These compliance obligations don't have fixed calendar dates. Instead, they are triggered by specific events, transactions, or circumstances. Missing these can result in regulatory violations and enforcement actions.

BSA/AML & Financial Crimes

Suspicious Activity Report (SAR) Filing

FinCEN
Trigger: Known or suspected violations involving $5,000+ or insider abuse at any amount
Deadline: 30 calendar days from initial detection (60 days if no suspect identified)

File FinCEN SAR when the credit union detects a known or suspected violation of law, or a suspicious transaction related to money laundering, terrorist financing, or other financial crimes. The 30-day clock starts when the transaction is first identified as suspicious, not when the transaction occurred.

Regulatory source →

Currency Transaction Report (CTR)

FinCEN
Trigger: Cash transactions exceeding $10,000 in a single business day (per member)
Deadline: 15 calendar days after the transaction date

File FinCEN CTR for each deposit, withdrawal, exchange, or other payment/transfer involving currency exceeding $10,000. Multiple same-day transactions by or on behalf of the same person must be aggregated.

Regulatory source →

OFAC Blocked Property Report

OFAC / Treasury
Trigger: Property of an SDN or blocked person/entity is identified in CU records
Deadline: 10 business days after blocking; annual report due September 30

When a credit union identifies property (accounts, funds, transactions) belonging to an individual or entity on the OFAC SDN list, the property must be blocked immediately and reported to OFAC within 10 business days. A 'negative' annual report is NOT required if no property was blocked.

Regulatory source →

Monetary Instrument Log (MIL)

FinCEN / BSA
Trigger: Purchase of monetary instruments (cashier's checks, money orders, traveler's checks) with $3,000-$10,000 in currency
Deadline: At time of purchase — log must be maintained for 5 years

Record the purchaser's name, date of birth, SSN/TIN, address, date and type of instrument, serial number, and dollar amount. This is a recordkeeping requirement, not a filing, but failure to maintain the log is a BSA violation.

Regulatory source →

Consumer Compliance & Disclosures

Regulation E — Error Resolution

CFPB
Trigger: Member reports an unauthorized EFT, billing error, or missing deposit
Deadline: 10 business days to investigate (may extend to 45 days with provisional credit); written results within 3 business days of completion

Upon receiving an oral or written error notice from a member, the CU must investigate promptly. If investigation takes more than 10 business days, provisionally credit the member's account. For new accounts (open <30 days), the CU has 20 business days. For POS/international/new-account transactions, 90 days.

Regulatory source →

Regulation Z — Right of Rescission Notice

CFPB
Trigger: Closed-end credit secured by member's principal dwelling (refinance, HELOC draw)
Deadline: Member has 3 business days to rescind; CU must provide 2 copies of rescission notice at closing

For applicable mortgage transactions, the borrower has 3 business days after closing (or after receiving required disclosures, whichever is later) to rescind. The CU must not disburse funds during the rescission period. Does not apply to purchase-money mortgages.

Regulatory source →

TILA-RESPA Loan Estimate (LE)

CFPB
Trigger: Receipt of a mortgage loan application (6 data points received)
Deadline: 3 business days after receiving the application

The Loan Estimate must be delivered or placed in the mail within 3 business days of receiving a mortgage application. The 6 data points triggering an 'application' are: name, income, SSN, property address, estimated property value, and loan amount sought.

Regulatory source →

TILA-RESPA Closing Disclosure (CD)

CFPB
Trigger: Mortgage loan is approved and closing is scheduled
Deadline: At least 3 business days before consummation (closing)

The Closing Disclosure must be received by the consumer at least 3 business days before closing. Certain changes to the CD (APR increase >0.125%, addition of prepayment penalty, or change in loan product) require a new 3-day waiting period.

Regulatory source →

Adverse Action Notice

CFPB / ECOA
Trigger: Denial, revocation, or unfavorable change in terms of credit application
Deadline: 30 days after taking adverse action (or 30 days after receiving a completed application if not acted upon within 30 days)

Written notice must include: the specific reasons for adverse action (or right to request reasons), ECOA notice, and credit bureau information if a credit report was used. Applies to all consumer and commercial credit decisions.

Regulatory source →

Regulation CC — Funds Availability Exception Hold Notice

Federal Reserve
Trigger: CU places an exception hold on deposited funds beyond normal availability
Deadline: Notice at time of deposit (or by first business day after deposit if not present)

When the CU invokes an exception hold (large deposit >$5,525, redeposited check, reasonable cause to doubt collectibility, new account, emergency), written notice must be provided specifying the reason, amount held, and date funds will be available.

Regulatory source →

FCRA — Furnisher Dispute Investigation

CFPB / FTC
Trigger: Consumer disputes the accuracy of information furnished to a credit bureau
Deadline: 30 days to investigate and respond (may extend to 45 days if consumer provides additional information)

When notified of a dispute by a CRA (credit reporting agency), the CU must conduct a reasonable investigation, review all relevant information provided, and report results back to the CRA. If information is found inaccurate, must correct or delete it.

Regulatory source →

Lending & Mortgage

ARM Rate Adjustment Notice

CFPB (Reg Z)
Trigger: Adjustable-rate mortgage (ARM) rate change approaching
Deadline: At least 60 days (and no more than 120 days) before the first payment at the new rate

For adjustable-rate mortgages, the CU must provide notice of the rate adjustment including the current and new interest rate, payment amount, and index information. For the initial rate adjustment, notice must be provided 210-240 days before the first payment change.

Regulatory source →

Flood Insurance Notice & Force-Placement

FEMA / Federal Reserve
Trigger: Loan secured by property in a Special Flood Hazard Area (SFHA)
Deadline: Notice at least 45 days before force-placing insurance; must verify flood zone at origination and when FEMA map changes

At loan origination, determine if collateral is in an SFHA and notify borrower. If flood insurance lapses, send a 45-day notice before force-placing coverage. Upon FEMA map revision, re-determine flood status and notify borrower within 45 days.

Regulatory source →

HMDA Reportable Event

CFPB
Trigger: Action taken on a mortgage application (origination, denial, withdrawal, incompleteness)
Deadline: Record within 30 calendar days of end of quarter in which action was taken; annual LAR submission by March 1

Each mortgage application action (origination, purchase, denial, withdrawal, file closed for incompleteness) must be recorded on the LAR. While the annual filing deadline is on the calendar, each individual event must be captured timely for accurate reporting.

Regulatory source →

Cybersecurity & Incident Response

NCUA Cyber Incident Notification

NCUA
Trigger: Substantial cyber incident affecting the CU's information systems, operations, or member data
Deadline: 72 hours after the CU reasonably believes a reportable incident has occurred

Under NCUA's cyber incident notification rule (effective September 2023), federally insured credit unions must notify NCUA within 72 hours of a substantial cyber incident. Report via NCUA's online portal or by calling the regional office. Includes ransomware, data breaches, and service disruptions.

Regulatory source →

Member Data Breach Notification

State / Federal
Trigger: Unauthorized access to member PII (name + SSN, account number, driver's license, etc.)
Deadline: Texas: 60 days from determination of breach; varies by member's state of residence

Under Texas Business & Commerce Code Ch. 521, the CU must notify affected individuals within 60 days. If >250 Texas residents affected, also notify the Texas AG. For members in other states, follow that state's breach notification law. Consider offering credit monitoring services.

Regulatory source →

Governance & Member Relations

Member Complaint Response

NCUA / CFPB
Trigger: Written complaint received from a member
Deadline: Acknowledge within 5 business days; substantive response within 15-30 days (varies by complaint type)

Maintain a complaint log. CFPB-forwarded complaints require a response within 15 days (or 60 days with explanation). NCUA examiners review complaint handling during examinations. Document all complaints, investigations, and resolutions.

Regulatory source →

Deceased Member Account Handling

State / Federal
Trigger: Notification of member's death (estate representative, family, or Social Security death file)
Deadline: Freeze account promptly; release funds per Texas Estates Code procedures

Upon notification of death, restrict account access to prevent unauthorized withdrawals. Require Letters Testamentary or Letters of Administration. For small estates under $75,000 (Texas), an affidavit may suffice. Report final interest to deceased member's SSN for the year of death, then to estate's EIN.

Subpoena / Legal Process Response

Court / Regulatory
Trigger: Receipt of subpoena, summons, garnishment, or regulatory request for member records
Deadline: Varies — typically 10-21 days from service; garnishment answers due per Texas Rules of Civil Procedure

Verify validity of legal process. For third-party subpoenas, provide member notice when legally permitted (Right to Financial Privacy Act for federal government requests). For garnishments, withhold funds per court order and file an answer. Consult legal counsel for regulatory subpoenas.

Account & Transaction Operations

Large Cash / Structuring Alert

FinCEN / BSA
Trigger: Pattern of transactions just below $10,000 suggesting intentional structuring
Deadline: File SAR within 30 days of detection; do NOT inform the member

Structuring (breaking transactions to avoid CTR filing) is a federal crime. When the CU identifies a pattern suggestive of structuring, file a SAR. Do not tip off the member that a SAR is being filed. Train tellers to recognize structuring patterns.

Regulatory source →

Dormant / Escheatment Processing

Texas Comptroller
Trigger: Account dormant for 3-5 years with no member-initiated activity and mail returned
Deadline: Annual report to Texas Comptroller by November 1; remit property by March 1 of following year

Under the Texas Property Code (Unclaimed Property), accounts dormant for the applicable period must be reported and escheated to the state. Send due diligence notice to last known address 30-60 days before the November 1 report. The dormancy period is 3 years for most accounts, 5 years for certain account types.

Regulatory source →

Reg D Savings/Money Market Monitoring

Federal Reserve (historical) / Internal
Trigger: Member exceeds 6 convenient transfers per statement cycle from savings/MMDA (pre-April 2020 rule)
Deadline: Monitor each cycle; contact member if pattern detected

While the Federal Reserve suspended the 6-transfer limit in April 2020, some CUs maintain these limits by policy. If your CU enforces transfer limits, monitor and notify members approaching the limit. If not enforced, ensure your account agreements reflect current policy.