Event-Triggered Compliance

File FinCEN SAR when the credit union detects a known or suspected violation of law, or a suspicious transaction related to money laundering, terrorist financing, or other financial crimes. The 30-day clock starts when the transaction is first identified as suspicious, not when the transaction occurred.

File FinCEN CTR for each deposit, withdrawal, exchange, or other payment/transfer involving currency exceeding $10,000. Multiple same-day transactions by or on behalf of the same person must be aggregated.

When a credit union identifies property (accounts, funds, transactions) belonging to an individual or entity on the OFAC SDN list, the property must be blocked immediately and reported to OFAC within 10 business days. A 'negative' annual report is NOT required if no property was blocked.

Record the purchaser's name, date of birth, SSN/TIN, address, date and type of instrument, serial number, and dollar amount. This is a recordkeeping requirement, not a filing, but failure to maintain the log is a BSA violation.

Upon receiving an oral or written error notice from a member, the CU must investigate promptly. If investigation takes more than 10 business days, provisionally credit the member's account. For new accounts (open <30 days), the CU has 20 business days. For POS/international/new-account transactions, 90 days.

For applicable mortgage transactions, the borrower has 3 business days after closing (or after receiving required disclosures, whichever is later) to rescind. The CU must not disburse funds during the rescission period. Does not apply to purchase-money mortgages.

The Loan Estimate must be delivered or placed in the mail within 3 business days of receiving a mortgage application. The 6 data points triggering an 'application' are: name, income, SSN, property address, estimated property value, and loan amount sought.

The Closing Disclosure must be received by the consumer at least 3 business days before closing. Certain changes to the CD (APR increase >0.125%, addition of prepayment penalty, or change in loan product) require a new 3-day waiting period.

Written notice must include: the specific reasons for adverse action (or right to request reasons), ECOA notice, and credit bureau information if a credit report was used. Applies to all consumer and commercial credit decisions.

When the CU invokes an exception hold (large deposit >$5,525, redeposited check, reasonable cause to doubt collectibility, new account, emergency), written notice must be provided specifying the reason, amount held, and date funds will be available.

When notified of a dispute by a CRA (credit reporting agency), the CU must conduct a reasonable investigation, review all relevant information provided, and report results back to the CRA. If information is found inaccurate, must correct or delete it.

For adjustable-rate mortgages, the CU must provide notice of the rate adjustment including the current and new interest rate, payment amount, and index information. For the initial rate adjustment, notice must be provided 210-240 days before the first payment change.

At loan origination, determine if collateral is in an SFHA and notify borrower. If flood insurance lapses, send a 45-day notice before force-placing coverage. Upon FEMA map revision, re-determine flood status and notify borrower within 45 days.

Each mortgage application action (origination, purchase, denial, withdrawal, file closed for incompleteness) must be recorded on the LAR. While the annual filing deadline is on the calendar, each individual event must be captured timely for accurate reporting.

Under NCUA's cyber incident notification rule (effective September 2023), federally insured credit unions must notify NCUA within 72 hours of a substantial cyber incident. Report via NCUA's online portal or by calling the regional office. Includes ransomware, data breaches, and service disruptions.

Under Texas Business & Commerce Code Ch. 521, the CU must notify affected individuals within 60 days. If >250 Texas residents affected, also notify the Texas AG. For members in other states, follow that state's breach notification law. Consider offering credit monitoring services.

Maintain a complaint log. CFPB-forwarded complaints require a response within 15 days (or 60 days with explanation). NCUA examiners review complaint handling during examinations. Document all complaints, investigations, and resolutions.

Upon notification of death, restrict account access to prevent unauthorized withdrawals. Require Letters Testamentary or Letters of Administration. For small estates under $75,000 (Texas), an affidavit may suffice. Report final interest to deceased member's SSN for the year of death, then to estate's EIN.

Verify validity of legal process. For third-party subpoenas, provide member notice when legally permitted (Right to Financial Privacy Act for federal government requests). For garnishments, withhold funds per court order and file an answer. Consult legal counsel for regulatory subpoenas.

Structuring (breaking transactions to avoid CTR filing) is a federal crime. When the CU identifies a pattern suggestive of structuring, file a SAR. Do not tip off the member that a SAR is being filed. Train tellers to recognize structuring patterns.

Under the Texas Property Code (Unclaimed Property), accounts dormant for the applicable period must be reported and escheated to the state. Send due diligence notice to last known address 30-60 days before the November 1 report. The dormancy period is 3 years for most accounts, 5 years for certain account types.

While the Federal Reserve suspended the 6-transfer limit in April 2020, some CUs maintain these limits by policy. If your CU enforces transfer limits, monitor and notify members approaching the limit. If not enforced, ensure your account agreements reflect current policy.