
Cannabis Banking Legislation – Will the SAFE Banking Act Actually Result in More Banks Providing Financial Services to Marijuana Related Businesses?

In the last two years, the percentage of banks actively banking (federally illegal and unregulated) marijuana related businesses (MRBs) has gone from 5% to more than 10% – why do we need Congress to interfere? Our experience with (federally legal and regulated) money services businesses (MSBs) shows that relief is hard to come by … and may not dramatically increase the number of banks willing to take on MRBs.

I have written three articles on FinCEN’s quarterly “marijuana banking update”. The most recent, published on June 25, 2019, is available at Richards article on FinCEN MRB reports.  Those reports, published by FinCEN since 1Q 2017 and tracking marijuana-related Suspicious Activity Reports (SARs) filed since the FinCEN guidance was published in February 2014, show two broad categories of data: (1) the total number of banks and credit unions that are “actively banking marijuana related businesses”; and (2) the number of each of the three types of SARs that FinCEN has directed financial institutions to file: Marijuana Limited, Marijuana Priority, and Marijuana Termination. I won’t describe what type of activity each type of SAR is meant to report, as the descriptions in the quarterly updates are inconsistent with the actual 2014 guidance. You’ll have to read the articles to find out about those inconsistencies.

I’ve also written about the proposed SAFE Banking Act – Richards article on SAFE Banking Act – which is the Democratic-controlled House of Representatives’ attempt at getting a federal law passed to give financial institutions some comfort that they won’t be sanctioned by their regulatory agencies simply for knowingly providing financial services to (what the bill describes as) “cannabis related legitimate businesses” and “service providers”.

Let’s put those two things together – FinCEN’s quarterly updates on the number of banks and credit unions “actively banking marijuana related businesses”, and the push in Congress (or at least one of the two chambers of Congress) to pass a law to encourage banks and credit unions to knowingly provide financial services to the federally illegal and unregulated “cannabis related legitimate businesses” and their “service providers”.

The most recent (June 2019) FinCEN update is available at FinCEN 2Q 2019 MRB Update. It shows that as of June 30, 2019, there were 553 banks and 162 credit unions “actively banking marijuana related businesses.” (I have put this phrase in quotes because industry experts believe that the number of banks and credit unions that are actively, knowingly providing depository or transactional services to licensed cannabis or marijuana businesses is much less than what FinCEN reports … and closer to 50 than 715. But let’s go with what FinCEN has been publishing.) The slow but steady increase in the number of banks and credit unions providing banking services to MRBs is shown in the FinCEN chart below:

What is not shown, though, is the percentage of banks and credit unions that are providing financial services to marijuana related businesses. Using data provided by the FDIC, which insures all commercial banks and savings institutions, and the NCUA, which insures all credit unions, we can see that (1) the total number of banks and credit unions has been falling, while (2) the total number of banks and credit unions that are providing banking services to MRBs has more than doubled in the last two years:

The total number of banks and credit unions has been dropping over the last 2+ years (by about 9%), while the total number of banks and credit unions providing financial services to MRBs has been going up (by almost 200%). The result is that as of June 2019, about one in ten federally insured banks and more than one in sixteen depository institutions overall, are, according to the Treasury Department, “actively banking marijuana related businesses”. It’s perplexing why relatively so few credit unions are engaged in the MRB space.

Which begs the question: if the percentage of depository institutions actively banking marijuana related business has more than doubled in the last two years, and if one in ten federally insured banks and more than one in sixteen depository institutions overall, are actively banking marijuana related businesses, do we even need Congress to intervene and pass new laws to encourage those depository institutions? New laws mean new regulations. New regulations certainly mean new regulatory guidance and expectations, and probably mean more government expense and oversight.

A fair argument can be made that if only 10% of banks and 3% of credit unions are actively banking marijuana related businesses, we absolutely need Congress (and the President) to step in and pass a law or laws to encourage more banks and credit unions to participate in the marijuana/cannabis industry. But even if a SAFE Banking Act, or equivalent, is passed by Congress and signed into law by the President, regulations and regulatory guidance will still need to be published and written, and banks and credit unions will still need to have a risk-based program with the panoply of required preventative and detective controls. Those programs are expensive to build, more expensive to maintain, and bring uncertain regulatory, legal, and reputational risk to the institution. And, of course, MRBs will still be federally illegal, and remain unregulated by any federal agencies.

Money Services Businesses (MSBs) – a lesson for banking Marijuana Related Businesses (MRBs)?

Money Services Businesses, or MSBs (check cashers, money transmitters, currency exchangers), are all perfectly legal, state-licensed, federally-registered financial institutions that, since 2002, have been required to have their own BSA/AML compliance programs and to report suspicious activity. Just like banks and credit unions. And in March 2005 the financial services regulators issued guidance to the industry on how to provide banking services to MSBs. The FinCEN press release provided the following explanation:

“The Financial Crimes Enforcement Network (“FinCEN”), together with the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration (collectively, the “Federal Banking Agencies”) are jointly issuing this Statement to address our expectations regarding banking institutions’ obligations under the Bank Secrecy Act for money services businesses, such as check cashers and money transmitters. Money services businesses are losing access to banking services as a result of concerns about regulatory scrutiny, the risks presented by money services business accounts, and the costs and burdens associated with maintaining such accounts. Concerns may stem, in part, from a misperception of the requirements of the Bank Secrecy Act, and the erroneous view that money services businesses present a uniform and unacceptably high risk of money laundering or other illicit activity.”

Notwithstanding that MSBs are legal businesses, are federally-regulated, and the regulators have encouraged banks to provide financial services to them, the vast majority of financial institutions today will not bank MSBs. Why? The real or perceived regulatory burdens are too onerous, and the regulatory, legal, and reputational risks are too great. There may be some data on what percentage of banks and credit unions are knowingly, actively banking MSBs, but I haven’t seen it. Anecdotes suggest that less than one in five banks and credit unions have an MSB banking program and are knowingly, actively providing depository and transactional services for MSBs.

So if less than one in five depository institutions are banking federally legal and regulated Money Services Businesses more than fifteen years after being given a Congressional “green light”, and if the percentage of depository institutions banking federally illegal and unregulated Marijuana Related Businesses has more than doubled in the last two years to one in sixteen … do we really need Congress to pass a law encouraging depository institutions to bank these illegal, unregulated businesses, or do we simply wait until marijuana is federally legal, and then regulate the marijuana industry … hopefully better than we’ve done with the money services industry?

In December 2018 I proposed an idea to provide relief to depository institutions looking at knowingly, actively providing financial services to MRBs: have the regulatory agencies publish guidance that would treat MRBs like MSBs. The idea was simple … replace the terms “money services business” and “MSB” in the interagency 2005 guidance on MSBs, with “marijuana related business” and “MRB”. At least we might find that 20% of banks and credit unions would be able to balance the meager rewards with the uncertain risks and provide financial services to marijuana related businesses. See Richards – 2005 MSB Guidance = 2019 MRB Guidance

Cryptocurrencies – A New Crypto Rating Council Tries to Handicap the Likelihood a Cryptocurrency is a Security

Crypto Rating Council

A group of crypto financial services firms and exchanges has formed the Crypto Rating Council, or CRC, “to create a framework to consistently and objectively assess whether any given crypto asset has characteristics that make it more or less likely to be classified as a security under the U.S. federal securities laws.” See their website at https://www.cryptoratingcouncil.com/#about-us

The founding members of the Crypto Rating Council are Anchorage, Bittrex, Circle Financial, Coinbase, Cumberland, Genesis, Grayscale, and Kraken.

According to the website:

“The important question of whether any given digital asset is a security—as opposed to a commodity, a currency, or something else—informs critical licensing, registration, and operating obligations for financial services firms that support cryptocurrency. The U.S. Securities & Exchange Commission has issued guidance that some crypto assets may be securities while others may not be.”

That guidance began with a Report of Investigation the SEC released in 2017 – https://www.sec.gov/litigation/investreport/34-81207.pdf and continued with Guidance on Initial Coin Offerings published on April 3, 2019 – https://www.sec.gov/news/public-statement/statement-framework-investment-contract-analysis-digital-assets

As the CRC notes:

“While the SEC’s guidance has been helpful in alerting the industry to complex legal issues, determining whether any particular token is a security remains highly circumstantial and difficult to resolve even with the help of leading legal and technical experts. This complexity has led to expensive, redundant, and frequently inconsistent compliance analysis among financial services firms and has generally slowed the launch of new cryptocurrency assets in the U.S.”

And

“The question of whether a crypto asset is a security—as opposed to a currency, a commodity, or something else—may trigger registration, licensing, and other operating obligations for financial services firms that offer digital asset services like exchange, investment management, and trading. Under federal U.S. law, this important question is generally answered by applying the four-factor Howey test, which requires painstaking “facts and circumstances” analysis which often leads to judgment calls, inconsistent results, and can lead to disagreement among legal experts (and government officials). The founding members formed the CRC to create a compliance tool which, in partnership with securities law experts, allows the members to consistently review assets supported in the ordinary course of their respective businesses.”

In addition to slowing the launch of new cryptocurrency assets in the US, there have been dozens (hundreds) of digital asset/ICO enforcement actions filed by the SEC. A list of those actions is available at https://www.sec.gov/spotlight/cybersecurity-enforcement-actions

So, as a result of this confusion, the Crypto Rating Council was formed “to create a framework to consistently and objectively assess whether any given crypto asset has characteristics that make it more or less likely to be classified as a security under the U.S. federal securities laws.”

The Securities Rating Framework

According to the CRC, its securities rating framework is “a points-based rating system built upon a set of factual questions that assess each element of the legal test to determine whether an asset is a security. Our framework is derived directly from case law and SEC guidance and has been structured to emphasize objective, repeatable, and fact-driven responses that can be answered more consistently across different assets and across the same asset over time.”

In its FAQs section, the CRC described its securities rating framework as follows:

“At the core of the Council’s work is a points-based rating system centered around a set of factual questions. Working with legal and technical experts and members of the community, the CRC distilled a set of yes or no questions which are designed to plainly address each of the four, Howey test factors: (i) whether crypto purchasers invested money, (ii) in a “common enterprise”, (iii) with a reasonable expectation of profit, (iv) based on the efforts of others. The questions are tailored to assess the characteristics most likely to impact any given crypto asset’s treatment under the securities laws. These characteristics include circumstances of the asset’s issuance, governance features, third-party contributions to the project, and practical use of the asset by the general public. The questions are also structured to allow for objective, repeatable, and fact-driven responses that can be answered consistently across different assets and across the same asset over time.”

The Rating Explained

Again, according to the FAQs:

“Each question in the framework is assigned a points-based weighting to reflect its relative importance, the sum of which create scores for each Howey factor. Those scores are then scaled into a final rating between 1 and 5. A score of 5 results when an asset appears to have many characteristics that are consistent with the Howey-test factors. It is probably more likely, relative to lower-scored assets, to implicate the U.S. securities laws. A score of 1 results when an asset appears to have few characteristics that are consistent with the Howey-test factors. It is probably less likely, relative to higher-scored assets, to implicate the U.S. securities laws.”

How Did The Cryptocurrencies Fare Under the Rating System?

A useful graph published online (is “published online” necessary in 2019, or will “published” suffice?) by TheBlockCrypto.com provides the results of the CRC’s first efforts:

We can spotlight three of these to see how the scores were determined at a high level: Bitcoin at 1.00 (definitely not a security), Ethereum at 2.00 (probably not a security), and XRP at 4.00 (likely to be a security).

 

SAFE Banking Act of 2019 – Some Suggestions for the Senate

The SAFE Banking Act, HR 1595, was approved by the House on September 25, 2019. As written, it is a “bill to create protections for depository institutions that provide financial services to cannabis-related legitimate businesses and service providers for such businesses, and for other purposes.” There has been much written about the SAFE Banking Act, but as I went through it, I saw a number of things that need to be addressed.  So below are some general comments and observations – written in blue italics – and some suggestions for the Senate – written in red bold italics – as the Senate considers what, if any, changes to make to the House version, and whether to actually vote on their version of the SAFE Banking Act.

The link to the text is SAFE Banking Act – congress.gov

SAFE Banking Act, HR 1595 as approved by the House of Representatives, September 25, 2019

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; PURPOSE.

(a) SHORT TITLE.—This Act may be cited as the ‘‘Secure And Fair Enforcement Banking Act of 2019’’ or the ‘‘SAFE Banking Act of 2019’’.

(b) PURPOSE.—The purpose of this Act is to increase public safety by ensuring access to financial services to cannabis-related legitimate businesses and service providers and reducing the amount of cash at such businesses.

Comment – The purpose statement focuses on public safety and getting cash out of cannabis businesses. But there is very little else in the Act that specifically addresses public safety or cash. Note the modifier “legitimate” (see section 14 definition).

SEC. 2. SAFE HARBOR FOR DEPOSITORY INSTITUTIONS.

(a) IN GENERAL.—A Federal banking regulator may not—

(1) terminate or limit the deposit insurance or share insurance of a depository institution under the Federal Deposit Insurance Act (12 U.S.C. 1811 et seq.), the Federal Credit Union Act (12 U.S.C. 1751 et seq.), or take any other adverse action against a depository institution under section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818) solely because the depository institution provides or has provided financial services to a cannabis-related legitimate business or service provider;

(2) prohibit, penalize, or otherwise discourage a depository institution from providing financial services to a cannabis-related legitimate business or service provider or to a State, political subdivision of a State, or Indian Tribe that exercises jurisdiction over cannabis-related legitimate businesses;

Comment – Section 2 is clearly a safe harbor from actions taken by a federal banking regulator – not from the Department of Justice. Compare this to section 4’s broader protections. Note that 12 USC 1818 is the “cease and desist” section. The phrase “solely because” is significant: the intent and effect of this is that a federal banking regulator can bring an adverse action against a depository institution providing financial services to a cannabis-related legitimate business if that institution otherwise violates banking laws or regulations.

(3) recommend, incentivize, or encourage a depository institution not to offer financial services to an account holder, or to downgrade or cancel the financial services offered to an account holder solely because— (A) the account holder is a cannabis-related legitimate business or service provider, or is an employee, owner, or operator of a cannabis-related legitimate business or service provider; (B) the account holder later becomes an employee, owner, or operator of a cannabis-related legitimate business or service provider; or (C) the depository institution was not aware that the account holder is an employee, owner, or operator of a cannabis-related legitimate business or service provider;

Comment – Section 2(a)(3) introduces protections for account holders who are employees, owners, and operators. Also, note that (2) provides that regulators cannot discourage financial institutions from providing services, and (3) provides that regulators cannot encourage financial institutions not to provide services. What was the legislative intent?

(4) take any adverse or corrective supervisory action on a loan made to— (A) a cannabis-related legitimate business or service provider, solely because the business is a cannabis-related legitimate business or service provider; (B) an employee, owner, or operator of a cannabis-related legitimate business or service provider, solely because the employee, owner, or operator is employed by, owns, or operates a cannabis-related legitimate business or service provider, as applicable; or (C) an owner or operator of real estate or equipment that is leased to a cannabis-related legitimate business or service provider, solely because the owner or operator of the real estate or equipment leased the equipment or real estate to a cannabis-related legitimate business or service provider, as applicable; or

(5) prohibit or penalize a depository institution (or entity performing a financial service for or in association with a depository institution) for, or otherwise discourage a depository institution (or entity performing a financial service for or in association with a depository institution) from, engaging in a financial service for a cannabis-related legitimate business or service provider.

(b) SAFE HARBOR APPLICABLE TO DE NOVO INSTITUTIONS.—Subsection (a) shall apply to an institution applying for a depository institution charter to the same extent as such subsection applies to a depository institution.

Comment – Section 2(a)(5) is interesting with the addition of “(or entity performing a financial service for or in association with a depository institution) …”. Subsections 2(a)(2) and (5) could be combined without loss of meaning.

SEC. 3. PROTECTIONS FOR ANCILLARY BUSINESSES.

For the purposes of sections 1956 and 1957 of title 18, United States Code, and all other provisions of Federal law, the proceeds from a transaction involving activities of a cannabis-related legitimate business or service provider shall not be considered proceeds from an unlawful activity solely because—

(1) the transaction involves proceeds from a cannabis-related legitimate business or service provider; or

(2) the transaction involves proceeds from— (A) cannabis-related activities described in section 14(4)(B) conducted by a cannabis-related legitimate business; or (B) activities described in section 14(13)(A) conducted by a service provider.

Senate Suggestion 1 – The title of section 3 is the only reference to “ancillary businesses”. This is a left-over from the original SAFE Banking Act. This section should be changed to “Protections from Federal Laws Relating to Specified Unlawful Activity”.

SEC. 4. PROTECTIONS UNDER FEDERAL LAW.

(a) IN GENERAL.—With respect to providing a financial service to a cannabis-related legitimate business or service provider within a State, political subdivision of a State, or Indian country that allows the cultivation, production, manufacture, sale, transportation, display, dispensing, distribution, or purchase of cannabis pursuant to a law or regulation of such State, political subdivision, or Indian Tribe that has jurisdiction over the Indian country, as applicable, a depository institution, entity performing a financial service for or in association with a depository institution, or insurer that provides a financial service to a cannabis-related legitimate business or service provider, and the officers, directors, and employees of that depository institution, entity, or insurer may not be held liable pursuant to any Federal law or regulation— (1) solely for providing such a financial service; or (2) for further investing any income derived from such a financial service.

Comment – Section 4’s protections extend more broadly than the narrower section 2 safe harbor, notably because individuals are protected.

(b) PROTECTIONS FOR FEDERAL RESERVE BANKS AND FEDERAL HOME LOAN BANKS.—With respect to providing a service to a depository institution that provides a financial service to a cannabis-related legitimate business or service provider (where such financial service is provided within a State, political subdivision of a State, or Indian country that allows the cultivation, production, manufacture, sale, transportation, display, dispensing, distribution, or purchase of cannabis pursuant to a law or regulation of such State, political subdivision, or Indian Tribe that has jurisdiction over the Indian country, as applicable), a Federal reserve bank or Federal Home Loan Bank, and the officers, directors, and employees of the Federal reserve bank or Federal Home Loan Bank, may not be held liable pursuant to any Federal law or regulation— (1) solely for providing such a service; or (2) for further investing any income derived from such a service.

(c) PROTECTIONS FOR INSURERS.—With respect to engaging in the business of insurance within a State, political subdivision of a State, or Indian country that allows the cultivation, production, manufacture, sale, transportation, display, dispensing, distribution, or purchase of cannabis pursuant to a law or regulation of such State, political subdivision, or Indian Tribe that has jurisdiction over the Indian country, as applicable, an insurer that engages in the business of insurance with a cannabis-related legitimate business or service provider or who otherwise engages with a person in a transaction permissible under State law related to cannabis, and the officers, directors, and employees of that insurer may not be held liable pursuant to any Federal law or regulation— (1) solely for engaging in the business of insurance; or (2) for further investing any income derived from the business of insurance.

(d) FORFEITURE.— (1) DEPOSITORY INSTITUTIONS.—A depository institution that has a legal interest in the collateral for a loan or another financial service provided to an owner, employee, or operator of a cannabis-related legitimate business or service provider, or to an owner or operator of real estate or equipment that is leased or sold to a cannabis-related legitimate business or service provider, shall not be subject to criminal, civil, or administrative forfeiture of that legal interest pursuant to any Federal law for providing such loan or other financial service. (2) FEDERAL RESERVE BANKS AND FEDERAL HOME LOAN BANKS.—A Federal reserve bank or Federal Home Loan Bank that has a legal interest in the collateral for a loan or another financial service provided to a depository institution that provides a financial service to a cannabis-related legitimate business or service provider, or to an owner or operator of real estate or equipment that is leased or sold to a cannabis-related legitimate business or service provider, shall not be subject to criminal, civil, or administrative forfeiture of that legal interest pursuant to any Federal law for providing such loan or other financial service.

SEC. 5. RULES OF CONSTRUCTION.

(a) NO REQUIREMENT TO PROVIDE FINANCIAL SERVICES.—Nothing in this Act shall require a depository institution, entity performing a financial service for or in association with a depository institution, or insurer to provide financial services to a cannabis-related legitimate business, service provider, or any other business.

(b) GENERAL EXAMINATION, SUPERVISORY, AND ENFORCEMENT AUTHORITY.—Nothing in this Act may be construed in any way as limiting or otherwise restricting the general examination, supervisory, and enforcement authority of the Federal banking regulators, provided that the basis for any supervisory or enforcement action is not the provision of financial services to a cannabis-related legitimate business or service provider.

Comment – Section 5(a) allows financial service providers to decide not to engage with cannabis-related legitimate businesses or service providers. It does not extend that to the employees, officers, or operators of those businesses, though. Section 5(b) gives teeth to the section 2 safe harbor language (“solely because the depository institution provides or has provided financial services to a cannabis-related legitimate business or service provider”). However, section 5(b) could be better written by including the “solely” term.

SEC. 6. REQUIREMENTS FOR FILING SUSPICIOUS ACTIVITY REPORTS.

Section 5318(g) of title 31, United States Code, is amended by adding at the end the following:

‘‘(5) REQUIREMENTS FOR CANNABIS-RELATED LEGITIMATE BUSINESSES.—

‘‘(A) IN GENERAL.—With respect to a financial institution or any director, officer, employee, or agent of a financial institution that reports a suspicious transaction pursuant to this subsection, if the reason for the report relates to a cannabis-related legitimate business or service provider, the report shall comply with appropriate guidance issued by the Financial Crimes Enforcement Network. The Secretary shall ensure that the guidance is consistent with the purpose and intent of the SAFE Banking Act of 2019 and does not significantly inhibit the provision of financial services to a cannabis-related legitimate business or service provider in a State, political subdivision of a State, or Indian country that has allowed the cultivation, production, manufacture, transportation, display, dispensing, distribution, sale, or purchase of cannabis pursuant to law or regulation of such State, political subdivision, or Indian Tribe that has jurisdiction over the Indian country.

Senate Suggestion 2 – Section 6 adds a new subsection (5). Subsection (1) doesn’t change: it provides “The Secretary may require any financial institution, and any director, officer, employee, or agent of any financial institution, to report any suspicious transaction relevant to a possible violation of law or regulation.” This section calls for “guidance” from FinCEN, not a regulation or regulations. First, is this the existing (2014) FinCEN guidance, or does it contemplate new, yet to be issued, guidance? If the latter, there is no time frame for issuing such guidance. I would make this clear: FinCEN guidance to be issued within 180 days. Compare this to section 7. And see comments on section 10. Second, question whether that guidance would satisfy the Administrative Procedure Act. See the (excellent) testimony of Margaret (Meg) Tahyar: https://www.banking.senate.gov/imo/media/doc/Tahyar%20Testimony%204-30-19.pdf and the federal banking regulators’ Interagency Statement on Clarifying the Role of Supervisory Guidance, https://www.fdic.gov/news/news/press/2018/pr18059a.pdf

‘‘(B) DEFINITIONS.—For purposes of this paragraph: ‘‘(i) CANNABIS.—The term ‘cannabis’ has the meaning given the term ‘marihuana’ in section 102 of the Controlled Substances Act (21 U.S.C. 802). ‘‘(ii) CANNABIS-RELATED LEGITIMATE BUSINESS.—The term ‘cannabis-related legitimate business’ has the meaning given that term in section of the SAFE Banking Act of 2019. ‘‘(iii) INDIAN COUNTRY.—The term ‘Indian country’ has the meaning given that term in section 1151 of title 18. ‘‘(iv) INDIAN TRIBE.—The term ‘Indian Tribe’ has the meaning given that term in section 102 of the Federally Recognized Indian Tribe List Act of 1994 (25 U.S.C. 479a). ‘‘(v) FINANCIAL SERVICE.—The term ‘financial service’ has the meaning given that term in section 14 of the SAFE Banking Act of 2019. ‘‘(vi) SERVICE PROVIDER.—The term ‘service provider’ has the meaning given that term in section 14 of the SAFE Banking Act of 2019. ‘‘(vii) STATE.—The term ‘State’ means each of the several States, the District of Columbia, Puerto Rico, and any territory or possession of the United States.’’.

SEC. 7. GUIDANCE AND EXAMINATION PROCEDURES.

Not later than 180 days after the date of enactment of this Act, the Financial Institutions Examination Council shall develop uniform guidance and examination procedures for depository institutions that provide financial services to cannabis-related legitimate businesses and service providers.

Senate Suggestion 3 – See the comments for section 6. Between these two sections, CRLB/SP program requirements, including SAR reporting guidance, won’t be available to financial institutions for ~6 months after the enactment of the Act. That creates problems for the section 10 report. And why is this language – FFIEC guidance and exam procedures in 180 days – different than the similar hemp section 11(b) – federal banking regulators to publish best practices within 90 days?

SEC. 8. ANNUAL DIVERSITY AND INCLUSION REPORT.

The Federal banking regulators shall issue an annual report to Congress containing—

(1) information and data on the availability of access to financial services for minority-owned and women-owned cannabis-related legitimate businesses; and

(2) any regulatory or legislative recommendations for expanding access to financial services for minority-owned and women-owned cannabis-related legitimate businesses.

SEC. 9. GAO STUDY ON DIVERSITY AND INCLUSION.

(a) STUDY.—The Comptroller General of the United States shall carry out a study on the barriers to market-place entry, including in the licensing process, and the access to financial services for potential and existing minority-owned and women-owned cannabis-related legitimate businesses.

(b) REPORT.—The Comptroller General shall issue a report to the Congress—(1) containing all findings and determinations made in carrying out the study required under subsection (a); and (2) containing any regulatory or legislative recommendations for removing barriers to marketplace entry, including in the licensing process, and expanding access to financial services for potential and existing minority-owned and women-owned cannabis-related legitimate businesses.

SEC. 10. GAO STUDY ON EFFECTIVENESS OF CERTAIN REPORTS ON FINDING CERTAIN PERSONS.

Not later than 2 years after the date of the enactment of this Act, the Comptroller General of the United States shall carry out a study on the effectiveness of reports on suspicious transactions filed pursuant to section 5318(g) of title 31, United States Code, at finding individuals or organizations suspected or known to be engaged with transnational criminal organizations and whether any such engagement exists in a State, political subdivision, or Indian Tribe that has jurisdiction over Indian country that allows the cultivation, production, manufacture, sale, transportation, display, dispensing, distribution, or purchase of cannabis. The study shall examine reports on suspicious transactions as follows: (1) During the period of 2014 until the date of the enactment of this Act, reports relating to marijuana-related businesses. (2) During the 1-year period after date of the enactment of this Act, reports relating to cannabis-related legitimate businesses.

Senate Suggestion 4 – Why is this study limited to looking at whether SARs are effective at identifying transnational criminal organization connections to CRLBs? The study should look at whatever patterns, trends, typologies can be identified from all 5318(g)(5) SARs (as well as CTRs), not just connections to TCOs. This is a lost opportunity.

Senate Suggestion 5 – Comparing the MRB SAR regime to the CRLB SAR regime is a sound idea, but the mechanics or timing are not right. CRLB SARs won’t immediately be filed by financial institutions: FinCEN must first either enact a regulation or issue guidance relating to CRLB SAR filings. The triggering event should be not the date of enactment of this Act, but the date a regulation or guidance is published or written.

SEC. 11. BANKING SERVICES FOR HEMP BUSINESSES.

(a) FINDINGS.—The Congress finds that— (1) the Agriculture Improvement Act of 2018 (Public Law 115–334) legalized hemp by removing it from the definition of ‘‘marihuana’’ under the Controlled Substances Act; (2) despite the legalization of hemp, some hemp businesses (including producers, manufacturers, and retailers) continue to have difficulty gaining access to banking products and services; and (3) businesses involved in the sale of hemp-derived cannabidiol (‘‘CBD’’) products are particularly affected, due to confusion about their legal status.

(b) FEDERAL BANKING REGULATOR HEMP BANKING GUIDANCE.—Not later than the end of the 90-day period beginning on the date of enactment of this Act, the Federal banking regulators shall jointly issue guidance to financial institutions—(1) confirming the legality of hemp, hemp-derived CBD products, and other hemp-derived cannabinoid products, and the legality of engaging in financial services with businesses selling hemp, hemp-derived CBD products, and other hemp-derived cannabinoid products, after the enactment of the Agriculture Improvement Act of 2018; and (2) to provide recommended best practices for financial institutions to follow when providing financial services and merchant processing services to businesses involved in the sale of hemp, hemp-derived CBD products, and other hemp-derived cannabinoid products.

Senate Suggestion 6 – See section 7, which calls for FFIEC guidance and exam procedures in 180 days. Why is this section calling for the federal banking regulators to publish best practices within 90 days? Also, if a financial institution knows that its customer is selling unapproved hemp-derived CBD products in violation of the FFD&C Act, is it protected by this section?

Senate Suggestion 7 – Why are merchant processing services called out in this section, and nowhere else? If merchant processing services are not “financial services”, then this is a huge gap in the Act, as (arguably) the most important financial service a CRLB can obtain is merchant services. See section 14(7).

(c) FINANCIAL INSTITUTION DEFINED.—In this section, the term ‘‘financial institution’’ means any person providing financial services.

Senate Suggestion 8 – What is the purpose of subsection (c)?

SEC. 12. APPLICATION OF SAFE HARBORS TO HEMP AND CBD PRODUCTS.

(a) IN GENERAL.—Except as provided under subsection (b), the provisions of this Act (other than sections 6 and 10) shall apply to hemp (including hemp-derived cannabidiol and other hemp-derived cannabinoid products) in the same manner as such provisions apply to cannabis.

Senate Suggestion 9 – The House version excludes hemp from Section 6, the SAR reporting section, and Section 10, the study of SARs to determine if there are any transnational criminal organizations connections to the cannabis industry. Is it the intent of Congress that hemp and hemp products are not covered by the SAR reporting obligations but are otherwise covered by FFIEC guidance and examination procedures?

(b) RULE OF APPLICATION.—In applying the provisions of this Act described under subsection (a) to hemp, the definition of ‘‘cannabis-related legitimate business’’ shall be treated as excluding any requirement to engage in activity pursuant to the law of a State or political subdivision thereof.

(c) HEMP DEFINED.—In this section, the term ‘‘hemp’’ has the meaning given that term under section 297A of the Agricultural Marketing Act of 1946 (7 U.S.C. 1639o).

SEC. 13. REQUIREMENTS FOR DEPOSIT ACCOUNT TERMINATION REQUESTS AND ORDERS.

(a) TERMINATION REQUESTS OR ORDERS MUST BE VALID.—

(1) IN GENERAL.—An appropriate Federal banking agency may not formally or informally request or order a depository institution to terminate a specific customer account or group of customer accounts or to otherwise restrict or discourage a depository institution from entering into or maintaining a banking relationship with a specific customer or group of customers unless— (A) the agency has a valid reason for such request or order; and (B) such reason is not based solely on reputation risk.

(2) TREATMENT OF NATIONAL SECURITY THREATS.—If an appropriate Federal banking agency believes a specific customer or group of customers is, or is acting as a conduit for, an entity which— (A) poses a threat to national security; (B) is involved in terrorist financing; (C) is an agency of the Government of Iran, North Korea, Syria, or any country listed from time to time on the State Sponsors of Terrorism list; (D) is located in, or is subject to the jurisdiction of, any country specified in subparagraph (C); or (E) does business with any entity described in subparagraph (C) or (D), unless the appropriate Federal banking agency determines that the customer or group of customers has used due diligence to avoid doing business with any entity described in subparagraph (C) or (D), such belief shall satisfy the requirement under paragraph (1).

(b) NOTICE REQUIREMENT.—

(1) IN GENERAL.—If an appropriate Federal banking agency formally or informally requests or orders a depository institution to terminate a specific customer account or a group of customer accounts, the agency shall— (A) provide such request or order to the institution in writing; and (B) accompany such request or order with a written justification for why such termination is needed, including any specific laws or regulations the agency believes are being violated by the customer or group of customers, if any.

(2) JUSTIFICATION REQUIREMENT.—A justification described under paragraph (1)(B) may not be based solely on the reputation risk to the depository institution.

(c) CUSTOMER NOTICE.—

(1) NOTICE REQUIRED.—Except as provided under paragraph (2) or as otherwise prohibited from being disclosed by law, if an appropriate Federal banking agency orders a depository institution to terminate a specific customer account or a group of customer accounts, the depository institution shall inform the specific customer or group of customers of the justification for the customer’s account termination described under subsection (b).

(2) NOTICE PROHIBITED.— (A) NOTICE PROHIBITED IN CASES OF NATIONAL SECURITY.—If an appropriate Federal banking agency requests or orders a depository institution to terminate a specific customer account or a group of customer accounts based on a belief that the customer or customers pose a threat to national security, or are otherwise described under subsection (a)(2), neither the depository institution nor the appropriate Federal banking agency may inform the customer or customers of the justification for the customer’s account termination. (B) NOTICE PROHIBITED IN OTHER CASES.—If an appropriate Federal banking agency determines that the notice required under paragraph (1) may interfere with an authorized criminal investigation, neither the depository institution nor the appropriate Federal banking agency may inform the specific customer or group of customers of the justification for the customer’s account termination.

(d) REPORTING REQUIREMENT.—Each appropriate Federal banking agency shall issue an annual report to the Congress stating— (1) the aggregate number of specific customer accounts that the agency requested or ordered a depository institution to terminate during the previous year; and (2) the legal authority on which the agency relied in making such requests and orders and the frequency on which the agency relied on each such authority.

(e) DEFINITIONS.—For purposes of this section: (1) APPROPRIATE FEDERAL BANKING AGENCY.—The term ‘‘appropriate Federal banking agency’’ means— (A) the appropriate Federal banking agency, as defined under section 3 of the Federal Deposit Insurance Act (12 U.S.C. 1813); and (B) the National Credit Union Administration, in the case of an insured credit union. (2) DEPOSITORY INSTITUTION.—The term ‘‘depository institution’’ means— (A) a depository institution, as defined under section 3 of the Federal Deposit Insurance Act (12 U.S.C. 1813); and (B) an insured credit union.

SEC. 14. DEFINITIONS.

In this Act:

(1) BUSINESS OF INSURANCE.—The term ‘‘business of insurance’’ has the meaning given such term in section 1002 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (12 U.S.C. 5481).

(2) CANNABIS.—The term ‘‘cannabis’’ has the meaning given the term ‘‘marihuana’’ in section 102 of the Controlled Substances Act (21 U.S.C. 802).

(3) CANNABIS PRODUCT.—The term ‘‘cannabis product’’ means any article which contains cannabis, including an article which is a concentrate, an edible, a tincture, a cannabis-infused product, or a topical.

(4) CANNABIS-RELATED LEGITIMATE BUSINESS.—The term ‘‘cannabis-related legitimate business’’ means a manufacturer, producer, or any person or company that— (A) engages in any activity described in subparagraph (B) pursuant to a law established by a State or a political subdivision of a State, as determined by such State or political subdivision; and (B) participates in any business or organized activity that involves handling cannabis or cannabis products, including cultivating, producing, manufacturing, selling, transporting, displaying, dispensing, distributing, or purchasing cannabis or cannabis products.

Senate Suggestion 10 – This appears to be an unnecessarily complicated definition. It could be simplified to: “‘CRLB’ means any person or legal entity that engages in or participates in any business or organized activity pursuant to a law established by a State or a political subdivision of a State, as determined by such State or political subdivision, that involves cultivating, producing, manufacturing, selling, transporting, displaying, dispensing, distributing, or purchasing cannabis or cannabis products.” Does the inclusion of the word “legitimate” mean that those cannabis-related businesses that are in violation of their state-licensing requirements are not covered by the SAFE Banking Act, and that banks providing services to those non-legitimate cannabis-related businesses are also not protected?

(5) DEPOSITORY INSTITUTION.—The term ‘‘depository institution’’ means— (A) a depository institution as defined in section 3(c) of the Federal Deposit Insurance Act (12 U.S.C. 1813(c)); (B) a Federal credit union as defined in section 101 of the Federal Credit Union Act (12 U.S.C. 1752); or (C) a State credit union as defined in section 101 of the Federal Credit Union Act (12 U.S.C. 1752).

(6) FEDERAL BANKING REGULATOR.—The term ‘‘Federal banking regulator’’ means each of the Board of Governors of the Federal Reserve System, the Bureau of Consumer Financial Protection, the Federal Deposit Insurance Corporation, the Federal Housing Finance Agency, the Financial Crimes Enforcement Network, the Office of Foreign Asset Control, the Office of the Comptroller of the Currency, the National Credit Union Administration, the Department of the Treasury, or any Federal agency or department that regulates banking or financial services, as determined by the Secretary of the Treasury.

(7) FINANCIAL SERVICE.—The term ‘‘financial service’’— (A) means a financial product or service, as defined in section 1002 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (12 U.S.C. 5481); (B) includes the business of insurance; (C) includes, whether performed directly or indirectly, the authorizing, processing, clearing, settling, billing, transferring for deposit, transmitting, delivering, instructing to be delivered, reconciling, collecting, or otherwise effectuating or facilitating of payments or funds, where such payments or funds are made or transferred by any means, including by the use of credit cards, debit cards, other payment cards, or other access devices, accounts, original or substitute checks, or electronic funds transfers; (D) includes acting as a money transmitting business which directly or indirectly makes use of a depository institution in connection with effectuating or facilitating a payment for a cannabis-related legitimate business or service provider in compliance with section 5330 of title 31, United States Code, and any applicable State law; and (E) includes acting as an armored car service for processing and depositing with a depository institution or a Federal reserve bank with respect to any monetary instruments (as defined under section 1956(c)(5) of title 18, United States Code).

Senate Suggestion 11 – See section 7, which provides, in part, “financial services and merchant processing services to businesses involved in the sale of hemp, hemp-derived CBD products, and other hemp-derived cannabinoid products.” This definition of “financial services” appears to include merchant services. Sections 7 and 14 need to be reconciled.

(8) INDIAN COUNTRY.—The term ‘‘Indian country’’ has the meaning given that term in section 1151 of title 18.

(9) INDIAN TRIBE.—The term ‘‘Indian Tribe’’ has the meaning given that term in section 102 of the Federally Recognized Indian Tribe List Act of 1994 (25 U.S.C. 479a).

(10) INSURER.—The term ‘‘insurer’’ has the meaning given that term under section 313(r) of title 31, United States Code.

(11) MANUFACTURER.—The term ‘‘manufacturer’’ means a person who manufactures, compounds, converts, processes, prepares, or packages cannabis or cannabis products.

(12) PRODUCER.—The term ‘‘producer’’ means a person who plants, cultivates, harvests, or in any way facilitates the natural growth of cannabis.

(13) SERVICE PROVIDER.—The term ‘‘service provider’’— (A) means a business, organization, or other person that— (i) sells goods or services to a cannabis-related legitimate business; or (ii) provides any business services, including the sale or lease of real or any other property, legal or other licensed services, or any other ancillary service, relating to cannabis; and (B) does not include a business, organization, or other person that participates in any business or organized activity that involves handling cannabis or cannabis products, including cultivating, producing, manufacturing, selling, transporting, displaying, dispensing, distributing, or purchasing cannabis or cannabis products.

Comment – This is an expansive definition as it includes those that sell a good or service to a CRLB that could have no connection to the actual cannabis business (e.g. is a Starbucks a “service provider” if it sells coffee to a budtender?). Perhaps regulations or regulatory guidance will narrow this down.

(14) STATE.—The term ‘‘State’’ means each of the several States, the District of Columbia, Puerto Rico, and any territory or possession of the United States.

SEC. 15. DISCRETIONARY SURPLUS FUNDS.

Section 7(a)(3)(A) of the Federal Reserve Act (12 U.S.C. 289(a)(3)(A)) is amended by striking ‘‘$6,825,000,000’’ and inserting ‘‘$6,821,000,000’’.

SEC. 16. DETERMINATION OF BUDGETARY EFFECTS.

The budgetary effects of this Act, for the purpose of complying with the Statutory Pay-As-You-Go Act of 2010, shall be determined by reference to the latest statement titled ‘‘Budgetary Effects of PAYGO Legislation’’ for this Act, submitted for printing in the Congressional Record by the Chairman of the House Budget Committee, provided that such statement has been submitted prior to the vote on passage.

FinCEN’s BSA Value Project – An Effort to Provide Actionable Information for SAR Filers

Two Million SARs are Filed Every Year … But Which Ones Provide Tactical or Strategic Value to Law Enforcement?

Included in the Director’s remarks was some interesting information on an eight-month old “BSA Value Project” that may have been started because, as Director Blanco remarked, FinCEN has “heard during our discussions that there continues to be a desire for more feedback on what FinCEN is seeing in the BSA data in terms of trends [and] we need to do better SAR analysis for wider trends and typologies …”. Director Blanco noted that “We want to provide more feedback, and we will.”

There has not been much public mention of the BSA Value Project: a quick Google search shows that FinCEN’s Associate Director Andrea Sharrin introduced the BSA Value Project at a Florida International Bankers Association (FIBA) conference on March 12, 2019, and then Director Blanco described it in his August 13th remarks:

In January 2019, FinCEN began an ambitious project to catalogue the value of BSA reporting across the entire value chain of its creation and use. The project will result in a comprehensive and quantitative understanding of the broad value of BSA reporting and other BSA information to all types of consumers of that information.

We already know that BSA data plays a critical role in keeping our country strong, our financial system secure, and our families safe from harm. But FinCEN is using the BSA Value Project to improve how we communicate the way BSA information is valued and used, and to develop metrics to track and measure the value of its use on an ongoing basis. The project has included hundreds of interviews with stakeholder groups, including casinos.

So far, the study has confirmed there are extensive and extremely varied uses of BSA information across all stakeholders (including by the private sector) consistent with their missions.

Almost One in Four FBI and IRS-CI Investigations Use BSA Data

Director Blanco made the following remarks on the usefulness of BSA data:

All FBI subject names are run against the BSA database. More than 21 percent of FBI investigations use BSA data, and for some types of crime, like organized crime, nearly 60 percent of FBI investigations use BSA data. Roughly 20 percent of FBI international terrorism cases utilize BSA data.

The Internal Revenue Service-Criminal Investigation section alone conducts more than 126,000 BSA database inquiries each year. And as much as 24 percent of its investigations involving criminal tax, money laundering, and other BSA violations are directly initiated by, or associated with, a BSA report.

In addition to providing controlled access to the data to law enforcement, FinCEN also proactively pushes certain information to them on critical topics. On a daily basis, FinCEN takes the suspicious activity reports and we run them through several categories of business rules or algorithms to identify reports that merit further review by our analysts.

Our terrorist financing-related business rules alone generate over 1,000 matches each month for review and further dissemination to our law enforcement and regulatory partners in what we call a Flash report. These Flash reports enable the FBI, for example, to identify, track, and disrupt the activities of potential terrorist actors. It is incredibly valuable information.

But Which BSA Filings are Providing Real Value to Law Enforcement?

There is no doubt that the (roughly) 20 million BSA reports that are filed each year provide great value to law enforcement. But questions remain about the utility of those filings, and the costs of preparing them. Some of those questions include: (i) which of those reports provide value? (ii) what kind of value is being provided – tactical and/or strategic? (iii) can financial institutions eliminate the “no value” filings and deploy those resources to higher-value filings? (iv) can financial institutions automate the preparation and filing of the low value filings and deploy those resources to the highest-value filings?

I have written a number of articles on the need for better reporting on the utility of SAR filings. Links to three of them are:

SAR Feedback 314(d) – July 30 2019

BSA Reports and Federal Criminal Cases – June 5 2019

The TSV SAR Feedback Loop – June 4 2019

Conclusion

Kudos to Director Blanco and his FinCEN team for their initiative and efforts around the BSA Value Project. The results of the Project could be a game-changer for the financial industry’s BSA/AML programs. The industry is being inundated with calls to apply machine learning and artificial intelligence to make their AML programs more effective and efficient. But if those institutions don’t know which of their filings provide value, and arguably only one in four is providing value, they cannot effectively use machine learning or AI.

The entire industry is looking forward to the results of FinCEN’s BSA Value Project!

The WayBack Machine … and the Marihuana Problem in New York (circa 1944) – updated with the OFAC Fentanyl Drug Trafficking Organization Designation of August 21, 2019

One of the greatest investigative tools available today is the Internet Archive, a “non-profit library of millions of free books, movies, software, music, websites, and more” – https://archive.org/. The best tool in this online library is the WayBack Machine. It is described as follows:

The Internet Archive has been archiving the web for 20 years and has preserved billions of webpages from millions of websites. These webpages are often made up of, and link to, many images, videos, style sheets, scripts and other web objects. Over the years, the Archive has saved over 510 billion such time-stamped web objects, which we term web captures.

We define a webpage as a valid web capture that is an HTML document, a plain text document, or a PDF.

A domain on the web is an owned section of the internet namespace, such as google.com or archive.org or bbc.co.uk. A host on the web is identified by a fully qualified domain name or FQDN that specifies its exact location in the tree hierarchy of the Domain Name System. The FQDN consists of the following parts: hostname and domain name. As an example, in case of the host blog.archive.org, its hostname is blog and the host is located within the domain archive.org.

We define a website to be a host that has served webpages and has at least one incoming link from a webpage belonging to a different domain.

As of today, the Internet Archive officially holds 273 billion webpages from over 361 million websites, taking up 15 petabytes of storage.

Here’s an example of how the WayBack Machine can be used. In a federal criminal complaint unsealed on August 15, 2019 in the case of United States v Manish Patel (Eastern District of California, case no 19-MJ-0128), the affidavit supporting the complaint stated that the defendant had business cards that showed he was the CEO of The Sentient Law Group PC in New York City, but the website for that entity – http://www.sentientlawgroup.com – as accessed on August 5, 2019 did not show him as CEO. But by simply typing that URL into the WayBack Machine’s search bar you find every instance of that website that was captured by the WayBack Machine. Viewing the first and last captures (on April 13, 2017 and February 12, 2019) shows the defendant Patel as the CEO, along with his practice focus areas (including cannabis law, which is ironic given that Patel was charged with multiple counts involving possession with intent to distribute marijuana). This tool is particularly helpful in online child pornography cases, where defendants move and change websites, and was instrumental in a number of post-9/11 cases, where the English language Al Qaeda website changed dramatically after 9/11 … but its historical web pages remained accessible, thanks to the Internet Archive and its WayBack Machine.

OFAC Designation of the Zheng Drug Trafficking Organization – August 21, 2019

Another great example of the power of the WayBack Machine can be found in a series of federal criminal cases that culminated in OFAC designating the criminal defendants as Foreign Narcotics Kingpins. See the Treasury press release at https://home.treasury.gov/news/press-releases/sm756

One of those designated, Fujing Zheng, was indicted in federal court in Ohio in August 2018 (US v Zheng et al, Northern District of Ohio, case 18CR00474). In that 86-page indictment, the Government alleges that the Zheng organization used a website to market its illegal drugs – www.globalrc.net

What has happened to www.globalrc.net?

If you search for that URL today, you get the following:

As it shows, that domain has been seized by the DEA and is no longer accessible. But the WayBack Machine has captured and saved that website 65 times between April 8, 2009 and February 15, 2019:

And simply by selecting any of the 65 dates, you can access the captured website. An example is from January 6, 2017:

You can see the actual website used by the Zheng DTO back in 2017. A powerful investigative tool!
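The capture listings described above can also be pulled from the Wayback Machine's CDX index rather than the search bar, which gives an investigator a record of when a page was captured and when its content changed. The following is an added example, not part of the original article: it parses a constructed CDX response for the placeholder host www.example.test, and the sample rows, digests and helper names are assumptions.

```python
"""Summarise Wayback Machine captures of a site from a CDX index response."""
import json
from datetime import datetime, timezone
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"
REPLAY_PREFIX = "https://web.archive.org/web"

# Constructed sample of a CDX "output=json" response: a header row followed by
# one row per capture. Host, timestamps and digests are placeholders.
SAMPLE_CDX_JSON = json.dumps([
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["test,example)/", "20160302101500", "http://www.example.test/", "text/html", "200", "CONSTRUCTEDDIGESTAAAAAAAAAAAAAAA", "5120"],
    ["test,example)/", "20160918080000", "http://www.example.test/", "text/html", "200", "CONSTRUCTEDDIGESTAAAAAAAAAAAAAAA", "5120"],
    ["test,example)/", "20170704120000", "http://www.example.test/", "text/html", "301", "CONSTRUCTEDDIGESTCCCCCCCCCCCCCCC", "310"],
    ["test,example)/", "20180115093000", "http://www.example.test/", "text/html", "200", "CONSTRUCTEDDIGESTBBBBBBBBBBBBBBB", "4890"],
    ["test,example)/", "20181130160000", "http://www.example.test/", "text/html", "200", "CONSTRUCTEDDIGESTBBBBBBBBBBBBBBB", "4890"],
])


def cdx_query_url(site):
    """Build the CDX query that lists captures of `site` (not fetched here)."""
    return CDX_ENDPOINT + "?" + urlencode({"url": site, "output": "json"})


def parse_captures(cdx_json_text):
    """Return successful (HTTP 200) captures, oldest first, as dicts."""
    rows = json.loads(cdx_json_text)
    if not rows:  # empty result: nothing was captured for this URL
        return []
    header, data = rows[0], rows[1:]
    captures = []
    for row in data:
        rec = dict(zip(header, row))
        if rec.get("statuscode") != "200":
            continue  # redirects and errors carry no page content to review
        # CDX timestamps are 14 digits, YYYYMMDDhhmmss, in UTC.
        rec["captured_at"] = datetime.strptime(
            rec["timestamp"], "%Y%m%d%H%M%S"
        ).replace(tzinfo=timezone.utc)
        captures.append(rec)
    captures.sort(key=lambda r: r["timestamp"])
    return captures


def replay_url(capture):
    """URL at which the archived copy of this capture can be viewed."""
    return f"{REPLAY_PREFIX}/{capture['timestamp']}/{capture['original']}"


def content_versions(captures):
    """Keep only captures whose content digest differs from the previous one."""
    versions, previous = [], None
    for cap in captures:
        if cap["digest"] != previous:
            versions.append(cap)
            previous = cap["digest"]
    return versions


def summarize(captures):
    """Count captures and report first, last, and each content change."""
    if not captures:
        return {"count": 0, "first": None, "last": None, "versions": []}
    return {
        "count": len(captures),
        "first": captures[0]["captured_at"].date().isoformat(),
        "last": captures[-1]["captured_at"].date().isoformat(),
        "versions": [
            (c["captured_at"].date().isoformat(), replay_url(c))
            for c in content_versions(captures)
        ],
    }


if __name__ == "__main__":
    print("Query:", cdx_query_url("www.example.test"))
    report = summarize(parse_captures(SAMPLE_CDX_JSON))
    print(f"{report['count']} captures, {report['first']} to {report['last']}")
    for day, url in report["versions"]:
        print("content changed:", day, url)
```

Captures that share a digest had identical content, so the entries under `versions` are the dates worth opening and preserving for a case file.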

But there is more to be found on the Internet Archive. The twenty or so archived collections are incredible sources. Here is an example of a document from the “Journals” collection:

https://archive.org/details/TheMarihuanaProblemInTheCityOfNewYork-19441973Edition/page/n19

In 1944, legendary New York Mayor F.H. LaGuardia commissioned a report to look into “The Marihuana Problem in the City of New York.” The foreword is interesting. It provides:

“As Mayor of New York City, it is my duty to foresee and take steps to prevent the development of hazards to the health, safety, and welfare of our citizens. When rumors were recently circulated concerning the smoking of marihuana by large segments of our population and even by school children, I sought advice from The New York Academy of Medicine, as is my custom when confronted with problems of medical import.”

“The report of the present investigation covers every phase of the problem and is of practical value not only to our own city but to communities throughout the country. It is a basic contribution to medicine and pharmacology.”

“I am glad that the sociological, psychological, and medical ills commonly attributed to marihuana have been found to be exaggerated insofar as the City of New York is concerned. I hasten to point out, though, that the findings are to be interpreted only as a reassuring report of progress and not as encouragement to indulgence, for I shall continue to enforce the laws prohibiting the use of marihuana until and if complete findings may justify an amendment to existing laws. The scientific part of the research will be continued in the hope that the drug may prove to possess therapeutic value for the control of drug addiction.”

Try out the Internet Archive!

A Better Way to Fight Money Laundering – American Banker quotes Jim Richards and Others

Jim Richards was quoted in an August 2019 American Banker article titled “Is There a Better Way to Fight Money Laundering?” by Victoria Finkel. AB Link

The article is well-researched, well-written, and accurately and fairly makes the point that there are better ways to fight money laundering, but there are impediments. Like all articles, though, the editors are required to edit, and quotes are often trimmed to fit the flow, cadence, and tone of the article.

Below are the two quotes that are in the article. I’ll add the context for each.

“Everybody in the regime wants to try to make it more efficient and effective, but everybody’s got a different definition of efficient and effective,” said Jim Richards, the former global head of financial crimes risk management for Wells Fargo and the founder of RegTech Consulting.

What was not included in the article was the next sentence, where I stated that:

“The prudential regulators are focused on safety and soundness, or how we do our jobs: conducting risk assessments, writing policies and procedures, risk rating and performing due diligence on our customers, documenting and validating the models developed for monitoring transactions, and documenting the reasons why we don’t file a suspicious activity report. Law enforcement, on the other hand, is focused on how well we do our jobs: providing timely, actionable intelligence to law enforcement in order to fight financial crime. And since it is the regulators, not law enforcement, that are examining us, our focus is rightly on compliance – how we do our jobs – and not on how well we provide intelligence to law enforcement.”

The article also quotes Greg Baer of the Bank Policy Institute, who has this take on the dilemma of being examined on how we do our jobs, not on how well we do our jobs:

“The examiners who determine compliance are not allowed to know, in all but rare cases, what becomes of the suspicious activity reports that are filed,” Baer of the Bank Policy Institute said. “So that compliance rating is driven far more by things like, are there written policies and procedures, has there been strict one hundred percent adherence to those policies and procedures, rather than the efficacy of the SARs that are filed. What that leads to is, AML is examined much the same way as any other function — through a check-box kind of approach,” Baer said. This in turn shifts the balance with regard to bank priorities, with compliance becoming the main focus. That includes an over reliance on defensive SARs and a fixation on minutiae, according to industry experts.”

John Byrne, a long-time industry expert, is also quoted:

“We have these laws for one reason and one reason alone — and that’s to get valuable data and information in the hands of law enforcement, so there can be a reaction,” said John Byrne, an expert on anti-money-laundering issues and vice chairman of AML RightSource. “When regulators are criticizing banks for being a couple of days late in a filing or putting a company on a cash reporting exemption list by error, that’s a problem.”

The next Richards quote deals with the lack of actionable feedback on the reports that are being filed:

“What the CFOs and the CEOs are saying is, what are we getting for all this money we’re pumping into the AML/BSA regime?” said Richards, the former Wells Fargo executive. “Can we produce fewer alerts and have it cost less and investigate fewer cases and file better SARs? The answer to that is maybe — but we don’t know what a better SAR is.”

We don’t know what a better SAR is because the feedback SAR filers get from regulators, law enforcement, and FinCEN is scattered and ad hoc, at best, and non-existent, at worst. I have written about the need for feedback through what I have called TSV SARs, or Tactical or Strategic Value SARs, on multiple occasions. See, for example, https://regtechconsulting.net/money-laundering-terrorist-financing-general/fincens-fy2020-report-to-congress-reveals-its-priorities-and-performance/

The American Banker article has some other excerpts that deserve mention. First is an estimate of the amount of illicit funds in the US financial system:

“The United Nations Office on Drugs and Crime estimates that as much as $2 trillion is illegally laundered around the world each year — while law enforcement reportedly catches less than 1% of that. As much as $300 billion in illicit funds make their way through the U.S. financial system in a given year, according to the Treasury Department.”

The estimate of the amount of illicit funds flowing through the US financial system is close to the amount of illicit funds reported by SAR filings!

In 2018, banks and credit unions filed ~975,000 SARs. Based on some empirical data and some conversations with BSA Officers, the average depository institution SAR reports ~$245,000. In 2018, MSBs filed ~875,000 SARs. Those average about $36,000. “Others” filed another 275,000 SARs, and I’ll guess that those averaged ~$50,000. The total? Almost $300 billion. And that doesn’t include a percentage of the 18 million Currency Transaction Reports: if the average CTR reported $20,000 and 20% of the CTRs involved illicit funds, that would add another $70 billion being reported by financial institutions. So it may not be a reporting issue at all.

So, financial institutions are reporting over $300 billion in potential illicit funds flowing through the US financial system every year. But what percentage of the total flow of funds is illicit? Based on excerpts from the 2015 and 2018 US National Money Laundering Risk Assessments, the total annual flow of funds through the two main wire transfer systems (Fedwire and CHIPS), ACH, debit cards, and cash is about $2 quadrillion. So the illicit funds flowing through the US system represent about 0.0001% of the total funds. Interesting …

A second excerpt that caught my eye is the following:

“… broad AML legislation recently introduced by a bipartisan group of senators — Mark Warner, D-Va., Doug Jones, D-Ala., Tom Cotton, R-Ark., and Mike Rounds, R-S.D. — would require the Department of Justice to report annually on how frequently law enforcement agencies use Bank Secrecy Act reporting as part of their investigations.”

What is interesting is that while it would be great to have a new law to compel the Justice Department to report annually on how law enforcement is using BSA reports, there already is a law that compels the Treasury Department to report semi-annually on how law enforcement is using BSA reports, and it is not being enforced! Take a look at the USA PATRIOT Act’s section 314(d). Once again, I’ve written about this: https://regtechconsulting.net/aml-regulations-and-enforcement-actions/sar-feedback-what-ever-happened-to-section-314d/

Hopefully, this well-researched, well-written American Banker article will be well-received by everyone who has an interest in seeing the US BSA/AML regime become more effective, more efficient, and better serve the global, national, and local financial systems and financial institutions as we continue the fight against financial crime.

Is the Clinical Cannabis Catch-22 Coming to Closure?

The Scottsdale Research Institute case may be a significant step forward in the normalization of cannabis. And it may address one of the most vexing clinical cannabis catch-22 situations there is today.

Schedule I of the Controlled Substances Act lists drugs that are both harmful and have no currently accepted medical use. Marijuana or cannabis has been included in Schedule I since the passage of the Controlled Substances Act in 1970, and has remained there, notwithstanding great public, political, and other pressure to reschedule or even deschedule it.

Congress has the ability to reschedule marijuana. Let’s assume that they’re not prepared to act anytime soon: that would take courage and compromise, two things that appear to be lacking in this Congress. The DEA also has the ability to reschedule marijuana, but it has not done so, and various DEA publications have indicated that it won’t do so because of a dearth of clinical trials demonstrating currently accepted medical use, or medical efficacy. One of the reasons for the dearth of clinical trials is a lack of availability of approved research-grade cannabis. Under the Controlled Substances Act, the DEA controls who gets to produce cannabis for clinical trials. Currently, there is one such approved facility, the University of Mississippi. And the cannabis produced by that facility is, by most accounts, not very good (the picture here is from the Scottsdale Research Institute court filing, mentioned below). So why aren’t there more facilities approved to grow cannabis for medical research?

The DEA controls that, too. From 1970 (when the CSA was passed and cannabis was included in Schedule I), dozens of applications to produce cannabis for medical research were filed, and none were approved. In late 2015 a federal law was passed that compelled the DEA to act on these applications – to approve or deny them – within 90 days. Again, dozens of applications have been filed. And none have been acted on.

An interesting case is now before the US Court of Appeals (District of Columbia) called In re: Scottsdale Research Institute, LLC, District of Columbia Court of Appeals, case No. 19-1120, where a medical research company is seeking to compel the DEA to act on its application to produce pharmaceutical-grade cannabis. The facts are important …

A doctor in Arizona, Dr. Suzanne Sisley, has the necessary federal approvals to run a clinical trial to determine whether cannabis is effective in treating veterans’ PTSD (as Dr. Sisley writes in her Declaration supporting the petition, she “struggled for seven years [from 2009 to 2016] to get approval from four different federal agencies to conduct clinical trials of cannabis as a treatment for PTSD symptoms in veterans.”). But she cannot begin those trials without pharmaceutical grade cannabis, which the only approved supplier cannot provide. In 2016 she (actually, her company and the appellant in this case, Scottsdale Research Institute, LLC, or “SRI”) submitted an application to grow her own cannabis for her clinical trials, but the DEA hasn’t acted on that application, notwithstanding the law that says it has to. Without pharmaceutical-grade cannabis to run her FDA-approved clinical trials, she was stuck. This petition, called a Writ of Mandamus, was brought to compel the DEA to act. Notably, the Writ of Mandamus does not seek to compel the DEA to grant the application to produce cannabis for research: as SRI writes in its petition, “mandamus here will not divest the agency of its discretion. It simply allows the process contemplated by the statute to begin, not end. The agency still maintains discretion to deny or delay the application.”

So let’s sum up:

  • The DEA won’t consider rescheduling cannabis without clinical trials.
  • Clinical trials require approved, pharmaceutical-grade cannabis.
  • The DEA decides who produces pharmaceutical-grade cannabis.
  • The only DEA-approved producer of pharmaceutical-grade cannabis cannot produce pharmaceutical-grade cannabis.
  • Since 2016, the DEA has been required by law to either approve or reject applications to produce cannabis for medical research within 90 days of receiving the application.
  • The DEA has received dozens of applications from entities seeking to produce pharmaceutical-grade cannabis.
  • The DEA has neither approved nor rejected any of those applications in the 3+ years it has been compelled by law to do so.
  • SRI is bringing a federal court action to compel the DEA to consider its application.

As Dr. Sisley and SRI’s petition to the District of Columbia Court of Appeals provides:

“Millions of Americans believe cannabis holds the key to ending their pain and suffering, making the need for clinical trials acute no matter the outcome of SRI’s clinical trials. If those studies show that thirty-eight states (and counting), doctors, legislators, and the American public are all wrong—i.e., that cannabis lacks medical utility—then we must know this now. Those using cannabis to treat conditions like PTSD may be jeopardizing their health and welfare. But in the more likely alternative— i.e., SRI’s studies prove that cannabis has medical value—DEA’s delay inexcusably deprives combat veterans and others of a treatment option necessary to ease their pain. Either way, more delay is unconscionable.”

The Court of Appeals issued a preliminary ruling on July 29th regarding SRI’s June 11th petition: the DEA has 30 days to file a response, and SRI then has 14 days to file a reply to that response. Notably, after receiving SRI’s 284-page petition, the Court of Appeals has limited the DEA’s response to 7,800 words, and SRI’s reply to 3,900 words. (This article is 800 words long, by the way).

I doubt that clinical trials will prove that cannabis lacks medical utility – but whether something has medical utility isn’t really the question. Many non-approved, and unapprovable, products have some medical utility, but can’t be safely used as federally-approved medicines. Let’s allow the clinical researchers to do their jobs. Let’s allow – perhaps we need to compel – federal regulatory agencies to do their jobs. And wherever and however this comes out at the end, at least we will know what safe and appropriate medical uses there are for cannabis, or components of cannabis.

SAR Feedback? What Ever Happened to Section 314(d)?

Wouldn’t it be great if Treasury published a report, perhaps semi-annually, that contained a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports (SARs) and investigations conducted by federal, state, and local law enforcement agencies (to the extent appropriate) and distributed that report to financial institutions that filed those SARs?

To get Treasury to do that, though, would probably require Congress to pass a law compelling it to do so.

Hold it. Congress did pass that law.  Almost 18 years ago. And, by all accounts, it’s still on the books. What happened to those semi-annual reports? When did they begin? If they began, when did they end?

Section 314(d) – Its Origins

What became 314(d) was introduced in the House version of what became the USA PATRIOT Act. The House version, the Financial Anti-Terrorism Act, was introduced on October 3, 2001. It was marked up by the House Financial Services Committee on October 11. The Senate version, originally titled the Uniting and Strengthening America Act, or USA Act, was introduced on October 4th and had sections 314(a) (public to private sector information sharing), 314(b) (cooperation among financial institutions, or private-to-private sector information sharing), and 314(c) (“rule of construction”). There was no 314(d) in that early version.

On October 17th, HR 3004, the Financial Anti-Terrorism Act, was passed by the House 412-1. Title II was “public-private cooperation”. Section 203 was:

“Reports to the Financial Services Industry on Suspicious Financial Activities – at least once each calendar quarter, the Secretary shall (1) publish a report containing a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports and investigations conducted by federal, state, and local law enforcement agencies to the extent appropriate; and (2) distribute such report to financial institutions as defined in section 5312 of title 31, US code.”

The Senate and House versions were reconciled, and on October 23rd the House Congressional Record shows a consideration of what was then the USA PATRIOT Act. That version of the bill then included what had been section 203 and was now 314(d). It was the same, except instead of a quarterly report it was a semi-annual report (“at least once each calendar quarter” was changed to “at least semiannually”).

SAR Activity Review – Was That The Answer to 314(d)?

The ABA has written, and at least one former FinCEN employee has stated, that the “SAR Activity Review – Trends, Tips, and Issues” was the response to 314(d). The SAR Activity Reviews were excellent resources. They contained sections on SAR statistics, national trends and analysis, law enforcement cases, tips on SAR form preparation and filing, issues and guidance, and an industry forum. The first SAR Activity Review noted that it was published under the auspices of the BSAAG, was to be published semi-annually in October and April, and was “the product of a continuing collaboration among the nation’s financial institutions, federal law enforcement, and regulatory agencies to provide meaningful information about the preparation, use, and utility of SARs.” Although that certainly sounds like it is responsive to section 314(d), there is no reference to 314(d).

And the first SAR Activity Review was published more than a year before 314(d) was passed. Even the first SAR Activity Review published after the enactment of the USA PATRIOT Act and section 314(d) – the 4th issue published on July 31, 2002 – didn’t make any reference to 314(d). Beginning with the 6th issue of the SAR Activity Review, published in October 2003, the authors broke out the statistics from the “Trends, Tips & Issues” document and published a separate, and more detailed, “SAR Activity Review – By The Numbers”. The last SAR Activity Review (the 23rd) and the last “By The Numbers” (the 18th) were published on April 30, 2013. None of those forty-one publications referenced 314(d). After the SAR Activity Reviews stopped, FinCEN continued to publish “SAR Statistics”, and did so three times from June 2014 through March 2017.  For the last few years, FinCEN has maintained SAR Stats on its website – https://www.fincen.gov/reports/sar-stats  – that is updated on a monthly basis. Those statistics are useful, but cannot be thought of as “containing a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports and investigations conducted by federal, state, and local law enforcement agencies to the extent appropriate”, quoting the 314(d) language.

Does Anyone Know What Happened to 314(d)?

I don’t have the answer to that question. Perhaps 314(d) is seen as satisfied by the accumulation of advisories, guidance, bulletins, etc., published by FinCEN and other Treasury bureaus and agencies and departments from time to time. Perhaps there is a Treasury Memorandum out there that I’m not aware of that provides a simple explanation. Perhaps not: most BSA/AML experts I speak with are not even aware of 314(d), and if the SAR Activity Review did satisfy the spirit and intent of 314(d), the last one was published more than six years ago. But everyone in the private sector BSA/AML risk management space has been clamoring for more feedback from law enforcement and FinCEN on the effectiveness and usefulness of their SAR filings. Perhaps a renewed (or any) focus on 314(d) is the answer.  The revival of 314(d) could give FinCEN the mandate they’ve been looking for to provide more valuable information to the private sector producers of Suspicious Activity Reports. We would all benefit.

One in Two Cannabis Dispensaries is Robbed or Burglarized? Perhaps not …

Are there any good studies on robbery and burglary rates of cannabis related businesses as compared to other businesses? Are cannabis related businesses robbed or burglarized at higher rates than other cash intensive businesses?

These questions may not be answered – I know I haven’t found good answers, and I have looked. Two written statements by the Credit Union National Association (CUNA) and American Bankers Association (ABA) provide two very different answers.

The Senate Committee on Banking, Housing, and Urban Affairs held a hearing on “Challenges for Cannabis and Banking: Outside Perspectives” on July 23, 2019. Both CUNA and the ABA had representatives provide written testimony and answer questions from the Senators. The written statement from the representative of CUNA included the following statement (which was picked up by one of the Senators during the question and answer session):

“A 2015 analysis by the Wharton School of Business Public Policy Initiative found that, in the absence of being banked, one in every two cannabis dispensaries were robbed or burglarized—with the average thief walking away with anywhere from $20,000 to $50,000 in a single theft.”

One in every two cannabis dispensaries is robbed or burglarized! That is a stunning statistic. Actually, it is really two statistics because of the significant difference between a burglary and a robbery. Without getting into legal minutiae, burglary is entering into a structure or dwelling with the intent to commit a crime; robbery is taking something from a person using force, or the threat of force, to do it. Put another way, a burglary becomes a robbery if there is someone in the structure or dwelling and the perpetrator uses force or the threat of force to take something. Both are serious crimes, but robbery is much more serious than burglary, as it (the robbery) involves direct victims.

The written statement from the American Bankers Association included the following:

“In Denver, [the roughly 500] cannabis businesses make up less than 1% of all local businesses but have accounted for 10% of all reported business burglaries from 2012-2016. On average, more than 100 burglaries occur at cannabis businesses each year according to the Denver Police Department, and burglaries and theft comprise almost 80% of Denver’s cannabis industry-related crime.”

CUNA’s statement that one in every two cannabis dispensaries is robbed or burglarized caught me by surprise. The ABA’s statement – that roughly one in five cannabis businesses is burglarized – seems more reasonable. Logically, if one in every two dispensaries was robbed or burglarized, there would be headlines. I can’t find them. So I looked into CUNA’s source for its one in two conclusion, what they called “the Wharton analysis.”

It doesn’t exist.

Here’s a link to the Wharton “analysis” … https://publicpolicy.wharton.upenn.edu/live/news/2214-cash-crime-and-cannabis-banking-regulations-in-an/for-students/blog/news#_edn2.

First, it is a 2017 student blog written by three students which bears the following disclaimer: “The views expressed on the Student Blog are the author’s opinions and don’t necessarily represent the Wharton Public Policy Initiative’s strategies, recommendations, or opinions.”

This November 20, 2017 student blog – not a Wharton Public Policy Institute publication at all – is titled “Cash, Crime, and Cannabis: Banking Regulations in an Illegal Market”. Under the heading “Risky Business”, the three student authors write:

“Not only are cash businesses conducive to tax manipulation, they also hurt many individuals, because of the risk of crime. In 2015, one in two cannabis dispensaries were robbed or burglarized, with the average thief walking away with anywhere from $20,000 to $50,000 in a single act [citation]. Mitch Morrissey, district attorney of Denver, notes a direct increase in crime cases related to the marijuana industry, and sees the reasoning behind the robberies stating: ‘You hit a 7-Eleven, you’ll get 20 bucks. You hit a dispensary, you’ll get $300,000 on a good day’ [citation].”

The citation the students provide is http://www.sivallc.com/the-growing-need-for-a-cannabis-dispensary-security-plan-infographic/

That page is no longer available. But the citation is not to an article or study, but simply to the infographic, which they label “Dispensary Security Infographic” and the source is shown as “Bubulyan Consulting Group”.  Bubulyan Consulting Group is actually Bulbulyan Consulting Group, which was the original name of Siva Enterprises. Avis Bulbulyan is the CEO of Siva Enterprises (www.sivallc.com).

I haven’t reached out to Mr. Bulbulyan to ask him where he obtained the data for the infographic, but it appears that the source was an NBC news story from February 4, 2014 (available at https://www.nbcnews.com/storyline/legal-pot/high-crimes-robber-gangs-terrorize-colorado-pot-shops-n20111). That story includes the following:

“In 2009, the Denver Police Department estimated that about 17 percent of marijuana retail shops had been robbed or burglarized in the last year. That was good news: a bit less than liquor stores (20 percent) and banks (34 percent), and on par with pharmacies. Today, however, a darker picture has emerged. There are about 325 marijuana companies in Denver, based on an analysis of licensing data done for NBC News by Marijuana Business Daily, a leading trade publication. (Most companies hold numerous licenses.) At the same time, there have been about 317 burglaries and seven robberies reported by these companies in the last two years, according to police data. That’s an annual robbery and burglary rate of about 50 percent, more than double what it was in 2009. While a Denver Police spokesperson disputed these figures, the department doesn’t have its own.”

As written above, there is a significant difference between a burglary and a robbery. Using NBC’s numbers from its 2014 story, “that’s an annual robbery rate of about 1% and a burglary rate of about 49%.”

So what is the experience of law enforcement and the cannabis industry?

Colorado statistics seem to paint a very different picture

The City of Denver has an “Open Data” effort that includes marijuana-related crime (“crimes reported to the Denver Police Department which, upon review, were determined to have clear connection or relation to marijuana.”). It is available at County of Denver Marijuana Crime. That data suggests that marijuana-related business burglaries peaked in 2013 at 101, and dropped to 74 for the first eleven months of 2018. That suggests a burglary rate of 12% – 15%. Marijuana-related business robberies peaked in 2014 at 5: they recorded 1 such event in 2018. That rate is between 0.2% and 1%. Notably, these statistics are not comparing the marijuana-related crime rates with overall crime rates. It may well be that marijuana dispensaries are burglarized and robbed at roughly the same rate as other cash intensive businesses.

In an October 2018 report by the Colorado Division of Criminal Justice on organized crime cases in Colorado, the DCJ wrote “there has been concern that, due to the cash-only nature of the industry, robbery would be prevalent, but this has not been the case.” This seems in keeping with the 2014 NBC story that anecdotally suggests a robbery rate of 1% for cannabis dispensaries (in the Denver area).

Some research also suggests that the crime/cannabis nexus isn’t as strong as the anecdotes suggest, and in fact state-legal cannabis dispensaries may help reduce crime.

In a paper published in May 2018 “High on Crime? Exploring the Effects of Marijuana Dispensary Laws on Crime in California Counties” (http://ftp.iza.org/dp11567.pdf) the authors looked at violent and property-related crimes in California on a county-by-county level, and concluded that:

“The results suggest no relationship between county laws that legally permit dispensaries and reported violent crime. We find a negative and significant relationship between dispensary allowances and property crime rates, although event studies indicate these effects may be a result of pre-existing trends. These results are consistent with some recent studies suggesting that dispensaries help reduce crime by reducing vacant buildings and putting more security in these areas.”

Although this study doesn’t refer to robberies or burglaries at cannabis dispensaries, it seems logical that if those dispensaries were being robbed or burglarized at a rate of 50%, the study would have pointed that out.

A study published in the Journal of Preventive Medicine in March 2018 (https://www.sciencedirect.com/science/article/pii/S0091743517305078) by university researchers funded by the Centers for Disease Control and Prevention looked at “the geography of crime and violence surrounding tobacco shops, medical marijuana dispensaries [MMDs], and off-sale alcohol outlets in a large, urban low-income community of color” using data from 2014. The abstract provides:

“Results indicated that mean property and violent crime rates within 100-foot buffers of tobacco shops and alcohol outlets—but not MMDs—substantially exceeded community-wide mean crime rates and rates around grocery/convenience stores (i.e., comparison properties licensed to sell both alcohol and tobacco) …”

Conclusion

There is no doubt that cash intensive businesses – bars, restaurants, convenience stores, casinos, cannabis dispensaries – are more likely to suffer burglaries and/or robberies than those businesses that are not cash intensive. And it seems logical that cannabis dispensaries, which struggle to get and maintain banking relationships and are therefore more cash intensive than other businesses, and have a very valuable and largely untraceable product on their premises, are more likely to suffer burglaries and/or robberies at an even higher rate. But that combined rate is probably not 50%. It is probably closer to the ABA’s figure (from the Denver Police Department, apparently) of 20%, or even the County of Denver data that suggests a rate of 12% – 15%.  Regardless, public policy should be driven by accurately reported and cited information: citing a 2015 Wharton Business School study is very different than citing a 2014 NBC News report. Although the robbery rates and burglary rates may in fact be high, and the NBC News report accurate, we are all better served if the bases of our collective public policy decisions are known and accurate.

The Federal Government must step up and provide legislation, regulation, and regulatory guidance to the financial services industry so that cannabis businesses and cannabis related businesses can have access to the full suite of banking services – notably deposit accounts, cash management services, payroll services, merchant banking services, credit, and insurance. The SAFE Banking Act might be a good first step.

Business Email Compromise – New FinCEN Advisory and Trend Analysis

FinCEN has issued an updated advisory on Business Email Compromise (BEC) fraud schemes: FinCEN 2019 BEC Advisory. At the same time it issued a Financial Trend Analysis that provides some details on what FinCEN is seeing from the Suspicious Activity Reports on BEC schemes: BEC Trends.

FIN-2019-A005 Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes (July 16, 2019)

This 2019 Advisory is 12 pages long, and supersedes the 2016 advisory: FinCEN 2016 BEC Advisory. Highlights of the 2019 Advisory can be summarized as follows:

Instances of BEC reported to FinCEN have climbed from averaging just under 500 reports per month (averaging $110 million monthly in total attempted BEC thefts) in 2016 to over 1,100 monthly reports (averaging over $300 million monthly in total attempted BEC thefts) in 2018. Since November 2016, financial institutions reported over 6,000 instances and over $2.6 billion in attempted and successful transactions affiliated with suspected money laundering activity through BEC schemes.

Three observed trends since the 2016 Advisory. First, a concentration of targeting of particular sectors: manufacturing and construction (25% of reported BEC cases), commercial services (18%), and real estate (16%). Second, the majority of BEC incidents (reported in the Trends Analysis at 73%) affecting U.S. financial institutions and their customers are increasingly involving initial domestic funds transfers, rather than international, likely taking advantage of money mule networks across the United States to move stolen funds. Third, the two most common impersonations – CEO and vendor – are trending in different directions: CEO impersonations are trending down (from 33% of reported incidents in 2017 to 12% in 2018), and vendor impersonations are trending up (from 30% of incidents in 2017 to 39% in 2018, becoming the most common BEC method). FinCEN also noted that the average transaction amount for BECs impersonating a vendor or client invoice was $125,439, compared with $50,373 for impersonating a CEO.

A BEC scheme’s probability of success and the potential payout from fraudulent payment instructions often depend on (1) the criminal’s knowledge of their victim’s normal business processes, gained by leveraging publicly available information about the victim organization’s vendors, contracts, and business processes, and (2) weaknesses in the victim’s authorization and authentication protocols.

In this 2019 Advisory, FinCEN broadens its definitions of email compromise fraud activities to clarify that such fraud targets a variety of types of entities and may be used to misdirect any kind of payment (not just wire transfers) or transmittal of other things of value. While many email compromise fraud scheme payments are carried out via wire transfers (as originally stated in the 2016 BEC Advisory), FinCEN has observed BEC schemes fraudulently inducing funds or value transfers through convertible virtual currency payments, ACH transfers, and purchases of gift cards.

The 2019 Advisory also expands the types of victims beyond commercial businesses. FinCEN analysis has indicated criminal groups use a variety of techniques to conduct BEC fraud against individuals, particularly and increasingly those with high net worth, and entities that routinely use email to make or arrange payments between partners, customers, or suppliers. Targets of these schemes fall outside of the definition of traditional business customers, such as government entities and non-profit organizations or even the financial institutions themselves.

Footnote 7 provides that “The definitions of email compromise fraud, BEC, and EAC supersede the definitions in the 2016 BEC Advisory.” Those definitions are (and the red font indicates changes from 2016):

Email Compromise Fraud: Schemes in which 1) criminals compromise[1] the email accounts of victims to send fraudulent payment instructions to financial institutions or other business associates in order to misappropriate funds or value; or in which 2) criminals compromise the email accounts of victims to effect fraudulent transmission of data that can be used to conduct financial fraud. The main types of email compromise, the definitions of which have been modified to reflect the expansion of victims being targeted, include:

Business Email Compromise (BEC): Targets accounts of financial institutions or customers of financial institutions that are operational entities, including commercial, non-profit, nongovernmental, or government entities.

Email Account Compromise (EAC): Targets personal email accounts belonging to an individual.

BEC Fraud against Governments – BEC frauds have targeted accounts used for pension funds, payroll accounts, and contracted services. Schemes against government victims are consistent with other common typologies in BEC fraud. BEC schemes targeting government entities also often include vendor impersonation.

BEC Fraud against Educational Institutions – In 2016, financial institutions reported to FinCEN over 160 incidents of BEC targeting educational institutions where criminals attempted to steal over $50 million. The education sector has the largest concentration of high-value BEC attempts in financial sector reporting, even though only approximately 2% of BEC incidents affected educational institutions in 2017. Schemes against educational institutions frequently involve vendor impersonation. Attackers use authentic-looking payment requests to direct funds to domestic bank accounts they control. Large-scale construction and renovation projects have repeatedly been targets of high-dollar thefts.

BEC Fraud against Financial Institutions – In some cases, BEC actors directly target the financial institutions themselves. This scheme typically involves spoofing bank domains and sending what appear to be credible messages to imitate official communications between bank employees, such as sending emails that appear to be from a financial institution’s SWIFT (wire operations) department with payment instructions and SWIFT reference numbers in the email text to enhance its apparent legitimacy to the victim.

Information Sharing – The 2019 Advisory encourages financial institutions to use 314(b) to share information. FinCEN points out that many beneficiaries of BEC schemes play roles in larger networks of criminal activity and laundering of funds from illicit activity (“FinCEN encourages financial institutions to share valuable information about BEC beneficiaries and perpetrators, for purposes of identifying and, where appropriate, reporting activities that they suspect may involve possible terrorist activity or money laundering.”).

The 2019 Advisory includes a section on information for US financial institutions (which supersedes the 2016 advisory):

Risk Management Considerations – In determining the inherent risk of BEC, financial institutions should consider the level of information available publicly about key financial counterparties and processes, including information on public websites or on the darknet (e.g., email account login credentials that have been compromised and posted for sale). Financial institutions also need to consider their procedures and processes relating to how they (1) authenticate participants in communications, (2) authorize transactions, and (3) communicate information and changes about transactions. A multi-faceted transaction verification process, as well as training and awareness-building to identify and avoid spear phishing schemes, are critical.

Response and Recovery of Funds – To request immediate assistance in recovering BEC-stolen funds, financial institutions should file a complaint with the FBI’s Internet Crime Complaint Center (IC3), contact their local FBI field office, or contact the nearest USSS field office. These agencies are part of FinCEN’s Rapid Response Program (RRP). Financial institutions should also use the 314(b) information sharing process to request assistance from other financial institutions involved in (victims of or unwitting participants in) the scheme.

Suspicious Activity Reporting – Financial institutions should provide all pertinent available information on the event and associated suspicious activity, including cyber-related information, in the SAR form and narrative. Specifically, the following information is highly valuable to law enforcement and FinCEN in investigating BEC/EAC fraud:

Transaction details:

1) Dates and amounts of suspicious transactions;

2) Sender’s identifying information, account number, and financial institution;

3) Beneficiary’s identifying information, account number, and financial institution; and

4) Correspondent and intermediary financial institutions’ information, if applicable.

Scheme details:

1) Relevant email addresses and associated Internet Protocol (IP) addresses with their respective timestamps;

2) Description and timing of suspicious email communications and any involved compromised or impersonated parties; and

3) Description of related cyber-events and use (or compromise) of particular technology in the conduct of the fraud. For example, financial institutions should consider including any of the following information or evidence related to the email compromise fraud:

a) Email auto-forwarding

b) Inbox sweep rules or sorting rules set up in victim email accounts

c) A malware attack, and

d) The authentication protocol that was compromised (i.e., single-factor or multi-factor, one-step or multi-step, etc.)

[1] Criminals engaged in email compromise fraud may directly compromise email accounts through unauthorized electronic intrusions in order to leverage the compromised account for sending messages, or they may instead impersonate an email account through spoofing the email address or using an email account closely resembling a known counterparty or customer’s email address (i.e., that is slightly altered by adding, changing, or deleting one or more characters).
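Footnote [1] describes impersonation through an address that differs from a known counterparty's by one or more added, changed, or deleted characters. The following is an added example, not part of the FinCEN advisory or the original article, of a check a payment-operations team could run on the sender of a payment-instruction email; the function names, the two-edit threshold, and all addresses are constructed assumptions.

```python
# Added example: flag sender addresses that closely resemble, but do not
# exactly match, a known counterparty address (see footnote [1]).

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character adds, changes, deletes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # add cb
                           prev[j - 1] + (ca != cb)))   # change ca to cb
        prev = cur
    return prev[-1]

def normalize(addr: str) -> str:
    # Compare case-insensitively and ignore surrounding whitespace.
    return addr.strip().lower()

def classify_sender(sender, known_addresses, max_edits=2):
    """Return (verdict, nearest_known_address, distance).

    verdict is 'known', 'lookalike' or 'unknown'. max_edits is an assumed
    tuning threshold, not a value taken from the advisory.
    """
    s = normalize(sender)
    known = {normalize(k) for k in known_addresses}
    if s in known:
        return ("known", s, 0)
    best = min(((edit_distance(s, k), k) for k in known), default=None)
    if best is not None and best[0] <= max_edits:
        return ("lookalike", best[1], best[0])
    return ("unknown", None, None)

def flag_lookalikes(senders, known_addresses, max_edits=2):
    """Return only the senders classified as lookalikes, with their match."""
    results = [(s, classify_sender(s, known_addresses, max_edits)) for s in senders]
    return [(s, r[1], r[2]) for s, r in results if r[0] == "lookalike"]

# Constructed sample data (reserved .example domains).
KNOWN = ["ap@vendor-supply.example", "treasury@university.example"]
SAMPLE_SENDERS = [
    "AP@Vendor-Supply.example ",   # exact match after normalization
    "ap@vendor-suply.example",     # one character deleted
    "ap@vendor-supp1y.example",    # one character changed
    "ap@vendor-supplly.example",   # one character added
    "billing@other-firm.example",  # unrelated address
]

if __name__ == "__main__":
    for sender, match, dist in flag_lookalikes(SAMPLE_SENDERS, KNOWN):
        print(f"LOOKALIKE {sender!r} resembles {match!r} ({dist} edit(s))")
```

A "known" verdict only means the address matches; the footnote's other case, a directly compromised account, sends from the genuine address, so payment changes still need verification through a separate channel.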