union must give each co-borrower and guarantor a separate initial notice and opt-out notice.

Prohibition on Sharing Account Numbers with Third Parties

General prohibition

The regulation states that a credit union “must not, directly or through an affiliate, disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a consumer’s credit card account, share account, or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.”

Exception to the prohibition on sharing account numbers for marketing purposes

The credit union can share an account number in the following circumstances:

• With an affiliate;

• With an agent or service provider solely for the purposes of marketing the credit union’s own products and services, as long as the agent/service provider cannot directly initiate charges to the account;

• To a participant in a private label credit card program or an affinity or a similar program where the participants in the program are identified to the member upon entering into the program; or

• When the account number is in an encrypted form and the recipient third party is not given the means to decode the number.
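The last exception above allows an account number to be shared only in a form the recipient cannot decode. As an added example (not CUNA’s or NCUA’s code), the Python below uses a keyed one-way transform (HMAC-SHA256, an assumption about the method; the regulation says only “encrypted form”) to build the file handed to a nonaffiliated marketing partner, and contrasts it with an unkeyed hash, which a recipient can reverse because the space of 10-digit account numbers is small enough to enumerate. The records, key, field names and 10-digit account format are all constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional

# Constructed sample records as the credit union holds them. The 10-digit
# share account number format is an assumption for this example.
MEMBER_RECORDS = [
    {"member_id": "M-1001", "name": "Alice Example", "account_number": "0001234567"},
    {"member_id": "M-1002", "name": "Bob Example",   "account_number": "0007654321"},
    {"member_id": "M-1001", "name": "Alice Example", "account_number": "0001234567"},
]


def pseudonymize_account(account_number: str, key: bytes) -> str:
    """Keyed one-way transform (HMAC-SHA256). The credit union keeps the key;
    the recipient gets a stable token it can use to match its own records
    but has no means to turn the token back into the account number."""
    return hmac.new(key, account_number.encode("ascii"), hashlib.sha256).hexdigest()


def unkeyed_token(account_number: str) -> str:
    """The weak variant: a plain hash is not 'encryption without the decoding
    key' in any useful sense, because every 10-digit input can be tried."""
    return hashlib.sha256(account_number.encode("ascii")).hexdigest()


def recover_from_unkeyed(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Shows why unkeyed_token fails the test: whoever holds the token can
    hash each candidate number until one matches."""
    for candidate in candidates:
        if unkeyed_token(candidate) == token:
            return candidate
    return None


def build_shared_dataset(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Produces the file sent to the nonaffiliated marketing partner: the
    account number is replaced by its token and no other account data is sent."""
    return [{"name": rec["name"],
             "account_token": pseudonymize_account(rec["account_number"], key)}
            for rec in records]


def leaks_account_number(shared: List[Dict[str, str]], records: List[Dict[str, str]]) -> bool:
    """Pre-release check: no value in the outgoing file contains a real account number."""
    raw = {rec["account_number"] for rec in records}
    return any(number in str(value)
               for row in shared for value in row.values() for number in raw)


if __name__ == "__main__":
    # Constructed key; in practice it lives in the credit union's key store,
    # never with the recipient.
    key = b"constructed-demo-key-do-not-share"
    outgoing = build_shared_dataset(MEMBER_RECORDS, key)
    for row in outgoing:
        print(row)
    print("leaks account numbers:", leaks_account_number(outgoing, MEMBER_RECORDS))
```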

The Fair Credit Reporting Act and the Privacy Regulation

In 1996 Congress amended the Fair Credit Reporting Act (FCRA) to allow for more customer information sharing among financial institution affiliates. Affiliated companies may share “experience” information without limitation. This is any information that consists of transactions or experiences between one of the affiliates and the consumer to whom the information relates. This information may be shared directly or through a shared database. “Any other information” may also be shared among affiliated institutions if (a) the member receives a clear and conspicuous disclosure that the information may be shared among the affiliates, and (b) the member is given an opportunity to opt out of the sharing before it takes place. Examples of information that might be shared with prior disclosure and an opportunity to opt out include information derived from the member’s application and consumer reports from consumer reporting agencies.

The Fair and Accurate Credit Transactions Act (FACTA) of 2003 amended the federal FCRA to require a new notice and opt-out provision that applies to a person’s use of certain information that it receives from an affiliate to market its products and services to consumers. Although there is a certain degree of overlap between the two opt outs, they are distinct and serve different purposes.

NOTE:

NCUA’s Information Systems & Technology Examination Program was announced in October 2000 in Letter to Credit Unions #00-CU-07, and is now in force. In December 2000 NCUA sent to all federally insured credit unions Letter #00-CU-11 providing guidance on risk management of outsourced technology services. The agency sent out Letter #01-CU-04 in March 2001 entitled “Integrating Financial Services and Emerging Technology”. The agency encourages credit unions to consider the benefits of offering Internet-based electronic financial services.

Section 624 of the FCRA generally provides that, if a person shares certain information about a consumer with an affiliate, the affiliate may not use that information to make or send solicitations to the consumer about its products or services, unless the consumer is given notice and a reasonable opportunity to opt out of such use of the information and the consumer does not opt out. Section 624 governs the use of information by an affiliate, not the sharing of information with or among affiliates. As such, this affiliate marketing opt-out right is distinct from the FCRA opt-out right for affiliate sharing (under section 603 of the FCRA), although they overlap to some extent. See the FCRA discussion in the Regtrac Consumer Lending book for more information on affiliate sharing.

NCUA’s Confidentiality Bylaw and the Privacy Regulation

In October 1999 the NCUA Board revised the Federal Credit Union Bylaws applicable to federal credit unions. Federal credit unions (FCUs) were not required to adopt any or all of the 1999 bylaw provisions, but all FCUs should have adopted the language of the revised Article XVI, Section 2. This section was specifically amended to recognize the new privacy regulation that was adopted by NCUA in May 2000, and it clears up any questions about FCUs being able to share member information with business partners for marketing purposes. Article XVI, Section 2 (revised) reads:

“Section 2. The officers, directors, members of committees, and employees of this credit union must hold in confidence all transactions of this credit union with its members and all information respecting their personal affairs, except when permitted by state or federal law.”

Safeguarding Member Information — NCUA Part 748

The first section of the privacy law requires that the federal agencies, including NCUA, “shall establish appropriate standards ... relating to administrative, technical, and physical safeguards:

1. to insure the security and confidentiality of customer records and information;

2. to protect against any anticipated threats or hazards to the security or integrity of such records; and

3. to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.”

The security program established by the credit union must include administrative, technical, and physical safeguards appropriate to the size and complexity of the credit union and the nature and scope of its activities. These standards were incorporated in the NCUA Rules and Regulations Part 748 — Security Program, Report of Crime and Catastrophic Act and Bank Secrecy Act Compliance. In addition to the safeguards listed above, your security program must also address how the credit union will:

• Protect each credit union office from robberies, burglaries, larcenies, and embezzlements.

• Assist in the identification of persons who commit or attempt to commit such actions and crimes.

• Prevent destruction of vital records, as defined in 12 CFR Part 749.

If a credit union fails to establish an adequate security program, the NCUA Board may take administrative action.

Board duties

It is the responsibility of the credit union’s board of directors to approve and exercise general oversight over the member information security program. The board’s responsibilities include approving the written information security policy and program, overseeing efforts to develop, implement, and maintain an effective security program, and reviewing management reports. The board can, however, assign specific implementation responsibilities to a committee or an individual. A sample “Policy on Safeguarding Member Information” can be found in the CUNA e-Guide section discussing Privacy. The e-guide can be accessed through the CUNA website at www.cuna.org.

Statement of Compliance

The president or managing official of each federally-insured credit union must certify compliance with the requirements in Part 748, including maintaining a security program. This certification is generally done through the credit union’s online profile on an annual basis.

Developing a security program

When developing and implementing the security program, a credit union should assess its risk, manage and control that risk, oversee service provider arrangements, adjust the security program as needed, and make reports to the board.

The security program should be a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the credit union as well as the nature and scope of its activities. The appendix to NCUA Part 748 provides assistance in developing meaningful and effective security programs. These programs will be reviewed as part of NCUA’s safety and soundness examinations.

Assessing risk

All information requires protection but not necessarily to the same degree. A credit union can decide to treat all member information the same or in varying degrees to match the level of protection required. However, when assessing risk, discretion should be used to determine the levels of protection necessary for different categories of information and to ensure that the level of protection provided is adequate for all of the credit union’s information.

To begin assessing risk, credit unions should identify the reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems. Then consider the potential damage that a compromise of member information from an identified threat would have on that information.

NOTE:

NCUA Letters to Credit Unions Nos. 01-CU-20 and 07-CU-13 (found online at www.ncua.gov/Resources/Documents/LCU2001-20.pdf and www.ncua.gov/Resources/Documents/LCU2007-13.pdf) provide guidance to credit unions on exercising due diligence when entering into a relationship with third party service providers.


After completing this step, credit unions should assess the adequacy of current policies, procedures, member information systems, and other arrangements designed to control any identified risks.

Service provider agreements

When overseeing outsourcing arrangements with service providers, credit unions should:

• Exercise due diligence in selecting service providers.

• Require service providers by contract to implement appropriate measures designed to meet the objectives of the NCUA Guidelines.

• If indicated through the risk assessment process, monitor the service providers to ensure that they have implemented the appropriate measures. As part of this monitoring, the credit union should review audits, summaries of test results, or other equivalent evaluations. On-site inspections are not necessary.

Internet based financial services

Credit unions that offer Internet-based financial services (electronic banking, for example) must develop an effective authentication program to reduce the chances of doing business with unauthorized or incorrectly identified parties. Authentication methods include:

• using passwords and personal identification numbers (PINs),

• digital certificates using public key infrastructure (PKI), and

• biometrics (such as digitally storing a fingerprint, scanning a retina, or using voice recognition software).

But remember the success of a particular authentication tool or method depends on more than just technology – it depends on the credit union’s policies, procedures and controls.

NCUA Letter to Credit Unions No. 01-CU-10, “FFIEC Guidance on Authentication in an Electronic Banking Environment,” provides detailed information on what constitutes an effective authentication program. The letter emphasizes the following:

• The authentication process should be consistent and support the credit union’s overall security and risk assessment programs. Implementation of an appropriate authentication method should start with a thorough assessment of the risk posed by the credit union’s electronic banking systems.

• Reliable methods should be used to verify a member’s identity during the account origination process, as well as authenticating members before allowing access to on-line banking systems.

• A sound authentication system should include audit and monitoring features that can assist in detecting fraud, unusual activities, compromised passwords, or other unauthorized activities.

• The credit union’s authentication process should be reviewed periodically to assess its adequacy in light of changing or new risks.

Additional guidance regarding online member authentication was issued in NCUA Letter to Credit Unions 11-CU-09. See this letter online at www.ncua.gov/Resources/Documents/LCU2011-09.pdf.


Security program safeguards

As credit unions develop their security programs, they should determine whether the following measures are appropriate, taking into consideration the identified risks, the sensitivity of the information involved, and the complexity and scope of the credit union’s activities.

1. Access controls on member information systems, including controls to authenticate and permit access only to authorized individuals as well as controls to prevent employees from providing member information to unauthorized individuals seeking this information through fraudulent means.

2. Restrictions to access by authorized individuals only to physical locations storing member information, such as buildings, computer facilities, and record storage facilities.

3. Encryption of electronic member information during storage or transmission on networks or systems, making sure unauthorized individuals do not have access to the information.

4. Procedures designed to ensure that member information system modifications are consistent with the credit union’s information security program.

5. Dual control procedures, segregation of duties, and employee background checks for staff responsible for or with access to member information.

6. Monitoring systems and procedures designed to detect actual and attempted attacks on or intrusions into member information systems.

7. Response programs specifying what actions to take when the credit union suspects or detects that unauthorized individuals have gained access to member information systems, including reports to regulatory and law enforcement agencies.

8. Measures to protect against the destruction, loss, or damage of member information from potential environmental hazards, such as fire and water damage or technical failures.

Each credit union must consider whether the security elements discussed here are appropriate and if so adopt them.

Security program for electronic data

Credit unions must include the electronic protection of member information in their security program. The first step is to identify the hardware and software configurations used to deliver electronic services to determine what issues or weaknesses the systems may have.

Next identify any reasonably foreseeable internal and external threats based on the credit union’s information technology (IT) environment and the types of systems and services provided. Rank any foreseeable threats that are discovered. The ranking system should take into consideration the risk of the threat actually occurring as well as the impact on the credit union if the threat occurs. Based on this ranking, determine what action to take to lessen the threat.

These steps will help in the development of policies and procedures. Then be sure to frequently monitor those policies and procedures, especially with regard to your IT Systems. Because the IT environment changes so frequently, security procedures and practices need to be updated to reflect those changes.

The Supervisory Committee should review, at least annually, the credit union’s security policies and procedures and should provide a report of their findings to the board of directors. The frequency of this review should be based on the level of risk the credit union assumes and how that risk is managed.

NOTE:

NCUA issued a Letter to Credit Unions No. 02-CU-02 on NCUA’s examination procedures including exam objectives and a checklist

Response programs for data security breaches

Part 748 of NCUA’s regulations also requires federally insured credit unions to develop and implement “risk-based” response programs to address instances of unauthorized access to member information. Appendix B to Part 748 provides credit unions with direction on how to meet this regulatory requirement.

When a credit union becomes aware of an incident of unauthorized access to “sensitive member information,” the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused.

Sensitive member information includes data such as:

• A member’s name, address, or telephone number used in conjunction with the member’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the member’s account.

• Any combination of components of member information that would allow someone to log onto or access the member’s account, such as user name and password or password and account number.

The credit union’s response program should also include procedures to notify members about incidents of unauthorized access to member information systems that could result in substantial harm or inconvenience to the member (e.g., identity theft).

Components of a response program

At a minimum, a credit union’s response program should contain procedures for:

• Assessing the nature and scope of an incident, and identifying what member information systems and types of member information have been accessed or misused;

• Notifying the appropriate NCUA Regional Director, and, in the case of federally insured state-chartered credit unions, its applicable state supervisory authority, as soon as possible when the credit union becomes aware of an incident involving unauthorized access to or use of “sensitive” member information;

• Notifying appropriate law enforcement authorities, in addition to filing a timely Suspicious Activity Report (SAR) in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is on-going;

• Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of member information (e.g., monitoring, freezing, or closing affected accounts) while preserving records and other evidence; and


• Notifying members when warranted.

When an incident of unauthorized access to member information involves member information systems maintained by a contracted service provider(s), it is the credit union’s responsibility to notify its members and regulator. However, a credit union may authorize or contract with its service provider to notify the credit union’s members or regulators on its behalf.

Member notice

When a credit union becomes aware of an incident of unauthorized access to sensitive member information, the credit union should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused.

If the credit union determines that misuse of its information about a member has occurred or is reasonably possible, it should notify the affected member(s) as soon as possible. If the credit union can determine which members’ information has been improperly accessed, it may limit notification to only those members. However, if the credit union is unable to identify which specific member’s infor-mation has been accessed, the credit union should notify all members in the group of files in question.

The credit union may deliver the notice in “any manner designed to ensure that a member could reasonably be expected to receive it.” Therefore, the credit union may choose to contact affected members by mail, telephone, or by e-mail for those members with a valid e-mail address and who have agreed to receive communications electronically.

Member notice may be delayed if an appropriate law enforcement agency determines that notification will inter-fere with a criminal investigation and provides the credit union with a writ-ten request for the delay. However, the credit union should notify its members as soon as member notification will no longer interfere with the investigation.
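The response program described above turns on two determinations: whether what was exposed meets the “sensitive member information” definition, and whether misuse has occurred or is reasonably possible. As an added example (not NCUA’s or CUNA’s code), the Python below encodes those determinations and produces the regulator, law enforcement, containment and member notice steps from the “Components of a response program” and “Member notice” passages; the field labels, the Incident record and the sample incident are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed field labels for the data elements Appendix B names; a real
# program would map its own system field names onto these.
IDENTIFYING = {"name", "address", "telephone"}
ACCESS_ELEMENTS = {"ssn", "drivers_license", "account_number",
                   "card_number", "pin", "password"}
LOGIN_COMBINATIONS = [{"username", "password"}, {"password", "account_number"}]


def is_sensitive_member_information(exposed: Set[str]) -> bool:
    """True when the exposed fields meet the definition quoted above: an
    identifier used together with an element that permits account access,
    or any combination that would let someone log onto the account."""
    if exposed & IDENTIFYING and exposed & ACCESS_ELEMENTS:
        return True
    return any(combo <= exposed for combo in LOGIN_COMBINATIONS)


@dataclass
class Incident:
    exposed_fields: Set[str]
    state_chartered: bool = False            # federally insured, state-chartered CU
    misuse_likely: bool = False              # outcome of the "reasonable investigation"
    affected_members: Optional[Set[str]] = None  # None: cannot tell whose files
    group_size: int = 0                      # members in the group of files in question
    ongoing_federal_violation: bool = False  # reportable Federal violation still on-going
    written_le_delay_request: bool = False   # written law enforcement delay request


def response_actions(inc: Incident) -> List[str]:
    """Returns the ordered steps the response program calls for."""
    actions = ["assess scope: identify systems and types of member information accessed or misused"]
    if not is_sensitive_member_information(inc.exposed_fields):
        actions.append("exposed data is outside the 'sensitive member information' definition; "
                       "regulator and member notice procedures not triggered")
        return actions
    actions.append("notify NCUA Regional Director")
    if inc.state_chartered:
        actions.append("notify state supervisory authority")
    if inc.ongoing_federal_violation:
        actions.append("notify law enforcement and file a timely SAR")
    actions.append("contain: monitor, freeze or close affected accounts; preserve records and evidence")
    if not inc.misuse_likely:
        actions.append("member notice not triggered: misuse neither found nor reasonably possible")
    elif inc.written_le_delay_request:
        actions.append("delay member notice until law enforcement confirms it no longer interferes")
    elif inc.affected_members is not None:
        actions.append(f"notify {len(inc.affected_members)} identified member(s)")
    else:
        actions.append(f"notify all {inc.group_size} members in the affected group of files")
    return actions


if __name__ == "__main__":
    # Constructed incident: a lost report listing names and account numbers
    # of 4,200 members at a state-chartered credit union.
    sample = Incident({"name", "account_number"}, state_chartered=True,
                      misuse_likely=True, group_size=4200)
    for step in response_actions(sample):
        print("-", step)
```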

Content of member notice

The guidance states that member notice should be given in a “clear and conspicuous” manner. The notice should explain the incident in general terms and:

• Describe the type of member information that was the subject of unauthorized access or use;

• Generally describe what the credit union has done to protect the members’ information from further unauthorized access;

• Include a telephone number that members can call for further information and assistance; and

• Remind members of the need to remain vigilant over the next twelve to twenty-four months, and to promptly report incidents of suspected identity theft to the credit union.

The notice should also include the following, when appropriate:

• A recommendation that the member review account statements and imme-diately report any suspicious activity to the credit union;

• A description of fraud alerts and an explanation of how members may place a fraud alert in their consumer reports to put their creditors on notice that the member may be a victim of fraud;

• A recommendation that the member periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;

• An explanation of how the member may obtain a credit report free of charge; and

• Information about the availability of the Federal Trade Commission’s (FTC) online guidance regarding steps a consumer can take to protect against identity theft. The notice should encourage the member to report any incidents of identity theft to the FTC, and should provide the FTC’s website address and toll-free telephone number that members may use to obtain the identity theft guidance and report suspected incidents of identity theft.

NCUA encourages credit unions to notify the nationwide consumer reporting agencies prior to sending notices that include contact information for the reporting agencies to a large number of members.

Staff training

Credit unions are required by NCUA to train their staff to properly implement the safeguards included in their member information security program. As part of this training, staff should be instructed on how to recognize, respond to, and where appropriate, report any unauthorized or fraudulent attempts to obtain member information. As part of an ongoing training program, credit unions should provide staff with annual policy updates and consider having each employee sign a security acknowledgment form.

The Credit Union’s Liability

Under the federal privacy law, a credit union’s disclosures will be evaluated as part of the normal supervisory overview by examiners. There is no civil liability provision in the new privacy law such as found in the Truth-in-Lending or Truth-in-Savings laws. However, there may be instances where state law provides a basis for an individual to sue the credit union for compliance problems.

Medical Privacy

Credit unions should also be aware of the privacy provisions contained in the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA’s privacy provisions cover health plans, health care providers that conduct certain transactions electronically, health care clearinghouses, and business associates of these covered entities. Although HIPAA contains a statutory exemption for financial institutions, some credit unions may still find themselves covered by the law as sponsors of self-administered group health plans, healthcare clearinghouses if they process certain ACH payments, or business associates of covered entities.

The Department of Health and Human Services (HHS) wrote the regulations to implement HIPAA. The privacy regulation limits the use and disclosure of “protected health information” (PHI), which is information, in any medium, that identifies a specific individual and relates to the individual’s past, present or future physical or mental health, the provision of health care or the payment for the provision of health care, and that is maintained or transmitted by a covered entity. In general, a covered entity may only use PHI for treatment, payment, or health care operations (TPO). PHI may be disclosed for other purposes pursuant to an individual’s written authorization. However, there are some cases where no authorization is required, such as those relating to public health, safety, or law enforcement and oversight.

In addition, HIPAA requires covered entities to designate a privacy officer, set up a training program for employees for the proper handling of PHI, establish written policies and procedures to safeguard PHI, develop authorizations and notices of the credit union’s privacy practices, and develop procedures for receiving, documenting and investigating complaints.

Although the privacy rule establishes national standards, it does not supersede state laws that offer more protection of individual health information. Credit unions should check with their leagues to see if there are additional state requirements.

In addition to HIPAA, Section 411 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003 amended the Fair Credit Reporting Act to restrict the circumstances under which consumer-reporting agencies could furnish consumer reports that contain medical information about consumers. The amended FCRA prohibits creditors from obtaining or using medical information pertaining to a consumer in connection with eligibility for credit. However, the Act authorized the NCUA and the federal banking agencies to prescribe regulations to permit creditors to obtain and use medical information for credit eligibility purposes when necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs.

The agencies jointly published an interim final rule, effective March 7, 2006, that created exceptions to the general statutory prohibition on obtaining and using medical information, including exceptions for the use of medical information that is also financial information typically considered in credit underwriting. The interim rule also created limited exceptions to permit affiliates to share medical information with each other without becoming consumer-reporting agencies. See “Fair Credit Reporting Act” in the RegTraC Consumer Lending book for more information on FACTA’s medical information rule.

State Privacy Laws

The federal law specifically recognizes that states may have their own privacy protections and requirements. If those state laws and regulations are determined by the Federal Trade Commission, in consultation with the other agencies, to provide greater consumer protection, credit unions affected by the state law will have to reconcile those provisions and comply with both sets of requirements.

© 2018 CUNA GENERAL OPERATIONS REGULATIONS 5-22

SECTION 5 – PRIVACY REGULATIONS

Pretext Calling

In addition to the privacy provisions, the Gramm-Leach-Bliley Financial Modernization Act of 1999 makes it a federal crime to make a fraudulent statement or representation to a financial institution to obtain nonpublic personal information about another person. Those found guilty of these crimes are subject to heavy fines and imprisonment up to 10 years. Commonly referred to as pretexting or pretext calling, this Act involves someone posing as a member or someone authorized to have member information in order to obtain confidential member data.

NCUA Letter to Credit Unions 01-CU-09

NCUA issued Letter to Credit Unions No. 01-CU-09 to provide guidance on how to protect member information against identity theft and pretext calling. The letter suggests the following safeguards to prevent pretext callers from gaining access to member information:

• In accordance with Part 748 of NCUA’s Rules and Regulations (Guidelines for Safeguarding Member Information), credit unions should establish written policies and procedures to control access to member information.

• Other measures that may reduce the incidence of pretext calling include limiting the circumstances under which member information may be disclosed by telephone. For example, a credit union may not permit employees to release information over the telephone unless the requesting individual provides a proper authorization code (other than a commonly used identifier). Credit unions can also use Caller ID or a request for a callback number.

• Credit unions should train employees to recognize and report possible indicators of attempted pretext calling. They should also implement testing to determine the effectiveness of controls designed to thwart pretext callers, and may consider using independent staff or third parties to conduct unscheduled pretext phone calls to various departments.

The letter also includes information on completing Suspicious Activity Reports (SARs) to report offenses associated with identity theft and pretext calling. Credit unions are instructed to complete the SAR in the following manner:

• In Part III, Box 35, of the SAR, check all appropriate boxes that indicate the type of known or suspected violation being reported and, in addition, in the “Other” category, write in “identity theft” or “pretext calling,” as appropriate.

• In Part V of the SAR, in the space provided for the narrative explanation of what is being reported, include the grounds for suspecting identity theft or pretext calling in addition to the other violation being reported.

• In the event the only known or suspected criminal violation detected is the identity theft or pretext calling, then write in “identity theft” or “pretext calling,” as appropriate, in the “Other” category in Part III, Box 35, and provide a description of the activity in Part V of the SAR.


Checklist: Complying with the Federal Privacy Regulation

The following list should help your credit union formulate its compliance plan and ensure that you have the necessary policies and procedures in place:

• Determine what members and nonmembers will be covered by the privacy regulations.

• Determine what policy your credit union will have concerning sharing personal financial information about nonmember consumers who are occasional users of credit union services.

• Determine what information you collect about your members and other individuals who use credit union services.

• Determine what businesses outside the credit union you share member information with, and categorize each business in order to understand what rules will apply before you can share personal information about your members with them. [Five categories: affiliate; transaction processor or member consent; other financial institution with a “joint agreement” for marketing services; service provider for marketing purposes; other]

• Review your contracts with those businesses to see whether there are provisions to assure confidentiality and prohibition on the reuse of the credit union’s information for any other purpose.

• Determine if you have any business arrangements that legally require a member be given the opportunity to opt out before information is shared with that business partner.

• Discuss with your data processor what, if any, changes will be required in the data processing system to comply with the regulation.

• Review your procedures for protecting the confidentiality and security of member records and information.

• Determine what additional staff training will be needed in order to assure there is no unauthorized access to or use of members’ records, either by staff or outsiders.

• Prepare, or revise as necessary, your credit union privacy policy.

• Prepare a privacy notice that both complies with the regulatory requirements and assures your membership that the credit union protects their personal financial information.

• Review the membership packet so that the initial privacy notices and any necessary opt out notices are routinely provided to new members.

• Assure that procedures are in place to monitor that the credit union’s practices conform to the credit union’s policies on privacy.

There will be business decisions involving privacy beyond what is specifically required by the regulations. For instance, credit union boards of directors may want to consider whether the credit union will provide the opt out option for information sharing with third parties marketing products and services, even if not legally required to do so. Credit union management will undoubtedly also want to evaluate (although not required by the privacy regulation) what procedures to follow if members ask to review the personal financial information the credit union has about them.

Children’s Online Privacy Protection Act — COPPA

The Children’s Online Privacy Protection Act (COPPA) prohibits unfair or deceptive acts or practices (on the Internet) in connection with the collection, use, and/or disclosure of personal information from and about children under the age of 13. If your credit union operates a website or provides online services and you have actual knowledge that the person you are seeking information from is a child, you must comply with COPPA.

Definitions

Here are some key terms as defined by COPPA.

Child – an individual under the age of 13.

Operator – any person who for commercial purposes:

• operates an Internet website or an online service and collects or maintains personal information from or about visitors to or users of that website or service, or

• on whose behalf information is collected or maintained.

This also applies to any person offering products or services for sale through that website or online service.

Disclosure – (A) releasing personal information collected from a child in an identifiable form for any purpose, unless the information is provided to someone (other than the operator) who provides support for the internal operations of the website and the information will not be disclosed or used for any other purpose; and (B) making personal information collected from a child (either through a website or online service directed to children) publicly available in an identifiable form through any of the following means:

• a public posting;

• the Internet;

• a website home page;

• a pen pal service;

• an electronic mail service;

• a message board; or

• a chat room.

Parent – includes a legal guardian.

Personal information – identifiable information about an individual collected online, such as:

• A first and last name;

• A home or other physical address including street name and name of a city or town;

• Online contact information;

• A screen or user name where it functions in the same manner as online contact information;

• A telephone number;

• A Social Security number;

• A persistent identifier that can be used to recognize a user over time and across different websites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier;

• A photograph, video, or audio file where such file contains a child’s image or voice;

• Geolocation information sufficient to identify street name and name of a city or town; or

• Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier.

Online contact information – an e-mail address or any other substantially similar identifier that permits direct contact with a person online, including but not limited to, an instant messaging user identifier, a voice over internet protocol (VOIP) identifier, or a video chat.

Notices

The following notices are required by COPPA:

• a website notice,

• parental notification, and

• parental consent.

Both your website notice and the notice to the child’s parents must outline what information will be collected, how that information will be used, and your disclosure practices regarding the collected information. These notices must be written in a clear and understandable manner and be complete. Credit unions are prohibited from including any unrelated, confusing, or contradictory materials in the notice.

The website notice

The notice on your website must be posted in a prominent place with a clearly labeled link on the home or landing page or screen of your website or online service, and, at each area of the website or online service where personal information is collected from children. The link must be in close proximity to the requests for information in each such area. If you have a separate children’s area on the website, you must post a link to a notice of your information practices with regard to children on the home or landing page or screen of the children’s area.

Parental notification

In addition to your website notice, you must also provide parental notification before you begin to collect, use, and/or disclose any information from the children visiting that site. This includes making reasonable efforts to ensure that the parent receives the notice. You must also include any material change in your practices that would affect a parent who has previously given their consent.

The following information must be included in the notice if the credit union will collect, use or disclose a child’s personal information:

• That the operator has collected the parent’s online contact information from the child, and, if such is the case, the name of the child or the parent, in order to obtain the parent’s consent;

• That the parent’s consent is required for the collection, use, or disclosure of such information, and that the operator will not collect, use, or disclose any personal information from the child if the parent does not provide such consent;

• The additional items of personal information the operator intends to collect from the child, or the potential opportunities for the disclosure of personal information, should the parent provide consent;

• A hyperlink to the operator’s online notice of its information practices required under the rule;

• The means by which the parent can provide verifiable consent to the collection, use, and disclosure of the information; and

• That if the parent does not provide consent within a reasonable time from the date the direct notice was sent, the operator will delete the parent’s online contact information from its records.

Note: If you plan to disclose this information to third parties, your notice must contain additional information including information about the third party.

Parental consent

In addition to notifying the parents you must also get “verifiable parental consent” before you begin to collect, use, and/or disclose any personal information from their children. This includes any collection, use, and/or disclosure the parent has not previously consented to. Keep in mind that the parent is allowed to refuse any further contact with the child and can require you to delete the information that you have already collected.

You must also give the parent the option of separately consenting to the collection and use of their child’s information and the sharing of that information with third parties.

The parent must be allowed access to the information that has been collected. Upon receiving that request, you must tell the parent what types of information have been collected as well as any specific personal information you have. Parents must be given the opportunity to review and/or have their children’s information deleted from your database and to prohibit any further collection of information. Also, you must establish a procedure that is not overly burdensome to verify that the person wishing to review the information is actually the child’s parent.

Exceptions. Parental consent is not required in the following circumstances:

• Collecting a parent’s or child’s name and online contact information in order to obtain parental consent or to provide the parental notice.

• Collecting a child’s online contact information in order to respond on a one-time basis to a specific request from the child.

• Collecting a child’s online contact information in order to respond directly more than once to a child’s specific request if the information is not used beyond the scope of that request. In this situation, you must provide the parent with a notice and an opportunity to opt out.

• Collecting the child’s name and online contact information when reasonably necessary to protect the safety of the child participating on the website and when the information is not disclosed there, used to recontact the child, or for any other purpose.

• Collecting, using, or disseminating information: (1) necessary to protect the security or integrity of the site or service, (2) as a precaution against liability, (3) to respond to judicial process, or (4) under other provisions of law.

• Collecting a persistent identifier and no other personal information where such identifier is used for the sole purpose of providing support for the internal operations of the website or online service.

Compliance with the Act

COPPA prohibits you from requiring more information than is reasonably necessary before allowing a child to participate in online activities (such as participating in a game or offering a prize). Credit unions are required to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the child’s personal information. Also, policies and procedures must be in place to protect that information from loss, misuse, unauthorized access, or disclosure.

In the case of enforcement actions against your credit union for violating the Act, compliance with Commission-approved self-regulatory guidelines will serve as a safe harbor.

For more information about COPPA, the FTC has issued a small entity compliance guide, “Complying with COPPA: Frequently Asked Questions.”

NCUA Privacy Regulation

Quiz/Study Guide

1. What is the definition of “member” used in the privacy regulation?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

2. What is the requirement for delivering the privacy notice?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

3. If the credit union does not share information with a third party for marketing purposes, is a privacy notice still required?

_____________________________________________________________________

4. List at least two of the features of the model privacy notice.

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

5. Is the credit union required to give a separate privacy and opt out notice to each joint account holder?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

6. The Board of Directors is responsible for the general oversight of the credit union’s information security program.

☐ True ☐ False

7. While developing and implementing the information security system, credit unions are required to assess any risks to member information. List the other four duties that credit unions have in connection with the information security system.

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

8. What are the three actions required when overseeing arrangements with service providers?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

9. The parental notice required by COPPA must include specific information. Name three pieces of information that must be in that notice.

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

10. You must get a parent’s consent before collecting, using, and disclosing a child’s personal information.

☐ True ☐ False

11. Credit unions must develop procedures to respond to the unauthorized access to sensitive member information. What are the five necessary components of such a response program?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________


NCUA Privacy Regulation

Answer Key

1. This definition includes some nonmembers. A “member” is defined as a consumer who has a continuing relationship with the credit union. (Page 5-3)

2. Credit unions must deliver written privacy notices (oral notices are not sufficient) in a form the member can retain. (Page 5-6)

3. Yes, the regulations require all credit unions to provide privacy notices to those people using their products and services even if the credit union does not share information with third parties. (Page 5-7)

4. Some of the features of the model privacy notice include:

• The title

• The introductory section, called the “key frame”, that provides context to help members understand the required disclosures

• The disclosure table that describes the types of permissible sharing by credit unions under Federal law; which of those types of sharing the credit union engages in; and whether the consumer can limit or opt out of the credit union’s sharing

• Information on how to limit sharing via opt-out (if applicable). If the credit union provides a mail-in opt-out form, that form appears on the bottom of the first page.

• Credit union’s contact information

• Additional explanatory/supplemental information in a “Frequently Asked Questions” format. (Page 5-5 to 5-8)

5. No, the credit union can provide one initial notice to them jointly. (Page 5-10)

6. True. (Page 5-14)

7. Manage and control risk; oversee service provider arrangements, adjust the security program as needed, and make reports to the board. (Page 5-14)

8. Exercise due diligence in selecting service providers, require service providers to implement appropriate measures designed to meet the objectives of the NCUA Guidelines, and if necessary, monitor service providers to ensure they have implemented the appropriate measures. (Page 5-15)


9. The notice must include:

• That the operator has collected the parent’s online contact information from the child, and, if such is the case, the name of the child or the parent, in order to obtain the parent’s consent;

• That the parent’s consent is required for the collection, use, or disclosure of such information, and that the operator will not collect, use, or disclose any personal information from the child if the parent does not provide such consent;

• The additional items of personal information the operator intends to collect from the child, or the potential opportunities for the disclosure of personal information, should the parent provide consent;

• A hyperlink to the operator’s online notice of its information practices required under the rule;

• The means by which the parent can provide verifiable consent to the collection, use, and disclosure of the information; and

• That if the parent does not provide consent within a reasonable time from the date the direct notice was sent, the operator will delete the parent’s online contact information from its records. (Page 5-25)

10. True. (Page 5-24)

11. A response program should contain procedures for:

1. Assessing the nature and scope of an incident, and identifying what member information systems and types of member information have been accessed or misused;

2. Notifying the appropriate NCUA Regional Director, and, in the case of federally insured state-chartered credit unions, its applicable state supervisory authority, as soon as possible when the credit union becomes aware of an incident involving unauthorized access to or use of “sensitive” member information.

3. Notifying appropriate law enforcement authorities, in addition to filing a timely Suspicious Activity Report (SAR) in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is on-going;

4. Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of member information (e.g., monitoring, freezing, or closing affected accounts) while preserving records and other evidence; and

5. Notifying members when warranted. (Page 5-17 to 5-18)

SECTION 6 – OFFICE OF FOREIGN ASSETS CONTROL (OFAC)

The Office of Foreign Assets Control (OFAC) is a division of the U.S. Treasury Department. This division is responsible for administering and enforcing economic and trade sanctions against targeted hostile countries and their agents, terrorism sponsoring agencies and organizations, and international narcotics traffickers. These sanctions are based on U.S. foreign policy and national security goals. The sanctions are governed by presidential wartime powers, national emergency powers, and authority granted by legislation. OFAC can impose controls on transactions and freeze foreign assets under the jurisdiction of the U.S. Many of these sanctions are based on United Nations and other international mandates, involve many nations, and require close cooperation with allied governments.

Definitions

The following definitions apply to the OFAC regulation:

Annual Report of Blocked Property – an annual report filed with OFAC that lists the accounts and property that the financial institution has blocked.

Blocking (Freezing) – A method used to control assets under U.S. jurisdiction. The title to any blocked property remains with the designated country or national but the exercise of powers and privileges normally associated with ownership is prohibited without authorization from OFAC. An across-the-board prohibition against transfers or transactions of any kind is placed on the property.

Blocked Account – An account that has been blocked from making payments, transfers, withdrawals, or other dealings unless licensed by OFAC or authorized by the Treasury Department. Debits to the account are prohibited but credits can be made.

Census – A comprehensive statistical survey of blocked assets conducted from time to time by OFAC; response to this survey is considered mandatory.

Foreign Terrorist Organization (FTO) – the Antiterrorism and Effective Death Penalty Act of 1996 grants the Secretary of State the authority to designate organizations as Foreign Terrorist Organizations. It is a criminal offense for U.S. persons to provide material support or resources to these organizations. It also requires financial institutions to block all funds in which these organizations or their agents have an interest.

General License – Certain transactions are allowed without filing an application with OFAC. These are transactions consistent with normal financial institution practices and are frequently permitted by general license. Contact OFAC at (202) 622-2520 for questions on general licenses.

Hostile countries – countries thought to be hostile toward the United States or U.S. citizens.

Non-governmental Organization (NGO) – designation that can be given, on a case-by-case basis, to non-governmental organizations involved in humanitarian or religious activities.

Offset – The right of offset is a prohibited transfer of frozen assets in situations of blocked property.

Person Subject to the Jurisdiction of the United States – This includes: 1) American citizens and permanent resident aliens wherever they are located; 2) any individuals and entities located in the U.S. (including all foreign branches, agencies, representative offices); 3) corporations organized under U.S. law, including foreign branches; and 4) (under the Trading With the Enemy Act sanctions) entities owned or controlled by any of the above, the most important being foreign-organized subsidiaries of U.S. corporations.

Property – Anything of value, including money, checks, drafts, debts, obligations, notes, warehouse receipts, bills of sale, evidences of title, negotiable instruments, trade acceptance, contracts, and anything else real, personal, or mixed, tangible or intangible.

Specially Designated Global Terrorists (SDGT) – a new designation on the SDN list effective Sept. 24, 2001, that was added by Executive Order 13224.

Specially Designated Narcotics Traffickers (SDNT) – foreign narcotics traffickers and foreign persons designated by the Secretary of the Treasury by the authority granted by Executive Order 12978.

Specially Designated Narcotics Traffickers under the Kingpin Act (SDNTK) – significant foreign narcotics traffickers and foreign persons named in the Foreign Narcotics Kingpin Designation Act of 1999.

Specially Designated Nationals and Blocked Persons – Individuals and groups owned or controlled by, or acting for or on behalf of, the Governments of target countries or who are associated with international narcotics trafficking or terrorism. These persons are listed on the Treasury Department’s Specially Designated Nationals and Blocked Persons list.

Specially Designated Terrorists (SDT) – persons designated jointly by the Secretary of State, Secretary of the Treasury, and the Attorney General of the United States as someone who poses a significant risk of disrupting the peace process in the Middle East or who assists, sponsors, or provides financial, material, or technological support or services in support of such acts of violence. This power is granted by Executive Orders from the president of the United States and the various antiterrorism regulations.

Specific license – On a case-by-case basis OFAC can issue permission to individuals or companies allowing account activity that would otherwise be prohibited. These licenses are always printed on U.S. Treasury Department stationery and will contain a control number.

What Does This Have to Do with Credit Unions?

The fact that a member wants to wire money to family members overseas would normally be considered a routine transaction. However, if that member or the country, organization, or person the money is being wired to is subject to an OFAC sanction, the credit union should not transact that wire and should take the actions outlined in the appropriate section of the OFAC rules. Penalties for violating the OFAC requirements are discussed later.

Wire transfers, however, are just one of the many transactions subject to OFAC requirements. New accounts and member loans should also be screened against a current OFAC Specially Designated National (SDN) list.

The following accounts, products, and services are subject to the OFAC requirements.

• Deposit accounts of any kind

• Checking or share draft accounts of any kind

• Money orders, teller checks, travelers checks, or similar monetary instruments

• Wire transfers

• ACH transactions

• Loans of any kind (consumer, mortgage, or business loans)

• Visa accounts

• Trust accounts

• Sales of repossessed vehicles

• Collateral held as security

• Safety deposit boxes

Each time a new SDN list is released, member information files should be screened to see if any current members are listed. Remember to check not only the names of account owners but also beneficiaries, collateral owners, guarantors/co-signers, and receiving and sending parties on transfer requests.

What is the SDN list?

The United States Treasury Department prepares the Specially Designated Nationals and Blocked Persons (SDN) list, which contains the names of targeted countries, persons, or organizations. SDN lists are designed to alert persons subject to the jurisdiction of the U.S. that they cannot have dealings with anyone appearing on the list and that they must block all property within their possession or control in which any individual or entity on the list has an interest.

Additions or deletions can be made to these lists at any time. Credit unions need to check the OFAC website on a regular basis to ensure they are using the most current version. The SDN list is available through the OFAC website at www.treasury.gov/about/organizational-structure/offices/Pages/Office-of-Foreign-Assets-Control.aspx

Names that appear on the SDN list might be followed by one of the following designations. A description of each of these is included in the definitions at the beginning of this section.

• SDN–Specially Designated National

• SDT–Specially Designated Terrorist

• SDGT–Specially Designated Global Terrorist

• SDNT–Specially Designated Narcotics Trafficker

• SDNTK–Specially Designated Narcotics Trafficker under the Kingpin Act

• FTO–Foreign Terrorist Organization

What must credit unions do to comply?

All financial institutions, including credit unions, are required to block or “freeze” (and in some cases reject) property, payment of any funds transfer, or transactions involving blocked countries or individuals, and to report the blocks or rejections within 10 days of the occurrence. Keep in mind that different sanctions apply to each blocked country and that separate restrictions exist for narcotics traffickers and terrorists. Credit unions should continuously monitor current SDN lists, block or freeze accounts belonging to anyone appearing on those lists, report the hits to OFAC, and file the required reports. Here is a list of questions you can use in setting up an OFAC compliance review and procedure.

1. Do you have an OFAC policy in place and someone designated as an OFAC officer?

2. Do you have the most current OFAC listing or access to it?

3. How do you handle OFAC compliance in overseas branches (if applicable)?

4. Do you check your new accounts against the OFAC list? This should be done for all accounts, not just when a share draft account is involved.

5. Do you check existing accounts against the OFAC list?

Credit unions cannot assume that because they don’t do international payments they are exempt from OFAC.

Some people on the SDN or SDNT lists have American names and addresses.

Interdiction software is a filtering system that contains every name on OFAC’s SDN list along with generic words for countries and cities and generally screens every field in incoming payment orders. If a designated name is identified, the transfer is rejected and an alert is directed to the appropriate credit union official. Keep in mind that interdiction software will not completely protect the credit union from liability, but it can be very helpful in monitoring accounts.

Due diligence is required to determine whether a “match” is really a match. Be sure to document when someone has been eliminated as a match or confirmed as a match and that the appropriate steps have been taken. Each listing has a different set of sanctions; in some cases, you open the account, freeze the funds, and notify OFAC, and in other cases you must refuse the account or transfer.
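As an added example (not code from the CUNA manual or from any OFAC tool), the following Python sketches the screening and due-diligence steps described above: every field of a constructed payment order is normalized and compared against a constructed watch list and generic place names, and each hit becomes an alert whose disposition (confirmed or eliminated as a match) is recorded. All list entries, geographic terms and the sample order are constructed; none of it is real SDN data.

```python
"""Constructed SDN-style screening of a payment order (added example).

Every field of the order is normalized and compared with a small
constructed watch list plus generic country/city terms, mirroring what
the text says interdiction software does. Each hit is an alert that a
reviewer must disposition so the decision is documented.
"""
from __future__ import annotations

import re
import unicodedata
from dataclasses import asdict, dataclass

# Constructed sample entries; these are NOT real OFAC SDN list data.
SAMPLE_LIST = [
    {"name": "Example Trading Company", "program": "SDN"},
    {"name": "Juan Ejemplo Ficticio", "program": "SDNT"},
]
# Constructed place names standing in for the generic country/city words.
SAMPLE_GEO_TERMS = {"sanctionia", "blockedville"}
# Corporate suffixes and filler words ignored when comparing name tokens.
STOP_WORDS = {"company", "co", "inc", "ltd", "llc", "the", "of", "and", "de"}


def normalize(text: str) -> str:
    """Lowercase, strip accents and punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return " ".join(text.split())


def name_tokens(name: str) -> set[str]:
    """Significant tokens of a list entry, with stop words removed."""
    return {t for t in normalize(name).split() if t not in STOP_WORDS}


@dataclass(frozen=True)
class Alert:
    field: str    # which field of the order produced the hit
    rule: str     # "name" (watch-list entry) or "geo" (place-name term)
    matched: str  # the list entry name or geographic term that hit
    program: str  # sanctions program tag of the entry, "" for geo terms


def screen_order(order: dict[str, str]) -> list[Alert]:
    """Screen every text field of a payment order; return all hits."""
    alerts: list[Alert] = []
    for fname, raw in order.items():
        norm = normalize(raw)
        ftoks = set(norm.split())
        for entry in SAMPLE_LIST:
            ntoks = name_tokens(entry["name"])
            # Hit if the whole normalized name appears, or if all of its
            # significant tokens appear in any order (e.g. "LAST, FIRST").
            if normalize(entry["name"]) in norm or (ntoks and ntoks <= ftoks):
                alerts.append(Alert(fname, "name", entry["name"], entry["program"]))
        for term in sorted(SAMPLE_GEO_TERMS & ftoks):
            alerts.append(Alert(fname, "geo", term, ""))
    return alerts


def disposition(alert: Alert, decision: str, reviewer: str, note: str) -> dict:
    """Record the due-diligence outcome for one alert.

    decision is "confirmed" (true match: block or reject and report)
    or "false_positive" (eliminated as a match). The returned record is
    what would be kept as the documentation the text calls for.
    """
    if decision not in {"confirmed", "false_positive"}:
        raise ValueError(f"unknown decision: {decision}")
    return {**asdict(alert), "decision": decision,
            "reviewer": reviewer, "note": note}


# Constructed sample payment order used for demonstration only.
SAMPLE_ORDER = {
    "originator": "Anytown Credit Union member #0001",
    "beneficiary": "FICTICIO, JUAN EJEMPLO",
    "beneficiary_bank": "Example Trading Co.",
    "memo": "Invoice 42 - shipment to Blockedville",
}

if __name__ == "__main__":
    for a in screen_order(SAMPLE_ORDER):
        print(f"{a.field:16} {a.rule:4} {a.matched} {a.program}")
```

The beneficiary hit shows why token matching is needed (surname first), and the memo hit shows why a place-name alert still needs a reviewer before anything is blocked.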

Reporting blocks and rejects to OFAC

In general, reports on blocked accounts must be filed within 10 days by faxing them to OFAC’s Compliance Program Division at (202) 622-2426. There are no required forms for filing these reports, but they should include:

• identity of the account owner(s),

• description of the property,

• location of the property,

• actual or estimated value of the property,

• date it was blocked,


• if a payment or transfer of funds is involved, a photocopy of the payment or transfer instructions,

• confirmation that the payment has been deposited into a new or existing blocked account established in the name of the individual or entity subject to blocking,

• name and address of your credit union, and

• the name and telephone number of a contact person at your credit union.

Reports on any rejected items must also be filed within 10 days in the same way that reports of blocked accounts are filed. These reports should include:

• name and address of your credit union,

• date and amount of the transfer,

• photocopy of the payment or transfer instructions,

• reason for the rejection, and

• name and telephone number for a contact person at your credit union.

Annual report on blocked property

Credit unions are required to file an Annual Report of Blocked Property held as of June 30 of each year by September 30 of that year with the OFAC. These reports must be filed using OFAC’s form TDF 90-22.50. See www.treasury.gov/resource-center/sanctions/Pages/forms-index.aspx for a sample of this report as well as other OFAC-related documents and reports.

What happens if the credit union fails to block the transaction?

OFAC violations are serious business. Penalties include corporate and personal fines of up to $1 million and 12 years in jail, civil penalties of up to $250,000 per incident, and forfeiture of funds or other property involved in the violation. OFAC has had to impose millions of dollars in civil penalties involving U.S. financial institutions. The majority of the fines resulted from financial institutions’ failure to block illicit transfers when there was a reference to a targeted country or Specially Designated National (SDN).

When OFAC learns of an illicit transaction processed through a U.S. financial institution without being blocked or rejected, as appropriate, OFAC normally sends an administrative demand (602 letter) to the institution requesting an explanation of how the transaction was processed. Upon receipt of the institution’s response, a “Prepenalty Notice” may be issued citing the violation and the amount of the proposed penalty. The institution then has 30 days to respond in writing as to why the penalty should not be imposed or why it should be reduced. It is very important for credit unions to respond to any “Prepenalty Notices” since failure to respond may result in a default judgment levying maximum fines.

So how do you avoid an OFAC violation?

By keeping a current “OFAC List,” declining any member requests involving any person or entity appearing on that list, and by utilizing the following resources:

• NCUA’s Regulatory Alerts listing blocked persons and countries

• OFAC’s website located at www.treasury.gov/about/organizational-structure/offices/Pages/Office-of-Foreign-Assets-Control.aspx;

• OFAC’s 24-hour fax-on-demand service at 202-622-0077;

• OFAC’s compliance hotline 1-800-540-OFAC (6322); and

• OFAC’s interdiction software available through the OFAC website (keep in mind that the software will not completely protect the credit union from liability, but is usually considered favorably in civil penalty proceedings).

OFAC compliance program

A credit union’s OFAC compliance program should:

• Identify high-risk areas;

• Provide for appropriate internal controls for screening and reporting;

• Establish independent testing for compliance;

• Designate a credit union employee(s) as responsible for OFAC compliance; and

• Create training programs for appropriate personnel in all relevant areas of the credit union.

In addition, the credit union’s OFAC compliance program should be commensurate with its respective OFAC “risk profile” based on the credit union’s field of membership; products and services offered; location of main and branch offices; parties involved in opening accounts and conducting transactions; etc.

The Federal Financial Institution Examination Council’s (FFIEC) “Bank Secrecy Act/Anti-Money Laundering Examination Manual” provides the following examples of products, services, “customers” and geographic locations that carry a higher level of risk:

• International funds transfers;

• Nonresident alien accounts;

• Foreign customer accounts;

• Cross-border automated clearinghouse (ACH);

• Commercial letters of credit;

• Transactional electronic banking;

• Foreign correspondent bank accounts;

• Payable through accounts;

• International private banking; and

• Overseas branches or subsidiaries.

Credit unions should be sure to check out Appendix M in the FFIEC’s BSA/AML Manual (“Quantity of Risk Matrix – OFAC Procedures”) at www.ffiec.gov/bsa_aml_infobase/default.htm. The appendix provides guidance to examiners on assessing OFAC risks facing a financial institution. Examiners will expect that the credit union’s policies and procedures adequately address the risks associated with the institution’s operations. OFAC has a uniform requirement that all records must be maintained for five years.


Record Retention Requirements

OFAC’s general record retention period is five years. For items that are rejected in accordance with OFAC regulations, credit unions must maintain records for five years from the date of the transaction. For blocked accounts, credit unions must maintain records for five years after the date that the account is unblocked. In addition, credit unions are required to maintain a full and accurate record of the blocked account for as long as the credit union is holding the blocked property.


Office of Foreign Assets Control (OFAC)

Quiz/Study Guide

1. What is the function of OFAC?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

2. What is the best way to avoid an OFAC violation?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

3. Does OFAC require any reports from a credit union?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________


Office of Foreign Assets Control (OFAC)

Answer Key

1. To administer and enforce a series of laws imposing economic and trade sanctions against targeted hostile foreign countries and their agents, terrorism sponsoring agencies and organizations, and international narcotics traffickers. (Page 6-2)

2. Keep a current OFAC list; decline member requests involving persons or entities appearing on that list; check NCUA’s Regulatory Alerts listing blocked persons and countries; and utilize the resources offered by OFAC. (Page 6-5)

3. Any blocked or rejected transactions must be reported to OFAC within 10 days of the block or rejection and an annual report of blocked property must be filed each September 30 with OFAC. (Page 6-5)


SECTION 7 – ELECTRONIC SIGNATURES IN GLOBAL AND

NATIONAL COMMERCE ACT (ESIGN)


Overview

The Electronic Signatures in Global and National Commerce Act of 2000 (ESIGN) mandates that electronic signatures and records have the same legal validity and enforceability as paper records and handwritten signatures. ESIGN is “technology neutral” — it does not require or recommend the use of any particular technology for electronic records or signatures. The decision of which technology to use is left up to the parties wanting to conduct business electronically.

Credit unions are impacted by ESIGN in several ways. First is with respect to dealings between the credit union and third parties (such as insurance companies) where the credit union negotiates and eventually signs a contract or other agreement. The second area involves transactions between the credit union and its members where the member may be required to sign an account agreement or a loan agreement or the credit union may be required to send the member certain disclosures.

Under ESIGN, members must “affirmatively consent” or “opt in” to receive records in electronic form. The credit union must provide members with a clear and conspicuous statement informing them of their rights regarding electronic transactions, as well as a statement of the hardware and software requirements for access and retention of electronic records. Members must be given these disclosures prior to providing their consent. Once these disclosure requirements are met, the member must either send the consent electronically, or confirm the consent electronically, in order to demonstrate that he or she can access information in the electronic form required to successfully conduct the transaction.

ESIGN became effective on Oct. 1, 2000, with the exception of the record retention requirements, which became effective on March 1, 2001.

Definitions

Here are some key terms used throughout this summary. (Section 106 of the ESIGN statute has additional definitions.)

Consumer — an individual who obtains, through a transaction, any product or service used primarily for personal, family, or household purposes, as well as the legal representative of such an individual.

Electronic — relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.

Electronic agent — a computer program or other electronic or automated means used independently to initiate an action or respond to electronic records that takes place either entirely or partially without a review or other action by any individual at the time the action or response takes place.

Electronic record — a contract or other record created, generated, sent, communicated, received, or stored by electronic means.

Electronic signature — an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

Information — data, text, images, sounds, codes, computer programs, software, databases, or the like.

Person — an individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, governmental agency, public corporation, or any other legal or commercial entity.

Record — information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.

Transaction — an action or set of actions relating to the conduct of business, consumer, or commercial affairs between two or more persons, including:

• the sale, lease, exchange, licensing, or other disposition of personal property including goods and intangibles, services, or any combination; and

• the sale, lease, exchange, or other disposition of any interest in real property, or any combination.

Validity of Electronic Signatures

Under ESIGN, a signature, contract or other record relating to a consumer transaction may not be denied legal effect, validity, or enforcement solely because it is in electronic form. In plain English, this means that electronic signatures and records have the same legal status as handwritten signatures and paper records.

As mentioned above, an “e-signature” is simply an electronic sound, symbol, or process, attached to or associated with a contract or other record that was executed by a person with the intent to sign the record. An electronic record is a contract or other record created, generated, sent, communicated, received, or stored by electronic means. Other than providing these broad definitions, ESIGN does not specify any technical requirements for e-signatures or records. This means that credit unions can use any number of different technologies to facilitate “e-contracts” with their members. Today, these technologies include:

• digital signatures that link a person’s identity to an encrypted private key issued only to that individual (public key infrastructure or PKI);

• biometrics that use a person’s unique physical characteristics (such as face, voice and/or fingerprints) for authentication purposes; or

• smart cards — credit-card sized plastic cards with an embedded computer chip.

Transferable records

ESIGN also permits “transferable records” to be executed using an electronic signature. A transferable record is an electronic record that would be considered a note under Article 3 of the Uniform Commercial Code if that record was in writing, transferable, and secured by real property.


Under the statute, “control” of a transferable record depends on the person having a system in place for evidencing the transfer of interests which “reliably establishes” that individual or entity is the person the transferable record was intended to be issued or transferred to. The person deemed to have control of the transferable record has the same rights and defenses as a holder of a note under the UCC.

Note: ESIGN also includes provisions addressing insurance agents and brokers, the security industry, government studies on e-signatures and electronic consent, and the promotion of e-signatures in international transactions. Please refer to Appendix 1 of the ESIGN statute for detailed information on these provisions.

Oral communications not covered

ESIGN makes clear that an oral communication or a recording of an oral communication does not qualify as an electronic record, except as otherwise provided under applicable law.

Specific exceptions

There are a number of circumstances where the new ESIGN law does not apply. These include:

• wills, codicils, or testamentary trusts;

• laws governing adoption, divorce, or other matters of family law; or

• the Uniform Commercial Code except for Section 1-107 (claims arising out of an alleged breach can be discharged without consideration by a written waiver by an aggrieved party), Section 1-206 (contracts for the sale of personal property are not enforceable beyond a specified dollar amount unless they are in writing), Article 2 (sales), and Article 2A (leases).

In addition, ESIGN does not apply to:

• court orders or notices, or official court documents (including briefs, pleadings, and other writings) required to be executed in connection with court proceedings;

• any notice of 1) cancellation or termination of utility services (including water, heat, and power); 2) default, acceleration, repossession, foreclosure, eviction, or the right to cure, under a credit agreement secured by, or a rental agreement for, a primary residence of an individual; 3) the cancellation or termination of health insurance or benefits or life insurance benefits (excluding annuities); or 4) recall of a product, or material failure of a product, that risks endangering health or safety; or

• any document required to accompany any transportation or handling of hazardous materials, pesticides, or other toxic or dangerous materials.

These exceptions are subject to review by the Secretary of Commerce. Over a period of three years the Secretary will evaluate whether the exceptions continue to be necessary to protect consumers. In addition, if a federal regulatory agency determines that one or more of the exceptions are no longer necessary for consumer protection and that their elimination would not increase the material risk of harm to consumers, that agency may extend the application of ESIGN to the identified exceptions.

Consumer Disclosures

Before any electronic transaction takes place, the credit union member must first “affirmatively consent” (see section on Consent below) to conduct business electronically. Before the member provides consent, the credit union must provide the member a “clear and conspicuous” statement containing the following information:

• any right or option the member has to have the record provided or made available on paper or in a nonelectronic form;

• the member’s right to withdraw their consent;

• any conditions, consequences, or fees that would result in the event the member withdrew their consent;

• whether the consent applies only to a particular transaction or to identified categories of records during the lifetime of the member’s account relationship;

• the procedures the member must follow to withdraw consent;

• the information the credit union needs in order to contact the member electronically;

• how the member may request a paper copy of an electronic record after consent to receive them electronically has been given; and

• whether a fee will be charged for receiving a paper copy of a record.

Hardware and software requirements

In addition to the above disclosures, the member must also receive a description of the hardware and software requirements necessary to access and retain electronic records prior to giving consent.

If at any time there is a change in the hardware or software requirements that creates a “material risk” the member will not be able to access or retain an electronic record of the transaction, the credit union must provide the member with a statement that includes:

• the revised hardware and software requirements for access to and retention of the electronic records, and

• the member’s right to withdraw their consent without the imposition of any fees or conditions that were not originally disclosed.

Other Consumer Protection Requirements

Congress made it clear that ESIGN does not affect the content or timing of any disclosures or records required to be provided to consumers under other consumer protection laws, such as Truth In Lending, Truth In Savings, and the Equal Credit Opportunity Act.

Consent

The member must consent electronically, or confirm his or her consent electronically, in a manner that “reasonably demonstrates” that he or she can access the information in the electronic form that will be used to conduct the transaction. Thus, the member must first consent to receive records electronically, then consent to the actual contract. If this is the case, the credit union must clearly explain this to the member so that he or she understands the reason for consenting more than once.

ESIGN states that the legal validity or enforceability of a contract may not be denied solely because the credit union failed to obtain the member’s consent or confirmation of that consent. If a member withdraws his or her consent, it is considered effective within a “reasonable period of time” (not defined in the Act) after the credit union receives the withdrawal.

What about consent obtained before ESIGN?

ESIGN’s consumer disclosure provisions do not apply to records that have been provided or made available to a consumer who gave consent to receive electronic records prior to June 30, 2000, in accordance with any other law or regulation. For example, the credit union does not need to provide these additional disclosures to a member who has already agreed to the electronic delivery of periodic statements under NCUA’s Truth In Savings (TIS) regulation.

Note: The interim rule amending NCUA’s TIS regulation (NCUA Rules and Regulations Part 707) to permit the delivery of periodic statement disclosures in electronic form if the member agrees became effective May 22, 2000.

Verification and acknowledgment of receipt

If a law enacted prior to ESIGN expressly requires the verification or acknowledgment of the receipt of a record, the credit union can make that record available electronically only if the method used provides verification or acknowledgment of receipt — whichever the law in question requires.

Notarization and acknowledgment

If the law requires that a signature or record be notarized, acknowledged, verified, or made under oath, that requirement is satisfied if the electronic signature of the person authorized to perform those acts, together with all the other required information, is attached to or “logically associated” with the signature or record.

Electronic Agents

A contract or other record relating to a member’s transaction may not be denied legal effect solely because its formation, creation, or delivery involved using one or more “electronic agents.” This is true as long as the action of the electronic agent is legally attributable to the person being bound by the signature. An “electronic agent” is a computer program or other electronic or automated means as defined in the key definitions found at the beginning of this section.

Record Retention

An electronic record satisfies the record keeping requirements if the record:

• accurately reflects the information contained in the paper contract or other record; and

• can be accessed by all persons legally entitled to access in a form that can be accurately reproduced for later reference, whether by transmission, printing or otherwise.

Member access and retention of electronic records

The law makes it clear that a contract or record may be denied if the electronic record is not in a form that can be retained and accurately reproduced for later reference by all parties legally entitled to retain that contract or record.

An electronic record that meets the requirements listed above will satisfy any law or regulation that requires contracts or other records to be retained in their original form.

In addition, any requirement to retain checks or share drafts is satisfied by an electronic record of the information on the front and back of the check. However, the law states that these requirements are not applicable to information whose sole purpose is to enable the contract or other record to be sent, communicated, or received. The law has no effect on any warning, notice, disclosure or other record required to be posted, displayed or publicly affixed.

ESIGN and State Law

ESIGN generally preempts state e-signature laws, except with regard to a state that has adopted the Uniform Electronic Transactions Act (UETA). If a state’s legislature has made any exceptions to the scope of UETA, the federal statute will preempt these exceptions to the extent that they are inconsistent with ESIGN. However, if a state has adopted UETA as approved by the National Conference of Commissioners on Uniform State Laws (NCCUSL), the state law will govern e-signatures and records. Be sure to check with your state league to see if your state has adopted UETA.

Apart from UETA, ESIGN allows a state law to modify, limit, or supersede the federal statute only if the state law provisions: 1) are consistent with ESIGN; 2) do not favor one specific technology for e-signatures or records; and 3) make reference to the federal statute if the state law was enacted after June 30, 2000.

What is the NCCUSL?

The NCCUSL is an organization comprised of lawyers, judges and law professors, appointed by the states as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands. This organization drafts proposals for uniform and model laws such as the Uniform Commercial Code (UCC) and works toward the enactment of those laws in legislatures. You can access the NCCUSL web site at www.nccusl.org for a copy of UETA and a list of the states that have adopted the statute.

Applicability to federal and state regulators

ESIGN preserves the rulemaking authority of state and federal regulatory agencies to issue regulations that are consistent with but do not add to the law’s requirements. Under ESIGN, there must be a substantial justification for any regulation. Any regulatory requirements must be substantially equivalent to those imposed on non-electronic records and may not impose “unreasonable” costs on the acceptance and use of electronic records. In addition, regulatory agencies may not give greater legal status or effect to any particular technology or technical specification for “creating, storing, generating, receiving, communicating, or authenticating” electronic records or electronic signatures.

ESIGN also allows state or federal regulatory agencies to specify performance standards to help assure the accuracy, integrity, and accessibility of records that must be retained. However, regulators do not have the authority to require the use of any particular type of hardware or software to comply with their record retention requirements. In addition, the Act prohibits federal and state regulatory agencies from imposing or reimposing any requirement that a record be in a tangible printed or paper form.

Federal regulators

Under the Act, a federal regulatory agency may exempt a specified category or type of record from the ESIGN requirements relating to consent if that exemption is considered necessary to “eliminate a substantial burden on electronic commerce and will not increase the material risk of harm to consumers.”


Electronic Signatures in Global and National Commerce Act (ESIGN)

Quiz/Study Guide

1. Before a member can give their consent, ESIGN requires the credit union to provide a “clear and conspicuous” statement containing specific disclosures. List three of the disclosures that statement must contain.

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

2. If at any time there is a change in the hardware and software requirements for accessing electronic records that may prohibit the member from accessing or retaining an electronic record of the transaction, the credit union is required to make new disclosures. The new disclosure must contain the new hardware and software requirements and what other piece of information?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

3. ESIGN’s record keeping provisions list two requirements for electronic records. One requirement is that the record be accessible by anyone legally entitled to the record in a form that can be accurately reproduced for later reference. What is the other requirement?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

4. ESIGN requires members to provide their consent in a specific manner. How must consent be given and why must it be given in this manner?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________


Electronic Signatures in Global and National Commerce Act (ESIGN)

Answer Key

1. The statement that must be provided to the member must contain the following information:

• any right or option the member has to have the record provided or made available on paper or in a nonelectronic form;

• the member’s right to withdraw their consent;

• any conditions, consequences, or fees that would result in the event the member withdrew their consent;

• whether the consent applies only to a particular transaction or to identified categories of records during the lifetime of the member’s account relationship;

• the procedures the member must follow to withdraw consent;

• the information the credit union needs in order to contact the member electronically;

• how the member may request a paper copy of an electronic record after consent to receive them electronically has been given; and

• any fee that will be charged for receiving a paper copy of a record. (Page 7-5)

2. A statement of their right to withdraw consent without the imposition of any fees or conditions not originally disclosed. (Page 7-5)

3. That the electronic record accurately reflects the information contained in the contract or other record. (Page 7-7)

4. Members must provide their consent electronically or confirm their consent electronically to demonstrate their ability to conduct transactions in the required format. (Page 7-6)


SECTION 8 – UNLAWFUL INTERNET GAMBLING


Background

The Unlawful Internet Gambling Enforcement Act (UIGEA) of 2006 was enacted as Title VIII of the Security and Accountability for Every Port Act of 2006 and signed into law on October 13, 2006. UIGEA prohibits persons engaged in the business of betting or wagering from knowingly accepting payments from another person engaged in unlawful Internet gambling.

The Federal Reserve Board and the Department of the Treasury issued a joint regulation on November 18, 2008, to implement the UIGEA. The regulations took effect on January 19, 2009, and compliance was required as of June 1, 2010.

The term “unlawful Internet gambling” means “to place, receive, or otherwise knowingly transmit a bet or wager by any means which involves the use, at least in part, of the Internet where such bet or wager is unlawful under any applicable Federal or State law in the State or Tribal lands in which the bet or wager is initiated, received or otherwise made.” The statute carves out certain activities, such as state lotteries, horse racing and fantasy sports contests that meet its conditions, which are not treated as unlawful Internet gambling. The UIGEA regulations do not define the term beyond the Act's definition.

Definitions

Actual knowledge – With respect to a transaction or commercial customer, refers to a particular fact about that transaction or commercial customer which is known by, or brought to the attention of, an officer of the organization or the individual in the organization responsible for the compliance function for that transaction or customer.

Automated clearing house system or ACH system – A funds transfer system, primarily governed by the ACH Rules. The terms used in the regulation when referring to ACH systems are the terms defined in the ACH Rules.

Card issuer – Any person who issues a credit, debit or prepaid card, or any stored value product, issued or authorized by the operator of the card system.

Money transmitting business or service – A business other than a depository institution which provides check cashing, currency exchange, or money transmitting or remittance services, or issues or redeems money orders, travelers' checks, and other similar instruments.

Commercial customer – A person that is not a natural person and that accesses or contracts with a non-exempt participant to receive payment transaction services. This means that natural-person members who open “doing business as” accounts under their personal Social Security numbers are consumers, not commercial customers, and fall outside the commercial-customer due diligence requirements.


The regulations originally required credit unions' compliance by December 1, 2009. Before that deadline, under pressure from Congress, the agencies postponed the compliance date to June 1, 2010. House Financial Services Committee Chairman Barney Frank, D-Mass., had proposed legislation to legalize and regulate Internet gambling, although his bill would not have repealed UIGEA; at the time, CUNA considered a further postponement beyond June likely so the agencies could assess whether Chairman Frank's legislation would gain traction.


Operator of a designated payment system – An entity that provides centralized clearing and delivery services between participants in the designated payment system and maintains the operational framework for the system. In the case of an automated clearing house system, the term “operator” has the same meaning as provided in the ACH Rules.

Participant in a designated payment system – An operator of a designated payment system, a financial transaction provider that is a member of or has contracted for financial transaction services with, or is otherwise participating in, a designated payment system, or a third-party processor. This term does not include a customer of the financial transaction provider unless the customer is participating in the designated payment system on its own behalf.

Restricted (payment) transaction – One which a person engaged in the business of betting or wagering is prohibited from knowingly accepting in connection with another person's participation in unlawful Internet gambling. Such transactions include credit or the proceeds of credit, electronic fund transfers, funds transmitted by or through a money transmitting business, the proceeds of such transfers, and any check, draft or similar instrument that is drawn by or on behalf of the other person and is drawn on or payable at or through any financial institution. A restricted transaction does not include funds going to a gambler; it includes only funds going to an Internet gambling business.

Unlawful Internet gambling – The regulation does not define “unlawful Internet gambling” beyond the Act's definition. Under UIGEA, the term means “to place, receive, or otherwise knowingly transmit a bet or wager by any means which involves the use, at least in part, of the Internet where such bet or wager is unlawful under any applicable Federal or State law in the State or Tribal lands in which the bet or wager is initiated, received or otherwise made.”

Unlawful Internet gambling transaction – To place, receive or otherwise knowingly transmit a bet or wager by any means that involves the use, at least in part, of the Internet where such a bet or wager is unlawful under any applicable Federal or State law where the bet or wager is initiated, received or otherwise made.

Requirements

As required by UIGEA, the implementing regulations designate payment systems that could be used in connection with a restricted transaction. They are:

• Automated clearing house (ACH) systems;

• Card systems;

• Check collection systems;

• Money transmitting businesses; and

• Wire transfer systems.

Participants in card systems and operators of money transmitting businesses are covered by the rule. Most participants in ACH, check collection and wire transfer systems are exempt from the rule. However, the exemptions are rather complicated and contain a number of exceptions.

Any entity covered by the rule (called a “non-exempt participant”) is required to establish and implement policies and procedures to identify and block, prevent or prohibit restricted transactions, or to rely on and comply with the policies and procedures established by the payment system (e.g., VISA™ policies and procedures). See “Due Diligence Process for Non-Exempt Participants.”

Federal financial institution regulators, including the National Credit Union Administration (NCUA), will enforce the rule for the institutions they supervise. NCUA will enforce the rule for all federally insured credit unions. The Federal Trade Commission (FTC) will enforce the rule for privately insured, state-chartered credit unions.

Exemptions

The participants in each of the following payment systems are exempt from the requirement to establish written policies and procedures to prevent or prohibit restricted transactions:

• ACH system participants, except for:

1. The receiving depository financial institution (RDFI) and any third-party processor receiving the transaction on behalf of the receiver in an ACH credit transaction;

2. The originating depository financial institution (ODFI) and any third-party processor initiating the transaction on behalf of the originator in an ACH debit transaction; and

3. The receiving gateway operator and any third-party processor that receives instructions for an ACH debit transaction directly from a foreign sender (which could include a foreign banking office, a foreign third-party processor, or a foreign originating gateway operator).

• Check collection system participants, except for the depository financial institution.

• Wire transfer system participants, except for the beneficiary’s financial institution.

• Money transmitting business participants, except for the operator.

Due Diligence Process for Non-Exempt Participants

As previously mentioned, the regulations require “non-exempt participants” to establish and implement policies and procedures to identify and block, prevent or prohibit restricted transactions, or to rely on and comply with the policies and procedures established by the payment system, as long as those comply with the UIGEA regulations. A participant may rely on a payment system operator's written statement that it has designed its policies and procedures to comply with the regulation, unless notified otherwise by its regulator.

The regulations provide “non-exclusive” examples of policies and procedures for each designated payment system, including a due diligence process that a non-exempt participant may use to comply with the rules. (See Appendix 8-A.)

The regulations also provide a safe harbor to a participant that prevents or prohibits a transaction when:

• the transaction is a restricted transaction;

• the participant reasonably believes the transaction is restricted; or

• the transaction is blocked in reliance on the policies and procedures of the payment system (e.g., VISA™, NACHA, etc.).

For the designated payment systems other than card systems, the policy and procedure examples focus on the due diligence process in establishing and maintaining a “commercial customer” relationship (i.e., business accounts). A commercial customer is “a person that is not a consumer, and that contracts with a non-exempt participant in a designated payment system to receive, or otherwise accesses, payment transaction services through that non-exempt participant.” A consumer means a natural person.

Generally speaking, a credit union that finds itself covered by the regulation must conduct risk-based due diligence of “commercial customers” at account opening to determine the risk that the member presents of engaging in restricted transactions. If the credit union cannot determine that the member presents only a minimal risk of engaging in restricted transactions, it must ask for further documentation, such as a certification from the member that it does not engage in an Internet gambling business.

If it turns out that the member does engage in an Internet gambling business, the credit union will need documentation to show that the Internet gambling business is lawful, as well as a written commitment by the member to notify the credit union of any changes in its legal authority to engage in its business.

The due diligence process also includes notification to commercial customers that restricted transactions are prohibited. A participant/credit union may notify all of its commercial customers that restricted transactions are prohibited through a term in the account agreement, a simple notice sent to the member, or some other method.

The policies and procedures for participants in card systems, including card system operators (e.g., VISA™) and card issuers (e.g., credit unions), will be considered compliant if they satisfy the due diligence requirements, or if they use a code system that enables the participant to identify and deny authorization for a restricted transaction. The system must also include ongoing monitoring and testing, and have procedures in place for participants to follow when a restricted transaction has actually made its way into the card system. A credit union may rely on a written statement or notice by the payment system operator that the system's policies and procedures comply with the UIGEA regulations.

The regulation's non-exclusive examples for card systems were developed based on the transaction coding frameworks already instituted by the operators of major card systems such as VISA™, MasterCard™ and American Express™. Credit unions (and their card processors) are likely already blocking the merchant category code(s) associated with Internet gambling transactions in accordance with the payment system's procedures.


If the credit union is notified (by its regulator or law enforcement) that it was on the receiving end of a restricted cross-border transaction, the credit union will be expected to notify the foreign institution involved that the restricted transaction has occurred. The agencies have included a model notice in the appendix to the regulation (see Appendix 8-B).


Appendix 8-A Designated Payment System Examples

The rule includes non-exclusive examples of policies and procedures for each of the designated payment systems and sets out a specific due diligence process, detailed below.

A non-exempt participant could choose to follow the due diligence process to comply with these rules. While the process laid out may still require some judgment on the part of participants opening new accounts for commercial customers, the process would leave the primary responsibility for determining lawful and unlawful gambling activities with the State gambling commissions and other gambling licensing authorities.

A participant would conduct risk-based due diligence of commercial customers when opening an account. When a participant has actual knowledge that a commercial customer is engaged in an Internet gambling business, it must determine the risk the commercial customer presents of engaging in restricted transactions.

Due Diligence Process

When a commercial account or relationship is established, the participant may conduct due diligence of the commercial customer and its activities. The participant should have a basic understanding of a new commercial customer's business, based on normal account-opening procedures. If, based on its initial due diligence, the participant determines that the prospective commercial customer presents only a minimal risk of engaging in an Internet gambling business, the participant could open the account for the commercial customer without further action.

The following commercial customers may be considered as having minimal risk of engaging in an Internet gambling business without further investigation:

• entities that are directly supervised by the Federal functional regulators (NCUA, FTC) that are responsible for enforcing the Act; and

• agencies, departments, or divisions of the Federal government or a State government.

If the commercial customer’s description of its business or other factors cause the participant to suspect that it may present more than a minimal risk of engaging in an Internet gambling business (for example, the commercial customer offers games or contests over the Internet), the participant should ask for further documentation from the commercial customer.


Documentation may include:

• Certification from the commercial customer that it does not engage in an Internet gambling business; or

• If the commercial customer engages in an Internet gambling business, documentation to show that the Internet gambling business is lawful and a written commitment by the commercial customer to notify the participant of any changes in its legal authority to engage in its business. Documents showing the business is lawful include:

  • A copy of the commercial customer's license, issued by the appropriate State or Tribal authority, that expressly authorizes the commercial customer to engage in the Internet gambling business; or

  • A “reasoned legal opinion” that demonstrates that the commercial customer's business does not involve restricted transactions. Note that a written legal opinion will not be considered “reasoned” if it only recites the facts and expresses a conclusion. The final rule defines “reasoned legal opinion” as a written expression of professional judgment by a State-licensed attorney that addresses the facts of a particular client's business and the legality of the client's provision of its services under applicable federal and state law.

  • In addition, the suggested due diligence process includes a third-party certification that the commercial customer's systems for engaging in the Internet gambling business are reasonably designed to ensure that the business will remain within its licensed or lawful limits, such as age and location verification.

The due diligence process also includes notification to commercial customers that restricted transactions are prohibited. A participant could notify all of its commercial customers that restricted transactions are prohibited through a term in the account agreement, a simple notice sent to the customer, or through some other method.

Automated Clearing House (ACH) Examples

Policies and procedures for non-exempt participants in the ACH system, including the ODFI and any third party processor in an ACH debit transaction and the RDFI and any third party processor in an ACH credit transaction should:

• Address methods for conducting due diligence, as described above; and

• Include procedures to be followed if the participant has actual knowledge that its commercial customer has received restricted transactions including circumstances under which the service should be denied and the account should be closed.


Check Collection System Examples

Policies and procedures for depository institutions in the check collection system should:

• Address methods for conducting due diligence, as described above; and

• Include procedures to be followed if the participant has actual knowledge that its commercial customer has received restricted transactions including circumstances under which the service should be denied and the account should be closed.

• A depository institution that receives checks for collection from a foreign banking office should include procedures to be followed when it has actual knowledge, obtained through notification by a government entity such as law enforcement or a regulatory agency, that a foreign banking office sent checks that are restricted transactions. A foreign banking office includes a foreign office of a U.S. bank and a non-U.S. office of a foreign banking organization.

Card Systems Examples

Policies and procedures for participants in card systems, including merchant acquirers, card system operators, and card issuers, such as credit unions should either:

• Address methods for conducting due diligence, as described above; or

• Implement a code system that is required to accompany the authorization request for a transaction. The code system should have the operational capability to enable the participant to identify and deny authorization for a restricted transaction. The procedures for a code system should include ongoing monitoring or testing to ensure authorization requests are coded correctly and analyzing payment patterns to detect suspicious payment volumes from a merchant customer.

• A merchant acquirer, card system operator, and third-party processor must include procedures to be followed when the participant has actual knowledge that a merchant has received restricted transactions through the card system, such as the circumstances under which access to the card system should be denied or closed.
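The card-system "code system" described above, together with the merchant category code blocking mentioned under Requirements, as an added example in Python. This is not code from CUNA, NCUA or any card network; it is a toy issuer-side authorization screen written for this page. It assumes that MCC 7995 is the network's betting/gambling merchant category code; the transaction-type values ("CNP"/"POS"), the descriptor keyword list, the volume-spike threshold and the sample authorizations are all constructed for illustration.

```python
"""Toy issuer-side UIGEA card-system screen (added example, not CUNA code).

Assumptions (not from the page): MCC 7995 is the card-network category code
for betting/gambling; the txn_type values, the descriptor keyword list, the
volume threshold and the sample authorizations below are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

GAMBLING_MCCS = frozenset({"7995"})          # assumption: network gambling MCC(s)
GAMBLING_KEYWORDS = ("CASINO", "POKER", "SPORTSBOOK", "BETTING", "WAGER")


@dataclass(frozen=True)
class AuthRequest:
    day: int             # constructed processing day, used for pattern analysis
    merchant_id: str
    mcc: str             # merchant category code sent with the authorization
    txn_type: str        # constructed: "CNP" (card-not-present) or "POS"
    amount_cents: int
    descriptor: str      # merchant descriptor as it would print on a statement


def decide(req):
    """Code-system check: deny a card-not-present authorization coded as gambling.

    Treating every Internet (CNP) gambling authorization as restricted is a
    deliberately conservative issuer policy for this example; an issuer that
    honours lawful, licensed online gambling would need the network's finer
    coding to tell the two apart.
    """
    if req.mcc in GAMBLING_MCCS and req.txn_type == "CNP":
        return "DENY", f"restricted: gambling MCC {req.mcc} on a card-not-present transaction"
    if req.mcc in GAMBLING_MCCS:
        # A card-present bet (a licensed casino cage, for instance) is not
        # placed over the Internet and so is not a restricted transaction.
        return "APPROVE", f"gambling MCC {req.mcc} but card-present"
    return "APPROVE", "not a gambling MCC"


def miscoding_suspects(reqs):
    """Merchants whose descriptor looks like gambling but whose MCC says otherwise.

    This is the 'ongoing monitoring or testing to ensure authorization requests
    are coded correctly' piece: a mis-coded merchant slips past decide(), so it
    is surfaced for review with the acquirer rather than silently approved.
    """
    suspects = set()
    for r in reqs:
        text = r.descriptor.upper()
        if r.mcc not in GAMBLING_MCCS and any(k in text for k in GAMBLING_KEYWORDS):
            suspects.add(r.merchant_id)
    return sorted(suspects)


def suspicious_volume(reqs, multiplier=5, min_history=3):
    """Flag merchants whose latest day exceeds multiplier x median prior-day volume.

    Returns {merchant_id: ratio}; merchants with fewer than min_history prior
    days are skipped because there is no baseline to compare against.
    """
    daily = defaultdict(lambda: defaultdict(int))
    for r in reqs:
        daily[r.merchant_id][r.day] += r.amount_cents
    flagged = {}
    for merchant, by_day in daily.items():
        days = sorted(by_day)
        if len(days) <= min_history:
            continue
        *history, latest = days
        baseline = median(by_day[d] for d in history)
        if baseline > 0 and by_day[latest] > multiplier * baseline:
            flagged[merchant] = round(by_day[latest] / baseline, 1)
    return flagged


def screen(reqs):
    """Run all three checks and return one summary dict."""
    return {
        "denied": sorted({r.merchant_id for r in reqs if decide(r)[0] == "DENY"}),
        "miscoding_suspects": miscoding_suspects(reqs),
        "volume_alerts": suspicious_volume(reqs),
    }


# Constructed sample authorizations (not real merchants or transactions).
SAMPLE_AUTHS = [
    AuthRequest(1, "M-CASINO-WEB", "7995", "CNP", 5000, "LUCKY7 ONLINE CASINO"),
    AuthRequest(1, "M-CASINO-FLOOR", "7995", "POS", 20000, "RIVERBOAT CASINO CAGE"),
    AuthRequest(1, "M-GAMES", "7372", "CNP", 4500, "ACEPOKER SOFTWARE"),
    AuthRequest(1, "M-BOOKS", "5942", "POS", 3500, "MAIN ST BOOKSTORE"),
    AuthRequest(2, "M-BOOKS", "5942", "POS", 3000, "MAIN ST BOOKSTORE"),
    AuthRequest(3, "M-BOOKS", "5942", "POS", 4000, "MAIN ST BOOKSTORE"),
    AuthRequest(4, "M-BOOKS", "5942", "POS", 90000, "MAIN ST BOOKSTORE"),
]

if __name__ == "__main__":
    for req in SAMPLE_AUTHS:
        print(req.merchant_id, *decide(req))
    print(screen(SAMPLE_AUTHS))
```

The three functions map onto the three elements the rule's card-system example names: `decide` is the authorization-time block driven by the MCC and transaction coding, `miscoding_suspects` is the coding-correctness test, and `suspicious_volume` is the payment-pattern analysis. In a real issuer or acquirer environment the MCC set and the transaction indicator come from the network's own rules, and the alerts feed the "actual knowledge" procedures (service denial, account closure) described for merchant acquirers and processors.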

Wire Transfer System Examples

The policies and procedures of a beneficiary’s financial institution in a wire transfer should:


• Address methods for conducting due diligence, as described above; and

• Include procedures to be followed if the financial institution has actual knowledge that its commercial customer has received restricted transactions, including circumstances under which the wire transfer service should be denied and the account should be closed.

Money Transmitting Business Operator Examples

The policies and procedures of an operator of a money transmitting business should:

• Address methods for conducting due diligence, as described above;

• Include procedures regarding ongoing monitoring or testing to detect potential restricted transactions, such as monitoring and analyzing payment patterns to detect suspicious payment volumes to any recipient; and

• Include procedures to be followed if the participant has actual knowledge that its commercial customer has received restricted transactions including circumstances under which the service should be denied and the account should be closed.


Appendix 8-B UIGEA Notice of Restricted Transactions

[Date] [Name of foreign sender or foreign banking office] [Address]

Re: U.S. Unlawful Internet Gambling Enforcement Act Notice

Dear [Name of foreign counterparty]:

On [date], U.S. government officials informed us that your institution processed payments through our facilities for Internet gambling transactions restricted by U.S. law on [dates, recipients, and other relevant information if available].

We provide this notice to comply with U.S. Government regulations implementing the Unlawful Internet Gambling Enforcement Act of 2006 (Act), a U.S. federal law. Our policies and procedures established in accordance with those regulations provide that we will notify a foreign counterparty if we learn that the counterparty has processed payments through our facilities for Internet gambling transactions restricted by the Act. This notice ensures that you are aware that we have received information that your institution has processed payments for Internet gambling restricted by the Act.

The Act is codified in subchapter IV, chapter 53, title 31 of the U.S. Code (31 U.S.C. 5361 et seq.). Implementing regulations that duplicate one another can be found at part 233 of title 12 of the U.S. Code of Federal Regulations (12 CFR part 233) and part 132 of title 31 of the U.S. Code of Federal Regulations (31 CFR part 132).