Presenters:
Matt Newman, California Department of Business Oversight, Pages 4-11, 41
Rob Triano, Federal Reserve Bank of San Francisco, Pages 12-24, 42
Darlene James, Office of Currency Comptroller, Pages 25-26
Bryan Wampler, Federal Deposit Insurance Corporation, Pages 27-40
Moderator: Tom Fleming, Tom Fleming & Associates
2018 Bank Regulator Panel
Agenda
§ Banking Marijuana and Related Businesses
§ Risk Assessment
§ Independent Testing Tips and Best Practice, MSB’s Hot Topics
§ Beneficial Ownership
2
Disclaimer
The opinions expressed in this presentation are statements of the speaker's opinion, are intended only for informational purposes, and are not formal opinions of, nor binding on, the Federal Reserve Bank of San Francisco or the Board of Governors of the Federal Reserve System, California Department of Business Oversight and Federal Deposit Insurance Corporation and the Office of Currency Comptroller. Each participant is responsible for its own business, financial, investment or credit decisions. Use of the presentation materials, including audio and/or video recording of a presentation, is strictly prohibited except by written permission of the Federal Reserve Bank of San Francisco.
3
Banking Marijuana and Marijuana Related Businesses
4
Banking Marijuana and Marijuana Related Businesses
The History of Cannabis
1) Medicinal Usage
2) Recreational
3) Hemp
Prohibition
a) Harry Anslinger, Federal Bureau of Narcotics
b) Marijuana Tax Act
c) Controlled Substances Act
   • Tricky Dick
d) Recent Executive Branch
   • Clinton, Bush, Obama and Trump
5
Risk Assessment – Regulatory Guidelines
The State Movement
a) Late 70’s and Early 80’s
b) CA Proposition 215
c) Current State Environment 2018
Regulatory Environment
a) Cole Memo
b) FinCEN FIN-2014-G001 BSA Expectations Regarding MRB’s
c) CA Department of Business Oversight
   • Position, Exam Findings, Enforcement Efforts
6
Examination Considerations – MRB Program Governance
• Does the bank have adequate board-approved policies and procedures in place as to how to handle marijuana accounts and monitor for red flags?
• Has the Board established appropriate risk-based pricing standards for MRB deposit and loan accounts?
• Has the Board set appropriate limits to this program? (i.e. type of licensees [producer, processor, and/or retailer] accepted, number of accounts accepted, total amount allowed to be deposited, amount and types of loans, etc.)
• Does management have a contingency plan which includes an exit from the business should there be a change in the policies and forbearances from the Federal and State governments?
Examination Considerations – MRB Program Governance continued
• Is there a comprehensive risk assessment of the business line?
• Has the bank considered and addressed the practicalities of cash management, including the facility’s capacity and security issues associated with handling greater amounts of cash than with other merchants?
• Does employee BSA training include sufficient detail on marijuana-related BSA risks and is the coverage commensurate with the bank’s involvement in the industry?
• Does the bank have the staffing resources necessary to perform sufficient due diligence and ongoing monitoring on the MRB accounts, particularly given the size, nature, and risk inherent in the individual customers?
Examination Considerations – MRB Program Governance continued
Lending
• Does the independent loan review appropriately test adherence to the bank’s policy on lending to MRBs?
• Under what circumstances do the provisions in the loan and collateral documents contain requirements that the financial institution can accelerate the loan terms and call the balance due and payable?
  – I.e. MRB loses its license, runs counter to the Cole Memo requirements, or engages in activity that triggers red flags listed in the FinCEN guidance, etc.
• Does the ALLL methodology consider the inherent credit risks associated with MRB borrowers?
Examination Considerations – MRB Program Governance continued
• Does the bank take steps to prevent the furtherance of any violation of the Cole Memo, including notice to the customer to halt the offending activity or evict a violating tenant?
• Did the bank perform a legal review of applicable federal and state laws, including seizure of property and forfeiture/subordination of collateral?
Examination Consideration – Regulatory Reporting
• Has management considered participation in 314(b) – Voluntary Information Sharing. If so, have policies and procedures, and processes been developed?
• Does the bank’s BSA Policy prohibit the exemption of MRB customers for currency transaction reports (CTR) filing purposes?
• Is the bank filing CTRs on MRB customers in accordance with existing regulations and with the same thresholds?
• Is the bank filing SARs on MRB customers in accordance with the 2014 FinCEN guidance?
• Does the content of marijuana-related SARs include all of the contents as required by the 2014 FinCEN guidance?
Risk Assessments
12
Risk Assessments – Basic Regulatory Guidelines
BSA Exam Manual – “A well-defined risk assessment assists in identifying the bank’s BSA/AML risk profile. Understanding the risk profile enables the bank to apply appropriate risk management processes to the BSA/AML compliance program to mitigate risk”
§ What does this really mean?
§ What am I required to do?
§ What makes a good risk assessment and should it be worth investing some time in?
§ What have you seen that has worked and hasn’t worked?
13
Risk Assessments - Minimum Regulatory Expectations when Developing a Risk Assessment
FFIEC BSA/AML Examination Manual
o Appendix J - “Banks and examiners may use the following matrix to formulate summary conclusions. Prior to using this matrix, they should complete the identification and quantification steps detailed in the BSA/AML Risk Assessment Overview section at page 18 of this manual.”
§ Page 18 - “The development of the BSA/AML risk assessment generally involves two steps: first, identify the specific risk categories (i.e., products, services, customers, entities, transactions, and geographic locations) unique to the bank; and second, conduct a more detailed analysis of the data identified to better assess the risk within these categories.”
14
Risk Assessments - Smaller Banks (with lower risk)
A risk assessment would:
§ Identify Inherent Risks for: Clients, Products/Services, Entities, Transactions, and Geographies
§ Use supporting data that is applicable to the bank’s size, complexity and risk profile
§ Be utilized to develop a program that adequately addresses said risk profile (Refer to Appendix I of BSA Exam Manual)
§ Be updated every 12-18 months, but more frequent measures may be warranted based on underlying risks or significant events
§ Be reviewed for reasonableness by Audit
15
Risk Assessments - Larger Banks (or banks with higher risk)
A risk assessment would include:
§ Inherent risks for: Clients, Products/Services, Entities, Transactions, and Geographies
§ Data utilization to support the identification of risk in the above categories will typically be robust in nature
§ Ongoing utilization as a tool to develop a program that adequately addresses said risk profile (Refer to Appendix I of BSA Exam Manual)
§ Application to how these risks and controls impact the bank’s business lines, operational areas, and related legal entities
§ An annual update, but more frequent measures may be warranted based on underlying risks or significant events
§ A review for reasonableness by Audit
16
Risk Assessments – Why?
Why should I invest time in a quality Risk Assessment?
§ Being confident in knowing, more specifically or concretely, what is going on at the bank to:
  § Identify Risk
  § Manage/Mitigate Risk
§ Avoid significant regulatory criticism or enforcement action
  § Under-identified or unidentified risk
§ CMPs or fines tend to involve either willful acts or willful blindness.
  § The latter can be combatted with an appropriate risk assessment and mitigating factors built from that (i.e. controls, training, staffing, technology, etc.).
17
Risk Assessments – How Step 1
How (not the traditional ‘How’ info from regulators):
Step 1 is making friends with the people in the bank who can get you Data.
Identify what you have access to and what you want… if you find that there is missing key data, that can be a potential red flag of:
§ CDD/EDD and Client Risk Rating processes, and/or Suspicious Activity Monitoring processes perhaps not being designed appropriately; or
§ Unorganized, behind-the-scenes data management or data structures that aren’t designed to help business lines use info that the bank is already gathering
18
Risk Assessments – How Step 2
Step 2 is determining if your data is comprehensive and accurate, and can you expand your reach?
§ Data integrity is critical to ensure a risk assessment is supportable.
§ Always pushing data management personnel/contacts by asking questions can be helpful to show them what you need.
§ Conversely, it allows them to show what they can provide.
§ This translation may be beneficial for both parties for more than just a BSA Risk Assessment – it could lead to new vehicles for on-going data use
19
Risk Assessments – How Step 3
Step 3 is gathering your key data in a format that makes sense to you
For clients – NAICS or nature of business? HR, MR, and LR? Tenure? Categorical HR clients? Niche Clients? Exception/Prohibited Clients? Auto HR clients?
For transactions – transaction types and volumes? HR, MR, LR types and volumes? Transactions by NAICS/Occupation? Transactions to/from geographies? Largest transaction types by client, branch, business line?
For geographies – Out of market clients? International clients? Geography of Transactions (Domestic/Int’l)? Domestic HR Geographies? HR Country Lists/Tools?
20
Risk Assessments – How Steps 4 and 5
Step 4 is taking this supporting data and putting into a usable and reasonable format for what your bank is trying to accomplish (i.e. ID risk and build controls).
§ Maybe the Appendix J matrix; Maybe a narrative; maybe a blend of narrative, spreadsheet, matrix, and graphs; etc.
Step 5 is taking this material and putting it into a readable and meaningful format for the Board or a Committee thereof.
§ Bringing forward previously unknown or under-identified risks; gaps in internal controls; opportunities to expand risk; confirmation of risks; etc.
§ Highlighting significant changes or speaking to how strategic plans may impact a significant area of risk.
21
Risk Assessments – Common Challenges
§ A clear methodology or plan that fits the bank’s specific needs
§ Clean Data
§ Data that tells the story
§ Data that tells a story within a story
§ Multiple Years of consistent implementation
§ Incorporate your controls – don’t forget to heavily leverage audit and exam results
22
Risk Assessments - Commonalities for challenges
§ Fitting a templated methodology without tailoring to the bank
§ Not using Data
§ Using Incomplete or inaccurate data
§ Not considering critical controls with more weight
§ Not considering Audit or Examination results for controls
23
Risk Assessments – Anecdotal Experiences
The quality of a risk assessment and the use of data to create a truly meaningful product is NOT exclusive to large banks.
§ The best risk assessment methodology and product that I’ve observed was at a bank holding company with numerous non-bank subsidiaries and an $18 billion dollar bank.
§ The second best risk assessment methodology and product that I’ve observed was at a bank with under $100 million in total assets.
§ The risk assessment with the most flaws that I’ve observed was at a bank holding company with numerous nonbank subsidiaries and a bank with well over $50 billion in total assets.
24
Darlene James, OCC
25
Independent Testing Tips
Independent Testing Best Practice
MSB’s Hot Topics
The content of this presentation does not reflect the views or opinions of the Office of Currency Comptroller.
26
Independent Testing and Money Services Businesses
FinCEN Customer Due Diligence Rule: Understanding the Final Rule
27
FinCEN Customer Due Diligence Rule: Understanding the Final Rule
May 2016, FinCEN published a final rule that will require financial institutions to collect beneficial ownership information from legal entities at account opening beginning May 11, 2018.
• The Final Rule does not impose a categorical, retroactive requirement on collecting beneficial ownership information on accounts opened prior to May 11, 2018.
• Verification of identity of the beneficial owners should be in accordance with risk-based procedures and contain the elements currently required under the Customer Identification Rule.
• The financial institution may comply either by obtaining the required information on the standard certification form template FinCEN provided in Appendix A of the Final Rule. However, the Final Rule also permits financial institutions to obtain the information by other means, provided that such means include the certification of the natural person opening the account that is required by the standard certification.
• Financial institutions may rely on the beneficial ownership information supplied by the customer, provided that the institution has no knowledge of facts that would reasonably call into question the reliability of the information.
28
Benefits of the Rule
For Law Enforcement
• Transparency is less attractive to criminals.
• Providing inaccurate information demonstrates unlawful intent.
• Generates leads to identify additional evidence or co-conspirators.
For Financial Institutions (FIs)
• Improves FI’s ability to assess and mitigate risk and comply with existing requirement, including the BSA and related authorities
For Tax Compliance
• Facilitates tax reporting, investigations and compliance.
Broader three-part strategy by Treasury Dept. to enhance financial transparency of legal entities.
Four Key Elements of Customer Due Diligence
There are four key elements of Customer Due Diligence:
I. Customer Identification and Verification
II. Beneficial ownership identification and verification
Appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:
III. Understanding the nature and purpose of customer relationships to develop a customer risk profile; and
IV. Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk-basis, to maintain and update customer information
Current CIP
NEW! 31 CFR 1010.230
Amends BSA “5th Pillar”
Viewed as restating existing expectations [31 CFR 1020.210]
I. Customer Identification and Verification
Existing requirement under Customer Identification Program (“CIP”) requirements [31 CFR 103.121].
• Name
• Date of birth
• Address
• Identification number
(i) For a U.S. person, a taxpayer identification number; or
(ii) For a non-U.S. person, one or more of the following: a taxpayer identification number; passport number and country of issuance; alien identification card number; or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar.
II. Beneficial Ownership Identification and Verification
i. Must identify and verify the identity of beneficial owners of all legal entity customers (other than those excluded) for each new account at the time the new account is opened (other than accounts that are exempted).
ii. Verification of identity of the beneficial owners should contain the elements required for verification under CIP, but FIs may rely on copies of IDs provided by the person opening the account.
iii. FinCEN provided an optional Certification Form in Appendix A of the Final Rule. FIs may choose to comply by using the sample Certification Form, using the institution’s own forms, or any other means that complies with the substantive requirements of this obligation.
iv. May rely on beneficial ownership identification supplied by the customer, provided FI has no knowledge of facts that would reasonably call into question the reliability of the information.
IV. Ongoing Monitoring
i. Customer information includes beneficial ownership information.
ii. All accounts must be monitored on a risk-based approach (not just those subject to the final rule).
iii. Updates to beneficial ownership should be event-driven as part of normal monitoring, not as a categorical requirement on a continuous or periodic basis. Applies to all legal entity customers, including existing customers.
iv. FinCEN acknowledges: change in beneficial ownership is unlikely to be identified through transaction monitoring.
Who is the Beneficial Owner?
Ownership Prong
i. Individual (persons, not entities) that own directly or indirectly 25% or more of equity interest of a legal entity customer.
ii. FinCEN “does not expect FIs or customers to undertake analyses to determine whether an individual is a beneficial owner under the definition.”
iii. Not obligated to determine or inquire if ownership has been structured to avoid tripping the 25% level, but SAR may be appropriate if you determine the owners did.
iv. If no one meets the 25% ownership level, no beneficial owner needs to be identified under the ownership prong.
v. Trustee is considered “owner” if trust owns 25% or more of equity interest.
Who is the Beneficial Owner? continued
Control Prong:
• One person with significant responsibility to control, manage, or direct the company.
• Managerial control, not administrative control.
• Not just the first ‘titled’ individual available.
• Even if no one meets the 25% ownership prong, you must always identify one beneficial owner under the control prong.
Certain legal entity customers are subject only to the control prong of the beneficial ownership requirement:
• Charities and Nonprofits
• Non-excluded pooled investment vehicles (i.e. non-US mutual funds, hedge funds, private equity funds)
Screening of Beneficial Owners
OFAC
Q. Are financial institutions required to comply with the OFAC regulations with respect to beneficial ownership information?
A. Yes, requirement to block property and interests owned more than 50% by an SDN so FIs generally should scan.
314(a)
Q. Do FIs now have additional obligations under Section 314(a) Information Sharing for beneficial ownership information?
A. No, the regulation implementing section 314(a) does not require the reporting of beneficial ownership information associated with an account or transaction matching a named subject in a 314(a) request. As such, FinCEN does not expect this final rule to impose additional requirements under 314(a).
Implementation Approach Example
Establish cross-functional execution working group include business lines and technology
Understand and document key compliance requirements
Establish policy requirements
Create business requirements and implementation plans
(Re)Design business processes
Training
Procedures
(Re)Design technology solutions
Technology implementation
Compliance Leadership
Implementation Design
Execution
Regulatory Examination Expectations: Post-May 11, 2018
Regulators will:
Examination Procedures for the CDD Final Rule that are currently being finalized by Regulators and should be issued in the coming weeks.
Beneficial Ownership
The Rules Provide a Floor—not a Ceiling. While regulators expect all financial institutions to comply with the new minimum requirements set forth in the rules, organizations can opt to apply higher beneficial owner standards, and in cases of high risk, primary federal regulators may expect such higher standards.
The Rules Are Not Retroactive. Financial institutions are not obligated to identify beneficial owners for accounts existing prior to the compliance deadline. However, in the course of monitoring existing accounts, if the institution learns information about beneficial owners of a customer that may be relevant to assessing or reevaluating risk, then the beneficial owner information should be collected and their identities should be verified at that time.
There Will Always Be a “Controlling” Individual. There are two prongs to the beneficial ownership requirements. First, the customer needs to identify any owners of 25% or more of the equity interests of the legal entity. There may be no owners that meet this threshold. Second, the customer must identify a single individual with “significant responsibility to control, manage, or direct a legal entity customer,” which may or may not be one of the owners. The customer must always identify a control person under this prong, regardless of whether any 25% owners are identified.
39
Key Takeaways
Beneficial Ownership
Use of the Certification Form Is Optional. The rules include a “Certification Regarding Beneficial Owners of Legal Entity Customers” for collecting beneficial ownership information from customers. Use of this form is not mandatory, nor does it provide a safe harbor. Institutions may collect the required information by whatever means they choose, as long as the individual completing the form certifies, to the best of his/her knowledge, the accuracy of the information.
Institutions Need to Verify the Individual’s Identity, Not Status. Financial institutions do not need to independently verify that the individuals named as beneficial owners are actual beneficial owners of the entity. The institution can rely on the customer’s identification of these individuals, provided the institution has no knowledge of facts that would reasonably call into question the names the customer gave. However, the institution does need to verify the identities of the individuals the customer name
40
Key Takeaways
Marijuana and Marijuana Related Businesses
a) Best Practices for Banking MRBs
   • Basic BSA tenets… KYC/CDD/EDD/SAM
   • Know your customers and their customers
   • Follow the Cash
   • No Exceptions
   • De-risking and
b) Resources
   • Weedmaps
   • State and/or Local Authority (CA Bureau of Cannabis Control)
   • MJ Business Daily
c) Models
   • Safe Harbor Private Banking – Partner Colorado CU
41
Key Takeaways
Risk Assessments
The Risk Assessment process is one of the most critical internal control functions to protect a bank from regulatory criticisms, citations for violations of law, and enforcement actions.
Ensuring a Risk Assessment utilizes appropriate data is a crucial component to ensuring the conclusions are sound and well-supported by facts.
42
FAQs
Thank You
43