The Financial Crimes Enforcement Network's $300,000 fine againstNorth Dade Community Development Federal Credit Union has creditunion leaders wondering how North Dade wound up in the FinCEN hotseat.

Finding out what went wrong could prevent other credit unionsfrom winding up similar sticky situations, according to complianceexperts. Following are 10 costly mistakes the $3.9 million creditunion made.

First Offense: IgnoredFinCEN

Federal officials said one of North Dade's biggest mistakes wasviolating PATRIOT Act regulations requiring financial institutionsto review and respond quickly to FinCEN information requestssubmitted on behalf of law enforcement.

“It is of great concern that North Dade failed to even reviewthe 314(a) requests it received,” FinCEN Director Jennifer ShaskyCalvery said in a press release.

FinCEN's 314(a) requests are posted on a secure website everytwo weeks and must be downloaded, with responses verified by thefinancial institution within a specified deadline, the agencysaid.

North Dade had 314(a) requests sent to a single email addressaccessed by only one person, making timely responses dependent onthat person's availability, FinCEN said.

“These are time sensitive requests that, by their very nature,are intended to further criminal investigations into significantmoney laundering and terrorist financing activities,” Calverysaid.

Second Mistake:Stepped Outside FOM

North Dade's authorized field of membership was limited toindividuals and entities that live, work or worship in the NorthDade County area.

Yet, the cooperative handled transactions for money servicesbusinesses in known high-risk areas such as Central America, theMiddle East and Mexico.

“When a small institution opens its doors to the world, takes ongreater risks than it can manage, and puts profits before AMLcontrols, bad actors are bound to take advantage,” Calverysaid.

“This case raises pretty obvious questions that no one seems tohave asked: Why would MSBs located all over the world choose asmall Florida credit union to conduct close to $2 billion intransactions?”

For example, during a one-year period, the small credit unionhandled hundreds of millions of dollars in wire transfers toforeign bank accounts of MSBs located in Mexico and Israel, anddeposits in excess of $14 million in U.S. cash physically importedinto the country on behalf of nearly 40 Mexican currencyexchangers, the agency said.

Third Strike: Skimped onCompliance

The NCUA and U.S. Dept. of Treasury require federally-charteredcooperatives to implement AML programs. Credit unions are alsorequired to designate a person responsible for ensuring day-to-daycompliance, according to federal regulations.

At North Dade, no staff member was assigned to overseecompliance, FinCEN said.

The credit union could have easily avoided any problems,according to compliance experts.

“As flagged by FinCEN, North Dade should have designated aperson responsible to oversee BSA compliance,” attorney MartinKenney, an anti-money laundering expert, said. “However you firsthave to have compliance to oversee.”

“By all accounts, in this case there was none,” he continued.“This sounds like a case of hear no evil, see no evil, or theostrich sickness – sticking one's head in the sand.”

If a credit union is unable to appoint an staff member tooversee compliance, the institution's leaders should reach out andask for help for their fellow credit unions or look for a sharedresource person with compliance expertise, said RandyThompson, CEO of TCT Risk Solutions, a balance sheet and riskmanagement CUSO based in Eagle, Idaho.

Smaller credit unions like North Dade often have biggerchallenges in achieving BSA compliance, Thompson said.

TCT Risk Solutions will launch a newCompliance Officer in a Boxprogram next month, Thompson said.

Fourth Folly: Didn't AdequatelyTrain Staff

Federally-chartered cooperatives are required to train staff onspotting suspicious transactions, but North Dade's five-personstaff did not have sufficient resources or technical expertise toensure compliance, FinCEN said.

Employees at North Dade did receive annual BSA training, but itwas significantly deficient because it was not tailored for eachdepartment, and did not encompass all aspects of BSA, cover MSBcompliance or ensure employees had access to current compliancerules and guidance, the agency said.

In addition, North Dade did not have any records of compliancematerials for its board of directors as recommended by the FederalFinancial Institutions Examination Council Manual.

Plus, the credit union did not obtain outside assistance ortechnical resources in a timely manner to compensate for its smallstaff, the agency said.

Fifth Failure: Lacked RiskAssessment

Even though independent audits in 2012 identified moneylaundering and terrorist financing risks at North Dade, thecooperative did not perform a risk assessment until November 2013,FinCEN said.

“When NCUA examiners requested a copy of North Dade's riskassessment for its Dec. 31, 2011 exam, they were provided with anoutdated template from the 2006 Federal Financial InstitutionsExamination Council Manual, rather than an assessment of NorthDade's particular risks,” the agency's penalty assessment said.

“A solid BSA program is a vital component of any financialinstitutions compliance related activities,”JimVilker, VP of professional services at CU*Answers, said. “Astrong BSA program controls not only compliance risks buttransactional and reputation risks as well. A well-executed BSAprogram is not difficult to establish, with the foundation being arisk assessment.”

“Financial institutions must show they understand the risks ofmoney laundering and terrorist activity funding from both themembers doing business with the credit union as well as thecommunities the credit union does business in,” Vilker said. “Thisrisk assessment shoulders all other components of an appropriateBSA monitoring program including CIP, monitoring requirements,appropriate trainings, and outside audits to name a few.”

Sixth Sticky Situation:Inadequate Internal Controls

Until it instituted a new anti-money laundering policy inNovember 2013, North Dade lacked written procedures for importanttasks, such as opening accounts for members who did not have asocial security number, FinCEN said.

According to federal regulators, the most significant example ofNorth Dade's failure to have adequate internal controls was its2009 contract with a third-party vendor, an MSB that providedfinancial services to other high-risk MSBs, including check-cashingstores and currency exchangers.

“North Dade agreed to become the depository institution for thevendor's MSB clients, providing sub-accounts for each MSB toconduct deposits and transfer funds,” the agency said. “Under thecontract, the vendor was North Dade's member and customer and thevendor's MSB clients were not. However, in practice, 56 of theVendor's MSBs sub-accounts could receive financial servicesdirectly from North Dade.”

Although North Dade's own counsel cautioned the credit union itwould still have anti-money laundering compliance responsibilitiesfor the vendor's MSBs, the credit union relied on the vendor toconduct all related due diligence and suspicious activitymonitoring without conducting any verification or inspection of thevendor's compliance activities.

Seventh FinCEN Sin: Didn't KnowIts Customers

Credit unions are supposed to have a Customer IdentificationPrograms (CIP) that are suitable for the size and scope of thebusiness, but North Dade failed to verify customer identificationinformation for many members, including MSBs, according to federalregulators.

Although the credit union's internal policy required each MSB tobe properly registered with FinCEN and licensed with the state inwhich they conducted business, North Dade provided services to MSBslocated in the Middle East that were not registered with FinCEN,the agency said.

In one case, an individual connected to more than 60% of thebusinesses banking with North Dade conducted 2,036 cash withdrawalsfrom January 2010 and August 2013, but North Dade never identifiedthe person as potentially high-risk or reviewed his activities,FinCEN said.

In order to monitor for suspicious activities, employees had tomanually investigate accounts, but they lacked sufficient knowledgeto do so properly, the agency said.

Eighth Mistake: Slow orNo SARs

Between April 2010 and April 2013, North Dade filed only 15Suspicious Activity Reports, according to FinCEN.

“The SARs were filed late and the narrative sections lackedessential information explaining why the suspicious activity wasbeing reported,” the agency said. “Furthermore, North Dade failedto file SARs on customers engaged in suspicious activity, includinga customer that was arrested and charged with conspiring to laundermoney.”

In one case, law enforcement seized more than $1.5 milliondollars from an owner of an MSB who held an account at North Dade,yet the cooperative never filed a SAR, federal regulators said.

Ninth Naughty Move: GotGreedy

In 2013, the total transaction volume through North Dade by MSBsincluded $54.8 million in cash orders, $1.01 billion in outgoingwires, $5.3 million in returned checks, and $984.4 million inremote deposit capture, FinCEN said.

The MSB activity constituted 90% of North Dade's annual revenuein 2013, the agency said.

“This was not the expected business behavior of a small creditunion like North Dade and led to substantial BSA compliancefailures and violations,” FinCEN said.

The revenue generated by the questionable activity was vital toNorth Dade's survival, according to federal regulators.

“The substantial revenue generated by the Vendor's programappeared to outweigh any consideration by North Dade of associatedrisks and appropriate compliance measures,” FinCEN said. “Forexample, NCUA examined North Dade in 2010 and instructed the creditunion to ensure that its MSB members all met field of membershiprequirements.”

But, by December 2012, North Dade had accounts for 56 differentMSBs.

Tenth Mistake:No Independent Testing

A federally chartered credit union's anti-money launderingprogram must include independent compliance testing to monitorthe institution's program and ensure its adequacy, according toFinCEN regulations.

NCUA recommends annual testing of a credit union's complianceprogram when it serves high-risk clients.

North Dade did not have its anti-money laundering program testedon a regular basis until NCUA cited this shortfall, a failure ofparticular concern for an entity, like North Dade, engaged inhigh-risk business lines, federal regulators said.

The cooperative began receiving independent audits in December2011, but significant issues persisted almost two years later,FinCen said.