Light ’em Up: FinCEN’s Cautionary Guidance About Banks Working With Marijuana Companies
The Financial Crimes Enforcement Network’s new guidance on how to work with marijuana-related businesses is unlikely to make it easier for banks that have been wrestling with the basic question of whether they can provide services to such companies. The guidance makes clear that Suspicious Activity Reports (SARs) must still be filed on transactions involving the proceeds of marijuana sales and provides details on what should be included in such SARs.
Although 20 states and the District of Columbia currently recognize the legal use of marijuana for either medicinal or recreational use, federal law still categorizes the drug as illegal. As a result, banks have been hesitant to engage with marijuana-related businesses.
FinCEN released the guidance hoping to ease concerns for institutions seeking to enter the market by setting out due diligence expectations and reporting requirements in the context of marijuana-related businesses, consistent with Bank Secrecy Act obligations.
A greater use of financial services could prove beneficial not just to marijuana companies (moving away from an all-cash business model) and financial institutions (broadening the customer base), but to law enforcement as well, which would gain greater insight into the activities of such businesses. The guidance was issued in conjunction with the Department of Justice, which concurrently issued a guidance memo for U.S. Attorneys.
The decision to engage with marijuana-related businesses should be made on a case-by-case basis by each financial institution, FinCEN stated. The most important factor to consider: an evaluation of the risks and the bank’s ability to effectively manage those risks. Due diligence should include verification that the business is licensed and registered with the appropriate state authorities (with a review of the license application and related documentation), developing an understanding of the business itself – such as the types of products and customers – and ongoing monitoring for suspicious activity and any other adverse information about the business.
Banks should also consider last year’s “Cole Memo,” a memorandum issued by the DOJ’s Deputy Attorney General James M. Cole to all U.S. Attorneys with guidance on enforcement of federal antimarijuana laws in light of growing state acceptance. The Cole Memo sets forth the DOJ’s enforcement priorities and can provide a reference point for institutions working with marijuana-related companies, FinCEN advised.
If an institution chooses to work with marijuana-related companies, FinCEN emphasized that obligations under the BSA – particularly the requirement to file a suspicious activity report – are unaffected by any laws legalizing marijuana-related activity. “Because federal law prohibits the distribution and sale of marijuana, financial transactions involving a marijuana-related business would generally involve funds derived from illegal activity,” according to FinCEN. “Therefore, a financial institution is required to file a SAR on activity involving a marijuana-related business (including those duly licensed under state law), in accordance with this guidance and FinCEN’s suspicious activity reporting requirements and related thresholds.”
To meet BSA requirements and conduct business with marijuana-related companies, FinCEN established three different categories of SARs: Marijuana Limited, Marijuana Priority, and Marijuana Termination.
First, a SAR on a marijuana business that doesn’t implicate concerns in the Cole Memo or violate state law should be filed as a “Marijuana Limited” SAR. This type of report will make clear that the sole reason for filing the SAR is that the subject is engaged in a marijuana-related business and that no additional suspicious activity has been identified.
If a business does trigger one of the Cole Memo priorities or violates state law, the bank should file a “Marijuana Priority” SAR, FinCEN said. This type of SAR should contain much more information than the “Marijuana Limited,” particularly details like dates and amounts of the suspicious financial activity.
The final type of SAR: “Marijuana Termination,” which should be filed if the financial institution determines it must end its relationship with a marijuana-related business in order to remain in compliance with anti-money laundering laws.
FinCEN also imposes a new and unprecedented obligation on financial institutions. If the financial institution learns that, after terminating its relationship, the marijuana-related company seeks out a new financial institution, it should alert the second bank of the potential illegal activity, FinCEN said.
The guidance also provides a list of red flags for financial institutions dealing with marijuana-related companies based upon activity identified by law enforcement or previously described in SARs. For example, the business might be unable to produce satisfactory documentation to demonstrate its licensure and operations consistent with state law, or a customer could try to disguise or conceal involvement in a marijuana-related business activity by claiming to operate a legal commercial activity while depositing cash that smells of marijuana.
Another possibility: a state-licensed marijuana business may be a front to launder money derived from other criminal activity. FinCEN said banks should be on the lookout for “substantially more revenue” than could be reasonably expected, deposits of cash greater than what is being reported for tax purposes, rapid movement of funds such as cash deposits followed by immediate withdrawals, or deposits by third parties with no apparent connection to the accountholder.
Currency Transaction Reports must still be filed on the receipt or withdrawal of more than $10,000 in cash per day, FinCEN reminded financial institutions. Deposits that appear to be structured to avoid CTR requirements should also be a red flag for banks.
For the full text of the guidance, FIN-2014-G001, click here.
Why it matters: The guidance is not likely to make a significant difference to financial institutions located in states that have legalized sales of marijuana. FinCEN director Jennifer Shasky Calvery stated that her agency “seeks to move from the shadows the historically covert financial operations of marijuana businesses, [n]ow that some states have elected to legalize and regulate the marijuana trade.” She also pointed out that “our guidance provides financial institutions with clarity on what they must do if they are going to provide financial services to marijuana businesses and what reporting will assist law enforcement.” Although the agency noted that enforcement in connection with the guidance “will focus on matters of systemic or significant failures, and not isolated lapses in technical compliance,” financial institutions and their regulators are unlikely to find solace in this statement as it does not address the underlying liability of a financial institution that continues to do business with an entity engaged in an illegal act. Technical compliance with the Bank Secrecy Act’s reporting and recordkeeping rules does not relieve a financial institution of its obligations under the federal money laundering laws and this liability has not been fully addressed.
Virtual Currency Regulation Inches Forward
New York’s Superintendent of Financial Services Benjamin M. Lawsky has announced his preliminary views on what regulation of digital currency may look like in his state when his department releases a proposed regulatory framework for the industry later this year.
Speaking at an event sponsored by the New America Foundation in Washington, D.C., earlier this month, Superintendent Lawsky provided the first glimpses of how New York will address licensing, examination and collateral requirements for digital currencies. This announcement comes after months of research and two days of hearings sponsored by his Department of Financial Services in late January. (To view our previous newsletter on this issue, click here.) (Our new partner, Carol Van Cleef, testified at the New York hearings and also spoke at the New America Foundation event.)
“[S]imply applying our existing money transmission regulations to virtual currency firms is not sufficient,” Lawsky said. Instead, the DFS will look to adapt existing regulations to fit a new “BitLicense” for virtual currency.
Lawsky emphasized that one important requirement is “a strong set of specially tailored, model consumer disclosure rules.” He further stated that “if virtual currencies ultimately garner wider adoption among the general public, it will be important for consumers to be armed with the information they need to make the financial choices that are best for them.”
To that end, consumers should be made aware that cryptocurrencies typically do not provide for chargebacks, for example, and consumers should be well-informed about the volatility of virtual currency and the potential for loss (akin to mutual fund warnings about holding onto the product for an extended period of time), he suggested.
Lawsky also addressed safety and soundness concerns. Virtual currency firms should be held to standards similar to traditional money transmitters and banks, which are subject to requirements for maintaining a certain net worth and limits on the types of investments they can hold. “But the question for regulators is how we structure those rules in light of the fact that the virtual currencies these firms hold are not denominated in dollars or other forms of traditional currency,” he explained, particularly as the value of cryptocurrency can fluctuate significantly on a day-to-day basis.
Should a new yardstick be established to determine how well capitalized virtual currency firms should be? Can cryptocurrency itself be allowed as a permissible investment for such firms? Regulators continue to struggle with these questions, Lawsky said, but they must be answered to establish regulations for the industry, as “[n]et worth, capital, and permissible investment requirements are among the most important consumer protection requirements we can put in place as regulators.”
One element of certain cryptocurrencies – public ledgers – presents a particularly challenging regulatory wrinkle in the virtual currency ecosystem, especially in connection with “tumblers” – a technology used to “obscure the record and source of virtual currency transactions.” Lawsky noted that many virtual currencies have open ledgers on the Internet providing a record of transactions, but others do not. He asked whether regulations should mandate the use of such ledgers and whether the use of “tumblers” should be restricted or banned.
During a virtual currency-themed Reddit conversation a few days later, Lawsky elaborated on the issue of tumblers, noting it is “a question of getting the balance right.” He said, “[at] our hearing, it was clear the use of tumblers was something that had created issues for law enforcement in their investigations.” He noted that “[a]t the same time, we understand there can be legitimate uses for tumblers and we get that there can be real value in having privacy when it comes to financial transactions.”
Another point under consideration “is the types of firms and transactions that New York should regulate.” He pointed out that oversight of every single transaction would be nearly impossible, but opinions differ on where to draw the line. Some posit that transactions involving the exchange of virtual currency for cash should be the subject of regulation; others argue this leaves too many other transactions out, particularly if the use of cryptocurrency continues to increase.
Specific licensing and examination requirements and the existence of a regulatory safe harbor for virtual currency firms may also play a role in the proposed regulations, Lawsky said.
To read the full text of Lawsky’s remarks, click here.
To read Lawsky’s Reddit AMA, click here.
Why it matters: During his Reddit discussion, Lawsky predicted that “2014 is going to be a critical year for the future of virtual currencies.” He said “[t]hey are at a bit of a crossroads regarding whether they will become an important part of the future financial system – or primarily a tool for illicit activity.”
Lawsky’s discussion is the first clear enunciation of the specific issues regulators are struggling with regarding the possible boundaries of the regulation of virtual currency. When the proposed regulations are issued later in 2014, Lawsky said his office will attempt to strike a tough balance – “to provide appropriate guardrails to protect consumers and root out money laundering – without stifling beneficial innovation.”
During his Reddit discussion, Lawsky also responded to a question about concerns that regulation might chill innovation with his belief that regulation will have the opposite effect. “We hope regulatory clarity will attract exchanges to the United States. I suspect that [exchanges] are staying offshore right now because they don’t know what the rules of the road here are or will be,” he wrote, adding that he hopes that “regulation will create a level of certainty that could incentivize banks to promote not stifle these innovations.”
Banks Sue Target Over Cost of Massive Data Breach
In addition to consumer class actions, Target is now facing multiple suits filed by financial institutions across the country in the wake of the retailer’s massive data breach.
Frustrated at the administrative costs – refunding or crediting customers for unauthorized transactions; notifying cardholders of the breach; closing an account or blocking transactions on it and then opening a new account; and issuing new cards for an account, among other tasks – banks and credit unions are seeking payment from Target for the company’s alleged failure to use industry-standard security methods.
The facts commonly alleged in these actions are as follows: Between November 27 and December 15, the credit and debit card information of an estimated 40 million Target customers was stolen by hackers. The card information included cardholder names, card numbers, expiration dates, security validation codes, and even encrypted debit PINs. Despite becoming aware of the breach on December 11, Target did not notify customers until December 19. And while the retailer initially denied it, in January the company admitted that an additional 70 million customers had their personal information – names, mailing addresses, telephone numbers, and e-mail addresses – hacked.
The first to file suit: Alabama State Employees Credit Union, seeking to certify a national class of financial institutions allegedly affected by the breach, asserting claims for negligence and breach of contract. “Plaintiff has been swamped by customers and its members needing to close accounts due to Target’s data breach, resulting in Plaintiff exerting time, resources, and money to close out accounts and open new accounts with different account numbers,” according to the complaint. The credit union alleges the “cost in refunding loss deposits, time, and resources spent to remedy the situation of Plaintiff’s customers and members are untold.”
The credit union’s Alabama federal lawsuit was followed by similar complaints in Minnesota and Pennsylvania federal courts. Community Bank of Texas estimated the damages of the nation’s financial institutions to be in the “tens, if not hundreds, of millions of dollars as a result of Target’s failure to implement reasonable and industry-standard measures, Target’s otherwise willful and negligent conduct to protect its customers’ credit card and debit card information, and the resulting [s]ecurity [b]reach,” according to the bank’s complaint.
The suits allege that Target failed to maintain reasonable and industry-standard security measures, including those required by the credit card operating rules issued by Visa and MasterCard and, for example, by the Payment Card Industry Data Security Standards (PCI DSS) and Payment Application Data Security Standards (PA-DSS). The company also retained magnetic stripe information and data from credit and debit cards issued by the banks more than 48 hours after a transaction, Pennsylvania-based First Choice Federal Credit Union alleges in its suit, in violation of Minnesota’s data breach law.
In addition to damages for common law negligence and breach of contract, two of the suits seek damages pursuant to Minnesota’s “Plastic Card Security Act,” which provides that a violator of the data breach statute who suffers a security breach must reimburse reasonable costs incurred by financial institutions as a result. Minnesota (where Target is based) is one of only a handful of states with such a law.
To read the complaint in Alabama State Employees Credit Union v. Target, click here.
To read the complaint in Community Bank of Texas v. Target, click here.
To read the complaint in First Choice Federal Credit Union v. Target, click here.
Why it matters: While a number of lawsuits brought by financial institutions have already been filed, many of which seek to certify a nationwide class of affected financial institutions, more suits are likely to follow. Plaintiff financial institutions in these sorts of suits typically face an uphill battle, given the contractual relationships between the financial institutions and the card brands, which allow for payment for expenses incurred as a result of a card breach. However, the banks here have the advantage of the Plastic Card Security Act, which could require Target to pay back the financial institutions if it is found to have failed to comply with credit card security standards.
OCC Releases Guidelines for Heightened Expectations Program
Large banks, take note – the Office of the Comptroller of the Currency has released proposed guidelines to formalize its “heightened expectations” program addressing risk management and board oversight.
All insured national banks, federal savings associations, and federal branches of a foreign bank with $50 billion or more in total consolidated assets would be subject to the guidance, which establishes a risk governance framework for banks as well as oversight standards for boards.
Triggered by the recent financial crisis, the heightened expectations program began informally in 2010 and evolved into part of OCC examinations. Because large, complex institutions have a “significant impact on capital markets and the economy,” the OCC said formal guidelines satisfy the “need to be supervised and regulated more vigorously.”
“Achievement and maintenance of the heightened expectations should help lessen the impact of future economic downturns on large institutions,” the OCC explained. “Therefore, we are proposing standards developed from the heightened expectations in the form of enforceable guidelines.”
The agency laid out the five heightened expectations for large institutions: (1) preserving the sanctity of the charter (or the duty of a board to ensure that the institution operates in a safe and sound manner); (2) the creation of a well-defined personnel management program; (3) defining and communicating an acceptable “risk appetite” across the organization; (4) the development and maintenance of reliable oversight programs; and (5) the willingness of directors to challenge decision making and address the bank’s risk profile.
To manage and control the bank’s risk-taking and achieve the OCC’s expectations, the guidelines advise that a formal, written framework should be developed to address each of the eight categories of risk identified by the agency: credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputation risk. The framework should be evaluated on at least an annual basis for any necessary tweaks and updates.
The guidelines also set forth the roles and responsibilities for frontline units, independent risk management, and internal audit (noting that none of the organizational units may delegate their responsibilities under the framework to an external party). The bank’s CEO should rely upon input from these individuals to develop a three-year written, strategic plan for the institution. Each institution also needs a written statement of the bank’s “risk appetite” – the aggregate level and types of risk the board and management are willing to assume to achieve strategic objectives and business plans – with both qualitative components and quantitative limits, the OCC said.
Standards for the board include oversight of the framework, the strategic plan, and the risk appetite statement. Board members also need to engage in active oversight of management and conduct an annual self-assessment that includes an evaluation of the board’s effectiveness in following the guidelines. In addition, the OCC suggested that at least two members of the board should be independent, defined as individuals who are not members of the bank’s or the parent company’s management. “This guideline would enable the bank’s board to provide effective, independent oversight of bank management,” the OCC said.
To read OCC-2014-0001, click here.
Why it matters: The proposed guidance is currently open for public comment “on all aspects,” although the OCC requested that industry members weigh in on specific issues, such as the number of independent board members and the scope of covered entities. While the stated covered entities are institutions with $50 billion or more, the guidance would continue to apply if a bank’s total assets dropped below that amount, the OCC said. The agency also reserved its authority to apply the guidelines to an entity with less than the threshold amount if the OCC determines that it is a highly complex institution or presents a heightened risk. These types of large bank proposals, in this case aimed at national banks, have a way of trickling down through the banking system as a whole and finding their way into the bank examination process in one form or another. Suffice it to say, this proposal reflects the continued pressure on all banks to update and tighten their risk management process across the board and to focus ultimate responsibility for its effectiveness on a bank’s board of directors.
CFPB Begins Rulemaking Process for HMDA Changes
Seeking to “gain greater insight into issues about access to credit,” the Consumer Financial Protection Bureau announced the launch of a rulemaking process to change reporting requirements under the Home Mortgage Disclosure Act.
“[T]hese efforts are about better information, better collection, and better access to mortgage loan data,” CFPB Director Richard Cordray said in a press call. He explained that the agency was tasked pursuant to the Dodd-Frank Act to improve HMDA reporting.
Currently, the HMDA collection rules require certain lenders to report residential mortgage information such as the type of loan being issued, the census tract where the property is located, and the race and ethnicity of the borrower.
The Dodd-Frank Act specified new data points to be collected and reported: namely, the total points and fees of the mortgage; property value and improved property location information; the length of any teaser interest rates, prepayment penalties, and non-amortizing features; lender information, including a unique identifier for the loan officer and the loan; and the borrower’s age and credit score.
And the CFPB intends to add to that list. The agency is considering requiring financial institutions to gather and share information such as an applicant’s debt-to-income ratio, the interest rate, the total origination charges, and the total discount points of the loan. “This will help regulators spot troublesome trends in mortgage markets around the country,” Cordray said.
In addition to pricing and underwriting information, the CFPB is weighing whether or not institutions should be required to explain why a loan application was rejected and whether lenders need to indicate if a loan is considered a “Qualified Mortgage.”
The process of collection and reporting for HMDA purposes may also undergo some changes, the agency said, as it is reviewing how financial institutions provide their data. Since an estimated 70 percent of all loans use the Uniform Loan Delivery Dataset of the Mortgage Industry Standards Maintenance Organization (MISMO), aligning HMDA information with this system may ease compliance burdens on lenders, the CFPB said.
A rule requiring all banks and nonbank lenders to report only if they meet a threshold number of loans in a given year (25 or more), exempting institutions that do not meet the triggering amount, is also being considered.
The first step: Gather feedback via the Small Business Review Panel. Community banks, credit unions, and other entities that may be affected by the changes are encouraged to respond to the CFPB’s suggested changes. Later in 2014, the agency plans to issue a proposed rule open for public comment.
As part of the rulemaking kickoff, the CFPB also announced a new online tool designed to improve public access to HMDA data. The new tool is loaded with data from 2007 to 2012 and allows users to filter and sift through data, download it, and create summary tables.
To read a fact sheet about the HMDA changes being considered by the CFPB, click here.
To read the CFPB’s proposed discussion issues about the changes, click here.
Why it matters: Expanded reporting will inherently be more burdensome, requiring system changes initially and more work on an annual basis thereafter. More data also means more chance of errors, and more manpower spent on preventing or reducing errors. The CFPB is inviting input on both the content and the method of reporting. Now is the time to speak up on these matters. The CFPB seems sincere in its interest in streamlining the reporting process.
Beyond trying to shape the future reporting requirements to ease the burden, though, there is a larger concern about how HMDA data are used. More detailed data could have the potential for greater interpretation and potential misinterpretation in connection with allegations of discriminatory practices. The costs of litigation in this arena – for both sides – could escalate as statisticians have more categories of data to manipulate and purport to interpret. Meanwhile, the issue of whether “disparate impact” is sufficient to prove unlawful discrimination remains in the hands of the courts. If that issue is resolved against “disparate impact,” the consequences of having more data points will be muted.