Connect ► twitter| youtube|  Log In ► Members Only  |  Corporate One Safekeeping  |  Search

BSA/AML hot topics: Marijuana laws and suspicious activity reporting

By: Jennifer Morrison, VP, Senior Risk Manager

December 28, 2015 -- In October 2015, I wrote on the potential impact of November’s Issue 3 ballot initiative in Ohio. Issue 3 failed in November. Ohio voters did not support both recreational and medical marijuana sales and use. However, the marijuana issue is not dead in Ohio.

Signs the marijuana issue is not dead

Cliff Rosenberger, Speaker of the Ohio House of Representatives, stated that the Ohio legislature will take up various medical marijuana bills in the 2016 session, including efforts put forth by Representative Kirk Schuring and Senators Joe Chiavoni and Kenny Yuko. Senate President Keith Faber also supports a medical marijuana debate.

In addition, several groups are looking at ballot initiatives for 2016 in Ohio, including medical-only, as well as another attempt to legalize recreational use. The latter is targeted for the presidential election ballot in November 2016.

In 2016, the following five states are expected to have ballot issues to approve medical marijuana: Florida, Indiana, Nebraska, South Dakota, and Wyoming. Also in 2016, the following 12 states will likely consider initiatives similar to the failed Ohio ballot issue: Arizona, Arkansas, California, Georgia, Maine, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nevada, and New Mexico.

Four states have already completely legalized marijuana: Alaska, Colorado, Oregon, and Washington. The District of Columbia voted to legalize personal marijuana use but not its distribution or sale. In addition, 23 states plus the District of Columbia allow some degree of medical marijuana.

How does the marijuana issue apply to me?

It is relevant to remember to monitor where your members conduct their activities and business. Residency in Ohio, or any other state where marijuana remains illegal, does not mean that your member is not engaged in marijuana activities through business dealings in other states.

Monitor your member activities for marijuana-related transactions, including interstate transactions. An Internet search for marijuana-related terms and slang will yield over 320 words and phrases that should be included in your transaction monitoring. Review the purpose of wires, invoices and other payment references, and memo fields for the appearance of such terms in transactions, particularly where the term appears out of context.

For example, “broccoli” is a slang term. A wire referencing “broccoli” could be a marijuana purchase, unless of course your member is a broccoli farmer or grocer.

My previous article in October also included the SAR requirements: the filing of Marijuana-limited and Marijuana-priority SARs. Medical marijuana, in any form, still requires a SAR if you are federally chartered and/or federally insured. State-chartered, privately insured credit unions must check with your primary regulator regarding SAR obligations.

BEC scams: Still a top priority for the FBI

Business email compromise scams, also known as BEC scams, remain a priority for the FBI.

BEC scams often begin with a phishing email that gives a fraudster access to a company employee’s email account. Stu Sjouwerman, founder and CEO of IT security firm KnowBe4, explained that for an extended period of time—sometimes several months—the fraudster will monitor a compromised employee’s email and determine who initiates wires and who requests them. From there, the fraudster will either spoof an email or create a domain similar to the company they are targeting. “The domain will look really close to the domain of that particular company, and they’ll send an email from the CEO,” Sjouwerman said. “It looks like it’s totally real.”

Identifying the main problem: The human element

The crux of the problem, explained Brad Deflin, president and co-founder of Total Digital Security, is the human element. Business professionals need to be more aware of the telltale signs of these attacks rather than simply hoping IT will catch any and all questionable emails. 

For example, when you receive an email from one of your contacts, do you just accept that you are talking to that person? Do you know for sure that the person you’re communicating with is who they say they are? Even if you’re familiar with your contact’s writing style, remember that someone else could also be familiar with their style and could be copying them. 

Best practices for business professionals

One recommendation: instead of using “reply” when receiving an external email, retype the “sender’s” email from your contacts list, and then use “forward.” Subtle changes in the domain of the scam email are hard to detect, and the fraudster is counting on you not taking the time to notice. When you “forward” your response to the fraudulent email, you also notify the person being scammed when the recipient has no idea of the original email request.

Business professionals should be cognizant of putting too much personal information out on social media sites. Employees should not post current travel plans. If an employee posts on LinkedIn or Facebook that he or she going to be somewhere, just assume that the bad guys are going to know where he or she is and use that information. Social media is one of the ways where you can find out just enough about a person—where they went to high school, where they went to college—and then fraudsters create a phishing email, which someone will likely fall for.

Various types of BEC scams

Keep in mind that BEC scams don’t always consist of a fraudster impersonating a CEO or CFO. Fraudsters will also impersonate companies’ suppliers, sending them new payment instructions so that a routine transfer will be sent to a new account. If a fraudster is in your email system and knows the specific amount you regularly pay a supplier, when they impersonate that supplier and make a request for that amount from you, it’s less likely to set off a red flag.

Noticing unusual activity? Filing your reports

The FBI requests that businesses believing they are recipients of a compromised e-mail and victims of BEC file a report with IC3 (at regardless of the dollar amount. The FBI is asking for as much description as possible. Identify the complaint as “Business Email Compromise” or “BEC,” and try to include the following information:

  • Header information from e-mail messages
  • Identifiers for the perpetrators, such as names, email addresses, websites, bank account information (where payments are requested to be sent), and beneficiary names
  • Details on how, why, and when the fraud attempts occurred
  • Actual and attempted amounts of loss
  • Other relevant information you believe will support the complaint (IP addresses, for example)

Complainants are also encouraged to keep original documentation, emails, faxes, and logs of all telecommunications. You cannot upload or add documents to the IC3 complaint; however, you may be contacted later by law enforcement to provide the relevant documents.

Suspicious Activity Reports (SARs) are generally not filed for attempted electronic intrusion, such as attempted penetration of systems and distributed denial of service (DDoS) attacks. However, in the course of monitoring your business member’s activity, if you notice unusual clusters of activity, such as large atypical wire transfers or changes in the form of member contact, which suggest suspected account takeover, file a SAR1.

A SAR should be filed, checking Box 35-A, “account takeover,” and the reference to “account takeover” should appear in the SAR narrative along with a detailed description of activity.  Additional boxes in Blocks 39 and 40 of the SAR form should also be checked to enhance the usefulness of the SAR filing. If a member reports that a wire transfer was in fact fraudulent and caused by a BEC scam, “BEC scam” is relevant information to be included in the SAR narrative along with checking Box 31-J for “wire fraud.”


1Filing the SAR is also appropriate to dollar thresholds and the identification of a possible suspect (the criminal, not the victim).