Loading…

A Bank’s Bid for Innovative AML Solutions: Innovation Remains A Perilous Endeavor

One Bank Asked the OCC to Have an “Agile Approach to Supervisory Oversight”

On September 27, 2019 the OCC published an Interpretive Letter answering an unknown bank’s request to make some innovative changes to how it files cash structuring SARs. Tacked onto its three technical questions was a request by the bank to do this innovation along with the OCC itself through something the bank called an “agile approach to supervisory oversight.” After qualified “yes” answers to the three technical questions, the OCC’s Senior Deputy Comptroller and Chief Counsel indicated that the OCC was open to “an agile and transparent supervisory approach while the Bank is building this automated solution” but he didn’t actually write that the OCC would, in fact, adopt an agile approach. This decision provides some insight, and perhaps the first public test, of (i) the regulators’ December 2018 statement on using innovative efforts to fight money laundering, and (ii) the OCC’s April 2019 proposal around innovation pilot programs. Whether the OCC passed the test is open to discussion: what appears settled, though, is that AML innovation in the regulated financial sector remains a perilous endeavor.

Regulators’ December 2018 Joint Statement on Innovative AML Efforts

On December 3, 2018 the five main US Bank Secrecy Act (BSA) regulators issued a joint statement titled “Innovative Efforts to Combat Money Laundering and Terrorist Financing”.[1] The intent of the statement was to encourage banks to use modern-era technologies to bolster their BSA/AML compliance programs. The agencies asked banks “to consider, evaluate, and, where appropriate, responsibly implement innovative approaches to meet their Bank Secrecy Act/anti-money laundering (BSA/AML) compliance obligations, in order to further strengthen the financial system against illicit financial activity” and “[t]he Agencies recognize[d] that private sector innovation, including new ways of using existing tools or adopting new technologies, can help banks” to do so.

The statement was a very positive step to encourage private sector innovation in fighting financial crime by testing new ways of using existing tools as well as adopting new technologies.

But it wasn’t the “green light to innovate” that some people have said it is. There was some language in the statement that made it, at best, a cautionary yellow light. And the September 27th OCC letter seems to clarify that banks can innovate, but the usual regulatory oversight and potential sanctions still apply.

The Agencies’ December 2018 statement included five things that bear repeating:

  1. “The Agencies recognize that private sector innovation, including new ways of using existing tools or adopting new technologies, can help banks identify and report money laundering, terrorist financing, and other illicit financial activity by enhancing the effectiveness and efficiency of banks’ BSA/AML compliance programs. To assist banks in this effort, the Agencies are committed to continued engagement with the private sector and other interested parties.”
  2. “The Agencies will not penalize or criticize banks that maintain effective BSA/AML compliance programs commensurate with their risk profiles but choose not to pursue innovative approaches.”
  3. “While banks are expected to maintain effective BSA/AML compliance programs, the Agencies will not advocate a particular method or technology for banks to comply with BSA/AML requirements.”
  4. Where test or implemented “artificial intelligence-based transaction monitoring systems … identify suspicious activity that would not otherwise have been identified under existing processes, the Agencies will assess the adequacy of banks’ existing suspicious activity monitoring processes independent of the results of the pilot program”
  5. “… the implementation of innovative approaches in banks’ BSA/AML compliance programs will not result in additional regulatory expectations.”

Note the strong, unqualified language: “the Agencies are committed to continued engagement”, “the Agencies will not penalize or criticize”, “the Agencies will not advocate …”, “the Agencies will assess”, and “the implementation of innovative approaches will not result in additional regulatory expectations”.

The qualified “assurances” come in the paragraph about pilot programs (with emphasis added):

“Pilot programs undertaken by banks, in conjunction with existing BSA/AML processes, are an important means of testing and validating the effectiveness of innovative approaches.  While the Agencies may provide feedback, pilot programs in and of themselves should not subject banks to supervisory criticism even if the pilot programs ultimately prove unsuccessful.  Likewise, pilot programs that expose gaps in a BSA/AML compliance program will not necessarily result in supervisory action with respect to that program.  For example, when banks test or implement artificial intelligence-based transaction monitoring systems and identify suspicious activity that would not otherwise have been identified under existing processes, the Agencies will not automatically assume that the banks’ existing processes are deficient.  In these instances, the Agencies will assess the adequacy of banks’ existing suspicious activity monitoring processes independent of the results of the pilot program.  Further, the implementation of innovative approaches in banks’ BSA/AML compliance programs will not result in additional regulatory expectations.”

Here there are the qualified assurances (a qualified assurance is not an assurance, by the way): “should not” is different than “will not”; “will not necessarily” is very different than “will not”; and “not automatically assume” isn’t the same as “not assume”.  These are important distinctions. The agencies could have written something very different:

“… pilot programs in and of themselves will not subject banks to supervisory criticism even if the pilot programs ultimately prove unsuccessful.  Likewise, pilot programs that expose gaps in a BSA/AML compliance program will not result in supervisory action with respect to that program.  For example, when banks test or implement artificial intelligence-based transaction monitoring systems and identify suspicious activity that would not otherwise have been identified under existing processes, the Agencies will not assume that the banks’ existing processes are deficient …”

The OCC’s April 2019 Innovation Pilot Program

On April 30, 2019 the OCC sought public comment on its proposed Innovation Pilot Program, a voluntary program designed to provide fintech providers and financial institutions “with regulatory input early in the testing of innovative activities that could present significant opportunities or benefits to consumers, businesses, financial institutions, and communities.” See OCC Innovation Pilot Program. As the OCC has written, the Innovation Pilot Program clearly notes that the agency would not provide “statutory or regulatory waivers and does not absolve entities participating in the program from complying with applicable laws and regulations.”

Twenty comments were posted to the OCC’s website. A number of them included comments that innovators needed some formalized regulatory forbearance in order to be able encourage them to innovate. The Bank Policy Institute’s letter (BPI Comment), submitted by Greg Baer (a long-standing and articulate proponent of reasonable and responsible regulation), provided that:

“… the OCC should clarify publicly that a bank is not required to seek the review and approval of its examination team prior to developing or implementing a new product, process, or service; that unsuccessful pilots will not warrant an MRA or other sanction unless they constitute and unsafe and unsound practice or a violation of law; and that innovations undertaken without seeking prior OCC approval will not be subject to stricter scrutiny or a ‘strict liability’ regime. We also recommend that the OCC revisit and clarify all existing guidance on innovation to reduce the current uncertainty regarding the development of products, processes and services; outdated or unnecessary supervisory expectations should be rescinded.”

The American Bankers Association comment ABA Comment also asks for similar guidance:

“For institutions to participate confidently in a pilot, there must be internal agreement that OCC supervision and enforcement will not pursue punitive actions. In other words, the program should produce decisions that have the full support of the OCC and bind the agency to those conclusions going forward … One way for the OCC to accomplish this is to clarify that a participating bank will not be assigned Matters Requiring Attention (MRAs) if it acts in good faith as part of a Pilot Program. The nature of technological innovation means that banks must try new things, experiment, and sometimes make mistakes. The Pilot Program has been designed as a short-term limited-scale test to ensure that any mistakes made are unlikely to have an impact on the safety and soundness of an institution. Clarifying that MRAs will not be issued for mistakes made in good faith may help give banks the certainty they need to participate in a Pilot Program.”

And the Securities Industry and Financial Markets Association (SIFMA) comment letter SIFMA Comment Letter included the following:

“Relief from strict regulatory compliance is a vital prerequisite to draw firms into the test environment, precisely so that those areas of noncompliance may be identified and remediated and avoid harm to the consumers. Without offering this regulatory relief, the regulatory uncertainty associated with participating in the Pilot Program could, by itself, deter banks from participating. Similarly, the lack of meaningful regulatory relief could limit the opportunity the program provides for firms to experiment and innovate.”

So where did that leave banks that were thinking of innovative approaches to AML?  For those that choose not to pursue innovative pilot programs, it is clear that they will not be penalized or criticized, but for those that try innovative pilot programs that ultimately expose gaps in their BSA/AML compliance program, the agencies will not automatically assume that the banks’ existing processes are deficient. In response to this choice – do not innovate and not be penalized, or innovate and risk being penalized – many banks have chosen the former. As a result, advocates for those banks – the BPI and ABA, for example – have asked the OCC to clarify that it will not pursue punitive actions against banks that unsuccessfully innovate.

How has the OCC replied? It hasn’t yet finalized its Innovation Program, but it has responded to a bank’s request for guidance on some innovative approaches to monitoring for, alerting on, and filing suspicious activity reports on activity and customers that are structuring cash transactions.

A Bank’s Request to Have the OCC Help It Innovate

The OCC published an Interpretive Letter on September 27, 2019 that sheds some light on how it looks at its commitments under the December 2018 innovation statement.[2]  According to the Interpretive Letter, on February 22, 2019 an OCC-regulated bank submitted a request to streamline SARs for potential structuring activity (the Bank also sought the same or a similar ruling from FinCEN: as of this writing, FinCEN has not published a ruling). The bank asked three questions (and the OCC responded):

  1. Whether the Bank could file a structuring SAR based solely on an alert, without performing a manual investigation, and if so, under what circumstances (yes, but with some significant limitations);
  2. Whether the proposed automated generation of SAR narratives for structuring SARs was consistent with the OCC’s SAR regulations (yes, but with some significant limitations);
  3. Whether the proposed automation of SAR filings was consistent with the OCC’s BSA program regulations (yes, but with some significant limitations).

The most interesting request by the Bank, though, was its request that the OCC take an “agile approach to supervisory oversight” for the bank’s “regulatory sandbox” initiative. Pages 6 and 7 of the OCC letter provide the particulars of this request. There, the OCC writes:

“Your letter also requested regulatory relief to conduct this initiative within a “regulatory sandbox.” Your regulatory sandbox request states ‘This relief would be in the form of an agile approach to supervisory oversight, which would include the OCC’s full access, evaluation, and participation in the initiative development, but would not include regulatory outcomes such as matters requiring attention, violations of law or financial penalties. [The Bank] welcomes the OCC to consider ways to participate in reviewing the initiative outcomes outside of its standard examination processes to ensure effectiveness and provide feedback about the initiative development.’”

NOTE: I had to read the key sentence a few times to settle on its intent and meaning. That sentence is “This relief would be in the form of an agile approach to supervisory oversight, which would include the OCC’s full access, evaluation, and participation in the initiative development, but would not include regulatory outcomes such as matters requiring attention, violations of law or financial penalties.”

Was the bank saying the relief sought was an agile approach to supervisory oversight that included the OCC’s full participation in the process and no adverse regulatory outcomes? Or was the bank saying the relief sought was an agile approach to supervisory oversight that included the OCC’s full participation in the process, but did not include anything to do with adverse regulatory outcomes?

I settled on the latter meaning: that the bank was seeking the OCC’s full participation, but did not expect any regulatory forbearance.

The OCC first reiterated its position from the December 2018 joint statement by writing that it “supports responsible innovation in the national banking system that enhances the safety and soundness of the federal banking system, including responsibly implemented innovative approaches to meeting the compliance obligations under the Bank Secrecy Act.” It then wrote that it “is also open to an agile and transparent supervisory approach while the Bank is building this automated solution for filing Structuring SARs and conducting user acceptance testing.” This language is a bit different than what the OCC wrote at the top of page 2 of the letter: “the OCC is open to engaging in regular discussions between the Bank and appropriate OCC personnel, including providing proactive and
timely feedback relating to this automation proposal.”

Notably, the OCC wrote that it is “open to an agile and transparent supervisory approach”, and “open to engaging in regular discussions between the Bank and appropriate OCC personnel”, but being open to something doesn’t mean you approve of it or agree to it. In fact, the OCC didn’t appear to grant the bank’s request. In the penultimate sentence the OCC wrote: “The OCC will monitor any such changes through its ordinary supervisory processes.”

How About Forbearance to Innovate Without Fear of Regulatory Sanctions?

As set out above, in June 2019 the BPI and ABA (and eighteen others) commented on the OCC’s proposal for an innovation pilot program. The BPI commented that “the OCC should clarify publicly that … unsuccessful pilots will not warrant an MRA or other sanction unless they constitute and unsafe and unsound practice or a violation of law”, and the ABA commented that the OCC should “clarify that a participating bank will not be assigned Matters Requiring Attention (MRAs) if it acts in good faith as part of a Pilot Program”.

The OCC seems to have obliquely responded to both of those comments. In its September 2019 Interpretative Letter, the OCC took the time to write that it “will not approve a regulatory sandbox that includes forbearance on regulatory issues for the Bank’s initiative for the automation of Structuring SAR filings.” Note that the OCC made this statement even though the bank appears to have specifically indicated that the requested relief did not include forbearance from “regulatory outcomes such as matters requiring attention, violations of law or financial penalties”. And the OCC letter includes a reference to both the Interagency statement on responsible innovation and the OCC’s April 2019 Innovation Pilot Program (see footnote 25 on page 7): “banks must continue to meet their BSA/AML compliance obligations, as well as ensure the ongoing safety and soundness of the bank, when developing pilot programs and other innovative approaches.”

So although the OCC hasn’t formally responded to the comments to its June 2019 innovation program to allow banks to innovate without fear of regulatory sanction if that innovation doesn’t go well, it has made it clearer that a bank still has the choice to not innovate and not be penalized, or to innovate and risk being penalized.

(In fairness, in its Spring 2019 Semiannual Risk Perspective Report, the OCC noted that a bank’s inability to innovate is “a source of significant strategic risk.” See OCC Semiannual Risk Perspective, 2019-49 (May 20, 2019)).

Timely Feedback – Is Seven Months Timely?

As set out above, the OCC wrote that it “is open to engaging in regular discussions between the Bank and appropriate OCC personnel, including providing proactive and timely feedback …”.  The bank’s request was submitted on February 22, 2019. The OCC’s feedback was sent on September 27, 2019. So it took the OCC seven months to respond to the bank’s request for an interpretive letter. In this age of high-speed fintech disruption, seven months should not be considered “timely.” What would be timely? I would aim for 90 days.

Conclusion

This unnamed OCC-regulated bank appears to have a flashing green or cautionary yellow light from the OCC to deploy some technology and process enhancements to streamline a small percentage if its SAR monitoring, alerting, and filing.  The OCC will remain vigilant, however, warning the bank that it “must ensure that it has developed and deployed appropriate risk governance to enable the bank to identify, measure, monitor, and control for the risks associated with the automated process. The bank also has a continuing obligation to employ appropriate oversight of the automated process.”

So the message to the 1,700 or so OCC banks appears to be this: there’s no peril in not innovating, but if you decide to innovate, do so at your peril.

[1] The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), the Financial Crimes Enforcement Network (FinCEN), the National Credit Union Administration, and the Office of the Comptroller of the Currency. The statement is available at https://www.occ.gov/news-issuances/news-releases/2018/nr-occ-2018-130a.pdf

[2] https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2019/int1166.pdf

FinCEN’s Marijuana Banking Data … What Is Not There That Should Be There

FinCEN’s quarterly Marijuana Banking update: it is not what is being reported … it is what is NOT being reported!

I’ve hired, trained, coached, and mentored hundreds of AML analysts and investigators over the years. When it came to conducting AML investigations and scouring through thousands of transactions looking for patterns, trends, and anomalies, or reviewing publicly available information, I reminded them that they needed to look for:

  1. What is there that should be there
  2. What is there that should not be there
  3. What is not there that should not be there
  4. What is not there that should be there

Let’s apply that to FinCEN’s quarterly Marijuana Banking update – see FinCEN Marijuana Update 3Q 2019. Like the other quarterly updates, FinCEN gives us two charts showing the total number of banks and total number of credit unions that, according to FinCEN, are “actively banking” marijuana related businesses or MRBs in the United States. According to FinCEN, which looks at the number of Suspicious Activity Reports (SARs) filed by banks and credit unions that contain one or more of the required phrases – Marijuana Limited, Marijuana Priority, or Marijuana Termination – as of September 30, 2019 there were 563 banks and 160 credit unions actively banking marijuana businesses. Most observers have noticed that the total number of each type of depository institution seems to have flattened out: a quarter-by-quarter increase of only 10 banks to 563, and a decrease of 2 credit unions to 160.

FinCEN also provides the total number of “marijuana” SARs FinCEN has received. As of September 30, 2019 “FinCEN had received a total of 102,807 SARs using the key phrases associated with MRBs:

  • FinCEN received 76,203 SARs from filers using the key phrase “Marijuana Limited.”
  • FinCEN received 7,821 SARS from filers using the key phrase “Marijuana Priority.”
  • FinCEN received 25,288 SARs from filers using the key phrase “Marijuana Termination.”

So from this we know that about 723 banks and credit unions have filed over 102,000 SARs since April 2014 that have included the marijuana-related key phrases. That is what is there that should be there. There appears to be nothing that is there that should not be there, and there certainly isn’t anything that is not there that should not be there (let’s leave that to the AML analyst looking at transactional data). But what is not there that should be there? There are at least four key pieces of information that would be helpful to banks and credit unions trying to decide whether to provide financial services to marijuana related businesses, as well as to policymakers and regulators …

1. What Percentage of Depository Institutions Are Actively Banking MRBs?

First, what is not there that should be there is the percentages of banks and credit unions that are actively banking MRBs. Looking at FDIC and NCUA quarterly data (the most recent data is for 2Q 2019), there are 5,303 banks and 5,308 credit unions in the United States, and the number of each has been steadily dropping over the last 3 years. So as the number of banks and credit unions serving the marijuana industry is slowly going up and the total number of banks and credit unions is slowly going down, the percentage of banks and credit unions serving the industry is actually going up faster than the numbers. As of 2Q 2019, approximately 10.4% of banks and 3.1% of credit unions were actively banking MRBs. This is useful context for policymakers.

2. What Types of Financial Services Are Available to MRBs?

Second, what is not there that should be there is the types of financial services that these banks and credit unions are providing MRBs, and which of those services result in Marijuana Priority and Termination SARs. Depository institutions offer a broad array of products and services, from investment advice to insurance to treasury management to loans to deposit accounts: which of those products and services are riskier than others? Knowing that insurance or treasury management products are not leading to Marijuana Priority or Termination SARs may encourage more banks and credit unions to engage with MRBs.

3. What Types of Banks and Credit Unions Are Actively Banking MRBs?

Third, what is not there that should be there is the types and sizes of banks and credit unions that are providing banking services to MRBs: FinCEN could identify the number of banks by primary regulator, by size (community, mid-size, and large are designations used by the bank regulatory agencies), and by location (which state).

4. How Many, What Types of, and in Which States do MRBs Have Access to Banking Services?

Fourth, what is not there that should be there is the number and types and locations of marijuana related businesses that are receiving banking services. There is a clue in the FinCEN data as to the number of MRBs being banked: a Marijuana Limited SAR is required to be filed every quarter for every MRB that is simply receiving banking services, with nothing unusual or suspicious about its activity, and a Marijuana Priority SAR is required to be filed when a depository institution is providing banking services to the MRB while further investigation is being conducted to determine if the MRB is violating any of the Cole Memo priorities. What we do not know, though, is how many MRBs are being reported in each SAR. But assuming that each SAR reports one MRB, we can look at the total number of Marijuana Limited and Priority SARs over time to get a rough estimate (guess?) that there are less than 9,000 MRBs being actively banked in the United States:

  • Total Number of Marijuana Limited and Priority SARs 1Q 2019 – 61,036 + 6,067 = 67,103
  • Total Number of Marijuana Limited and Priority SARs 2Q 2019 – 68,378 + 6,894 = 75,272 (an increase of 8,169)
  • Total Number of Marijuana Limited and Priority SARs 3Q 2019 – 76,203 + 7,821 = 84,024 (an increase of 8,752)

If this “one SAR/one MRB” assumption is wrong – and it probably is wrong, then there may be many more MRBs with access to banking services. But without having the information, we simply don’t know.

Other Articles

For the background on these quarterly marijuana reports, see a number of articles I’ve written, most recently in a June 25, 2019 article titled “FinCEN Updates Its Marijuana SAR Data, But Actionable Information is Still Needed” FinCEN Marijuana Article 6-25-19.

USDA’s Interim Final Rules for Hemp Production – Summary & Highlights

“The future of the hemp industry in the United States is anything but certain.” – page 71

The Interim Final Rule

On October 31, 2019 the US Department of Agriculture published an Interim Final Rule titled “Establishment of a Domestic Hemp Production Program.” The Rule can be found at Hemp Interim Final Rule 10-31-19.

And the Department’s Secretary, Sonny Purdue, even took the time to sit down and film an announcement about the rule. There are lots of social media choices, but the YouTube version is as good as any and available at Secretary Purdue – YouTube Hemp .

Notwithstanding the “Interim” modifier, the Rule goes into effect immediately. The public has 60 days to comment. Those comments will be taken into consideration by the USDA, which is then required to publish a final rule within two years.

The Rule is a requirement of the 2018 Farm Bill, which de-scheduled hemp from the scheduling provisions of the Controlled Substance Act. The definition of hemp has not changed: it is the Cannabis Sativa L plant and its derivatives containing less than 0.3% THC on a dry weight basis.

The Interim Final Rule makes it clear that the FDA retains authority under the Food, Drug & Cosmetics Act to regulate hemp products marketed and sold as food (or as a supplement to food), dietary supplement, drug, or cosmetic. To date, the FDA has not issued regulations nor approved any hemp-derived CBD foods, food supplements, or dietary supplements. In California, the Department of Public Health issued an FAQ in July 2018 that provided that “the use of industrial hemp as the source of CBD to be added to food products is prohibited.”

The Rule sets out the standards for (i) the USDA’s approval of State and Tribal hemp production programs, and (ii) to the extent any State or Tribe does not have a program, the USDA’s hemp production program. At a minimum, the programs will include: (i) licensing requirements for hemp producers, (ii) requirements for reporting land used for hemp production, (iii) testing for total THC concentration, (iv) procedures for disposing of non-compliant plants (known in the trade as “hot hemp”), (v) ongoing compliance provisions, and (vi) procedures for handling violations.

To summarize: the 2018 Farm Bill and this Interim Final Rule legalize and provide rules for the production of hemp. Neither the Bill nor this rule deal with hemp-derived CBD products, which remain subject to FDA rules and approvals. No hemp or hemp-derived CBD foods, food supplements, dietary supplements, drugs, or beverages have been approved by the FDA, and many states, including California, have specifically prohibited the use of industrial hemp or hemp-derived CBD in food products.

State & Tribal Plan Requirements

The Supplementary Information section of the Interim Final Rule is 100+ pages (of the total 160 pages). It first goes through the requirements for the estimated 100 State and Tribal plans, then the requirements for the USDA plan.  The State/Tribal Plan section is probably the key section, however, as the USDA estimates that there will be 6,700 licensed producers under these plans, and only 1,000 under the USDA plan. Some of the key aspects of the State/Tribal Plans are set out in Parts A-D:

Part A describes the requirements for identifying the land to be used for hemp production: each field and greenhouse shall be identified, and each producer shall be identified. Producers must be licensed. Producers that are legal entities must provide the names of their “key participants”. I have written an article that describes the differences between “entities” and “key participants” in this proposed rule under Title 7, and the definitions of “legal entities” and “beneficial owners” in the existing CDD rule under Title 31. Failure to reconcile these differences will create confusion for banks and hemp producers seeking banking services. see RegTech Article October 31.

Part B describes the sampling and testing for THC. There are two controversial aspects here. First, the sampling must be done within 15 days of harvest, which will create logistical strains for producers, as any sample that comes back with a THC concentration of more than 0.3% will require that the entire crop be disposed of. Second, the THC test will be of the total THC, which is THC and THCA: it is believed that most current hemp strains that are currently be tested at under 0.3% THC will not be under when (what is known as) total THC is tested. However, there is a “Measurement of Uncertainty” or “MU” built into the testing standard, which is essentially a “plus or minus” based on the accuracy of the testing. That may alleviate some of the concerns. Finally, only DEA-approved testing labs will be used for testing. There are currently not enough of these labs to test expected crop yields in enough of the producing states.

Part C deals with the disposal of non-compliant plants, or “hot hemp”. This must be done by law enforcement or DEA registered reverse distributors. Note that these distributors could be treated as high risk customers for purposes of a financial institution’s CDD/EDD program.

Part D deals with compliance and enforcement procedures, including annual inspections of hemp producers. Given that the biggest issue with hemp is the 0.3% THC levels, there are interesting provisions for producers that are (frankly) unlucky with a non-compliant crop. The Interim Final Rule provides that a producer cannot be found to be negligent (the standard for sanctions) for growing hemp with less than 0.5% THC; a negligent violation requires a corrective action plan; and three negative violations in five years will result in a five-year ban from hemp production. Negligent violations cannot lead to criminal violations.

Parts E, F, and G deal with information sharing and other more technical issues.

Regulatory Impact Analysis

About one-third of the document (pages 71 to 117) is taken up by the required regulatory impact analysis that attempts to answer questions like what will it cost to implement the rule, what are the benefits, etc.  In answering those questions, the USDA goes to great length to describe the history and potential future for the hemp industry in the United States. For example, at page 82 the USDA provides that as of 2018 there were 3,543 licensed hemp producers in twenty-four states with ~78,000 acres of hemp under cultivation. The USDA estimates that 2/3 to ¾ of cultivated hemp is intended for “flower” or CBD production, with ~1/6 for fiber, and ~1/6 for grain. Flower can yield anywhere from a loss of $17,000 per acre to a profit of $6,000 per acre (according to the Supplemental Information) based on the following price ranges: hemp fiber $0.07 to $0.67 per pound; hemp grain or seed $0.65 to $1.70 per pound; and hemp flower $3.50 to $30.00 per pound, depending on the CBD Content. The USDA seems to conclude that hemp grown for fiber and grain is marginally profitable. Although state-by-state hemp acreage is not included in the interim final rule, other sites referred to by the USDA, including www.votehemp.com generally have acreage data that supports the USDA’s data that there was ~78,000 acres of hemp under cultivation in 2018.  Using the Vote Hemp data, it appears that production is concentrated in a few states:

Montana            22,000 acres                    North Dakota     2,778 acres

Colorado            21,578 acres                     New York           2,240 acres

Oregon               7,808 acres                      Nevada               1,881 acres

Kentucky            6,700 acres                      Wisconsin           1,855 acres

Tennessee          3,338 acres                      Vermont             1,820 acres

North Carolina   3,184 acres

The USDA believes that there is ~160,000 acres under cultivation in 2019, with more acreage expected to be planted in 2020. This is double what it was in 2018, which was double what it was in 2016.

NOTE: The November 2018 passage of the Farm Bill resulted in a surge in the number of registered hemp producers and acres under cultivation. Hemp cultivation figures are changing quickly, become dated very quickly, and are inconsistent. For example, the USDA acreage totals are consistent with those from www.votehemp.com, a pro-hemp site. That site shows California with zero acres of hemp cultivation. However, the California Department of Food & Agriculture (CDFA) reports that, as of August 2019, there are 258 registered hemp growers and 34 seed breeders with 16,899 acres under cultivation (there are 419 people and entities on the list of registered growers and seed breeders as of October 28, 2019).

Impact on Banking

Although the cultivation of hemp is now legal in the United States, hemp-derived CBD products (edibles, tinctures, beverages) remain subject to FDA regulations and approvals, and none have been approved. However, other than warning letters from the FDA, there is little in the way of federal enforcement. To my knowledge, there is no state or federal regulatory agency guidance on providing banking services to hemp producers or those that are selling hemp-derived CBD products.

As set out above, the “hemp” definition of “key participant” is different than the BSA definition of “beneficial owner” (I have written about the need to reconcile these definitions: see RegTech Article October 31 ). To the extent a bank has a program to knowingly provide financial services to a hemp producer, it will need to recognize that those producers may struggle to provide beneficial ownership information, and that information may not reconcile with what they provide to the USDA or their State or Tribal licensing authority under the key participant requirements. From a customer due diligence perspective, knowing which customers are licensed cannabis businesses as well as registered hemp growers (and possibly DEA registered reverse distributors), and tying the beneficial owners and key participants, will be challenging.

With the publication of the Interim Final Rule for hemp production, banks’ policies relating to cannabis – whether an outright prohibition, risk-based exceptions, or full program – should be reviewed to ensure that hemp producers and hemp-related “service providers” (also known as Tier 2 and Tier 3 entities) are properly accounted for.

The new Hemp Production Regulation

Pages 117 – 160 of the text is the actual new regulation or rule. This new rule is added onto title 7 of the Code of Federal Regulations as Part 990 – Domestic Hemp Production Program.

Hemp’s “Key Participants” ≠ Banking’s “Beneficial Owners” … Pick One!

On October 31st the US Department of Agriculture published proposed regulations (technically, an interim final rule with request for comments) establishing a federal hemp production program  Proposed Federal Hemp Production Program Regulations.

There is lots in there to consider, and even comment on, but one thing caught my eye. So much so that I submitted a formal comment through the Federal Register portal. What caught my eye was that the interim final rule for the establishment of a domestic hemp production program under the Department of Agriculture includes definitions for “entity” and “key participants” of entities for the purposes of licensing and, for the key participants, or individuals, criminal background checks. Those definitions are different from the definitions of “legal entities” and “beneficial owners” contained in Department of the Treasury anti-money laundering and Bank Secrecy Act (BSA) regulations requiring banks to perform customer due diligence on those legal entities, including verifying the identity or identities of the legal entities’ beneficial owner(s).

Proposed Hemp Producers’ “Key Participants” ≠ Existing Banking Customers’ “Beneficial Owners”

The definitions of “entity” and “key participants” in the proposed 7 CFR section 990.1 should be reconciled with the existing definitions of “legal entities” and “beneficial owners” in the existing 31 CFR section 1020.230. It is generally accepted that marijuana related businesses or cannabis related businesses, as well as producers and manufacturers of hemp and hemp-related products, are finding it challenging to get and maintain financial services. Financial institutions have existing requirements to perform risk-based customer due diligence on all customers and clients, including “legal entities” and the beneficial owner or owners of those legal entities.

A consistent definition of “legal entity” and “beneficial owner” in titles 7 and 31, or definitions of “entity” and “key participant” in title 7 that are consistent with the definitions of “legal entity” and “beneficial owner” in title 31 would encourage financial institutions to provide financial services to hemp producers, and ease the burden on hemp producers needing to meet their licensing and reporting obligations under title 7 and their due diligence obligations under title 31.

Background

The Supplementary Information section, Part I Introduction, at page 19, provides that “the State or Indian Tribe will need to review criminal history reports for each applicant. When an applicant is a business entity, the State or Indian Tribe must review the criminal history report for each key participant in the business.” And at page 20 is a description of the procedures for reporting specific information to USDA by the State and Tribal plans. That information “includes contact information for each hemp producer covered under the plan including name, address, telephone number, and email address (if available).  If the producer is a business entity, the information must include the full name of the business, address of the principal business location, full name and title of the key participants, an email address if available, and EIN number of the business entity.”

So the new hemp regulations refer to hemp producers’ “key participants”. And at page 94 the agency estimates that each producer would have three key participants (“the AMS estimates each producer to have three key participants that would submit criminal history reports to USDA.”).

The term “key participants” is defined in two different ways in two places. In the Supplementary Information section, Part IV Definitions, at page 43, it is defined as follows:

“A ‘key participant’ is a person or persons who have a direct or indirect financial interest in the entity producing hemp, such as an owner or partner in a partnership.  A key participant also includes persons in a corporate entity at executive levels including chief executive officer, chief operating officer and chief financial officer.  This does not include such management as farm, field or shift managers.”

However, the actual proposed regulations provide for a different definition. The draft 7 CFR Part 990 -Domestic Hemp Production Program begins on page 117. Subpart A – Definitions includes section 990.1 that lists terms alphabetically. At page 122 is the definition of “entity” and at page 124 is the definition of “key participants” (the Supplementary Information section does not include a definition of “entity”). They must be read together:

“Entity. A corporation, joint stock company, association, limited partnership, limited liability partnership, limited liability company, irrevocable trust, estate, charitable organization, or other similar organization, including any such organization participating in the hemp production as a partner in a general partnership, a participant in a joint venture, or a participant in a similar organization.”

 “Key participants. A sole proprietor, a partner in partnership, or a person with executive managerial control in a corporation.  A person with executive managerial control includes persons such as a chief executive officer, chief operating officer and chief financial officer.  This definition does not include non-executive managers such as farm, field, or shift managers.”

A side-by-side comparison of the definitions is set out in the table below:

Supplemental Information
Part IV Definitions
Page 43
7 CFR Part 990 -Domestic Hemp Production Program Subpart A – Definitions
Section 990.1 Pages 122, 124
 

 

 

 

 

“A ‘key participant’ is a person or persons who have a direct or indirect financial interest in the entity producing hemp, such as an owner or partner in a partnership.  A key participant also includes persons in a corporate entity at executive levels including chief executive officer, chief operating officer and chief financial officer.  This does not include such management as farm, field or shift managers.”

“Entity. A corporation, joint stock company, association, limited partnership, limited liability partnership, limited liability company, irrevocable trust, estate, charitable organization, or other similar organization, including any such organization participating in the hemp production as a partner in a general partnership, a participant in a joint venture, or a participant in a similar organization.”

 

“Key participants. A sole proprietor, a partner in partnership, or a person with executive managerial control in a corporation.  A person with executive managerial control includes persons such as a chief executive officer, chief operating officer and chief financial officer.  This definition does not include non-executive managers such as farm, field, or shift managers.”

 

Compare this definition of “key participants” and “entity” with the definitions of “beneficial owner” and “entities” used for purposes of customer due diligence in the various anti-money laundering and terrorist financing prevention laws in the US Code, Title 31, known as the Bank Secrecy Act, or BSA:

31 CFR 1010.230(d) Beneficial owner. For purposes of this section, beneficial owner means each of the following:

(1) Each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25 percent or more of the equity interests of a legal entity customer; and

(2) A single individual with significant responsibility to control, manage, or direct a legal entity customer, including: (i) An executive officer or senior manager (e.g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer); or (ii) Any other individual who regularly performs similar functions.

31 CFR 1010.230 (e) Legal entity customer. For the purposes of this section:

(1) Legal entity customer means a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account.

(2) Legal entity customer does not include … [lengthy list]

Conclusion and Recommendation

The definitions of “entity” and “key participants” in the proposed 7 CFR section 990.1 should be reconciled with the existing definitions of “legal entities” and “beneficial owners” in the existing 31 CFR section 1020.230. A consistent definition of “legal entity” and “beneficial owner” in titles 7 and 31, or definitions of “entity” and “key participant” in title 7 that are consistent with the definitions of “legal entity” and “beneficial owner” in title 31 would encourage financial institutions to provide financial services to hemp producers, and ease the burden on hemp producers needing to meet their licensing and reporting obligations under title 7 and their due diligence obligations under title 31.

 

The Current BSA/AML Regime is a Classic Fixer-Upper … and Here’s Seven Things to Fix

A 1970 Holden “Belmont” … built the same year as the first BSA-related Act was passed in the United States: the Currency and Foreign Transactions Reporting Act, PL 91-508

There is a lot of media attention around the need for a new way to tackle financial crimes risk management. Apparently the current regime is “broken” (I disagree) or in desperate need of repair (what government-run programs are not in some sort of state of disrepair?), or, at the very least, not particularly effective nor efficient. And there are a lot of suggestions from the private and public sectors on how to make the regime more effective and more efficient.  I’ll offer seven things to consider as we all work towards renovating our BSA/AML regime, to take it from its tired, dated (the last legislative change to the three statutes we call the Bank Secrecy Act was made in 2004) state to something that provides a more balanced, effective, and efficient regime.

I. Transaction Monitoring Systems

Apparently, current customer- and account-based transaction monitoring systems are highly inefficient, because for every 100 alerts they produce, five or fewer actually end up being reported to the government in a Suspicious Activity Report. The transaction monitoring software is often blamed (although bad data is the more likely culprit), and machine learning and artificial intelligence are often touted (by providers of machine learning and artificial intelligence) as the solutions. Consider the following when it comes to transaction monitoring and false positives:

  1. If a 95% false positive rate is bad … what is good? Human-generated referrals will result in SARs about 50% of the time: that might be a good standard.
  2. We have to stop tuning our transaction monitoring systems against SARs filed with law enforcement, and start tuning them against SARs used by law enforcement. I’ve written about this on many occasions, and have offered up something called the “TSV” SAR – a SAR that law enforcement indicates has Tactical or Strategic Value.
  3. High false positives rates may not be caused by bad data or poor technology at all, but by regulatory expectations – real or imagined – that financial institutions can’t afford the audit, regulatory, legal, and reputational costs of failing to identify (alert on) something unusual or anomalous that could eventually be found to have been suspicious.

(I’ve written about this on a few occasions: see, for example, RegTech Consulting Article).

It may be that transaction monitoring itself is the culprit (and not bad data, outmoded technology, or unreasonable regulatory expectations). My experience is that customer- and account-based transaction monitoring is not nearly as effective as relationship-based interaction surveillance. Let’s parse this out:

  • Customer versus relationship – focusing on a single customer is less efficient than looking at the entire relationship that customer is or could be part of. Bank’s marketing departments think in terms of households as the key relationship: credit department’s think in terms of parent and subsidiary entities and guarantors as the needed relationship in determining credit worthiness. Financial crimes departments need to also think in the same terms. It is simply more encompassing and more efficient.
  • Transaction versus interaction – customers may interact with a bank many times, through a phone call, an online session, a balance inquiry, or a mobile look-up, before they will perform an actual transaction or movement of value. Ignoring those interactions, and only focusing on transactions, doesn’t provide the full picture of that customer’s relationship with the bank.
  • Monitoring versus surveillance – monitoring is not contextual: it is simply looking at specific transaction types, in certain amounts or ranges, performed by certain customers or customer classes. Surveillance, on the other hand, is contextual: it looks at the context of certain activity compared against all activity of that customer over time, and/or of certain activity of that customer compared to other customers within its class (Whatever that class may be).

So the public sector needs to encourage the private sector to shift from a customer-based transaction monitoring regime to a relationship-based interaction surveillance regime.

II. Information Sharing

Crime and criminal organizations don’t operate in a single financial institution or even in a single jurisdiction. Yet our BSA/AML regime still encourages single entity SAR filers and doesn’t promote cross-jurisdictional information sharing.  The tools are available to better share information across a financial institution, and between financial institutions. Laws, regulations, and regulatory guidance all need to change to specifically and easily allow a single financial institution operating in multiple jurisdictions to (safely) share more information with itself, to allow multiple institutions in a single and multiple jurisdictions to (safely) share more information between them, and to allow those institutions to jointly investigate and report together. Greater encouragement and use of Section 314(b) associations and joint SAR filings are critical.

III. Classical Music, or Jazz?

Auditors, regulators, and even a lot of FinTech companies, would prefer that AML continue to be like classical music, where every note (risk assessments and policies) is carefully written, the music is perfectly orchestrated (transaction monitoring models are static and documented), and the resulting music (SAR filings) sounds the same time and time again regardless of who plays it. This allows the auditors and regulators to have perfectly-written test scripts to audit and examine the programs, and allows the FinTech companies to produce a “solution” to a defined problem. This approach may work for fraud, where an objective event (a theft or compromise) produces a defined result (a monetary loss). But from a financial institution’s perspective, AML is neither an objective event nor a defined result, but is a subjective feeling that it is more likely than not that something anomalous or different has occurred and needs to be reported. So AML is less like classical music and more like jazz: defining, designing, tuning, and running effective anti-money laundering interaction monitoring and customer surveillance systems is like writing jazz music … the composer/arranger (FinTech) provides the artist (analyst) a foundation to freely improvise (investigate) within established and consistent frameworks, and no two investigations are ever the same, and similar facts can be interpreted a different way by different people … and a SAR may or may not be filed. AML drives auditors and examiners mad, and vexes all but a few FinTechs. So be it. Let’s acknowledge it, and encourage it.

IV. Before Creating New Tools, Let’s Use the Ones We Have

The federal government has lots of AML tools in its arsenal: it simply needs to use them in more courageous and imaginative ways. Tools such as section 311 Special Measures and 314 Information Sharing are grossly under-utilized. Information sharing is discussed above: section 311 Special Measures are reserved for the most egregious bad actors in the system, and are rarely invoked. But the reality is that financial institutions will kick out a customer or not (knowingly) provide services to entire classes of customers or in certain jurisdictions for fear of not being able to economically manage the perceived risk/reward equation of that customer or class of customer or jurisdiction. But that customer or class or jurisdiction simply goes to another financial institution in the regulated sector, or to an institution in an un- or under-regulated sector (the notion of “de-risking”). The entire financial system would be better off if, instead of de-risking a suspected bad customer or class of customer or jurisdiction, financial institutions were not encouraged to exit at all, but encouraged to keep that customer or class, and monitor for and report any suspicious activity. Then, if the government determined that the customer or class of customers was too systemically risky to be banked at all, it could use section 314 to effectively blacklist that customer or class of customers. Imposing “special measures” shouldn’t be a responsibility of private sector financial institutions guessing at whether a customer or class of customers is a bad actor: it is and should be the responsibility of the federal government using the tool it currently has available to it: Section 311.

V. … and Let’s Restore The Tool We Started With

The reporting of large cash transactions was the first AML tool the US government came up with (in 1970 as part of the Currency & Foreign Transactions Reporting Act).  Those reports, called Currency Transaction Reports, or CTRs, started out as single cash transactions on behalf of an accountholder, for more than $10,000.  They have since morphed to one or more cash transactions aggregating to more than $10,000 in a 24-hour period, by or on behalf of one or more beneficiaries.  There will be more than 18 million CTRs filed this year, and apparently law enforcement finds them an effective tool. But there is nothing more inefficient: simply put, CTRs are now the biggest resource drain in BSA/AML. Because of regulatory drift, CTRs are de facto SAR-lites … we need to get back to basic CTRs and redeploy the resources used to wrestle with the ever-expanding aggregation and “by or on behalf of” requirements, and deploy them against potential suspicious activity. And forget about increasing the threshold amount from the current “more than $10,000” standard: $10,000 is almost 5,000 times the amount of the average cash transaction in the United States today (which is $22, according to multiple reports from the Federal Reserve), and no one can argue that having a requirement to report a transaction or transactions that are 5,000 times the average is unreasonable. And it isn’t the amount that causes inefficiencies, it is the requirements to (i) aggregate multiple transactions totaling more than $10,000 in a 24-hour period, (ii) to identify and aggregate transactions “by or on behalf of” multiple parties and accountholders, and (iii) exempt, on a bank-by-bank basis, certain entities that can be exempted (but rarely are) from the CTR filing regime. If anything, we could save and redploy resources if the CTR threshold was the same as the SAR threshold – $5,000.

VI. The Clash of the Titles

And remember the “Clash of the Titles” … the protect-the-financial-system (filing great SARs) requirements of Title 31 (Money & Finance … the BSA) are trumped by the safety and soundness (program hygiene) requirements of Title 12 (Banks & Banking), and financial institutions act defensively because of the punitive measures in Title 18 (Crimes & Criminal Procedure) and Title 50 (War … OFAC’s statutes and regulations). There is a need to harmonize the Four Titles – or at least Titles 12 and 31 – and how financial institutions are examined against them. BSA/AML people are judged on whether they avoid bad TARP results (from being Tested, Audited, Regulated, and Prosecuted) rather than  on whether they provide actionable, timely intelligence to law enforcement. Today, most BSA Officers live in fear of not being able to balance all their commitments under the four titles: the great Hugh MacLeod was probably thinking of BSA Officers when he wrote: “I do the work for free. I get paid to be afraid …”

VII. A Central Registry for Beneficial Ownership Information

At the root of almost all large money laundering cases are legal entities with opaque ownership, or shell companies, where kleptocrats, fraudsters, tax evaders, and other miscreants can hide, move, and use their assets with near impunity.  Greater corporate transparency has long been seen as one of the keys to fighting financial crime (the FATF’s Recommendation 24 on corporate transparency was first published in 1993), and accessible central registries of beneficial ownership information have been proven to be the key to that greater transparency. Yet the United States is one of the few major financial centers that does not have a centralized registry of beneficial ownership information. I’ve written that without such a centralized registry, the current beneficial ownership requirements are ineffective.  See Beneficial Ownership Registry Article. Two bills currently before Congress – the Senate’s ILLICIT Cash Act (S2563) and the House’s Corporate Transparency Act (HR2513) both contemplate a centralized registry of beneficial ownership maintained by FinCEN. But both of those bills – and FATF recommendations and guidance on the same issue – fall short in that they only allow law enforcement (or “competent authorities” using the FATF term) to freely access that database. The bills before Congress allow financial institutions to access the database but only with the consent of the customer they’re asking about and only for the purposes of performing due diligence on that customer. I have proposed that those bills be changed to also allow financial institutions to query the database without the consent of the entity they’re asking about for the purposes of satisfying their suspicious activity reporting requirements.

Conclusion – Seven Fixer-Upper Projects for the BSA/AML Regime

  1. Shift from customer-centric transaction monitoring systems to relationship-based interaction surveillance systems
  2. Encourage cross-institutional and cross-jurisdictional information sharing
  3. Encourage the private sector to be more creative and innovative in its approach to AML – AML is like jazz music, not classical music
  4. Address de-risking through aggressive use of Section 311 Special Measures
  5. Simplify the CTR regime. Please. And forget about increasing the $10,000 threshold – in fact, reduce it to $5,000
  6. As long as financial institutions are judged on US Code Titles 12, 18, 31, and 50, expect them to be both ineffective and inefficient. Can Titles 12 and 31 try to get along?
  7. A central registry of beneficial ownership information that is freely accessible to financial institutions is a must have

Cannabis Banking Legislation – Will the SAFE Banking Act Actually Result in More Banks Providing Financial Services to Marijuana Related Businesses?

In the last two years, the percentage of banks actively banking (federally illegal and unregulated) marijuana related businesses (MRBs) has gone from 5% to more than 10% – why do we need Congress to interfere? Our experience with (federally legal and regulated) money services businesses (MSBs) shows that relief is hard to come by … and may not dramatically increase the number of banks willing to take on MRBs.

I have written three articles on FinCEN’s quarterly “marijuana banking update”. The most recent, published on June 25, 2019, is available at Richards article on FinCEN MRB reports.  Those reports, published by FinCEN since 1Q 2017 and tracking marijuana-related Suspicious Activity Reports (SARs) filed since the FinCEN guidance was published in February 2014, show two broad categories of data: (1) the total number of banks and credit unions that are “actively banking marijuana related businesses”; and (2) the number of each of the three types of SARs that FinCEN has directed financial institutions to file: Marijuana Limited, Marijuana Priority, and Marijuana Termination. I won’t describe what type of activity each type of SAR is meant to report, as the descriptions in the quarterly updates are inconsistent with the actual 2014 guidance. You’ll have to read the articles to find out about those inconsistencies.

I’ve also written about the proposed SAFE Banking Act – Richards article on SAFE Banking Act – which is the Democratic-controlled House of Representatives’ attempt at getting a federal law passed to give financial institutions some comfort that they simply by knowingly providing financial services to (what the bill describes as) “cannabis related legitimate businesses” and “service providers”, they won’t be sanctioned by their regulatory agencies.

Let’s put those two things together – FinCEN’s quarterly updates on the number of banks and credit unions “actively banking marijuana related businesses”, and the push in Congress (or at least one of the two chambers of Congress) to pass a law to encourage banks and credit unions to knowingly provide financial services to the federally illegal and unregulated “cannabis related legitimate businesses” and their “service providers”.

The most recent (June 2019) FinCEN update is available at FinCEN 2Q 2019 MRB Update. It shows that as of June 30, 2019, there were 553 banks and 162 credit unions “actively banking marijuana related businesses.” (I have put this phrase in quotes because industry experts believe that the number of banks and credit unions that are actively, knowingly providing depository or transactional services to licensed cannabis or marijuana businesses is much less than what FinCEN reports … and closer to 50 than 715. But let’s go with what FinCEN has been publishing.).  The slow but steady increase in the number of banks and credit unions providing banking services to MRBs is shown in the FinCEN chart below:

What is not shown, though, is the percentage of banks and credit unions that are providing financial services to marijuana related businesses. Using data provided by the FDIC, which insures all commercial banks and savings institutions, and the NCUA, which insures all credit unions, we can see that (1) the total number of banks and credit unions has been falling, while (2) the total number of banks and credit unions that are providing banking services to MRBs has more than doubled in the last two years:

The total number of banks and credit unions has been dropping over the last 2+ years (by about 9%), while the total number of banks and credit unions providing financial services to MRBs has been going up (by almost 200%). The result is that as of June 2019, about one in ten federally insured banks and more than one in sixteen depository institutions overall, are, according to the Treasury Department, “actively banking marijuana related businesses”. It’s perplexing why relatively so few credit unions are engaged in the MRB space.

Which begs the question: if the percentage of depository institutions actively banking marijuana related business has more than doubled in the last two years, and if one in ten federally insured banks and more than one in sixteen depository institutions overall, are actively banking marijuana related businesses, do we even need Congress to intervene and pass new laws to encourage those depository institutions? New laws mean new regulations. New regulations certainly mean new regulatory guidance and expectations, and probably mean more government expense and oversight.

A fair argument can be made that if only 10% of banks and 3% of credit unions are actively banking marijuana related businesses, we absolutely need Congress (and the President) to step in and pass a law or laws to encourage more banks and credit unions to participate in the marijuana/cannabis industry. But even if a SAFE Banking Act, or equivalent, is passed by Congress and signed into law by the President, regulations and regulatory guidance will still need to be published and written, and banks and credit unions will still need to have a risk-based program with the panoply of required preventative and detective controls. Those programs are expensive to build, more expensive to maintain, and bring uncertain regulatory, legal, and reputational risk to the institution. And, of course, MRBs will still be federally illegal, and remain unregulated by any federal agencies.

Money Services Businesses (MSBs) – a lesson for banking Marijuana Related Businesses (MRBs)?

Money Services Businesses, or MSBs (check cashers, money transmitters, currency exchangers) are all perfectly legal, state-licensed, federally-registered financial institutions that, since 2002 have been required to have their own BSA/AML compliance programs and to report suspicious activity. Just like banks and credit unions. And in March 2005 the financial services regulators issued guidance to the industry on how to provide banking services to MSBs. The FinCEN press release provided the following explanation:

“The Financial Crimes Enforcement Network (“FinCEN”), together with the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration (collectively, the “Federal Banking Agencies”) are jointly issuing this Statement to address our expectations regarding banking institutions’ obligations under the Bank Secrecy Act for money services businesses, such as check cashers and money transmitters. Money services businesses are losing access to banking services as a result of concerns about regulatory scrutiny, the risks presented by money services business accounts, and the costs and burdens associated with maintaining such accounts. Concerns may stem, in part, from a misperception of the requirements of the Bank Secrecy Act, and the erroneous view that money services businesses present a uniform and unacceptably high risk of money laundering or other illicit activity.”

Notwithstanding that MSBs are legal businesses, are federally-regulated, and the regulators have encouraged banks to provide financial services to them, the vast majority of financial institutions today will not bank MSBs. Why? The real or perceived regulatory burdens are too onerous, and the regulatory, legal, and reputational risks are too great. There may be some data on what percentage of banks and credit unions are knowingly, actively banking MSBs, but I haven’t seen it. Anecdotes suggest that less than one in five banks and credit unions have an MSB banking program and are knowingly, actively providing depository and transactional services for MSBs.

So if less than one in five depository institutions are banking federally legal and regulated Money Services Businesses more than fifteen years after given a Congressional “green light”, and if the percentage of depository institutions banking federally illegal and unregulated Marijuana Related Businesses has more than doubled in the last two years to one in sixteen … do we really need Congress to pass a law encouraging depository institutions to bank these illegal, unregulated businesses, or do we simply wait until marijuana is federally legal, and then regulate the marijuana industry … hopefully better than we’ve done with the money services industry?

In December 2018 I proposed an idea to provide relief to depository institutions looking at knowingly, actively providing financial services to MRBs: have the regulatory agencies publish guidance that would treat MRBs like MSBs. The idea was simple … replace the terms “money services business” and “MSB” in the interagency 2005 guidance on MSBs, with “marijuana related business” and “MRB”. At least we might find that 20% of banks and credit unions would be able to balance the meager rewards with the uncertain risks and provide financial services to marijuana related businesses. See Richards – 2005 MSB Guidance = 2019 MRB Guidance

Cryptocurrencies – A New Crypto Rating Council Tries to Handicap the Likelihood a Cryptocurrency is a Security

Crypto Rating Council

A group of crypto financial services firms and exchanges have formed the Crypto Rating Council, or CRC “to create a framework to consistently and objectively assess whether any given crypto asset has characteristics that make it more or less likely to be classified  as a security under the U.S. federal securities laws.” See their website at https://www.cryptoratingcouncil.com/#about-us

The founding members of the Crypto Rating Council are Anchorage, Bittrex, Circle Financial, Coinbase, Cumberland, Genesis, Grayscale, and Kraken.

‍According to the website:

“The important question of whether any given digital asset is a security—as opposed to a commodity, a currency, or something else—informs critical licensing, registration, and operating obligations for financial services firms that support cryptocurrency. The U.S. Securities & Exchange Commission has issued guidance that some crypto assets may be securities while others may not be.”

That guidance began with a Report of Investigation the SEC released in 2017 – https://www.sec.gov/litigation/investreport/34-81207.pdf and continued with Guidance on Initial Coin Offerings published on April 3, 2019 – https://www.sec.gov/news/public-statement/statement-framework-investment-contract-analysis-digital-assets

As the CRC notes:

“While the SEC’s guidance has been helpful in alerting the industry to complex legal issues, determining whether any particular token is a security remains highly circumstantial and difficult to resolve even with the help of leading legal and technical experts. This complexity has led to expensive, redundant, and frequently inconsistent compliance analysis among financial services firms and has generally slowed the launch of new cryptocurrency assets in the U.S.”

And

“The question of whether a crypto asset is a security—as opposed to a currency, a commodity, or something else—may trigger registration, licensing, and other operating obligations for financial services firms that offer digital asset services like exchange, investment management, and trading. Under federal U.S. law, this important question is generally answered by applying the four-factor Howey test, which requires painstaking “facts and circumstances” analysis which often leads to judgment calls, inconsistent results, and can lead to disagreement among legal experts (and government officials). The founding members formed the CRC to create a compliance tool which, in partnership with securities law experts, allows the members to consistently review assets supported in the ordinary course of their respective businesses.”

In addition to slowing the launch of new cryptocurrency assets in the US, there have been dozens (hundreds) of digital asset/ICO enforcement actions filed by the SEC. A list of those actions is available at https://www.sec.gov/spotlight/cybersecurity-enforcement-actions

So, as a result of this confusion, the Crypto Rating Council was formed “to create a framework to consistently and objectively assess whether any given crypto asset has characteristics that make it more or less likely to be classified  as a security under the U.S. federal securities laws.”

The Securities Rating Framework

According to the CRC, its securities rating framework is “a points-based rating system built upon a set of factual questions that assess each element of the legal test to determine whether an asset is a security. Our framework is derived directly from case law and SEC guidance and has been structured to emphasize objective, repeatable, and fact-driven responses that can be answered more consistently across different assets and across the same asset over time.”

‍In its FAQs section, the CRC described its securities rating framework as follows:

“At the core of the Council’s work is a points-based rating system centered around a set of factual questions. Working with legal and technical experts and members of the community, the CRC distilled a set of yes or no questions which are designed to plainly address each of the four, Howey test factors: (i) whether crypto purchasers invested money, (ii) in a “common enterprise”, (iii) with a reasonable expectation of profit, (iv) based on the efforts of others. The questions are tailored to assess the characteristics most likely to impact any given crypto asset’s treatment under the securities laws. These characteristics include circumstances of the asset’s issuance, governance features, third-party contributions to the project, and practical use of the asset by the general public. The questions are also structured to allow for objective, repeatable, and fact-driven responses that can be answered consistently across different assets and across the same asset over time.”

The Rating Explained

Again, according to the FAQs:

“Each question in the framework is assigned a points-based weighting to reflect its relative importance, the sum of which create scores for each Howey factor. Those scores are then scaled into a final rating between 1 and 5. A score of 5 results when an asset appears to have many characteristics that are consistent with the Howey-test factors. It is probably more likely, relative to lower-scored assets, to implicate the U.S. securities laws. A score of 1 results when an asset appears to have few characteristics that are consistent with the Howey-test factors. It is probably less likely, relative to higher-scored assets, to implicate the U.S. securities laws.”

How Did The Cryptocurrencies Fare Under the Rating System?

A useful graph published online (is “published online” necessary in 2019, or will “published” suffice?) by TheBlockCrypto.com provides the results of the CRC’s first efforts:

We can spotlight three of these to see how the scores were determined at a high level: Bitcoin at 1.00 (definitely not a security), Ethereum at 2.00 (probably not a security), and XRP at 4.00 (likely to be a security).

 

SAFE Banking Act of 2019 – Some Suggestions for the Senate

The SAFE Banking Act, HR 1595, was approved by the House on September 25, 2019. As written, it is a “bill to create protections for depository institutions that provide financial services to cannabis-related legitimate businesses and service providers for such businesses, and for other purposes.” There has been much written about the SAFE Banking Act, but as I went through it, I saw a number of things that need to be addressed.  So below are some general comments and observations – written in blue italics – and some suggestions for the Senate – written in red bold italics – as the Senate considers what, if any, changes to make to the House version, and whether to actually vote on their version of the SAFE Banking Act.

The link to the text is SAFE Banking Act – congress.gov

SAFE Banking Act, HR 1595 as approved by the House of Representatives, September 25, 2019

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; PURPOSE.

(a) SHORT TITLE.—This Act may be cited as the ‘‘Secure And Fair Enforcement Banking Act of 2019’’ or the ‘‘SAFE Banking Act of 2019’’.

(b) PURPOSE.—The purpose of this Act is to increase public safety by ensuring access to financial services to cannabis-related legitimate businesses and service providers and reducing the amount of cash at such businesses.

Comment – The purpose statement focuses on public safety and getting cash out of cannabis businesses. But there is very little else in the Act that specifically addresses public safety or cash. Note the modifier “legitimate” (see section 14 definition)

SEC. 2. SAFE HARBOR FOR DEPOSITORY INSTITUTIONS.

(a) IN GENERAL.—A Federal banking regulator may not—

(1) terminate or limit the deposit insurance or share insurance of a depository institution under the Federal Deposit Insurance Act (12 U.S.C. 1811 et seq.), the Federal Credit Union Act (12 U.S.C. 1751 et seq.), or take any other adverse action against a depository institution under section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818) solely because the depository institution provides or has provided financial services to a cannabis-related legitimate business or service provider;

(2) prohibit, penalize, or otherwise discourage a depository institution from providing financial services to a cannabis-related legitimate business or service provider or to a State, political subdivision of a State, or Indian Tribe that exercises jurisdiction over cannabis-related legitimate businesses;

Comment – Section 2 is clearly a safe harbor from actions taken by a federal banking regulator – not from the Department of Justice. Compare this to section 4’s broader protections. Note that 12 USC 1818 is the “cease and desist” section. The phrase “solely because” is significant: the intent and effect of this is that a federal banking regulator can bring an adverse action against a depository institution providing financial services to a cannabis-related legitimate business if that institution otherwise violates banking laws or regulations.

(3) recommend, incentivize, or encourage a depository institution not to offer financial services to an account holder, or to downgrade or cancel the financial services offered to an account holder solely because— (A) the account holder is a cannabis-related legitimate business or service provider, or is an employee, owner, or operator of a cannabis-related legitimate business or service provider; (B) the account holder later becomes an employee, owner, or operator of a cannabis-related legitimate business or service provider; or (C) the depository institution was not aware that the account holder is an employee, owner, or operator of a cannabis-related legitimate business or service provider;

Comment – Section 2(a)(3) introduces protections for account holders who are employees, owners, and operators. Also, note that (2) provides that regulators cannot discourage financial institutions from providing services, and (3) provides that regulators cannot encourage financial institutions not to provide services. What was the legislative intent?

(4) take any adverse or corrective supervisory action on a loan made to— (A) a cannabis-related legitimate business or service provider, solely because the business is a cannabis-related legitimate business or service provider; (B) an employee, owner, or operator of a cannabis-related legitimate business or service provider, solely because the employee, owner, or operator is employed by, owns, or operates a cannabis-related legitimate business or service provider, as applicable; or (C) an owner or operator of real estate or equipment that is leased to a cannabis-related legitimate business or service provider, solely because the owner or operator of the real estate or equipment leased the equipment or real estate to a cannabis-related legitimate business or service provider, as applicable; or

(5) prohibit or penalize a depository institution (or entity performing a financial service for or in association with a depository institution) for, or otherwise discourage a depository institution (or entity performing a financial service for or in association with a depository institution) from, engaging in a financial service for a cannabis-related legitimate business or service provider.

(b) SAFE HARBOR APPLICABLE TO DE NOVO INSTITUTIONS.—Subsection (a) shall apply to an institution applying for a depository institution charter to the same extent as such subsection applies to a depository institution.

Comment – Section 2(a)(5) is interesting with the addition of “(or entity performing a financial service for or in association with a depository institution) …”. Subsections 2(a)(2) and (5) could be combined without loss of meaning.

SEC. 3. PROTECTIONS FOR ANCILLARY BUSINESSES.

For the purposes of sections 1956 and 1957 of title 18, United States Code, and all other provisions of Federal law, the proceeds from a transaction involving activities of a cannabis-related legitimate business or service provider shall not be considered proceeds from an unlawful activity solely because—

(1) the transaction involves proceeds from a cannabis-related legitimate business or service provider; or

(2) the transaction involves proceeds from— (A) cannabis-related activities described in section 14(4)(B) conducted by a cannabis-related legitimate business; or (B) activities described in section 14(13)(A) conducted by a service provider.

Senate Suggestion 1 – The title of section 3 is the only reference to “ancillary businesses”. This is a left-over from the original SAFE Banking Act. This section should be changed to  “Protections from Federal Laws Relating to Specified Unlawful Activity”

SEC. 4. PROTECTIONS UNDER FEDERAL LAW.

(a) IN GENERAL.—With respect to providing a financial service to a cannabis-related legitimate business or service provider within a State, political subdivision of a State, or Indian country that allows the cultivation, production, manufacture, sale, transportation, display, dispensing, distribution, or purchase of cannabis pursuant to a law or regulation of such State, political subdivision, or Indian Tribe that has jurisdiction over the Indian country, as applicable, a depository institution, entity performing a financial service for or in association with a depository institution, or insurer that provides a financial service to a cannabis-related legitimate business or service provider, and the officers, directors, and employees of that depository institution, entity, or insurer may not be held liable pursuant to any Federal law or regulation— (1) solely for providing such a financial service; or (2) for further investing any income derived from such a financial service.

Comment – Section 4’s protections extend more broadly than the narrower section 2 safe harbor, notably because individuals are protected.

(b) PROTECTIONS FOR FEDERAL RESERVE BANKS AND FEDERAL HOME LOAN BANKS.—With respect to providing a service to a depository institution that provides a financial service to a cannabis-related legitimate business or service provider (where such financial service is provided within a State, political subdivision of a State, or Indian country that allows the cultivation, production, manufacture, sale, transportation, display, dispensing, distribution, or purchase of cannabis pursuant to a law or regulation of such State, political subdivision, or Indian Tribe that has jurisdiction over the Indian country, as applicable), a Federal reserve bank or Federal Home Loan Bank, and the officers, directors, and employees of the Federal reserve bank or Federal Home Loan Bank, may not be held liable pursuant to any Federal law or regulation— (1) solely for providing such a service; or (2) for further investing any income derived from such a service.

(c) PROTECTIONS FOR INSURERS.—With respect to engaging in the business of insurance within a State, political subdivision of a State, or Indian country that allows the cultivation, production, manufacture, sale, transportation, display, dispensing, distribution, or purchase of cannabis pursuant to a law or regulation of such State, political subdivision, or Indian Tribe that has jurisdiction over the Indian country, as applicable, an insurer that engages in the business of insurance with a cannabis-related legitimate business or service provider or who otherwise engages with a person in a transaction permissible under State law related to cannabis, and the officers, directors, and employees of that insurer may not be held liable pursuant to any Federal law or regulation— (1) solely for engaging in the business of insurance; or (2) for further investing any income derived from the business of insurance.

(d) FORFEITURE.— (1) DEPOSITORY INSTITUTIONS.—A depository institution that has a legal interest in the collateral for a loan or another financial service provided to an owner, employee, or operator of a cannabis-related legitimate business or service provider, or to an owner or operator of real estate or equipment that is leased or sold to a cannabis-related legitimate business or service provider, shall not be subject to criminal, civil, or administrative forfeiture of that legal interest pursuant to any Federal law for providing such loan or other financial service. (2) FEDERAL RESERVE BANKS AND FEDERAL HOME LOAN BANKS.—A Federal reserve bank or Federal Home Loan Bank that has a legal interest in the collateral for a loan or another financial service provided to a depository institution that provides a financial service to a cannabis-related legitimate business or service provider, or to an owner or operator of real estate or equipment that is leased or sold to a cannabis-related legitimate business or service provider, shall not be subject to criminal, civil, or administrative forfeiture of that legal interest pursuant to any Federal law for providing such loan or other financial service.

SEC. 5. RULES OF CONSTRUCTION.

(a) NO REQUIREMENT TO PROVIDE FINANCIAL SERVICES.—Nothing in this Act shall require a depository institution, entity performing a financial service for or in association with a depository institution, or insurer to provide financial services to a cannabis-related legitimate business, service provider, or any other business.

(b) GENERAL EXAMINATION, SUPERVISORY, AND ENFORCEMENT AUTHORITY.—Nothing in this Act may be construed in any way as limiting or otherwise restricting the general examination, supervisory, and enforcement authority of the Federal banking regulators, provided that the basis for any supervisory or enforcement action is not the provision of financial services to a cannabis-related legitimate business or service provider.

Comment – Section 5(a) allows financial service providers to decide not to engage with cannabis-related legitimate businesses or service providers. It does not extend that to the employees, officer, or operators of those businesses, though. Section 5(b) gives teeth to the section 2 safe harbor language (“solely because the depository institution provides or has provided financial services to a cannabis-related legitimate business or service provider”). However, section 5(b) could be better written by including the “solely” term.

SEC. 6. REQUIREMENTS FOR FILING SUSPICIOUS ACTIVITY REPORTS.

Section 5318(g) of title 31, United States Code, is amended by adding at the end the following:

‘‘(5) REQUIREMENTS FOR CANNABIS-RELATED LEGITIMATE BUSINESSES.—

‘‘(A) IN GENERAL.—With respect to a financial institution or any director, officer, employee, or agent of a financial institution that reports a suspicious transaction pursuant to this subsection, if the reason for the report relates to a cannabis-related legitimate business or service provider, the report shall comply with appropriate guidance issued by the Financial Crimes Enforcement Network. The Secretary shall ensure that the guidance is consistent with the purpose and intent of the SAFE Banking Act of 2019 and does not significantly inhibit the provision of financial services to a cannabis-related legitimate business or service provider in a State, political subdivision of a State, or Indian country that has allowed the cultivation, production, manufacture, transportation, display, dispensing, distribution, sale, or purchase of cannabis pursuant to law or regulation of such State, political subdivision, or Indian Tribe that has jurisdiction over the Indian country.

Senate Suggestion 2 – Section 6 adds a new subsection (5). Subsection (1) doesn’t change: it provides “The Secretary may require any financial institution, and any director, officer, employee, or agent of any financial institution, to report any suspicious transaction relevant to a possible violation of law or regulation.” This section calls for “guidance” from FinCEN, not a regulation or regulations. First, is this the existing (2014) FinCEN guidance, or does it contemplate new, yet to be issued, guidance? If the latter, there is no time frame for issuing such guidance. I would make this clear: FinCEN guidance to be issued within 180 days. Compare this to section 7. And see comments on section 10. Second, question whether that guidance would satisfy the Administrative Procedures Act. See the (excellent) testimony of Margaret (Meg) Tahyar: https://www.banking.senate.gov/imo/media/doc/Tahyar%20Testimony%204-30-19.pdf and the federal banking regulators Interagency Statement on Clarifying the Role of Supervisory Guidance, https://www.fdic.gov/news/news/press/2018/pr18059a.pdf

‘‘(B) DEFINITIONS.—For purposes of this paragraph: ‘‘(i) CANNABIS.—The term ‘cannabis’ has the meaning given the term ‘marihuana’ in section 102 of the Controlled Substances Act (21 U.S.C. 802). ‘‘(ii) CANNABIS-RELATED LEGITIMATE BUSINESS.—The term ‘cannabis-related legitimate business’ has the meaning given that term in section of the SAFE Banking Act of 2019. ‘‘(iii) INDIAN COUNTRY.—The term ‘Indian country’ has the meaning given that term in section 1151 of title 18. ‘‘(iv) INDIAN TRIBE.—The term ‘Indian Tribe’ has the meaning given that term in section 102 of the Federally Recognized Indian Tribe List Act of 1994 (25 7 U.S.C. 479a). ‘‘(v) FINANCIAL SERVICE.—The term ‘financial service’ has the meaning given that term in section 14 of the SAFE Banking Act of 2019. ‘‘(vi) SERVICE PROVIDER.—The term ‘service provider’ has the meaning given that term in section 14 of the SAFE Banking Act of 2019. ‘‘(vii) STATE.—The term ‘State’ means each of the several States, the District of Columbia, Puerto Rico, and any territory or possession of the United States.’’.

SEC. 7. GUIDANCE AND EXAMINATION PROCEDURES.

Not later than 180 days after the date of enactment of this Act, the Financial Institutions Examination Council shall develop uniform guidance and examination procedures for depository institutions that provide financial services to cannabis-related legitimate businesses and service providers.

Senate Suggestion 3 – See the comments for section 6. Between these two sections, CRLB/SP program requirements, including SAR reporting guidance, won’t be available to financial institutions for ~6 months after the enactment of the Act. That creates problems for the section 10 report. And why is this language – FFIEC guidance and exam procedures in 180 days – different than the similar hemp section 11(b) – federal banking regulators to publish best practices within 90 days?

SEC. 8. ANNUAL DIVERSITY AND INCLUSION REPORT.

The Federal banking regulators shall issue an annual report to Congress containing—

(1) information and data on the availability of access to financial services for minority-owned and women-owned cannabis-related legitimate businesses; and

(2) any regulatory or legislative recommendations for expanding access to financial services for  minority-owned and women-owned cannabis-related legitimate businesses.

SEC. 9. GAO STUDY ON DIVERSITY AND INCLUSION.

(a) STUDY.—The Comptroller General of the United States shall carry out a study on the barriers to market-place entry, including in the licensing process, and the access to financial services for potential and existing minority-owned and women-owned cannabis-related legitimate businesses.

(b) REPORT.—The Comptroller General shall issue a report to the Congress—(1) containing all findings and determinations made in carrying out the study required under subsection (a); and (2) containing any regulatory or legislative recommendations for removing barriers to marketplace entry, including in the licensing process, and expanding access to financial services for potential and existing minority-owned and women-owned cannabis-related legitimate businesses.

SEC. 10. GAO STUDY ON EFFECTIVENESS OF CERTAIN REPORTS ON FINDING CERTAIN PERSONS.

Not later than 2 years after the date of the enactment of this Act, the Comptroller General of the United States shall carry out a study on the effectiveness of reports on suspicious transactions filed pursuant to section 15 5318(g) of title 31, United States Code, at finding individuals or organizations suspected or known to be engaged with transnational criminal organizations and whether any such engagement exists in a State, political subdivision, or Indian Tribe that has jurisdiction over Indian country that allows the cultivation, production, manufacture, sale, transportation, display, dispensing, distribution, or purchase of cannabis. The study shall examine reports on suspicious transactions as follows: (1) During the period of 2014 until the date of the enactment of this Act, reports relating to marijuana-related businesses. (2) During the 1-year period after date of the enactment of this Act, reports relating to cannabis-related legitimate businesses.

Senate Suggestion 4 – Why is this study limited to looking at whether SARs are effective at identifying transnational criminal organization connections to CRLBs? The study should look at whatever patterns, trends, typologies can be identified from all 5318(g)(5) SARs (as well as CTRs), not just connections to TCOs. This is a lost opportunity.

Senate Suggestion 5 – Comparing the MRB SAR regime to the CRLB SAR regime is a sound idea, but the mechanics or timing are not right. CRLB SARs won’t immediately be filed by financial institutions: FinCEN must first either enact a regulation or issue guidance relating to CRLB SAR filings. The triggering event cannot be until/after the date of enactment of this Act, but until/after a regulation or guidance is published or written.

SEC. 11. BANKING SERVICES FOR HEMP BUSINESSES.

(a) FINDINGS.—The Congress finds that— (1) the Agriculture Improvement Act of 2018 (Public Law 115–334) legalized hemp by removing it from the definition of ‘‘marihuana’’ under the Controlled Substances Act; (2) despite the legalization of hemp, some hemp businesses (including producers, manufacturers, and retailers) continue to have difficulty gaining access to banking products and services; and (3) businesses involved in the sale of hemp-derived cannabidiol (‘‘CBD’’) products are particularly affected, due to confusion about their legal status.

(b) FEDERAL BANKING REGULATOR HEMP BANKING GUIDANCE.—Not later than the end of the 90-day period beginning on the date of enactment of this Act, the Federal banking regulators shall jointly issue guidance to financial institutions—(1) confirming the legality of hemp, hemp-derived CBD products, and other hemp-derived cannabinoid products, and the legality of engaging in financial services with businesses selling hemp, hemp-derived CBD products, and other hemp-derived cannabinoid products, after the enactment of the Agriculture Improvement Act of 2018; and (2) to provide recommended best practices for financial institutions to follow when providing financial services and merchant processing services to businesses involved in the sale of hemp, hemp-derived CBD products, and other hemp-derived cannabinoid products.

Senate Suggestion 6 – See section 7, which calls for FFIEC guidance and exam procedures in 180 days. Why is this section calling for the federal banking regulators to publish best practices within 90 days? Also, if a financial institution knows that its customer is selling unapproved hemp-derived CBD products in violation of the FFD&C Act, is it protected by this section?

Senate Suggestion 7 – Why are merchant processing services called out in this section, and nowhere else? If merchant processing services are not “financial services”, then this is a huge gap in the Act, as (arguably) the most important financial service a CRLB can obtain is merchant services. See section 14(7).

(c) FINANCIAL INSTITUTION DEFINED.—In this section, the term ‘‘financial institution’’ means any person providing financial services.

Senate Suggestion 8 – What is the purpose of subsection (c)?

SEC. 12. APPLICATION OF SAFE HARBORS TO HEMP AND CBD PRODUCTS.

(a) IN GENERAL.—Except as provided under subsection (b), the provisions of this Act (other than sections 6 and 10) shall apply to hemp (including hemp-derived cannabidiol and other hemp-derived cannabinoid products) in the same manner as such provisions apply to cannabis.

Senate Suggestion 9 – The House version excludes hemp from Section 6, the SAR reporting section, and Section 10, the study of SARs to determine if there are any transnational criminal organizations connections to the cannabis industry. Is it the intent of Congress that hemp and hemp products are not covered by the SAR reporting obligations but are otherwise covered by FFIEC guidance and examination procedures?

(b) RULE OF APPLICATION.—In applying the provisions of this Act described under subsection (a) to hemp, the definition of ‘‘cannabis-related legitimate business’’ shall be treated as excluding any requirement to engage in activity pursuant to the law of a State or political subdivision thereof.

(c) HEMP DEFINED.—In this section, the term ‘‘hemp’’ has the meaning given that term under section 297A of the Agricultural Marketing Act of 1946 (7 U.S.C. 1639o).

SEC. 13. REQUIREMENTS FOR DEPOSIT ACCOUNT TERMINATION REQUESTS AND ORDERS.

(a) TERMINATION REQUESTS OR ORDERS MUST BE VALID.—

(1) IN GENERAL.—An appropriate Federal banking agency may not formally or informally request or order a depository institution to terminate a specific customer account or group of customer accounts or to otherwise restrict or discourage a depository institution from entering into or maintaining a banking relationship with a specific customer or group of customers unless— (A) the agency has a valid reason for such request or order; and (B) such reason is not based solely on reputation risk.

(2) TREATMENT OF NATIONAL SECURITY THREATS.—If an appropriate Federal banking agency believes a specific customer or group of customers is, or is acting as a conduit for, an entity which— (A) poses a threat to national security; (B) is involved in terrorist financing; (C) is an agency of the Government of Iran, North Korea, Syria, or any country listed from time to time on the State Sponsors of Terrorism list; (D) is located in, or is subject to the jurisdiction of, any country specified in subparagraph (C); or (E) does business with any entity described in subparagraph (C) or (D), unless the appropriate Federal banking agency determines that the customer or group of customers has used due diligence to avoid doing business with any entity described in subparagraph (C) or (D), such belief shall satisfy the requirement under paragraph (1).

(b) NOTICE REQUIREMENT.—

(1) IN GENERAL.—If an appropriate Federal banking agency formally or informally requests or orders a depository institution to terminate a specific customer account or a group of customer accounts, the agency shall— (A) provide such request or order to the institution in writing; and (B) accompany such request or order with a written justification for why such termination is needed, including any specific laws or regulations the agency believes are being violated by the customer or group of customers, if any.

(2) JUSTIFICATION REQUIREMENT.—A justification described under paragraph (1)(B) may not be based solely on the reputation risk to the depository institution.

(c) CUSTOMER NOTICE.—

(1) NOTICE REQUIRED.—Except as provided under paragraph (2) or as otherwise prohibited from being disclosed by law, if an appropriate Federal banking agency orders a depository institution to terminate a specific customer account or a group of customer accounts, the depository institution shall inform the specific customer or group of customers of the justification for the customer’s account termination described under subsection (b).

(2) NOTICE PROHIBITED.— (A) NOTICE PROHIBITED IN CASES OF NATIONAL SECURITY.—If an appropriate Federal banking agency requests or orders a depository institution to terminate a specific customer account or a group of customer accounts based on a belief that the customer or customers pose a threat to national security, or are otherwise described under subsection (a)(2), neither the depository institution nor the appropriate Federal banking agency may inform the customer or customers of the justification for the customer’s account termination. (B) NOTICE PROHIBITED IN OTHER CASES.—If an appropriate Federal banking agency determines that the notice required under paragraph (1) may interfere with an authorized criminal investigation, neither the depository institution nor the appropriate Federal banking agency may inform the specific customer or group of customers of the justification for the customer’s account termination.

(d) REPORTING REQUIREMENT.—Each appropriate Federal banking agency shall issue an annual report to the Congress stating— (1) the aggregate number of specific customer accounts that the agency requested or ordered a depository institution to terminate during the previous year; and (2) the legal authority on which the agency relied in making such requests and orders and the frequency on which the agency relied on each such authority.

(e) DEFINITIONS.—For purposes of this section: (1) APPROPRIATE FEDERAL BANKING AGENCY.—The term ‘‘appropriate Federal banking agency’’ means— (A) the appropriate Federal banking agency, as defined under section 3 of the Federal Deposit Insurance Act (12 U.S.C. 1813); and (B) the National Credit Union Administration, in the case of an insured credit union. (2) DEPOSITORY INSTITUTION.—The term ‘‘depository institution’’ means— (A) a depository institution, as defined under section 3 of the Federal Deposit Insurance Act (12 U.S.C. 1813); and (B) an insured credit union.

SEC. 14. DEFINITIONS.

In this Act:

(1) BUSINESS OF INSURANCE.—The term ‘‘business of insurance’’ has the meaning given such term in section 1002 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (12 U.S.C. 5481).

(2) CANNABIS.—The term ‘‘cannabis’’ has the meaning given the term ‘‘marihuana’’ in section 102 of the Controlled Substances Act (21 U.S.C. 802).

(3) CANNABIS PRODUCT.—The term ‘‘cannabis product’’ means any article which contains cannabis,  including an article which is a concentrate, an edible, a tincture, a cannabis-infused product, or a topical.

(4) CANNABIS-RELATED LEGITIMATE BUSINESS.—The term ‘‘cannabis-related legitimate business’’ means a manufacturer, producer, or any person or company that— (A) engages in any activity described in subparagraph (B) pursuant to a law established by a State or a political subdivision of a State, as determined by such State or political subdivision; and (B) participates in any business or organized activity that involves handling cannabis or cannabis products, including cultivating, producing, manufacturing, selling, transporting, displaying, dispensing, distributing, or purchasing cannabis or cannabis products.

Senate Suggestion 10 – This appears to be an unnecessarily complicated definition. It could be simplified to: “CRLB “means any person or legal entity that engages in or participates in any business or organized activity pursuant to a law established by a State or a political subdivision of a State, as determined by such State or political subdivision, that involves cultivating, producing, manufacturing, selling, transporting, displaying, dispensing, distributing, or purchasing cannabis or cannabis products.” Does the inclusion of the word “legitimate” mean that those cannabis-related businesses that are in violation of their state-licensing requirements are not covered by the SAFE Banking Act, and banks providing services to those non-legitimate cannabis-related businesses also not protected?

(5) DEPOSITORY INSTITUTION.—The term ‘‘depository institution’’ means— (A) a depository institution as defined in section 3(c) of the Federal Deposit Insurance Act (12 U.S.C. 1813(c)); (B) a Federal credit union as defined in section 101 of the Federal Credit Union Act (12 U.S.C. 1752); or (C) a State credit union as defined in section 101 of the Federal Credit Union Act (12 U.S.C. 1752).

(6) FEDERAL BANKING REGULATOR.—The term ‘‘Federal banking regulator’’ means each of the Board of Governors of the Federal Reserve System, the Bureau of Consumer Financial Protection, the Federal Deposit Insurance Corporation, the Federal Housing Finance Agency, the Financial Crimes Enforcement Network, the Office of Foreign Asset Control, the Office of the Comptroller of the Currency, the National Credit Union Administration, the Department of the Treasury, or any Federal agency or department that regulates banking or financial services, as determined by the Secretary of the Treasury.

(7) FINANCIAL SERVICE.—The term ‘‘financial service’’— (A) means a financial product or service, as defined in section 1002 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (12 U.S.C. 5481); (B) includes the business of insurance; (C) includes, whether performed directly or indirectly, the authorizing, processing, clearing, settling, billing, transferring for deposit, transmitting, delivering, instructing to be delivered, reconciling, collecting, or otherwise effectuating or facilitating of payments or funds, where such payments or funds are made or transferred by any means, including by the use of credit cards, debit cards, other payment cards, or other access devices, accounts, original or substitute checks, or electronic funds transfers; (D) includes acting as a money transmitting business which directly or indirectly makes use of a depository institution in connection with effectuating or facilitating a payment for a cannabis-related legitimate business or service provider in compliance with section 5330 of title 31, United States Code, and any applicable State law; and (E) includes acting as an armored car service for processing and depositing with a depository institution or a Federal reserve bank with respect to any monetary instruments (as defined under section 1956(c)(5) of title 18, United States Code.

Senate Suggestion 11 – See section 7, which provides, in part, “financial services and merchant processing services to businesses involved in the sale of hemp, hemp-derived CBD products, and other hemp-derived cannabinoid products.” This definition of “financial services” appears to include merchant services. Sections 7 and 14 need to be reconciled.

(8) INDIAN COUNTRY.—The term ‘‘Indian country’’ has the meaning given that term in section 1151 of title 18.

(9) INDIAN TRIBE.—The term ‘‘Indian Tribe’’ has the meaning given that term in section 102 of the Federally Recognized Indian Tribe List Act of 1994 (25 U.S.C. 479a).

(10) INSURER.—The term ‘‘insurer’’ has the meaning given that term under section 313(r) of title 31, United States Code.

(11) MANUFACTURER.—The term ‘‘manufacturer’’ means a person who manufactures, compounds, converts, processes, prepares, or packages cannabis or cannabis products.

(12) PRODUCER.—The term ‘‘producer’’ means a person who plants, cultivates, harvests, or in any way facilitates the natural growth of cannabis.

(13) SERVICE PROVIDER.—The term ‘‘service provider’’— (A) means a business, organization, or other person that— (i) sells goods or services to a cannabis-related legitimate business; or (ii) provides any business services, including the sale or lease of real or any other property, legal or other licensed services, or any other ancillary service, relating to cannabis; and (B) does not include a business, organization, or other person that participates in any business or organized activity that involves handling cannabis or cannabis products, including cultivating, producing, manufacturing, selling, transporting, displaying, dispensing, distributing, or purchasing cannabis or cannabis products.

Comment – This is an expansive definition as it includes those that sell a good or service to a CRLB that could have no connection to the actual cannabis business (e.g. is a Starbucks a “service provider” if it sells coffee to budtender?). Perhaps regulations or regulatory guidance will narrow this down.

(14) STATE.—The term ‘‘State’’ means each of the several States, the District of Columbia, Puerto Rico, and any territory or possession of the United States.

SEC. 15. DISCRETIONARY SURPLUS FUNDS.

Section 7(a)(3)(A) of the Federal Reserve Act (12 U.S.C. 289(a)(3)(A)) is amended by striking ‘‘$6,825,000,000’’ and inserting ‘‘$6,821,000,000’’.

SEC. 16. DETERMINATION OF BUDGETARY EFFECTS.

The budgetary effects of this Act, for the purpose of complying with the Statutory Pay-As-You-Go Act of 2010, shall be determined by reference to the latest statement titled ‘‘Budgetary Effects of PAYGO Legislation’’ for this Act, submitted for printing in the Congressional Record by the Chairman of the House Budget Committee, provided that such statement has been submitted prior to the vote on passage.

FinCEN’s BSA Value Project – An Effort to Provide Actionable Information for SAR Filers

Two Million SARs are Filed Every Year … But Which Ones Provide Tactical or Strategic Value to Law Enforcement?

Included in the Director’s remarks was some interesting information on an eight-month old “BSA Value Project” that may have been started because, as Director Blanco remarked, FinCEN has “heard during our discussions that there continues to be a desire for more feedback on what FinCEN is seeing in the BSA data in terms of trends [and] we need to do better SAR analysis for wider trends and typologies …”. Director Blanco noted that “We want to provide more feedback, and we will.”

There has not been much public mention of the BSA Value Project: a quick Google search shows that FinCEN’s Associate Director Andrea Sharrin introduced the BSA Value Project at a Florida International Bankers Association (FIBA) conference on March 12, 2019, and then Director Blanco described it in his August 13th remarks:

In January 2019, FinCEN began an ambitious project to catalogue the value of BSA reporting across the entire value chain of its creation and use. The project will result in a comprehensive and quantitative understanding of the broad value of BSA reporting and other BSA information to all types of consumers of that information.

We already know that BSA data plays a critical role in keeping our country strong, our financial system secure, and our families safe from harm. But FinCEN is using the BSA Value Project to improve how we communicate the way BSA information is valued and used, and to develop metrics to track and measure the value of its use on an ongoing basis. The project has included hundreds of interviews with stakeholder groups, including casinos.

So far, the study has confirmed there are extensive and extremely varied uses of BSA information across all stakeholders (including by the private sector) consistent with their missions.

Almost One in Four FBI and IRS-CI Investigations Use BSA Data

Director Blanco made the following remarks on the usefulness of BSA data:

All FBI subject names are run against the BSA database. More than 21 percent of FBI investigations use BSA data, and for some types of crime, like organized crime, nearly 60 percent of FBI investigations use BSA data. Roughly 20 percent of FBI international terrorism cases utilize BSA data.

The Internal Revenue Service-Criminal Investigation section alone conducts more than 126,000 BSA database inquiries each year. And as much as 24 percent of its investigations involving criminal tax, money laundering, and other BSA violations are directly initiated by, or associated with, a BSA report.

In addition to providing controlled access to the data to law enforcement, FinCEN also proactively pushes certain information to them on critical topics. On a daily basis, FinCEN takes the suspicious activity reports and we run them through several categories of business rules or algorithms to identify reports that merit further review by our analysts.

Our terrorist financing-related business rules alone generate over 1,000 matches each month for review and further dissemination to our law enforcement and regulatory partners in what we call a Flash report. These Flash reports enable the FBI, for example, to identify, track, and disrupt the activities of potential terrorist actors. It is incredibly valuable information.

But Which BSA Filings are Providing Real Value to Law Enforcement?

There is no doubt that the (roughly) 20 million BSA reports that are filed each year provide great value to law enforcement. But questions remain about the utility of those filings, and the costs of preparing them. Some of those questions include: (i) which of those reports provide value? (ii) what kind of value is being provided – tactical and/or strategic? (iii) can financial institutions eliminate the “no value” filings and deploy those resources to higher-value filings? (iv) can financial institutions automate the preparation and filing of the low value filings and deploy those resources to the highest-value filings?

I have written a number of articles on the need for better reporting on the utility of SAR filings. Links to three of them are:

SAR Feedback 314(d) – July 30 2019

BSA Reports and Federal Criminal Cases – June 5 2019

The TSV SAR Feedback Loop – June 4 2019

Conclusion

Kudos to Director Blanco and his FinCEN team for their initiative and efforts around the BSA Value Project. The results of the Project could be a game-changer for the financial industry’s BSA/AML programs. The industry is being inundated with calls to apply machine learning and artificial intelligence to make their AML programs more effective and efficient. But if those institutions don’t know which of their filings provide value, and arguably only one in four is providing value, they cannot effectively use machine learning or AI.

The entire industry is looking forward to the results of FinCEN’s BSA Value Project!

The WayBack Machine … and the Marihuana Problem in New York (circa 1944) – updated with the OFAC Fentanyl Drug Trafficking Organization Designation of August 21, 2019

One of the greatest investigative tools available today is the Internet Archive, a “non-profit library of millions of free books, movies, software, music, websites, and more” – https://archive.org/. The best tool in this online library is the WayBack Machine. It is described as follows:

The Internet Archive has been archiving the web for 20 years and has preserved billions of webpages from millions of websites. These webpages are often made up of, and link to, many images, videos, style sheets, scripts and other web objects. Over the years, the Archive has saved over 510 billion such time-stamped web objects, which we term web captures.

We define a webpage as a valid web capture that is an HTML document, a plain text document, or a PDF.

domain on the web is an owned section of the internet namespace, such as google.com or archive.org or bbc.co.uk. A host on the web is identified by a fully qualified domain name or FQDN that specifies its exact location in the tree hierarchy of the Domain Name System. The FQDN consists of the following parts: hostname and domain name.  As an example, in case of the host blog.archive.org, its hostname is blog and the host is located within the domain archive.org.

We define a website to be a host that has served webpages and has at least one incoming link from a webpage belonging to a different domain.

As of today, the Internet Archive officially holds 273 billion webpages from over 361 million websites, taking up 15 petabytes of storage.

Here’s an example of how the WayBack Machine can be used. In a federal criminal complaint unsealed on August 15, 2019 in the case of United States v Manish Patel (Eastern District of California, case no 19-MJ-0128), the affidavit supporting the complaint provided that the defendant had business cards that showed he was the CEO of The Sentient Law Group PC in New York City, but the website for that entity – http://www.sentientlawgroup.com – as accessed on August 5, 2019 did not show him as CEO.  But by simply typing that URL into the WayBack Machine’s search bar you find every instance of that website that was captured by the WayBack Machine. Viewing the first and last captures (on April 13, 2017 and February 12, 2019) shows the defendant Patel as the CEO, his practice focus areas (including cannabis law, which is ironic given that Patel was charged with multiple counts involving possession with intent to distribute marijuana).  This tool is particularly helpful in online child pornography cases, where defendants move and change websites, and was instrumental in a number of post-9/11 cases, where the English language Al Qaeda website changed dramatically after 9/11 … but its historical web pages remained accessible, thanks to the Internet Archive and its WayBack Machine.

OFAC Designation of the Zheng Drug Trafficking Organization – August 21, 2019

Another great example of the power of the WayBack Machine can be found in a series of federal criminal cases that culminated in OFAC designating the criminal defendants as Foreign Narcotics Kingpins. See the Treasury press release at https://home.treasury.gov/news/press-releases/sm756

One of those designated, Fujing Zheng, was indicted in federal court in Ohio in August 2018 (US v Zhang et al, Northern District of Ohio, case 18CR00474). In that 86-page indictment, the Government alleges that the Zhang organization used a website to market its illegal drugs – www.globalrc.net

What has happened to www.globalrc.net?

If you search for that URL today, you get the following:

As it shows, that domain has been seized by the DEA and is no longer accessible. But the WayBack Machine has captured and saved that website 65 times between April 8, 2009 and February 15, 2019:

And simply by selecting any of the 65 dates, you can access the captured website. An example is from January 6, 2017:

You can see the actual website used by the Zheng DTO back in 2017. A powerful investigative tool!

But there is more to be found on the Internet Archive. The twenty or so archived collections are incredible sources. Here is an example of a document from the “Journals” collection:

https://archive.org/details/TheMarihuanaProblemInTheCityOfNewYork-19441973Edition/page/n19

In 1944, Legendary New York Mayor F.H. LaGuardia commissioned a report to look into “The Marihuana Problem in the City of New York.” The forward is interesting. It provides:

“As Mayor of New York City, it is my duty to foresee and take steps to prevent the development of hazards to the health, safety, and welfare of our citizens. When rumors were recently circulated concerning the smoking of marihuana by large segments of our population and even by school children, I sought advice from The New York Academy of Medicine, as is my custom when confronted with problems of medical import.”

“The report of the present investigation covers every phase of the problem and is of practical value not only to our own city but to communities throughout the country. It is a basic contribution to medicine and pharmacology.”

“I am glad that the sociological, psychological, and medical ills commonly attributed to marihuana have been found to be exaggerated insofar as the City of New York is concerned. I hasten to point out, though, that the findings are to be interpreted only as a reassuring report of progress and not as encouragement to indulgence, for I shall continue to enforce the laws prohibiting the use of marihuana until and if complete findings may justify an amendment to existing laws. The scientific part of the research will be continued in the hope that the drug may prove to possess therapeutic value for the control of drug addiction.”

Try out the Internet Archive!