
AML/BSA hot topics

Serving MSBs, marijuana business members and cyber risks

By: Jennifer Morrison, VP, Senior Risk Manager

December 29, 2014 -- BSA/AML compliance remains one of the biggest "hot buttons" on the list of regulatory compliance concerns, and credit unions should be aware of the issues and determine whether their institutions are treating BSA/AML compliance with appropriate concern and attention. What should your credit union do to limit its risk exposure? Keep reading for more information on how to keep your credit union in check.

Serving MSBs:

On November 10, 2014, FinCEN issued a statement on providing banking services to Money Services Businesses (MSBs). The regulatory burdens and risks placed on financial institutions serving MSBs have caused a significant level of “pre-risking” and “de-risking,” resulting in the refusal of many financial institutions to provide banking services to MSBs. However, FinCEN in its statement highlighted that MSBs often provide financial services to the underserved. A transparent financial system includes all types of banking services, and FinCEN, state regulators and the IRS are in agreement that there is a risk-based approach to providing services to MSBs.  In other words, FinCEN is asking financial institutions not to wholesale drop all such customers/members.

Corporate One’s risk department recently sent out a Member Due Diligence Questionnaire. We took note of a number of our members that are serving MSBs that they consider to be of lower risk. We also noted that the majority of these members have policies and procedures that address the heightened AML risks of serving MSBs. 

As a risk-based institution, your Board of Directors has to make a decision about how much risk your credit union is willing to accept versus the cost to control and monitor the risk presented by members, like MSBs, as well as the additional regulatory burdens that come with such members. I encourage you to price for the AML risk if you choose to serve MSBs, much like you price credit risk when making loans. Should your credit union choose to serve MSBs, make sure that serving MSBs is bringing fee income commensurate with the AML risk being taken (including the human and system costs).

Marijuana Businesses:

With this month’s election, four states have now legalized marijuana for recreational use. Joining Colorado and Washington are Oregon and Alaska, whose laws will become effective in 2015. In addition, 23 states and the District of Columbia have legalized certain marijuana-related activity. All credit unions that conduct any transactions with members in these states or through these states must be familiar with the FinCEN requirements for monitoring and for filing SARs.

The Controlled Substances Act (CSA) makes it illegal under federal law to manufacture, distribute, or dispense marijuana. Financial institutions operating in these states where recreational or medical use of cannabis is permitted find themselves caught between federal and state statutes. We must all comply with federal law with regard to FinCEN.

On February 14, 2014, FinCEN released guidance (FIN-2014-G001) to financial institutions in coordination with the U.S. Department of Justice on serving marijuana businesses. The guidance is focused on a memorandum issued by U.S. Department of Justice Deputy Attorney General James M. Cole (Cole Memo) to all U.S. Attorneys providing updated guidance to federal prosecutors concerning enforcement of the CSA. The Cole Memo places a priority on criminal activity that continues to surround marijuana businesses, particularly the significant source of revenue derived from the drug trade to large-scale criminal enterprises, gangs, and cartels. Priorities also include preventing the distribution of marijuana to minors, preventing the possession or use of marijuana on federal property, and preventing drugged driving, as well as various other priorities.

FinCEN’s guidance goes on to state that the decision to open, close, or refuse any particular account or relationship should be a risk-based decision made by financial institutions (much like the November FinCEN statement on serving MSBs). FinCEN and federal regulators are well aware that financial institutions are regulatory risk-averse, leaving these state-authorized marijuana businesses with significant levels of cash, and putting their business and employees at risk if banking services are denied. The guidance specifically reminds us of the following:

The obligation to file a SAR is unaffected by any state law that legalizes marijuana-related activity. A financial institution is required to file a SAR if, consistent with FinCEN regulations, the financial institution knows, suspects, or has reason to suspect that a transaction conducted or attempted by, at, or through the financial institution: (i) involves funds derived from illegal activity or is an attempt to disguise funds derived from illegal activity; (ii) is designed to evade regulations promulgated under the BSA, or (iii) lacks a business or apparent lawful purpose.1 Because federal law prohibits the distribution and sale of marijuana, financial transactions involving a marijuana-related business would generally involve funds derived from illegal activity. Therefore, a financial institution is required to file a SAR on activity involving a marijuana-related business (including those duly licensed under state law), in accordance with this guidance and FinCEN’s suspicious activity reporting requirements and related thresholds.

However, the guidance went on to clarify that a financial institution providing financial services to a marijuana-related business that it reasonably believes, based on its customer due diligence, does not implicate one of the Cole Memo priorities or violate state law should file a “marijuana limited” SAR. However, if the financial institution filing the SAR reasonably believes, based on customer due diligence, that the marijuana-business activity implicates one or more of the Cole Memo priorities or violates state law, the SAR filed should be a “marijuana priority” SAR. The FinCEN-specified content of these particular SARs is included in the guidance and should be followed in filing a marijuana-related SAR.

On October 27, 2014 via a spokesman, the Federal Deposit Insurance Corporation (FDIC) confirmed that the agency is using the FinCEN guidance. An FDIC official went on to elaborate that marijuana is a “higher risk” business because of its dependence on cash, but that these businesses do not hold a reputational risk for banks in states that have legalized the drug.  However, it has been reported that in a recent NCUA examination, a New Mexico credit union closed its marijuana business accounts because of the negative reaction by an NCUA field examiner.2 While there may be some ambiguity over their treatment by federal regulators, it is clear that all members should be monitored for marijuana-related activities. Corporate One’s own recent independent BSA/AML review suggested that we monitor transactions in the pertinent states for marijuana-related business transactions.  Your credit union may come to the same conclusion.

Cyber Risks:

As we enter the holiday season, data breaches at retailers Target and Neiman Marcus still remain top of mind for many of our credit union members. If a data breach occurs, be sure your credit union reacts quickly and identifies any cards that might have been compromised. The standard of care consumers expect today is that they will quickly see a replacement card from the issuing institution, regardless of any verifiable fraud transactions on their card. In addition, make your members aware of how to monitor their accounts and protect their assets. Simple changes in their shopping habits, such as designating a single home PC and credit card for online shopping, can help limit their risk. Use your Web site, social media, and newsletters to remind your members to monitor their accounts using the online tools your credit union provides.

The latest malware aimed at credit unions and banks is Dridex, a descendant of Zeus malware. Dridex joins Feodo, Geodo, and Cridex in a long line of attempts to steal users’ online financial credentials, personal information, and then their money. Many business and home PCs have inadequate security, leaving them vulnerable. A well-educated member base is the best defense. Use your Web site, social media, and newsletters to inform your members of the steps they can take to protect themselves, including anti-virus software, account alerts, and safe transaction and transfer limits. Make sure that businesses understand the value of dual controls for money transfers and advise your members against large, unsubstantiated limits for wire transfers and payroll files. Monitor wire transfers and do not be afraid to ask your member why they are sending the wire, especially foreign wires. “Personal” is not a reason, but a transaction type. Finally, remind your membership of the current schemes, including auto sales schemes from Craigslist, email compromise, fake dating services, and fake lotteries.

As evidenced by some of the largest BSA/AML enforcement penalties in U.S. history, BSA/AML compliance continues to be integral to the success of every credit union, but the challenge is to remain current. Make sure you sign up for FinCEN updates to ensure that FinCEN guidance and statements are delivered immediately to your email inbox.

1 31 CFR 1020.320

2 http://www.banklawyersblog.com/3_bank_lawyers/fdic/