InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FinCEN outlines BSA due diligence requirements for hemp-related businesses
On June 29, the Financial Crimes Enforcement Network (FinCEN) issued guidance for hemp-related business customers to explain due diligence requirements and identify the types of information financial institutions can collect to comply with Bank Secrecy Act (BSA) regulatory requirements. The guidance supplements a December 2019 interagency statement (covered by a Buckley Special Alert), which confirmed that financial institutions are no longer required to file a suspicious activity report (SARs) on customers solely because they are “engaged in the growth or cultivation of hemp in accordance with applicable laws and regulations.” Among other things, the guidance reiterates FinCEN’s expectation that financial institutions conduct customer due diligence (CDD) for hemp-related businesses, as they would for other customers, and establish appropriate on-going risk-based CDD procedures. This may include confirming that the hemp business is complying with applicable state, tribal government, or United States Department of Agriculture licensing requirements. Financial institutions should also tailor BSA/Anti-Money Laundering programs to appropriately reflect the risks associated with a customer’s particular risk profile and file the required reports. The guidance further provides that while financial institutions are not required to file SARs on customers solely because they are engaged in a hemp business, “financial institutions are expected to follow standard SAR procedures.” Examples of suspicious activity that may warrant the filing of a SAR are provided. Finally, the guidance states that financial institutions must report currency transactions connected to hemp-related businesses as they would for any other customer for transactions above $10,000 in aggregate on a single business day.
NCUA releases additional guidance to credit unions serving hemp businesses
Recently, the NCUA released updated guidance to federally insured credit unions on serving hemp businesses. As previously covered by InfoBytes, in August 2019, NCUA released interim guidance allowing federally insured credit unions to service hemp businesses. The guidance explained that the Agriculture Improvement Act of 2018 (2018 Farm Bill) removed hemp from Schedule I of the Controlled Substances Act, but noted that hemp could not be produced lawfully under federal law, beyond a 2014 pilot program, until the USDA promulgated regulations and guidelines to implement the hemp production provisions of the 2018 Farm Bill. In October 2019, the USDA issued an interim final rule, which outlined provisions to approve plans submitted by state or Native American tribes that want to retain primary regulatory authority over the production of hemp and a federal licensing plan for producers in states and tribal territories that do not have their own USDA-approved plans.
The newly released guidance reminds credit unions to stay current with the federal, state, and Native American tribal laws and regulations that apply to any hemp-related businesses, as the interim final rule does not preempt or limit any law state or tribal law that that is more stringent than the 2018 Farm Bill. Among other things, the guidance notes that NCUA examiners will collect data concerning the types of services credit unions are providing to hemp-related businesses and states that the NCUA expects credit unions to employ sufficient customer due diligence procedures as part of their BSA/AML compliance program to ensure hemp growers possess a valid state or USDA license.
FDIC releases April enforcement actions
On May 29, the FDIC released a list of administrative enforcement actions taken against banks and individuals in April. The FDIC issued 23 orders and 2 notices of changes, which “consisted of 12 Section 19 orders, 3 orders of prohibition, 1 order to pay, 3 consent orders, 1 order to cease and desist, 4 orders terminating consent orders, and 1 order terminating an order of restitution.” Among the actions is a cease and desist order and civil money penalty issued against a Louisiana-based bank for allegedly violating the Bank Secrecy Act, EFTA, RESPA, TILA, the National Flood Insurance Program, and HMDA. The order follows the issuance of a 2019 recommended decision on remand by an FDIC administrative law judge (ALJ), who also found that the bank failed to comply with a majority of the provisions outlined in a 2011 memorandum of understanding entered into with the FDIC two years prior to the filing of this action. Specifically, the recommended decision found that the bank, among other things, “violated the independence requirement of the FDIC’s rules and regulations pertaining to appraisals by allowing a lending officer originating loans to appraise the collateral underlying the loan,” and “allow[ing] a high ranking officer to repeatedly overdraw his bank account without being charged overdraft fees” in violation of Regulation O of the Federal Reserve Board. Other violations included that the bank failed to: (i) conduct independent property evaluations and appraisals; (ii) disclose unauthorized fees or investigate reports of erroneous charges; (iii) assess flood insurance needs or inform borrowers of force-placed flood insurance rules; (iv) file suspicious activity reports and currency transaction reports; (v) implement a “meaningful compliance program” to ensure the bank did not engage in foreign financial transactions with prohibited persons identified by the Office of Foreign Assets Control; and (v) “conduct proper compliance training or maintain an effective audit program for consumer compliance matters.” The FDIC’s order affirmed the ALJ’s recommended decision to subject the bank to an order to cease and desist and pay a $500,000 civil money penalty.
Additionally, the FDIC entered a consent order against an Illinois-based bank relating to alleged weaknesses in its Bank Secrecy Act compliance program.
OCC releases recent enforcement actions
On May 21, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included among the actions is an April 14 consent order to resolve the OCC’s claims that a California-based bank engaged in Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program violations. According to the consent order, an OCC examination identified deficiencies in the bank’s BSA/AML compliance program, including failure to implement a compliance program that “adequately covered the required BSA/AML program elements,” and failure to correct a previously identified BSA/AML compliance program problem. The consent order requires the bank to, among other things, (i) appoint a compliance committee of independent directors ; (ii) submit a written strategic plan to the OCC covering at least the next three years; (iii) ensure competent management and staff is in place to ensure compliance with the order, applicable laws, and rules and regulations; (iv) appoint a “permanent, qualified, and experienced BSA Officer”; (v) create and adopt a “written program of policies and procedures to provide for compliance with the BSA”; (vi) adopt a “written risk-based program of internal controls and processes to ensure compliance with the requirements to file SARs”; (vi) develop policies and procedures for performing customer due diligence; (vii) implement a program to manage BSA/AML and Office of Foreign Assets Control risk associated with processing wire transfers; and (viii) conduct a SAR “look-back” review, implement an independent BSA/AML audit program, and develop a comprehensive training program for bank employees.
FinCEN advisory warns of Covid-19 medical scams, provides guidance on reporting suspicious activity
On May 18, the Financial Crimes Enforcement Network (FinCEN) issued an advisory and companion notice on medical scams related to the Covid-19 pandemic that provide detailed instructions for financial institutions filing reports of Covid-19-related suspicious activities. The advisory outlines numerous red flag indicators and case studies addressing Covid-19 medical-related fraudulent activity to assist financial institutions in detecting, preventing, and reporting suspicious transactions. FinCEN also encourages financial institutions to consider additional contextual information, such as a customer’s historical financial activity and whether a customer exhibits multiple indicators, before making a determination that a transaction is suspicious. FinCEN further advises financial institutions—when taking a risk-based approach to Bank Secrecy Act compliance—to perform additional inquiries and conduct investigations as necessary.
The companion notice provides, among other things, that suspicious activity reports (SAR) should only include Covid-19 statements tied to suspicious activity and that statements related to Covid-19’s impact on SAR filing abilities should not be included. However, FinCEN states that filers who previously included these references are not required to file corrected reports. For fraud schemes, including those that exploit the Covid-19 pandemic, FinCEN reiterates that full details related to SAR filings and supporting documentation should be submitted as quickly as possible. The notice also addresses information sharing among financial institutions and provides contact information for reporting Covid-19-related criminal activity to other agencies.
FATF highlights financial crime risks related to Covid-19 pandemic
On May 4, the Financial Action Task Force (FATF) released a report identifying challenges, good practices, and policy responses to new money laundering and financing threats arising from the Covid-19 pandemic. The report notes that the global response to the Covid-19 pandemic is limiting the ability of the government and public sector to implement oversight of anti-money laundering and countering the financing of terrorism (AML/CFT) obligations. Among other things, FATF noted that Covid-19 threats and corresponding vulnerabilities could result in the following: (i) increased misuse of online financial services and virtual assets to move illicit funds; (ii) the bypassing of customer due diligence measures; and (iii) the misuse and misappropriation of domestic and international financial aid. Additionally, FATF noted that the increased use of online platforms for social interaction, consumer shopping, and banking measures may also lead to increased fraud by criminal actors, such as impersonation of officials, counterfeiting essential goods, and fundraising for fake charities. To address these concerns, FATF emphasized that domestic coordination assessing the impact of Covid-19 on AML/CFT risks, the use of a risk-based approach to customer due diligence, and strengthened communication with the private sector may help support the implementation of measures to manage the new risks and vulnerabilities.
Korean bank settles investigation into Iran transfers; resolves BSA/AML violations allegations
On April 20, the U.S. Attorney for the Southern District of New York and the New York attorney general announced that a Korean bank will pay $51 million in penalties to resolve a six-year investigation into the bank’s transfer of more than $1 billion to Iranian entities in violation of U.S. economic sanctions. According to the U.S. Attorney’s press release and deferred prosecution agreement and statement of facts (as well as a press release from the state attorney general), the bank violated the Bank Secrecy Act (BSA) by “willfully failing to establish, implement, and maintain an adequate anti-money laundering (‘AML’) program” at its New York branch—even though its compliance officer repeatedly asked it to do so—which led to the illegal transfer of approximately $1 billion in transactions to Iran in violation of the International Emergency Economic Powers Act. According to the government, the bank’s lack of an effective AML program resulted in its failure to detect and report $10 million in payments through the bank and other U.S. financial institutions from Korean entities to Iranian entities, as well as its failure to “report the balance of the $1 billion of such sanctioned transactions” between the parties. Furthermore, the bank also failed to self-report to the U.S. Treasury Department’s Office of Foreign Assets Control its wrongdoing in a timely manner or its willful violations of the BSA prior to the investigation. Under the terms of the deferred prosecution agreement, the bank will pay $51 million through a civil forfeiture action, half of which will go to the United States Victims of State Sponsored Terrorism Fund, and will undergo regular reviews of its AML and sanctions compliance programs.
The bank also reached a separate agreement with NYDFS for violating state regulations, under which it will pay an additional $35 million penalty for violations of BSA/AML laws. Among other things, NYDFS found that the compliance program of the bank’s New York branch failed to achieve satisfactory levels until its 2019 examination. “While the department applauds the bank for its ultimate efforts after eight examination cycles of noncompliance, one positive examination report does not equate to a sustainable, safe and sound financial institution,” NYDFS said in its consent order. Under the terms of the order, the bank is required to revise its BSA/AML compliance program and enhance its customer due diligence program to ensure compliance with relevant state laws and regulations. NYDFS acknowledged the bank’s substantial cooperation in the matter, including remediating identified shortcomings.
FFIEC updates BSA/AML examination manual
On April 15, the FFIEC published the updated Bank Secrecy Act/Anti-Money Laundering Examination Manual (Manual). According to an interagency statement, revisions were made throughout the updated sections to incorporate regulatory changes since the Manual was last updated in 2014 and “to ensure language clearly distinguishes between mandatory regulatory requirements and supervisory expectations.” The revisions can be identified by a 2020 date in the table of contents and include:
- Examiners should tailor Bank Secrecy Act/anti-money laundering (BSA/AML) examinations to a bank’s risk profile.
- Examiners should assess the adequacy of an institution’s BSA/AML compliance program and risk assessment processes. This includes identifying specific risk categories unique to a bank and analyzing the identified information to asses risks within these categories. The Manual notes, however, that there is no particular format or method for a bank to use for its risk assessment process, and reiterates that risk categories may vary based on a bank’s size, complexity, and organizational structure and that “updates may occur as necessary to align the risk assessment with a significant change in a bank’s risk profile.”
- Examiners should be mindful that banks have flexibility when designing a BSA/AML compliance program and that “minor weaknesses, deficiencies, and technical violations alone are not indicative of an inadequate program.”
The agencies acknowledge that they “are aware of the uncertainty faced by financial institutions during this unprecedented time” and emphasize that the updated Manual, “which supports tailored examination work, has been in process for an extended period and should not be interpreted as new instructions or as a new or increased focus.” Additional updates to the remaining Manual sections will be released in phases at a later date.
FDIC updates Covid-19 FAQs for financial institutions
On April 15, the FDIC released updates to its list of Covid-19 frequently asked questions (FAQs) for financial institutions. The FAQs were originally released on March 19, covering bank operational issues and urging banks to work with borrowers who are experiencing payment difficulties due to Covid-19, as reported by InfoBytes here. New FAQs discuss credit reporting of payment accommodations, reminding lenders to report borrower accounts as current, provided the borrowers continue to observe the terms of the accommodations. The guidance also points financial institutions to a recent CFPB statement (covered here) for guidance on the FCRA under the CARES Act. The FDIC also updated the Troubled Debt Restructurings (TDRs) guidance, emphasizing that financial institutions do not need to classify Covid-19 borrower payment accommodations as TDRs if certain criteria are met, and that examiners “will not criticize prudent efforts to modify the terms on existing loans to affected customers.” Other updates to the FAQs include, among other things: (i) obligations to obtain updated real estate valuation information for Covid-19 related loan modifications; (ii) the use of alternative signatures for Part 363 annual reports and other notices; (iii) real estate loans in excess of loan-to-value percentages for loans refinanced by borrowers impacted by Covid-19; (iv) risk-based capital rules regarding multi-family loan modifications; (v) eligible Community Reinvestment Act activities during the Covid-19 pandemic; and (vi) Bank Secrecy Act issues regarding filing requirements, raising compliance challenges with FinCEN, and whether loans under the Small Business Administration’s Paycheck Protection Program are considered new accounts for customer due diligence purposes.
Wisconsin DFI’s Office of Credit Unions issues resource guide
On April 9, the Wisconsin DFI’s Office of Credit Unions issued a resource guide to answer questions and enable credit unions to continue to conduct business during the Covid-19 pandemic. Topics addressed include the holding of annual meetings, Bank Secrecy Act compliance, board meetings, call report deadlines, and examination protocols, among others.