
FinCEN Advisory on cybercrime, new definitions of MRBs as medical marijuana laws expand

By Jennifer Morrison, VP, Senior Risk Manager

FinCEN Cybercrime Advisory

On October 25, 2016, the Financial Crimes Enforcement Network (FinCEN) issued Advisory 2016-A005, directing all financial institutions to more frequently and thoroughly investigate, report, and exchange data on cyberattacks against them. The Advisory directed financial institutions, including credit unions, to include cyberattacks among the illegal activities resulting in SAR filings. This is NOT a change in the Bank Secrecy Act (BSA). Instead, take the Advisory as a reminder of your Suspicious Activity Report (SAR) obligations.

However, the Advisory does “encourage” us to voluntarily report “egregious, significant or damaging” attacks that did not or would not have involved transactions, including Denial of Service attacks that might not have previously triggered the filing of a SAR because there was no potential loss of funds. Note – this might be a change for your BSA/AML program because of the lack of a dollar amount.

Cyber-event defined

The Advisory defines a cyber-event as “an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information.”

The important nugget to take from the Advisory is that SAR filing obligations include attempts that were not successful. Therefore, cyber-events that generate a SAR filing ARE NOT REQUIRED TO MEET the $5,000 or $25,000 SAR-filing thresholds.

A cyber-enabled crime is defined in the Advisory as “illegal activities (e.g., fraud, money laundering, identity theft) carried out or facilitated by electronic systems or devices, such as networks and computers.” Many credit unions have members that have been victims of identity theft. It is important in your future SAR reporting to also identify the cyber-crime component of that compromise and to attempt to obtain the relevant information. The Advisory specifies information to include in the SAR under section II of the Advisory, Including Cyber-Related Information in SAR Reporting, beginning on page six.

Actions to take now

Update your BSA/AML policies and procedures to ensure that a cyber-event is classified as a red flag meriting further investigation, regardless of whether the objective was financial or not. And do it NOW. The Advisory has already taken effect.

Compliance with the Advisory requires your BSA/AML Officer and department to work together with your IT professionals. Communication lines must be established now to ensure that your credit union’s suspicious activity referral process contemplates how a cyber-event can and will be reported, including all of the salient details included in the Advisory for your SAR filing.

Other thoughts to keep in mind

It is possible with any cyber-event that your credit union will not initially have all of the details to determine if the attack targeted a payment system or your email. Melissa Goldstein, a former attorney-advisor with FinCEN, suggests in an article from November 11, 2016, that given the penalties associated with BSA violations and the range of incidents that could be considered a cyber-event under the Advisory, many institutions targeted by a cyberattack will file a SAR regardless of whether the intrusion meets the standards set forth in current SAR regulations or new guidance.

The same article cited a “senior compliance officer” in the following quote: “If a year from now it comes out that there was an intrusion and you didn’t file a SAR on it, the concern is that you could be held criminally liable and certainly would be exposed to a [civil] monetary penalty.”

Remember, the Advisory has already gone into effect.

New definitions of MRBs as medical marijuana laws expand

As has been written previously in Solutions, federally chartered and/or federally insured credit unions must file a Suspicious Activity Report (SAR) when processing transactions for marijuana-related businesses (MRBs) and if a marijuana-related transaction flows through the credit union. This SAR obligation for federally regulated credit unions is REGARDLESS of your state’s legal status of marijuana (recreational and medical).

Florida was among a handful of additional states voting to legalize medical marijuana in November 2016. This follows Ohio, which, through its state legislature, legalized medical marijuana with a three-year phase-in, beginning this fall. As a result of these voter and legislative actions, if your credit union is supervised in any way by the NCUA, your credit union must address marijuana in your BSA/AML policies if you have not done so already.

The Controlled Substance Act (CSA) classifies marijuana as a Schedule I drug. Schedule I drugs include heroin, LSD, and ecstasy. The CSA makes it a federal crime to manufacture, distribute, or dispense marijuana, regardless of your state’s statutes. It is therefore illegal to facilitate these activities, including providing financial services to those who are engaged in a federal crime. Therefore, if you have a federal examiner, your credit union must comply with the CSA.

While there are possible actions in Congress that might reduce marijuana to a Schedule II drug, which are “drugs with a high potential for abuse,” the marijuana industry will probably continue to be perceived as high risk. This means that your credit union will still be subject to legal and regulatory scrutiny if you choose to serve MRBs. Schedule II drugs include cocaine, opium, and methamphetamine.

Defining MRBs

Poorly constructed policies and procedures increase the risk that your compliance program might be deemed deficient. Definitions can be important to include when writing good policies and procedures.

In a recent article in ACAMS Today, the organization presented a Three-Tiered Approach created by MRB Monitor. In sum, the approach defines and categorizes MRBs into three risk-based categories that might be helpful, especially for those who naively believe their credit union has zero exposure. Your credit union has exposure. Corporate One has exposure, too.

Tier I MRBs generally encompass those that are licensed by a state or are a marijuana-related “legitimate business” as defined in proposed federal marijuana banking bills in Congress. Typically, these Tier I MRBs are licensed growers, providers of seeds, testing, packaging, wholesaling, and transportation.

Tier II MRBs are considered less risky than Tier I MRBs because they do not directly manufacture, distribute, or dispense marijuana. They are not typically licensed by a state. These are service providers to Tier I MRBs. Tier II MRBs are engaged in packaging supplies, advertising, training and education, licensing and legal services, and software sales. Remember that even shipping the equipment needed to grow marijuana is a violation of the CSA. That means the hydroponic supplies that a company like MiracleGro sells technically violate the CSA.

Tier III MRBs are the least risky. These are entities that are not focused on selling to Tier I MRBs or on serving the marijuana industry. Instead, Tier III MRBs are MRBs because of incidental services sold as a small percentage of the firm’s overall business revenue. These can be almost any type of business, including attorneys, accountants, and registered agents of any type. For example, your member who is the local CPA provides tax filing services to a Tier I MRB. That CPA is a Tier III MRB.

Be careful. If that CPA firm comes to “specialize” in providing tax filing services to MRBs, that CPA firm then becomes a Tier II MRB. If a member who is a local attorney specializes in providing state licensing advice to firms wanting to engage in legal medical marijuana dispensaries, that attorney is now a Tier II MRB, not a Tier III MRB.

Actions to take now

Financial institutions are specifically directed by FinCEN to “take a risk-based approach in assessing individual customer relationships, rather than declining to provide services to entire categories of customers without regard to the risks presented.” Most financial institutions have taken a “Just Say No” approach to serving MRBs. But there is no mandate. If your credit union is state-chartered and privately insured, confer with your state regulator before making the decision to serve an MRB to ensure your policies and procedures address your regulator’s position on serving MRBs.

If your credit union is federally regulated, and you are in a state with legalized marijuana in any form, OR if you have members living in or doing business in a state with legalized marijuana in any form, first go to your board of directors and senior management. Write into your policy a statement about your willingness to serve members engaged in marijuana, in any form. This sets the stage for your member identification program (MIP).

If your credit union chooses to serve MRBs, document how your MIP will need to change in order to identify MRBs at the point of opening new memberships. But, DO NOT FORGET how you will go about identifying MRBs in your current membership. Remember that if medical marijuana is now legal in your state, you may have members who, for example, are engaged in agriculture in some way and adding pot-growing operations. “Know Your Member” includes knowing your current members and recognizing opportunities for refreshing your MIP. MIP conducted just at the time of joining the credit union is insufficient.

If your credit union chooses to serve MRBs, make sure that you can manage the incremental volume of SARs that must be filed, and ensure that your SAR-filing staff knows how to file the two types of SARs required: marijuana limited and marijuana priority SARs.

If your credit union chooses not to serve MRBs, ensure that you still have the ability to identify a marijuana-related payment among your transactions, as well as overall changes in transaction volumes that might signal marijuana. For example, marijuana is often a cash business because most financial institutions will not serve MRBs. If a member’s cash activities increase, might this member now be engaged in the sale or distribution of marijuana? This includes monitoring your ATM transactions for increased cash deposits or withdrawals.

Other thoughts to keep in mind

Most states that have legalized marijuana in some form have done so under the terms of a robust marijuana-application process, adding rules and regulations generally culminating in the firm becoming licensed. However, some states have no framework for licensing MRBs. Those states include California, Michigan, and Montana. Clearly, Tier I-level MRBs exist in these states. If you choose to “tier” your MRBs, do not make licensure a requirement for Tier I.

Also, make sure to “know your membership”, including where your members conduct their business, not just where your credit union conducts its business. Most of us are exposed to marijuana-related transactions now, with or without some form of legalization in our state(s).