Old News

September 18, 2018

Swiss Regulator FINMA criticizes Societe General’s lack of an EVOC – Enterprise View of the Customer


Not being able to impose monetary penalties, Swiss financial supervisor FINMA concluded two enforcement procedures against Credit Suisse AG. In the first, FINMA identified wide-ranging deficiencies in the bank’s AML program in three of the biggest global fraud/AML cases of the past ten years: the International Federation of Association Football (FIFA) scandal, Brazil’s oil corruption case involving Petrobras, and Venezuelan oil bribery and corruption case involving Petróleos de Venezuela, S.A. (PDVSA). The second procedure was a garden-variety PEP versus high-performing Relationship Manager case. Collectively, FINMA “decreed measures to further improve anti-money laundering processes and to accelerate the implementation of steps already initiated by the bank” and, notably, FINMA imposed “an independent third party to monitor the implementation and effectiveness of these measures.”

One of the most significant findings – and a warning to financial institutions everywhere – was that there was “no automated comprehensive overview of client relationships”. FINMA found:

“To combat money laundering effectively, every relevant department within the bank must be able to see all the client’s relationships with the bank instantly and automatically. Credit Suisse AG has been in the process of implementing such a “single client view” since 2015. Progress has been made, however this overview is still to be extended outside the Compliance unit. This results in organisational weaknesses in addition to the contraventions of anti-money laundering provisions.”

The result? Credit Suisse will need to build out a real-time, bank-wide single view of the customer … or Enterprise View of the Customer (EVOC).

September 12, 2018

Cannabis, Congress, and Courage – Why Banks are not Banking Marijuana Related Businesses

In January 2018, Attorney General Sessions “revoked Obama-era guidance that had effectuated a hands-off approach to state-legalized cannabis businesses.”

This quote from an online National Law Journal article (see https://www.law.com/nationallawjournal/2018/09/11/feds-should-be-banging-the-drum-the-loudest-for-cannabis-industry-banking/?slreturn=20180812164053) and others like it, have been used by both (all?) sides of the marijuana argument currently embroiling America.

But what, exactly, did AG Sessions revoke? Was there a “hands-off approach” by the Feds to state-legalized cannabis businesses? And what does the Sessions memo do, if anything, for financial institutions looking to provide services to marijuana-related businesses?

If there are answers to those questions, we need to first go back almost 10 years to the first DOJ memo on marijuana. But an interim stop is warranted, to March 2017 with President Trump’s Executive Order 13777 calling for federal agencies to establish Regulatory Reform Task Forces to identify regulations for potential repeal, replacement, or modification. At that time the President, and (fairly) some others felt that American society was over-regulated. It was time to take a look at all the regulations, and repeal, replace, or modify. In response, the Department of Justice formed its task force and began its work identifying regulations, rules, and anything that looked like and acted like a regulation or rule.

On November 17, 2017 the DOJ task force’s early work was made public, when the Attorney General issued a memo prohibiting the DOJ from issuing so-called guidance memos going forward and providing notice that a DOJ task force would be looking at existing memos to recommend candidates for repeal or modification. This memo-against-memos provided, in part:

Today, in an action to further uphold the rule of law in the executive branch, Attorney General Jeff Sessions issued a memo prohibiting the Department of Justice from issuing guidance documents that have the effect of adopting new regulatory requirements or amending the law. The memo prevents the Department of Justice from evading required rulemaking processes by using guidance memos to create de facto regulations.

In the past, the Department of Justice and other agencies have blurred the distinction between regulations and guidance documents.  Under the Attorney General’s memo, the Department may no longer issue guidance documents that purport to create rights or obligations binding on persons or entities outside the Executive Branch.

The Attorney General’s Regulatory Reform Task Force, led by Associate Attorney General Brand, will conduct a review of existing Department documents and will recommend candidates for repeal or modification in the light of this memo’s principles.

On December 21, 2017 the Attorney General announced that “pursuant to Executive Order 13777 and his November memorandum prohibiting certain guidance documents, he is rescinding 25 such documents that were unnecessary, inconsistent with existing law, or otherwise improper.” None of the “marijuana memos” were on the list of twenty-five.

But on January 4, 2018, AG Sessions issued a memo, tersely titled “Marijuana Enforcement” which, among other things, rescinded five marijuana-related memos:

  1. Ogden Memo – October 19, 2009: David W. Ogden, Deputy Attorney General, “Memorandum for Selected United States Attorneys: Investigations and Prosecutions in States Authorizing the Medical Use of Marijuana”. This was issued at a time when only a handful of states were embarking on early medical marijuana programs.
  2. Cole I – June 29, 2011: James M. Cole, Deputy Attorney General, “Memorandum for United States Attorneys: Guidance Regarding the Ogden Memo in Jurisdictions Seeking to Authorize Marijuana for Medical Use”
  3. Cole II – August 29, 2013: “Memorandum for All United States Attorneys: Guidance Regarding Marijuana Enforcement”. Note that Cole II set out the eight enforcement priorities that were picked up in FinCEN’s February 14, 2014 Guidance (see below), but it said nothing about financial institutions, financial crimes, or the Bank Secrecy Act.
  4. Cole III – February 14, 2014: “Memorandum for All United States Attorneys: Guidance Regarding Marijuana Related Financial Crimes”. The title of this memo is important: unlike Cole I, Cole II brought in marijuana related financial crimes, the obligations of financial institutions, and the specter of those institutions violating federal law by knowingly providing services to marijuana-related businesses. In fact, Cole II noted that the Cole I guidance “did not specifically address what, if any, impact it would have on certain financial crimes for which marijuana-related conduct is a predicate.” Cole II addressed those impacts.
  5. Wilkinson Memo – October 28, 2014: Monty Wilkinson, Director of the Executive Office for U.S. Attorneys, “Policy Statement Regarding Marijuana Issues in Indian Country”.

Cole III needs to be read with the FinCEN Guidance issued the same (Valentine’s) day. I won’t repeat the FinCEN Guidance here (you can find it here https://www.fincen.gov/resources/statutes-regulations/guidance/bsa-expectations-regarding-marijuana-related-businesses) but its authors intended that it “clarifies how financial institutions can provide services to marijuana-related businesses consistent with their BSA obligations.” [Note that most financial institutions have interpreted that to mean they cannot provide services to marijuana-related businesses and meet their BSA obligations]. The FinCEN Guidance heavily relied on and quoted the Cole II eight priorities, and set out requirements for risk assessments, customer due diligence (seven distinct requirements), a requirement that “financial institutions should consider whether a marijuana-related business implicates a Cole priority or violates state law, twenty-five “red flags” for monitoring and surveillance of marijuana-related businesses, and how to (and shall) file Suspicious Activity Reports on every marijuana-related business customer, regardless of whether their activity is suspicious or not. Again, the vast majority of financial institutions have chosen not to knowingly bank marijuana-related businesses.[1]

But back to Attorney General Sessions and his “rescission of the Cole memo”. The terse title of his memo sends a clear message: “Marijuana Enforcement”. It was not titled “Managing Competing State and Federal Obligations In A Way That Advances The Positives Aspects of Marijuana Reform While Addressing Possible Negative Societal and Economic Harm”. Attorney General Sessions’ intent was clear from the outset: it was about enforcement.

And he directed that enforcement at banks, credit unions, and money remitters, among others. His memo began with a statement about the “significant penalties” for the “serious crimes” of cultivating, distributing, and possessing the “dangerous drug” marijuana in violation of the Controlled Substances Act. He then stated that these activities “also may serve as the basis for the prosecution of other crimes”, and he listed three such crimes: (1) those prohibited by the money laundering statutes under Title 18, sections 1956 and 1957; (2) the unlicensed money transmitter statute under Title 18, section 1960; and (3) the Bank Secrecy Act under Title 31, section 5318.

For banks, section 5318 of Title 31 is the “program” requirement: section 5318(h) provides that “in order to guard against money laundering through financial institutions, each financial institution shall establish anti-money laundering programs …”. Failure to have an effective program or being found to have a program that doesn’t contain all the necessary “pillars” or attributes required, can result in billion-dollar fines and penalties. Knowingly providing banking services to marijuana-related businesses can expose banks to program violations.

The result? Federal banking regulators need to provide more current, clearer guidance for banks and credit unions.  Only the National Credit Union Association has responded to FinCEN’s February 2014 Guidance (by way of a July 18, 2014 letter from the NCUA’s Director of Examinations that his office had provided the FinCEN Guidance to NCUA field examiners “who are responsible for determining the compliance of financial institutions that provide services to marijuana-related businesses”). This need was recognized by the Treasury Department’s Office of Inspector General in an October 16, 2017 memo he wrote to Treasury Secretary Mnuchin. In one of the four challenges facing the Treasury Department – anti-money laundering, terrorist financing, and Bank Secrecy Act enforcement – the Inspector General wrote that “FinCEN is also challenged with providing clarifying guidance to financial institutions that are reluctant to do business with State-legalized marijuana dispensaries.”

That challenge must be taken up by FinCEN and the banking regulators. Unless and until the financial services industry gets clear, unequivocal, consistent, written laws, regulations, and guidance from Congress, Treasury, and Justice to provide banking services to marijuana-related businesses, it will and should do what it is currently doing – balancing the undue risks against the insufficient rewards – and continue to stand on the sidelines while our communities, veterans, patients, doctors, caregivers, and others suffer. Congressional and Executive Branch compassion[2]without the necessary collaboration and courage to act will not resolve this crisis.

[1] FinCEN data suggests that ~400 of the ~12,000, or about 3% of, US credit unions and banks are knowingly providing financial services to marijuana-related businesses.

[2] I’m not sure we’ll see much compassion for marijuana adoption from AG Sessions. In a speech he gave in March 2017 (https://www.justice.gov/opa/speech/attorney-general-jeff-sessions-delivers-remarks-efforts-combat-violent-crime-and-restore ) he stated: “ … we need to focus on the third way we can fight drug use:  preventing people from ever taking drugs in the first place. I realize this may be an unfashionable belief in a time of growing tolerance of drug use.  But too many lives are at stake to worry about being fashionable.  I reject the idea that America will be a better place if marijuana is sold in every corner store.  And I am astonished to hear people suggest that we can solve our heroin crisis by legalizing marijuana – so people can trade one life-wrecking dependency for another that’s only slightly less awful.  Our nation needs to say clearly once again that using drugs will destroy your life.”

September 11, 2018

UNODC Report 2011 – The Estimate for Global Money Laundering

Many recent reports refer to the total amount of money laundering in the world, with wild and often unsupported estimates. For example, a September 2018 CD Howe research paper titled “Hidden Beneficial Ownership and Control: Canada as a Pawn in the Global Game of Money Laundering” (with the conclusion “with increasing concern about tax evasion, corruption, money laundering, the use of shell companies and offshore legal arrangements, it is time for a central publicly accessible registry to unmask the beneficial owners of corporations and certain trusts.”) found that “official estimates of money laundering in Canada range from $5 billion to $100 billion.” That is quite a range (imagine if a prospective employer offered to pay you between $50,000 and $1 million a year)!  https://www.cdhowe.org/sites/default/files/attachments/research_papers/mixed/Final%20for%20advance%20release%20Commentary_519.pdf

Other reports use statements like “over $1 trillion is laundered globally every year, and less than one per cent is seized.” Where do these numbers come from?

In October 2011 the United Nations Office of Drug Control issued a 140-page research report titled “Estimating illicit financial flows resulting from drug trafficking and other transnational organized crimes.” The report is available at https://www.unodc.org/documents/data-and-analysis/Studies/Illicit_financial_flows_2011_web.pdf.

The Preface to the Report is useful. It provides:

“‘Always follow the money’ has been sound advice in law enforcement and political circles for decades. Nevertheless, tracking the flows of illicit funds generated by drug trafficking and organized crime and analysing the magnitude and the extent to which these are laundered through the world’s financial systems remain daunting tasks.

UNODC’s research report, estimating illicit financial flows resulting from drug trafficking and other transnational organized crimes, attempts to shed light on the total amounts likely to be laundered across the globe, as well as the potential attractiveness of various locations to those who launder money. As with all such reports, however, the final monetary estimates are to be treated with caution. Further research and more systematic collection of data on this topic are clearly required.

Prior to this report, perhaps the most widely quoted figure for the extent of money-laundering was the IMF’s ‘consensus range’ of between 2-5 per cent of global GDP, made public in 1998. A study-of-studies, or meta analysis, conducted for this report, suggests that all criminal proceeds are likely to have amounted to some 3.6 per cent of GDP (2.3 – 5.5 per cent) or around US$2.1 trillion in 2009. The resulting best estimate of the amounts available for money-laundering would be within the IMF’s original ‘consensus range’, equivalent to some 2.7 per cent of global GDP (2.1 – 4 per cent) or US$1.6 trillion in 2009. From this figure, money flows related to transnational organized crime activities represent the equivalent of some 1.5 per cent of global GDP, 70 per cent of which would have been available for laundering through the financial system.


Less than 1 per cent of global illicit financial flows are currently seized and frozen. UNODC’s challenge is to work within the UN system and with Member States to help build the capacity to track and prevent money laundering, strengthen the rule of law and prevent these funds from creating further suffering.”

Page 7 of the report provides some detail on the phrase “less than 1 per cent of global illicit financial flows are currently seized and frozen: “The results also suggest that the ‘interception rate’ for anti-money-laundering efforts at the global level remains low. Globally, it appears that much less than 1% (probably around 0.2%) of the proceeds of crime laundered via the financial system are seized and frozen.”

What about this now-accepted “consensus range” for the extent of money laundering of between 2% and 5% of global GDP? Page 9 offers an interesting observation on that consensus range: “The data suggest that the best estimates are situated at the lower end of the range. But this is to some extent a question of methodology. If tax- and customs-related money-laundering activities were included in the calculation, results would move towards – and perhaps exceed – the upper end of the ‘consensus range’. On the other hand, if only transnational crime-related proceeds were considered, the available estimates for laundering would fall to levels around 1% of GDP, and thus below the ‘consensus range’.” Note that global GDP is ~$75 trillion.

This is not to say that the report lacks rigor. The authors and contributors did a remarkable, and remarkably detailed, study; the results of which deserve to be used as benchmarks for the ongoing fight against global money laundering. An example of that rigor can be found in the sections that describe the methodologies used, including (at pages 16 and 17), the “dynamic multiple-indicators multiple-causes’ (DYMIMIC) model, which uses two sets of observable variables and links them as a proxy to the unobservable variable (the extent of money-laundering).”

The result? It remains fair to say that more than one trillion dollars is laundered every year, most of that flows through the global financial system, and less than one-half of one per cent of the proceeds of crime laundered via the financial system is seized and frozen.

September 7, 2018

Veterans Medical Marijuana Safe Harbor Act introduced in U.S. Senate – September 5, 2018

Democratic Senators Bill Nelson (Florida) and Brian Schatz (Hawaii) have introduced S3409 – the Veterans Medical Marijuana Safe Harbor Act. Although the text of the bill is not yet on the Congress website (www.thomas.loc.gov), it is available through Senator Nelson’s site: https://www.billnelson.senate.gov/sites/default/files/Medical%20Marijuana%20for%20Veterans.pdf

The bill is smartly conceived and plainly written. It provides a temporary 5-year safe harbor for VA doctors in the 30 states (and DC) with medical marijuana laws to recommend, complete forms for, or register veterans for participation in a treatment program. It also appropriates $15 million for VA studies on the use of medical marijuana for pain and as an alternative for opioid use.

This follows on an August 30, 2018 letter from the Senate Committee on Veterans Affairs to VA Secretary Robert Wilkie encouraging him to use his authority “to conduct a rigorous clinical trial into the safety and efficacy of medicinal cannabis for veterans with PTSD and chronic pain.”

I would recommend that the bill also consider whether the VA doctors should have a FAERS-like reporting regime. FAERS – the FDA’s Adverse Event Reporting System – is a database that contains adverse events reports, medication error reports, and product quality complaints resulting in adverse events that were submitted to the FDA. The database is designed to support the FDA’s post-marketing safety surveillance program for drugs and therapeutic biologic products. Requiring FAERS-like reporting would provide much-needed data on the efficacy and safety of marijuana.

September 6, 2018

Bloomberg: “Crypto World Rocked After Long-Time Advocate Backpedals … Exchange cites need to navigate the regulatory environment”


The article offers an interesting look at crypto’s version of what the highly regulated (and supervised) mainstream financial industry players have had to negotiate for years: satisfying their customers’ desire for service and privacy, while satisfying their regulatory requirements … however uncertain or fast-changing those requirements may be.

The article begins with:

“It’s a dark day for crypto when one of the best known platforms offering peer-to-peer trading, more in line with the original vision for Bitcoin than centralized exchanges, will start asking users for personal information. Erik Voorhees, chief executive officer of cryptocurrency exchange ShapeShift AG, said in a blog post on Tuesday the platform is launching a membership program, which ‘requires basic personal information to be collected.’ and will ‘become mandatory soon.'”

Bloomberg then reports that:

“ShapeShift is making the move after users requested account-related features such as email notifications, as it’s exploring the ability to tokenize loyalty programs, and as the company recognizes the need to be ‘prudent and thoughtful in our approach as we navigate the regulatory environment,’ according to the blog post. Cryptocurrency watchers have zeroed in on that last item and are speculating Swiss-based ShapeShift has caved to regulators. Asked whether the move was in response to specific regulatory requirements, Voorhees replied, ‘this is a precautionary move to derisk the company amid an ever-changing legal grey area.’ Voorhees did appear to partially side with critics in his blog post, as he said making membership mandatory ‘sucks’ and that ShapeShift still believes individuals deserve the right to financial privacy.”

It has not been a good week for cryptocurrencies. This story, along with reports that Goldman Sachs may be abandoning (or slowing down) its plan to open a cryptocurrency trading desk because of the ambiguous regulatory environment. At last check, Bitcoin was down below $6,500.

September 4, 2018

ING pays record EUR 775,000,000 fine to Dutch Public Prosecution Service for multiple AML failures

Dutch prosecutors hammered ING Group for 7+ years of abject AML failures … missing and incomplete customer due diligence files, failing to review CDD files, improper customer risk ratings, failure to exit known bad customers in a timely fashion, late suspicious transaction reports, capping transactional alerting systems (which they called “topping”), even “culpable money laundering.” ING failed to adequately staff its financial economic crime group, knew it was understaffed, and didn’t properly staff it. The Dutch prosecutors seemed irritated about this, as they imposed a EUR 100,000,000 “disgorgement” based on the amount that ING under-staffed its FEC unit by.

Expect much industry fall-out from this. It raises the penalty bar to new heights – no European agency has imposed a fine and penalty even close to this. A link to the English version of the statement of facts for “Investigation Houston” is file:///C:/Users/jrr19/Downloads/statement_of_facts_houston.pdf

August 27, 2018

Oregon’s Marijuana Regime is “Out of Control” according to its US Attorney

Almost three weeks before FinCEN’s quarterly marijuana update, the United States Attorney for Oregon described Oregon’s marijuana regime as “out of control”. He noted that his office is “alarmed by revelations from industry representatives, landowners, and law enforcement partners describing the insufficient and underfunded regulatory and enforcement structure governing both recreational and medical use” and that “overproduction is rampant and the illegal transport of product out of state—a violation of both state and federal law—continues unchecked.” He concluded with “it’s time for the state to wake up, slow down, and address these issues in a responsible and thoughtful manner.”  The press release is available at https://www.justice.gov/usao-or/pr/us-attorney-statement-release-2018-hidta-marijuana-insight-report

If I was, or was providing guidance to, an Oregon marijuana-related business or someone looking to invest in or provide banking services to an Oregon MRB, I would be very, very concerned that the US Attorney sees the regime and its actors as being out of control.


August 26, 2018

FinCEN Updates its Marijuana SAR Data… but Information is needed!

The U.S. financial industry is in its 5th year of filing “marijuana” Suspicious Activity Reports (SARs) pursuant to guidance issued by FinCEN on February 14, 2014.  As FinCEN reports this week, 334 banks and 107 credit unions (out of approximately 11,000) are “providing banking services to marijuana-related businesses” or “actively providing banking services to marijuana-related businesses” or “actively banking marijuana-related businesses” (quoting from the title of chart 1 of the update, the text accompanying chart 1, and chart 2, respectively).  But I believe FinCEN’s descriptions are not accurate, as many financial institutions are not, in fact, knowingly providing banking services to marijuana-related businesses (MRBs). Instead, they consider these to be prohibited businesses that they do not knowingly bank, and if they uncover any MRBs through due diligence, monitoring, or surveillance, file a “Marijuana Termination” SAR and exit the relationship.

There is some good data in this report, but not much usable information.  For example, there is nothing on the size and locations of the banks and credit unions filing the marijuana SARs, which states are involved, whether the activity involves medicinal/medical or recreational/adult-use MRBs, or how many MRBs are being reported and why. Next quarter, I’d like to see FinCEN report provide some of this information.  In addition, FinCEN should consider “cleaning up” the report. I offer three suggestions.

First, when describing the three marijuana SAR categories (Limited, Priority, and Termination), FinCEN refers to Cole Memo “red flags” … but none of the three Cole Memos (or the Ogden Memo) have any “red flags”. Rather, the Cole Memos instruct federal prosecutors to “focus enforcement resources on persons or organizations whose conduct interferes with any one or more of the [eight] important priorities”.  The red flags are actually set out in the FinCEN guidance – and there are 23 red flags to consider – and that original guidance correctly refers to the Cole Memo “priorities” when describing the three marijuana SAR types.  Although some may quibble with my distinction, the term “red flags” is a red flag for banking auditors and regulators … the Cole Memo has priorities, the FinCEN guidance has red flags.

Second, footnote 1 of this recent Report describes when to use each of the three marijuana SAR types. For the marijuana “Termination” SAR, FinCEN indicates that it is to be used when the financial institution has decided to terminate its relationship with the MRB because (1) the financial institution “has decided not to have marijuana related customers for business reasons” or (2) the MRB is not fully compliant with the appropriate state’s marijuana regulations, or (3) the MRB raises one or more of the Cole Memo red flags. (Note the use of the alternative “or”). This language is different than the 2014 guidance, which has nothing about deciding not to have marijuana related customers for business reasons.  I would like to see FinCEN provide the industry with guidance for not only exiting MRBs, but also about simply not providing banking services to marijuana related customers for business/risk reasons.  It is clearly needed if only 440 of more than 11,000 banks and credit unions are knowingly or unknowingly providing banking services to MRBs.

Third, there is nothing in the 2014 guidance, nor in this report, that defines a “marijuana related business”.  It is certainly implied that to be an MRB requires being subject to state marijuana regulations, but clear guidance would be helpful. Also, there are many businesses that do not have to be licensed and are not governed by state marijuana regulations, but are indirectly dealing with MRBs. Footnote 7 of the 2014 guidance referred to indirect services (“a financial institution could be providing services to a non-financial customer that provides goods or services to a marijuana-related business (e.g., a commercial landlord that leases property to a marijuana-related business). In such circumstances where services are being provided indirectly, the financial institution may file SARs based on existing regulations and guidance without distinguishing between “Marijuana Limited” and “Marijuana Priority.”): but it did not differentiate between (what I’ll call) Direct MRBs (those that are required to be licensed under state marijuana regulations) and Indirect MRBs (those that capital, services, products, property to Direct MRBs).  The Small Business Administration has addressed these “indirect” MRBs – see the News from May 2, 2018, below. It would be great if FinCEN did, also.

Finally, this Report describes the marijuana Limited-Priority-Termination SAR categories as “three phases for describing a financial institution’s relationship to marijuana-related businesses.” That isn’t accurate: there is not a progression or phasing of these categories, and the original 2014 guidance didn’t describe them that way. A bank or credit union doesn’t have to start with a Limited SAR, then progress to a Priority SAR, then end with a Termination SAR: they are three distinct SARs, dependent on the circumstances of each case.

August 1, 2018

Professional Money Launderers – FATF Guidance and a US criminal case

FATF’s report on Professional Money Launderers is a must read. The public version of the report was released on July 26, 2018 (wouldn’t we all love to see the non-public version!). In an ironic twist, the report team was was co-led by the delegations from Russia and the United States (HUGE collusion!). The Report does a great job of describing the techniques and tools used by the three types of PMLs: individuals, organizations, and networks of associates and contacts. There are sections on: the four types of dedicated money laundering organizations and networks; three supporting mechanisms used by PMLs; and five types of complicit or criminal service providers. And like many FATF reports, the 25 “boxes” or examples are very useful and add some color to the report.  Well done FATF! And after reading this … are lawyers and accountants high risk customer classes???

The report is available at http://www.fatf-gafi.org/media/fatf/documents/Professional-Money-Laundering.pdf

And just two days before the FATF report was issued, an indictment was unsealed in Federal Court in Miami charging 8 defendants with money laundering. A press release provided, in part:

“According to the criminal complaint, the conspiracy in this case allegedly began in December 2014 with a currency exchange scheme that was designed to embezzle around $600 million from PDVSA, obtained through bribery and fraud, and the defendants’ efforts to launder a portion of the proceeds of that scheme.  By May 2015, the conspiracy had allegedly doubled in amount to $1.2 billion embezzled from PDVSA.  PDVSA is Venezuela’s primary source of income and foreign currency (namely, U.S. Dollars and Euros). 

The complaint alleges that surrounding and supporting these false-investment laundering schemes are complicit money managers, brokerage firms, banks and real estate investment firms in the United States and elsewhere, operating as a network of professional money launderers.

The alleged conspirators include former PDVSA officials, professional third-party money launderers, and members of the Venezuelan elite …”.

The indictment can be found here: US v Venezuelans Money Laundering SDFL 18CR03119

July 31, 2018

OCC announces Special Purpose National Bank charters for qualifying FinTechs

This has been a number of years in the making (going back to December 2016) and is a good first step. Hopefully some FinTechs will look to obtain a federal banking charter ….

Policy Statement: https://www.occ.gov/publications/publications-by-type/other-publications-reports/pub-other-occ-policy-statement-fintech.pdf

Manual: https://www.occ.gov/publications/publications-by-type/licensing-manuals/file-pub-lm-considering-charter-applications-fintech.pdf

July 29, 2018

Richards AML Scenario Builder© – as relevant today as it was in 1999

Richards AML Scenario Builder ©


July 18, 2018

Marijuana Looping & Cash Structuring – the Sweet Leaf decision reveals a glaring weakness in states’ controls over their retail marijuana regimes

County of Denver v Sweet Leaf Final Decision 7-5-18

On July 5th the City/County of Denver revoked all 26 marijuana licenses held by 9 businesses operating as Sweet Leaf. For more than two years Sweet Leaf knowingly engaged in “looping” – the practice of making multiple one-ounce transfers of marijuana to the same customer within a single day. According to the Final Decision, “Sweet Leaf’s practice of artificially dividing a single transaction into multiple transfers of marijuana to the same customer was done for the purpose of evading quantity limitations on the sale of marijuana.”

Marijuana Looping: artificially dividing a single transaction into multiple transfers of marijuana to the same customer done for the purpose of evading quantity limitations on the sale of marijuana.

Cash Structuring: artificially dividing a single transaction into multiple transfers of cash by the same customer done for the purpose of evading reporting requirements on cash transactions.

In this case, Sweet Leaf fully acknowledged that it engaged in a looping scheme, but argued that it was simply exploiting a gap in the law limiting customers’ purchases to 1 ounce per day “as long as the customer left the premises and came back without the previously purchased marijuana.” The Final Decision offered some examples, including a medical marijuana patient who purchased 446 pounds of marijuana for more than $577,000 in 137 days over a six month period. In those 137 “loopy” days, Sweet Leaf’s medical marijuana patient purchased enough marijuana to roll about 300,000 joints … 

Critically, the hearing officer concluded that “Sweet Leaf’s actions have put all other marijuana businesses in Denver and Colorado at risk of federal enforcement.”

This case highlights a problem that California’s “pot czar”, Joe Devlin identified in a statement published in the Sacramento Bee on December 29, 2017: “How to enforce a new limit on how much pot a person can buy per day: ‘Does the dispensary have to create a customer account or do you just check ID? I don’t know how you prove you’re not exceeding the daily limit without creating a customer account.'”

No states (I’m aware of) require marijuana/cannabis dispensaries or stores to (1) record the identification of customers/purchasers, and (2) make those identifications available real-time to all retailers to prevent customers from “looping” … but when a dispensary knowingly engages in looping, it deserves to not only lose its license, and have its marijuana stock forfeited (As happened to Sweet Leaf), but there should be criminal actions taken – at both the state and federal level.  I would be surprised if the Colorado US Attorney’s office didn’t step in.

July 13, 2018

Russian Military Officers Indicted – DC District Court, case 18CR00215

Count 1 of the indictment of the 12 Russian GRU officers (conspiracy to commit an offense against the United States) begins with “In or around 2016, the Russian Federation (“Russia”) operated a military intelligence agency called the Main Intelligence Directorate of the General Staff (“GRU”). The GRU had multiple units, including Units 26165 and 74455, engaged in cyber operations that involved the staged releases of documents stolen through computer intrusions. These units conducted large scale cyber operations to interfere with the 2016 U.S. presidential election.”

Mr. Mueller and his team are exceptional prosecutors and lawyers. Every word and phrase in a Special Counsel indictment has meaning. So to begin this indictment with “the Russian Federation” is telling.

And Count 10 – conspiracy to commit money laundering – is a text-book example of using bitcoin to fund criminal activity. Paragraphs 57 to 62 of the indictment provide the details:

“… the Defendants conspired to launder the equivalent of more than $95,000 through a web of transactions structured to capitalize on the perceived anonymity of cryptocurrencies such as bitcoin. Although the Conspirators caused transactions to be conducted in a variety of currencies, including U.S. dollars, they principally used bitcoin when purchasing servers, registering domains, and otherwise making payments in furtherance of hacking activity.  Many of these payments were processed by companies located in the United States that provided payment processing services to hosting companies, domain registrars, and other vendors both international and domestic.  The use of bitcoin allowed the Conspirators to avoid direct relationships with traditional financial institutions, allowing them to evade greater scrutiny of their identities and sources of funds.  All bitcoin transactions are added to a public ledger called the Blockchain, but the Blockchain identifies the parties to each transaction only by alpha-numeric identifiers known as bitcoin addresses.  To further avoid creating a centralized paper trail of all of their purchases, the Conspirators purchased infrastructure using hundreds of different email accounts, in some cases using a new account for each purchase.  The Conspirators used fictitious names and addresses in order to obscure their identities and their links to Russia and the Russian government.”

And the defendants (are alleged to have) not only bought bitcoin, but earned it through mining:

“The Conspirators funded the purchase of computer infrastructure for their hacking activity in part by “mining” bitcoin.  Individuals and entities can mine bitcoin by allowing their computing power to be used to verify and record payments on the bitcoin public ledger, a service for which they are rewarded with freshly-minted bitcoin.  The pool of bitcoin generated from the GRU’s mining activity was used, for example, to pay a Romanian company to register the domain dcleaks.com through a payment processing company located in the United States. In addition to mining bitcoin, the Conspirators acquired bitcoin through a variety of means designed to obscure the origin of the funds.  This included purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using pre-paid cards.  They also enlisted the assistance of one or more third-party exchangers who facilitated layered transactions through digital currency exchange platforms providing heightened anonymity.”

The indictment is US v 12 Russian GRU Officers Indictment DCDC 18CR00215 7-13-18

(An indictment contains allegations that have yet to be proven in a court of law.)

July 4, 2018

Real News: 600+ indicted … $2 billion in fraud … where is the national media attention?

A review of both Bing and Google News suggests that none of the major national news services ran a story on the Justice Department’s “largest ever health care fraud enforcement action”.  Negative news searches only work if there is news to search …


National Health Care Fraud Takedown Results in Charges Against 601 Individuals Responsible for Over $2 Billion in Fraud Losses

Largest Health Care Fraud Enforcement Action in Department of Justice History Resulted in 76 Doctors Charged and 84 Opioid Cases Involving More Than 13 Million Illegal Dosages of Opioids

Department of Justice

Office of Public Affairs

Attorney General Jeff Sessions and Department of Health and Human Services (HHS) Secretary Alex M. Azar III, announced today the largest ever health care fraud enforcement action involving 601 charged defendants across 58 federal districts, including 165 doctors, nurses and other licensed medical professionals, for their alleged participation in health care fraud schemes involving more than $2 billion in false billings.  Of those charged, 162 defendants, including 76 doctors, were charged for their roles in prescribing and distributing opioids and other dangerous narcotics.  Thirty state Medicaid Fraud Control Units also participated in today’s arrests.  In addition, HHS announced today that from July 2017 to the present, it has excluded 2,700 individuals from participation in Medicare, Medicaid, and all other Federal health care programs, which includes 587 providers excluded for conduct related to opioid diversion and abuse …

June 21, 2018

FinCEN’s Marijuana SAR Update …

FinCEN doesn’t seem keen on publicizing these updates … and the media doesn’t seem keen to pick them up. But there is some interesting information …

Since it’s Valentine’s Day 2014 guidance for banks to (not) bank marijuana-related businesses (MRBs) and to file the three types of “marijuana” SARs, FinCEN has been tracking the numbers and types of SARs filed and how may banks and credit unions are banking MRBs (based on the SAR filings). https://www.fincen.gov/sites/default/files/shared/277157%20EA%202nd%20Q%20MJ%20Stats_Public.pdf

  • Limited Marijuana SARs are those where the bank is simply reporting the existence of an MRB – no Cole memo or other red flags. There have been 37,885 of these since 2Q 2014 and they are going up linearly.
  • Priority Marijuana SARs are those where one or more red flags is/are triggered but the bank is not exiting the MRB. There have been 3,809 of these since 2Q 2014 and they are going up linearly.
  • Termination Marijuana SARs are those where one or more red flags is/are triggered and the bank is exiting or has exited the MRB. There have been 12,331 of these since 2Q 2014 and they are going up linearly.

That’s a total of ~52,000 marijuana-related SARs filed since 2Q2014. To put that number in perspective, in that same period, depository institutions filed just over 3.7 million SARs … so marijuana SARs filed by depository institutions accounted for 1.4% of all depository institution SARs.

Another (more) interesting fact. FinCEN reports that, based on SAR filings, about 310 banks and 100 credit unions are “actively banking” marijuana businesses. That’s about double the number from three years ago, but only about 20 higher than a year ago (suggesting that those institutions that are going to actively bank marijuana businesses have already decided to do so, and the rest will sit on the sidelines until the regulatory and criminal prospects are more settled). But it’s still a small fraction of the total number: using FDIC and NCUA data from June 2015 (roughly the middle of the “marijuana SAR” period and published in FinCEN’s final rule for beneficial ownership), there are ~6,350 banks and ~6,165 credit unions. So … just less than 5% of banks and 2% of credit unions are “actively banking” marijuana businesses, according to FinCEN.  But those numbers may be high – those institutions that are filing “Termination” SARs may not, in fact, be knowingly, actively banking marijuana related businesses, but exiting those it finds through monitoring and surveillance – or they may be low – it’s possible that not all banks and credit unions that are “actively banking” marijuana businesses are actively filing Marijuana Limited SARs. It’s hard to tell, since FinCEN seems reluctant or unable to publish detailed, actionable information.

June 20, 2018

Finally! A blockchain explanation that makes sense!

https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/blockchain-beyond-the-hype-what-is-the-strategic-business-value?cid=other-eml-alt-mip-mck-oth-1806&hlkid=d2c58d1171ab41a8a16e22859260e7cf&hctky=10239825&hdpid=6a0817ff-c71d-4a97-be68-b9b733f3d39f  accessed June 20, 2018

“Blockchain is a distributed ledger, or database, shared across a public or private computing network. Each computer node in the network holds a copy of the ledger, so there is no single point of failure. Every piece of information is mathematically encrypted and added as a new “block” to the chain of historical records. Various consensus protocols are used to validate a new block with other participants before it can be added to the chain. This prevents fraud or double spending without requiring a central authority. The ledger can also be programmed with “smart contracts,” a set of conditions recorded on the blockchain, so that transactions automatically trigger when the conditions are met. For example, smart contracts could be used to automate insurance-claim payouts.”


“The economic incentives to capture value opportunities are driving incumbents to harness blockchain rather than be overtaken by it. Therefore, the commercial model that is most likely to succeed in the short term is permissioned rather than public blockchain. Public blockchains, like Bitcoin, have no central authority and are regarded as enablers of total disruptive disintermediation. Permissioned blockchains are hosted on private computing networks, with controlled access and editing rights.”

June 19, 2018

Subject Matter Experts vs. Subject Matter Enthusiasts

Like most industries, the financial crimes risk management industry is rank with jargon, axioms, and hackneyed phrases we all toss around with plenty of abandon but little discipline.  Rising to the top of this heap is “Subject Matter Expert” or “SME”.

More important to the success or failure of any endeavor than the self-styled Subject Matter Expert is the dreaded Subject Matter Enthusiast.  The Expert is just that: someone with talent, training, subject matter knowledge, environmental knowledge, and years of experience (and not just one year of experience many times, but many years of experience). The true Expert doesn’t see him or herself as an expert, won’t call himself (I’m going single pronoun from here on, if that’s OK) an expert, probably doesn’t see himself as an expert, but he possesses those traits, or enough of them, to truly be, and be seen as, a Subject Matter Expert.  The Enthusiast, on the other hand, often calls himself an Expert when he isn’t, or thinks of himself as possessing enough of as many of the traits needed to pass himself off as an Expert. The Enthusiast overcomes his lack of true expertise with just enough confidence, hubris, and (frankly) enthusiasm to move a project ahead or design a monitoring system just long enough to allow auditors, regulators, and prosecutors to catch up … and for the experts to bail him (and the project or monitoring system) out.

A Subject Matter Enthusiast usually means well but isn’t the “expert” he thinks he is. Unwittingly, he can cause all sorts of damage (note that the word immediately after “enthusiasm” is “entice” … indeed, Enthusiasts often entice people into doing things they wouldn’t otherwise do). And as a rule, a business person in a typical financial institution is a Subject Matter Expert in their business and a Subject Matter Enthusiast in your business (financial crimes risk management), and risk management professionals are Subject Matter Experts in risk and Subject Matter Enthusiasts about the businesses. The trick is to be respectful of and acknowledge where each other’s expertise begins and ends, and enthusiasm begins and ends, and somehow meet in the middle.

Oddly enough, most of us in the financial crimes risk management industry are a little bit of both: we may be an Expert in technology and an Enthusiast in AML, or an Expert in auditing and an Enthusiast in AML, or an Expert in AML and an Enthusiast in technology … the key is to recognize where (whether) your Expertise begins and ends, and where your Enthusiasm begins and ends, and to know where your colleagues fall on the Expertise/Enthusiasm spectrum.  And the most successful financial crimes risk management efforts are those where everyone involved in the effort knows where his and everyone else’s expertise and enthusiasm begin and end, and where everyone is respectful of and accepts others’ expertise.

This seems particularly important in this new age of disruptive fintech. I’ve seen some great fintech companies that are technology experts but financial crimes enthusiasts but aren’t aware (or aware enough) of their lack of financial crimes expertise and are not respectful enough of the financial crimes expertise of those they’re trying to sell to.

So, the next time you’re pulling together a team to solve any financial crimes problem – and that team can include fintech companies looking to sell you a “solution” – make sure everyone on the team recognizes and is aware of every team member’s Expertise/Enthusiasm spectrum. Knowing, and admitting, where/whether your expertise begins and ends, and your enthusiasm begins and ends, will make your team, and project, a success.

(Thomas Friedman had a different twist on subject matter enthusiasts in a NYT Op/Ed from April 24, 2001, where he wrote: “The well-intentioned but ill-informed being led by the ill-intentioned but well-informed.”)

May 31, 2018

Jim Richards joins Deloitte as a Senior Advisor

http://<iframe src=”https://www.linkedin.com/embed/feed/update/urn:li:activity:6407661890650013696″ height=”415″ width=”504″ frameborder=”0″ allowfullscreen=””></iframe>

As Michael Shepard of Deloitte posted to his LinkedIn page:

“I’m so thrilled that Jim Richards will serve as a Senior Advisor for Deloitte’s Financial Crime/Anti-Money Laundering practice.  Jim has over 20 years of experience as an executive in financial crime risk management.  He recently retired from Wells Fargo & Co. where he served for 13 years as the Executive Vice-President, Bank Secrecy Act Officer, Director of Global Financial Crimes Risk Management. Jim will be a tremendous asset to our clients and our practice, providing executive insights and unique perspectives to clients. He is an incredibly knowledgeable and innovative financial crime risk management leader.”

May 18, 2018

US v Rabobank NA, SD CA 18CR00614 – Does it pose questions every BSA Officer needs to ask?

On February 7, 2018, Rabobank NA pleaded guilty to a charge of conspiracy to defraud the United States and corruptly obstruct an OCC examination. On May 18th the judge sentenced Rabobank to two years’ probation and the maximum fine of $500,000. This is on top of the previous $368.7 million forfeiture.

There is an interesting passage from the original criminal information. Paragraph 17 provides as follows:

“During certain periods in 2011, the M&I [Monitoring & Investigations] Unit had only two people to handle investigations and only three analysts to monitor and manage thousands of monthly alerts. In other words, during those particular periods, three people were tasked with reviewing approximately 2,300 alerts per month and two people were tasked with conducting more than 100 investigations per month, including approximately 75 customers per month for whom SAR determinations had to be made.”

So the Government appears to be critical that there were only 3 people to clear 2,300 alerts per month … that’s about 733 per person per month, or about 35 per day … and that there were only 2 people to clear 100 investigations per month … that’s just over two cases per day.

The questions every BSA Officer has to ask are these: how many alerts and cases are my folks clearing every day, how does that compare to what the Rabobank analysts/investigators were clearing, and do I have to do something different in my shop as a result?

May 16, 2018

FinCEN Director Ken Blanco testifies on the new CDD/Beneficial Ownership Rule

House Financial Services Committee – FinCEN Director Blanco Written Testimony 5-16-18

What is interesting is what Director Blanco did not have to testify about the enforcement of the new rule. He wrote, in part:

“Although we expect covered institutions to be ready on May 11, 2018, to begin timely and effective implementation of the policies, procedures, and controls required under the CDD Rule—and we are pleased to have heard from many in industry that they were ready—we also understand that institutions, regulators and other stakeholders may need a little extra time to smooth out any wrinkles. This is the case whenever we issue a new rule, the purpose of which is always to enhance our AML regime and not to serve as a vehicle for punishing financial institutions. There is always an understandable expectation that industry’s fine-tuning of its implementation, and the government’s fine-tuning of the examination process itself, takes time and that new questions often emerge after implementation begins. We have spoken with our counterparts, including the Federal Banking Agencies, the U.S. Securities and Exchange Commission, and the Commodity Futures Trading Commission, to discuss these issues. We are all committed to ensuring that covered financial institutions are able to implement the rule effectively, and in a way that makes practical sense.

Our goal in this rule is to gain the transparency needed to protect the U.S. financial system and to prevent, deter, detect and disrupt money laundering, terrorist financing, and other serious crimes. It is important for us to continue to work with our regulatory partners, their examiners and financial institutions to achieve these objectives through compliance with the rule. It is equally important, however, to understand that seamless implementation does not happen
overnight and, for some areas, we all will need time to benefit from cumulative practical experiences with the new rule as part of the process. In the meantime, we would encourage financial institutions to alert their examiners to any issues early on, and to share such concerns with FinCEN. We will continue to work with industry and regulators to understand and help address any concerns.”

This passage needs to be read carefully. Essentially, there is an expectation that financial institutions’ programs are ready on May 11th, but those institutions and their regulators “may need a little extra time to smooth out any wrinkles.” And that “new questions often emerge after implementation begins” and “we will all need time to benefit from cumulative practical experiences with the new rule”.  But what does not appear? Any statement that there will be a period of forbearance. Based on a strict reading of this testimony, covered financial institutions should expect that their programs will be judged as of May 11, and like with everything in BSA/AML, that judgment will be impacted by the environment the financial institution finds itself in at the time of judgment, not the environment it was in at the time of implementation. So beware! When being audited or examined in 2019 or 2020 for your compliance with the CDD Rule, look to the environment at that time – not as it was in May 2018 – for how your program will be judged as it was in May 2018.

May 14, 2018

“The Courage To Change” Podcast has been published


Please take the time to listen to Jo Ann Barefoot’s podcast. The notes provide:


We’re moving into a new era of regulation and compliance that will be driven by new technology. Most of our listeners know I’ve co-founded a regtech firm, Hummingbird, to help bring this new model, first, to anti-money laundering, which is widely seen as the arena where the old compliance model is most broken, and where new technology could go the farthest, fastest, to solve everyone’s problems — by both improving outcomes and cutting costs. There is a growing global “regtech” community, in both the public and private sectors, aiming to transform financial regulation and compliance, and specifically to make them both digitally-native, with all the power of digitization to make everything better, faster, and cheaper, all at once.

Executing this transformation will take imagination, vision, wisdom and even courage, which is why I invited today’s guest to join us.  He is Jim Richards, founder of the new firm, RegTech Consulting, and I think he used the word “courage” six times, in our talk.  We sat down together at this year’s LendIt conference in San Francisco, just a few days after Jim had retired from his position as the Bank Secrecy Act Officer and Global Head of Financial Crimes Risk management at Wells Fargo, a job he held for more than twelve years. He’s also an attorney and a deep expert in financial crime.

Jim is famously outspoken. He’s also funny (he says the book he wrote on transnational financial crime sold more copies in Russian than in English. Most of all, though, he’s frustrated. He thinks we can do better in fighting financial crime.

I do too. According to the United Nations, there’s about $2 trillion in global financial crime each year, and we’re catching less than 1 percent of it. To achieve these paltry results, the financial industry spends around $50 billion a year. In other words, launderers can fund terrorism and amass wealth by trafficking in drugs, weapons, and human beings, with very little risk of getting caught. No wonder financial crime is a growing global business.

Jim says that the heart of this problem is that incentives are misaligned, which means resources are too. He thinks we’ve built a regulatory system that does not reward effectiveness but instead prizes compliance “hygiene.” The theory of the system, of course, is that banks’ careful compliance with the AML regulations should lead to high levels of effectiveness in helping law enforcement stop financial crime. Possibly, in an earlier era, it did. Today, though, there is a massive mismatch between the compliance activities required by our regulations and the desired outcomes — partly because the technology of both money laundering, and anti-money laundering, has shifted under our feet. And today’s methods can’t scale up.

Like many people in the AML world — including me — Jim envisions a better system in which, mostly through newer technology, we could take some of the thousands of people and billions of dollars devoted to this effort and redirect them to drive better results, and cut the costs, too.

He has lots of ideas. They include updating the rules on Currency Transaction Reports; fixing the Know Your Customer process through more information standardization, prescreening, and data sharing; addressing the new beneficial ownership requirements (which he calls a tsunami hitting banks and their small business customers; and resolving what he calls “The Clash of the Titles” — the four titles of the US Code that govern financial crime. He suggests getting law enforcement input into financial regulators’ enforcement efforts. He has thoughts on how AML and fraud detection overlap and differ. He says there’s a lot to learn from how fintech companies do AML since they generally have good data and new systems. Like our previous Barefoot Innovation guest, Ripple’s Chris Larsen, Jim sees a useful model in how global trade was transformed by the advent of standardized shipping containers, as explained in Marc Levinson’s book, The Box.

A key issue is transaction monitoring (although Jim vigorously argues that term is obsolete). The law requires banks to monitor their customers’ activity and report suspicious patterns.  Today, this process, systemwide, produces huge over-reporting of meaningless alerts that drown both bank personnel and law enforcement in low-value information they don’t have the tools to analyze. It’s a perfect use case for AI, which Jim says Wells Fargo began using in AML as early as 2008 and is now building further under his successor, Graham Bailey (whom Jim calls a genius, the best AML technologist in the industry).

Jim says that banks like Wells Fargo devote less than ten percent of their AML compliance people to working on sophisticated, complex crime, while the other 90+ percent do regulatory compliance, just “crunching through the volumes.”  This is at a time when the crime itself is getting more and more sophisticated because the worst criminals are adopting new tech and are building global networks, most of which we can’t find with current methods. He makes the case that it would be good to flip that and deck the 90 percent against the big problems. We already have the technology to do that, both in process and analytics. We just need to enable the system to adopt it, for both government and industry.

The original AML law in the United States, the Bank Secrecy Act, is approaching the half-century mark. It’s been modernized and automated along the way — FinCEN has brought in a lot of automation — but the system doesn’t yet leverage the newest technology. It needs to shift to digitally-native design, probably with open source technology that can enable new, efficient, effective approaches, system-wide. A few weeks after we recorded this episode, I hosted a roundtable in Washington where experts from across the AML ecosystem — large and small banks, fintechs, regtechs, bank regulators, trade groups, Congressional staff, academics and, crucially, law enforcement — spent a day together thinking through next-generation AML. The new Comptroller of the Currency, Joseph Otting, has made AML modernization a top priority. Change is coming.

And it’s attracting great people, including great tech people, into solving these problems, including many who, a year ago, would surely have laughed to hear Jim Richards say, as he did to me, that BSA Officer is “the most fascinating job you can have in banking.”  People think compliance is boring. They’re wrong. It’s fascinating, and it’s important.

Jim has founded his new firm, RegTech Advisors, to, as he puts it, “develop the next generation of professionals, technologies, programs, and regimes and really make a difference.” He thinks doing that will take courage… including the courage to make some mistakes. That’s a type of courage that doesn’t come easily to the regulatory sector, but we’re going to have to develop it.


May 8, 2018

Beneficial Ownership – a Centralized Registry is the Key!

Requiring financial institutions to collect the (one to five) names and PII of what may or may not be the beneficial owners of a legal entity customer, as well as the name and “certification” of the representative of the legal entity that those are, indeed, the beneficial owner(s) of the legal entity, is a positive step. But without a centralized registry of beneficial ownership, it is an incomplete exercise.

A great blueprint for a centralized registry can be found in a December 2017 paper written by Mora Johnson of Publish What You Pay Canada. In “Building a Transparent, Effective Beneficial Ownership Registry: Lessons Learned and Emerging Best Practices From Other Jurisdictions”, Ms. Johnson provides a succinct list of the eight features a beneficial ownership registry must have. Her focus is on Canada, which has 14 provincial and territorial company registries, so much can be learned from this in applying it to the 50 state registries in the United States. Those eight features are:

  1. All legal entities
  2. Centralized registry
  3. Open to the public
  4. Verified information
  5. Skilled, empowered registrar(s)
  6. Prompt information updates
  7. Adequate data standards
  8. Intelligent design considerations (e.g., drop-downs and legal entity identifiers)

The report is available at http://www.pwyp.ca/images/documents/PWYP-Canada-CRBO-Policy-English-INTERACTIVE.pdf

May 7, 2018

Jim Richards featured in two podcasts

Thomson Reuters Legal Executive Institute podcast on the beneficial ownership rule, with Holly Sais Phillippi, Partner Director in Governance, Risk & Compliance for Thomson Reuters Legal; Brett Wolf, Reuters senior financial crimes correspondent; and Jim Richards.

American Bankers Association/American Bar Association (ABA/ABA) Financial Crimes conference podcast with Ryan Rasske, Senior VP, Risk & Compliance, ABA’s Professional Development Group, available at https://www.youtube.com/watch?v=gDCnAujJHMA&feature=youtu.be (“Jim Richards, former BSA Officer at Wells Fargo and currently the Principal at RegTech Consulting LLC, talks with ABA’s Ryan Rasske about the synergy between BSA/AML, fraud and cyber-enabled crimes, including the focus on clean data to fight financial crimes. Learn more about the ABA/ABA”)

For all of the great ABA/ABA Financial Crimes podcasts, go to the “Experience Page” at https://www.aba.com/Training/Conferences/Pages/fce-podcasts.aspx

May 4, 2018

Dress Appropriately – AML Policies, Procedures, and Policedures

“As chief executive at General Motors, Mary Barra practices what she preaches. Her management philosophy is epitomized by GM’s workplace dress code—which is equally brief, and also an antidote to the restrictive, wallet-draining policies at many large corporations. It reads, in full: ‘Dress appropriately.’”

Much can be learned from this when it comes to writing BSA/AML policies (what you must do), procedures (how you must do it), and policedures (those bridge-too-far documents that describe what to do and how to do it).  Tremendously detailed and prescriptive policies and procedures are usually impossible to adhere to on a day-to-day basis, invariably ignored in times of stress, and often turned against you by regulators and prosecutors.  Granted, a two-word policy may not cut it with regulators or those in the implementation trenches, but a general rule to follow may be that you keep your policies below 1,500 words: after all, if the US Colonies can declare their independence from Britain in 1,458 words, a decent BSA Governance team can declare that a bank adhere to customer due diligence regulations in 1,458 words (or less).

A common policy drafting mistake is to assume that the theory of the policy will translate into sound practice in the front line units. As the great philosopher Yogi Berra said, “in theory there is no difference between theory and practice: in practice there is.” So give your policies and procedures (and your policedures) to those people in your organization that are supposed to be following them, and have them tell you whether the practice of implementation meets the theory of compliance.

And on a related note, if your program is replete with “Roles & Responsibilities” documents and intra-company service level agreements, take another look at your corporate policies and line of business procedures: R&Rs and SLAs are often manifestations of the failure to write policies and procedures that can actually be understood and followed.

May 2, 2018

SBA’s new Marijuana Business Policy – Is SBA-backed lending to the budding indirect marijuana industry up in smoke?

On April 3rd, the US Small Business Administration issued a benignly-titled policy notice that could have a profound impact on the “budding” marijuana industry. Title “Revised Guidance on Credit Elsewhere and Other Provisions”, the policy notice essentially extends the prohibition on banks using SBA-backed loans from just direct marijuana businesses to indirect marijuana businesses.  The notice notes that the prohibition “currently provides that businesses engaged in any activity that is illegal under federal, state or local law are ineligible for SBA financial assistance. SBA is issuing additional guidance to specifically address businesses that derive revenue from marijuana-related activities or that support the end-use of marijuana.”

What is meant be “businesses … that support the end-use of marijuana”? These are defined as “Indirect Marijuana Businesses”, which is “a business that derived any of its gross revenue for the previous year (or, if a start-up, projects to derive any of its gross revenue for the next year) from sales to Direct Marijuana Businesses of products or services that could reasonably be determined to support the use, growth, enhancement or other development of marijuana. Examples include businesses that provide testing services, or sell grow lights or hydroponic equipment, to one or more Direct Marijuana Businesses. In addition, businesses that sell smoking devices, pipes, bongs, inhalants, or other products that may be used in connection with marijuana are ineligible if the products are primarily intended or designed for such use or if the business markets the products for such use.”

So what small businesses could derive any of their gross revenue from products or services sold to direct marijuana businesses? The list is long and varied: garden supply companies (you need to read about Hawthorne Gardening Company’s marijuana-related business … and Hawthorne is a subsidiary of Scott’s Miracle-Gro, SMG on NYSE), lawyers, architects, engineers, web designers, etc.

And the Notice forges on, specifically calling out commercial property owners that have the temerity to have tenants such as lawyers, architects, engineers, web designers, etc.,  …

“Leasing Part of a Building Acquired with Loan Proceeds (13 CFR § 120.131). Chapter 2, Paragraph V.F.1.g) (page 131). Currently, this SOP paragraph provides that, during the life of an SBA-guaranteed loan, the borrower may not lease space to a business that is engaged in any activity that is illegal under federal, state or local law. For consistency with the changes identified above regarding marijuana-related businesses, Lenders are advised that, during the life of the SBA-guaranteed loan, a borrower may not lease space to the ineligible businesses described above because the collateral could be subject to seizure and because payments on the SBA loan would be derived from illegal activity. If a borrower does lease to an ineligible marijuana-related business, SBA District Counsel should be consulted to determine what action should be taken.”

So it looks like SBA-backed lending to the budding indirect marijuana business industry may be up in smoke! But as indicated above, whether and how this policy could be enforceable, other than on an after-the-fact basis, is doubtful. At best, hedge funds, private equity lenders, and as always lawyers, stand to do well.

The policy is available at:


April 24, 2018

Public/Private Sector Partnership in Combating Financial Crime: The More Things Change, The More They Stay The Same

“Operationalizing the provisions of the Bank Secrecy Act and USA PATRIOT Act has been and continues to be a complex endeavor.  From the policies, procedures, and practices for know your customer or enhanced due diligence; to the systems and tools to monitor transactions and conduct surveillance of high-risk customers or classes of customers; to the ability to analyze, investigate, and report suspicious activity; and to trending, training and testing for and of those programs, the tasks of individual financial institutions are daunting.  As daunting is the task of the regulatory community to set standards for and examine those programs.  Continued cooperation and dialogue between the regulatory community and the institutions it regulates is critical to understanding and controlling the unique risks posed by money laundering and terrorist financing.”

This is an excerpt from Congressional testimony of Jim Richards almost fourteen years ago, yet it remains true today.

See attached testimony of James R. Richards on behalf of Bank of America before the House Financial Services Subcommittee on Oversight and Investigations on “Improving Financial Oversight: A Private Sector View of Anti-Money Laundering Efforts”, May 18, 2004

2004-05-18 Richards Testimony House Financial Services

April 13, 2018

Beneficial Ownership is less than a month away

I’m predicting some chaos, lots of gnashing of teeth and wringing of hands, Media and Social Media !WTF?! and Congressional !Calls to Action! as we hit the formal implementation date of May 11th. It’s then (by the way, May 11th is a Friday) that unsuspecting small business owners (and the bookkeepers of those owners) will descend upon confused and unprepared bankers across the country and be asked to fill in a form listing as many as four owners as well as (or) the single person who has effective control of the company (won’t THAT conversation be interesting in some mom-and-pop businesses?).

This requirement has been in the works for more than 20 years – in the mid-1990s there was a call for obtaining beneficial ownership information in the private banking space (Congressional hearings and the New York Fed’s 1997  “Guidance on Sound Practices Governing Private Banking Activities”) and for high risk accounts (such as the 1999 National Money Laundering Strategy that called for a study to provide recommendations to Treasury on “how to assure that [high risk] accounts are traceable to their beneficial interest holders”). We saw beneficial ownership get picked up in the Patriot Act in 2001 (notably the second “Special Measure” in section 311 and for private banking due diligence in section 312), and we saw the U.S. get buffeted in its 2006 FATF Mutual Evaluation results for failing to meet the requirements of Recommendations 33 and 34. All of which led to the 2012 ANPRM, the 2014 NPRM, and the 2016 Final Rule which gave us until May 11, 2018 to implement a beneficial ownership regime.  We’re one month away … it is going to get very interesting … and my notes will get a little thicker:

Next Generation of AML?

There is a lot of media attention around the need for a new way to tackle financial crimes risk management. Apparently the current regime is “broken” (I disagree) or in desperate need of repair (what government-run program isn’t in need of repair?).

  1. Customer- and account-based transaction monitoring is a thing of the past: relationship-based interaction monitoring and surveillance is the NextGen.
  2. Single entity SAR filers are a thing of the past: 314(b) associations and joint filings are the NextGen.
  3. A lot of FinTech companies really want AML to be like classical music, where every note is carefully written, the music is perfectly orchestrated, and it sounds the same time and time again regardless of who plays it … but AML is more like jazz: defining, designing, tuning, and running effective anti-money laundering interaction monitoring and customer surveillance systems is like writing jazz music … the composer/arranger (FinTech) provides the artist (analyst) a foundation to freely improvise (investigate) within established and consistent frameworks, and no two investigations are ever the same.
  4. The federal government has the tools in its arsenal: it simply needs to use them in more courageous and imaginative ways. Tools such as section 311 Special Measures and 314 Information Sharing are grossly under-utilized.
  5. CTRs are the biggest resource drain in BSA/AML. Because of regulatory drift, CTRs are de facto SAR-lites … get back to basic CTRs and redeploy the resources used in the ever-expanding aggregation requirements to better SARs.
  6. And remember the “Clash of the Titles” … the protect-the-financial-system (filing great SARs) requirements of Title 31 (Money & Finance … the BSA) are trumped by the safety and soundness (program hygiene) requirements of Title 12 (Banks & Banking), and financial institutions act defensively because of the punitive measures in Title 18 (Crimes & Criminal Procedure) and Title 50 (War … OFAC’s statutes and regulations). There is a need to harmonize the Four Titles and how financial institutions are examined against them. BSA/AML people are judged on whether they avoid bad TARP results (from being Tested, Audited, Regulated, and Prosecuted) rather than being judged on whether they provide actionable, timely intelligence to law enforcement. As the great Hugh MacLeod wrote: “I do the work for free. I get paid to be afraid …”


April 10, 2018

Update on Backpage.com seizure and indictment

The Department of Justice has posted the Backpage.com indictment (https://www.justice.gov/file/1050276/download), a 93-count indictment against the seven individuals who ran Backpage.com at various times from its inception in 2004. The indictment, filed on March 28th in Federal District Court in Arizona, goes through the often disgusting and brazen history of Backpage.com. By 2010 most state AGs were pressing Backpage.com to shut down or change its ways; and by 2014 the major credit card companies and banks were blocking Backpage.com transactions. There is a good description of how they used front companies and third party payment processors to gain access to US payments. Paragraph 171 sets out the bank transactions that make up the “transactional money laundering” charges under 18 USC s. 1957(a).  Page 54 lists the bank accounts and properties that are subject to forfeiture. BSA/AML staff at Bank of America, BMO Harris, National Bank of Arizona, Arizona Bank & Trust, Green Bank, Wells Fargo should review these transactions and accounts, and look at alerts, referrals, cases, and investigations, as well as account opening documentation, with a view to seeing if their processes and procedures caught what they should have.  These are always good opportunities to test the effectiveness of your program against actual known bad behavior (with the caveat that this is simply an indictment containing allegations). Also, run the properties against your bank’s mortgage and customer systems to see if you have any credit-related exposure.

The DOJ Press Release (https://www.justice.gov/opa/pr/justice-department-leads-effort-seize-backpagecom-internet-s-leading-forum-prostitution-ads) gives credit to the FBI, the US Postal Inspection Service, and IRS-CI, the US Attorneys for the Central District of California and Arizona, and the Attorneys General of Texas and California. It would be great to see what role BSA reports played in the indictment of criminal activity spanning 10+ years!

April 6, 2018

Backpage.com has been seized!

Following on the Senate Permanent Subcommittee on Investigation’s January 2017 report titled “Backpage.com’s Knowing Facilitation of Online Sex Trafficking”, it appears that the Department of Justice has effectively shut down this notorious sex trafficking/human trafficking website. The media is reporting that multiple people have been charged. This is a great development!

April 4, 2018

FinCEN publishes FAQs on the new Customer Due Diligence/Beneficial Ownership Rule

FinCEN published the long-awaited, and much-anticipated, FAQs on the new customer due diligence/beneficial ownership rule, which comes into effect on May 11th.  Brett Wolf, writing for Thomson Reuters, included the following in a story titled “U.S. Treasury releases beneficial­ ownership guidance as rule looms”:

“One  noteworthy  omission  from  the  FAQ  document  was  guidance  on  interaction  with  the  so-­called  legal  entity  customer representative, the person who ‘walks into the branch to open the account,’ and who is to attest to the accuracy of the beneficial ownership information provided to the bank, said Jim Richards, who recently left his position as the Bank Secrecy Act officer at Wells Fargo.  The  idea  was  that  the  attestation,  a  signature,  would  provide  prosecutors  with  ‘someone  to  go  after’ if  false  ownership information were provided to banks, said Richards, who has founded RegTech Consulting LLC. It remains unclear what the consequences would be, and how banks are required to react, if a legal entity customer representative were to refuse to sign the attestation, he said.

“‘I thought the FAQs would say something about that, because if you look at the preamble to the final rule, there is a reference to the Department of Justice seeing that attestation as a significant part of the form,’ Richards said.”

“He added that the FAQs related to Currency Transaction Reports (CTRs) ‘are a trap for those that fail to consider beneficial owners when aggregating cash transactions for CTR purposes.'”


Take a close look at Questions 32 and 33 – if the bank has knowledge, then it must include beneficial owners in the CTR when they are or appear to be the actual beneficiaries of the cash transactions. This standard – if the bank has knowledge – is a trap for banks that are struggling with aggregating all cash transactions across all delivery channels (branches, ATMs, cash vaults) across multiple accounts. Be cautious! And make sure you are on the same page as your auditors and examiners when it comes to whether you have actual knowledge.

Another interesting answer was to Question 30 – the meaning of the word “equipment” for the so-called “leased equipment” exemption. In what could be an omission or miss by FinCEN is the inclusion of aircraft in the type of equipment that is exempt from beneficial ownership information. This seems to be the opposite of what some of those in Congress that are looking for more transparency with aircraft ownership. See, for example, the Aircraft Ownership Transparency Act of 2017, HR 3544 introduced by Rep Stephen Lynch (D. MA). That bill requires full and clear beneficial ownership information for all FAA registered aircraft.

More to come on beneficial ownership … and expect some chaos as the May 11 implementation date draws near, and the public (and media and Congress) become aware of what banks will be asking for.

April 3, 2018

Ninth Circuit rules that the FFIEC BSA/AML Examination Manual has the force of regulation!

Upsetting the long-held belief that legislation is clarified by regulations that are clarified and explained by written guidance and modified over time by shifting regulators’ expectations, the Ninth Circuit has recently ruled that the BSA/AML Examination Manual (written guidance) is, effectively, regulation.

In California Pacific Bank v. Federal Deposit Insurance Corporation a three-judge panel of the U.S. Court of Appeals for the Ninth Circuit held in March 2018 that the Bank Secrecy Act (BSA) and its implementing regulations were not unconstitutionally vague, and that the FDIC had properly relied on the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual. Writing for the majority, Judge James Gritzner wrote:

“Not only are the BSA and FDIC’s implementing regulations economic in nature and threaten no constitutionally protected rights, but it is clear that a detailed manual issued by agencies with enforcement authority, such as the FFIEC Manual, can put regulated banks on notice of expected conduct. The BSA authorizes the FDIC to review banks for compliance. 12 U.S.C. § 1818(s). The FFIEC Manual frames the examiners’ expectations in anticipation of routine compliance checks … We hold that the BSA and its implementing regulations are not unconstitutionally vague, and the FDIC did not exhibit unconstitutional bias against the Bank. We further hold that the FDIC acted in accordance with the law by relying on the FFIEC Manual to clarify its four pillars regulation.”

So unless and until this Ninth Circuit decision is over-ruled or contradicted … consider the BSA/AML Exam Manual to be have the impact of regulations.