Presenters:MattNewman,CaliforniaDepartmentofBusinessOversightPages4-11,41

RobTriano,FederalReserveBankofSanFranciscoPages12-24,42

DarleneJames,OfficeofCurrencyComptrollerPages25-26

BryanWampler,FederalDepositInsuranceCorporationPages27-40

Moderator:TomFleming,TomFleming&Associates

2018BankRegulatorPanel2018BankRegulatorPanel

Agenda

§ BankingMarijuanaandRelatedBusinesses

§ RiskAssessment

§ IndependentTestingTipsandBestPracticeMSB’sHotTopics

§ BeneficialOwnership

2

Disclaimer

The opinions expressed in this presentation are statements of thespeaker's opinion, are intended only for informational purposes, andare not formal opinions of, nor binding on, the Federal Reserve Bankof San Francisco or the Board of Governors of the Federal ReserveSystem, California Department of Business Oversight and FederalDeposit Insurance Corporation and the Office of CurrencyComptroller. Each participant is responsible for its own business,financial, investment or credit decisions. Use of the presentationmaterials, including audio and/or video recording of a presentation, isstrictly prohibited except by written permission of the FederalReserve Bank of San Francisco.

3

BankingMarijuanaandMarijuanaRelatedBusinesses

4

BankingMarijuanaandMarijuanaRelatedBusinesses

TheHistoryofCannabis

1) MedicinalUsage2) Recreational3) Hemp

Prohibitiona) HarryAnslinger,FederalBureauofNarcoticsb) MarijuanaTaxActc) ControlledSubstancesAct

• TrickyDickd) RecentExecutiveBranch

• Clinton,Bush,ObamaandTrump

5

RiskAssessment– RegulatoryGuidelines

TheStateMovement

a) Late70’sandEarly80’sb) CAProposition215c) CurrentStateEnvironment2018

RegulatoryEnvironmenta) ColeMemob) FinCENFIN-2014-G001BSAExpectationsRegardingMRB’sc) CADepartmentofBusinessOversight

• Position,ExamFindings,EnforcementEfforts

6

ExaminationConsiderations–MRBProgramGovernance

• Doesthebankhaveadequateboard-approvedpoliciesandproceduresinplaceastohowtohandlemarijuanaaccountsandmonitorforredflags?

• HastheBoardestablishedappropriaterisk-basedpricingstandardsforMRBdepositandloanaccounts?

• HastheBoardsetappropriatelimitstothisprogram?(i.e.typeoflicensees[producer,processor,and/orretailer]accepted,numberofaccountsaccepted,totalamountallowedtobedeposited,amountandtypesofloans,etc.)

• DoesmanagementhaveacontingencyplanwhichincludesanexitfromthebusinessshouldtherebeachangeinthepoliciesandforbearancesfromtheFederalandStategovernments?

ExaminationConsiderations– MRBProgramGovernancecontinued

• Isthereacomprehensiveriskassessmentofthebusinessline?• Hasthebankconsideredandaddressedthepracticalitiesofcash

management,includingthefacility’scapacityandsecurityissuesassociatedwithhandlinggreateramountsofcashthanwithothermerchants?

• DoesemployeeBSAtrainingincludesufficientdetailonmarijuana-relatedBSArisksandisthecoveragecommensuratewiththebank’sinvolvementintheindustry?

• DoesthebankhavethestaffingresourcesnecessarytoperformsufficientduediligenceandongoingmonitoringontheMRBaccounts,particularlygiventhesize,nature,andriskinherentintheindividualcustomers?

ExaminationConsiderations– MRBProgramGovernance continued

Lending• Doestheindependentloanreviewappropriatelytestadherenceto

thebank’spolicyonlendingtoMRBs?• Underwhatcircumstancesdotheprovisionsintheloanandcollateral

documentscontainrequirementsthatthefinancialinstitutioncanacceleratetheloantermsandcallthebalancedueandpayable?– I.e.MRBlosesitslicense,runscountertotheColeMemorequirements,

orengagesinactivitythattriggers redflagslistedintheFinCENguidance,etc.

• DoestheALLLmethodologyconsidertheinherentcreditrisksassociatedwithMRBborrowers?

ExaminationConsiderations– MRBProgramGovernancecontinued

• DoesthebanktakestepstopreventthefurtheranceofanyviolationoftheColeMemo,includingnoticetothecustomertohalttheoffendingactivityorevictaviolatingtenant?

• Didthebankperformalegalreviewofapplicablefederalandstatelaws,includingseizureofpropertyandforfeiture/subordinationofcollateral?

ExaminationConsideration– RegulatoryReporting

• Hasmanagementconsideredparticipationin314(b)– VoluntaryInformationSharing.Ifso,havepoliciesandprocedures,andprocessesbeendeveloped?

• Doesthebank’sBSAPolicyprohibittheexemptionofMRBcustomersforcurrencytransactionreports(CTR)filingpurposes?

• IsthebankfilingCTRsonMRBcustomersinaccordancewithexistingregulationsandwiththesamethresholds?

• IsthebankfilingSARsonMRBcustomersinaccordancewiththe2014FinCENguidance?

• Doesthecontentofmarijuana-relatedSARsincludeallofthecontentsasrequiredbythe2014FinCENguidance?

RiskAssessments

12

RiskAssessments– BasicRegulatoryGuidelines

BSA Exam Manual – “A well-defined risk assessment assists in identifying thebank’s BSA/AML risk profile. Understanding the risk profile enables the bank toapply appropriate risk management processes to the BSA/AML complianceprogram to mitigate risk”

§ What does this really mean?§ What am I required to do?§ What makes a good risk assessment and should it be worth investing some

time in?§ What have you seen that has worked and hasn’t worked?

13

RiskAssessments- MinimumRegulatoryExpectationswhenDevelopingaRiskAssessment

FFIEC BSA/AML Examination Manual o Appendix J - “Banks andexaminers may use the following matrix to formulate summaryconclusions. Prior to using this matrix, they should complete theidentification and quantification steps detailed in the BSA/AML RiskAssessment Overview section at page 18 of this manual.”

§ Page18- “ThedevelopmentoftheBSA/AMLriskassessmentgenerallyinvolvestwosteps:first,identifythespecific riskcategories(i.e.,products,services,customers,entities,transactions, andgeographic locations)uniquetothebank;andsecond,conductamoredetailedanalysisofthedataidentifiedtobetterassesstheriskwithinthesecategories.”

14

RiskAssessments - SmallerBanks(withlowerrisk)

Ariskassessmentwould:

§ IdentifyInherentRisksfor:Clients,Products/Services,Entities,Transactions,andGeographies

§ Usesupporting datathatisapplicabletothebank’ssize,complexityandriskprofile

§ Beutilizedtodevelopaprogramthatadequatelyaddressessaidriskprofile(RefertoAppendix IofBSAExamManual)

§ Beupdatedevery12-18months,butmorefrequentmeasuresmaybewarrantedbasedonunderlying risksorsignificantevents

§ BereviewedforreasonablenessbyAudit

15

RiskAssessments- LargerBanks(orbankswithhigherrisk)

Ariskassessmentwouldinclude:§ Inherentrisksfor:Clients,Products/Services, Entities,Transactions,and

Geographies§ Datautilization tosupport theidentificationofriskintheabovecategories

willtypicallyberobust innature§ Ongoing utilizationasatool todevelopaprogramthatadequatelyaddresses

saidriskprofile (RefertoAppendix IofBSAExamManual)§ Application tohowtheserisksandcontrolsimpactthebank’sbusiness lines,

operationalareas,andrelatedlegalentities§ Anannualupdate,butmorefrequentmeasuresmaybewarrantedbasedon

underlying risksorsignificantevents§ AreviewforreasonablenessbyAudit

16

RiskAssessments– Why?

Whyshould IinvesttimeinaqualityRiskAssessment?§ Beingconfident inknowing,morespecificallyorconcretely,whatisgoingon

atthebankto:§ IdentifyRisk§ Manage/MitigateRisk

§ Avoidsignificant regulatorycriticismorenforcementaction§ Under-identified orunidentified risk

§ CMPsorfinestendtoinvolveeitherwillfulactsorwillfulblindness. § Thelattercanbecombattedwithanappropriateriskassessmentand

mitigating factorsbuilt fromthat(i.e.controls, training, staffing,technology, etc.).

17

RiskAssessments– HowStep1

How(notthetraditional‘How’info fromregulators):

Step1ismaking friendswiththepeople inthebankwhocangetyouData.

Identifywhatyouhaveaccesstoandwhatyouwant…ifyoufind thatthereismissingkeydata,that canbeapotentialredflagof:§ CDD/EDDandClientRiskRatingprocesses,and/orSuspiciousActivity

Monitoring processesperhapsnotbeingdesigned appropriately;or§ Unorganized,behind-the-scenesdatamanagementordatastructuresthat

aren’tdesigned tohelpbusinesslinesuseinfothatthebankisalreadygathering

18

RiskAssessments– HowStep2

Step2isdetermining ifyourdataiscomprehensiveandaccurate,andcanyouexpandyourreach?

§ Dataintegrity iscriticaltoensureariskassessmentissupportable.§ Alwayspushingdatamanagementpersonnel/contactsbyaskingquestions

canbehelpful toshowthemwhatyouneed.§ Conversely,itallowsthemtoshowwhattheycanprovide.

§ ThistranslationmaybebeneficialforbothpartiesformorethanjustaBSARiskAssessment– itcouldleadtonewvehiclesforon-goingdatause

19

RiskAssessments– HowStep3

Step3isgatheringyourkeydatainaformatthatmakessensetoyou

Forclients–NAICSornatureofbusiness?HR,MR,andLR?Tenure?CategoricalHRclients?NicheClients?Exception/Prohibited Clients?AutoHRclients?

Fortransactions– transactiontypesandvolumes? HR,MR,LRtypesandvolumes? TransactionsbyNAICS/Occupation?Transactionsto/fromgeographies? Largesttransactiontypesbyclient,branch,business line?

Forgeographies– Outofmarketclients?Internationalclients?GeographyofTransactions(Domestic/Int’l)? DomesticHRGeographies? HRCountryLists/Tools?

20

RiskAssessments– HowSteps4and5

Step4istakingthissupporting dataandputting intoausableandreasonableformatforwhatyourbankistrying toaccomplish(i.e.IDriskandbuildcontrols).§ MaybetheAppendix Jmatrix;Maybeanarrative;maybeablendof

narrative,spreadsheet,matrix,andgraphs;etc.

Step5istakingthismaterialandputting itintoareadableandmeaningfulformatfortheBoardoraCommitteethereof.§ Bringing forwardpreviouslyunknown orunder-identified risks;gapsin

internalcontrols;opportunities toexpandrisk;confirmation ofrisks;etc.§ Highlighting significantchangesorspeakingtohowstrategicplansmay

impactasignificantareaofrisk.

21

RiskAssessments– CommonChallenges

§ Aclearmethodology orplanthatfitsthebank’sspecificneeds§ CleanData§ Datathattellsthestory§ Datathattellsastorywithinastory§ MultipleYearsofconsistentimplementation§ Incorporateyourcontrols– don’t forgettoheavilyleverageauditandexam

results

22

RiskAssessments- Commonalitiesforchallenges

§ Fittingatemplatedmethodology withouttailoring tothebank§ NotusingData§ UsingIncompleteorinaccuratedata§ Notconsidering criticalcontrolswithmoreweight§ Notconsidering AuditorExaminationresultsforcontrols

23

RiskAssessments– AnecdotalExperiences

The quality of a risk assessment and the use of data to create a trulymeaningful product is NOT exclusive to large banks.

§ The best risk assessment methodology and product that I’ve observed wasat a bank holding company with numerous non-bank subsidiaries and an$18 billion dollar bank.

§ The second best risk assessment methodology and product that I’veobserved was at a bank with under $100 million in total assets.

§ The risk assessment with the most flaws that I’ve observed was at a bankholding company with numerous nonbank subsidiaries and a bank withwell over $50 billion in total assets.

24

DarleneJames,OCCDarleneJames,OCC

25

IndependentTestingTips

IndependentTestingBestPractice

MSB’sHotTopics

ThecontentofthispresentationdoesnotreflecttheviewsoropinionsoftheOfficeofCurrencyComptroller.

26

IndependentTestingandMoneyServicesBusinesses

FinCENCustomerDueDiligenceRule:UnderstandingtheFinalRule

27

FinCENCustomerDueDiligenceRule:UnderstandingtheFinalRule

May2016,FinCENpublishedafinalrulethatwillrequirefinancialinstitutionstocollectbeneficialownershipinformationfromlegalentitiesataccountopeningbeginningMay11,2018.• TheFinalRuledoesnot imposeacategorical,retroactiverequirementoncollectingbeneficialownershipinformationonaccountsopened priortoMay11,2018.

• Verificationofidentityofthebeneficialownersshould beinaccordancewithrisk-basedproceduresandcontaintheelementscurrentlyrequiredundertheCustomerIdentificationRule.

• ThefinancialinstitutionmaycomplyeitherbyobtainingtherequiredinformationonthestandardcertificationformtemplateFinCENprovidedinAppendixAoftheFinalRule.However,theFinalRulealsopermitsfinancialinstitutionstoobtainthe informationbyothermeans,providedthatsuchmeansincludethecertificationofthenaturalpersonopeningtheaccountthatisrequiredbythestandardcertification.

• Financialinstitutionsmayrelyonthebeneficialownershipinformationsuppliedbythecustomer,providedthatthe institutionhasnoknowledgeoffactsthatwouldreasonablycallintoquestion thereliabilityoftheinformation.

28

BenefitsoftheRule

ForLawEnforcementTransparencyislessattractivetocriminals.Providinginaccurateinformationdemonstratesunlawfulintent.Generatesleadstoidentifyadditionalevidenceorco-conspirators.

ForFinancialInstitutions(FIs)ImprovesFI’sabilitytoassessandmitigateriskandcomplywithexistingrequirement,includingtheBSAandrelatedauthorities

ForTaxComplianceFacilitatestaxreporting,investigationsandcompliance.

Broaderthree-partstrategybyTreasuryDept.toenhancefinancialtransparencyoflegalentities.

FourKeyElementsofCustomerDueDiligence

TherearefourkeyelementsofCustomerDueDiligence:

I. CustomerIdentificationandVerification

II. Beneficialownershipidentificationandverification

Appropriaterisk-basedproceduresforconductingongoingcustomerduediligence,toinclude,butnotbelimitedto:

III. Understandingthenatureandpurposeofcustomerrelationshipstodevelopacustomerriskprofile;and

IV. Conductingongoingmonitoringtoidentifyandreportsuspicioustransactionsand,onarisk-basis,tomaintainandupdatecustomerinformation

CurrentCIP

NEW!31CFR1010.230

AmendsBSA“5th Pillar”

Viewedasrestatingexistingexpectations[31CFR1020.210]

I.CustomerIdentificationandVerification

ExistingrequirementunderCustomerIdentificationProgram(“CIP”)requirements[31CFR103.121].

NameDateofbirthAddressIdentificationnumber

(i)ForaU.S.person,ataxpayeridentificationnumber;or(ii)Foranon-U.S.person,oneormoreofthefollowing: ataxpayeridentificationnumber;passportnumberandcountryofissuance;alienidentificationcardnumber;ornumberandcountryofissuanceofanyothergovernment-issued documentevidencingnationalityorresidenceandbearingaphotograph orsimilar.

II.BeneficialOwnershipIdentificationandVerification

i. Mustidentifyandverify theidentityofbeneficialownersofalllegalentitycustomers(other thanthoseexcluded)foreachnewaccountatthetimethenewaccountisopened (other thanaccountsthatareexempted).

ii. Verificationofidentityofthebeneficialownersshouldcontaintheelementsrequired forverificationunderCIP,butFIsmayrelyoncopiesofIDsprovidedbythepersonopening theaccount.

iii. FinCENprovidedanoptional CertificationForm inAppendix AoftheFinalRule.FIsmaychoosetocomplybyusing thesampleCertificationForm,using theinstitution’s ownforms,oranyothermeansthatcomplieswiththesubstantiverequirementsofthisobligation.

iv. Mayrelyonbeneficialownership identificationsupplied bythecustomer,providedFIhasnoknowledgeoffactsthatwould reasonablycallintoquestionthereliabilityoftheinformation.

IV.OngoingMonitoring

i. Customerinformationincludesbeneficialownershipinformation.

ii. Allaccountsmustbemonitoredonarisk-basedapproach(notjustthosesubjecttothefinalrule).

iii. Updatestobeneficialownershipshouldbeevent-drivenaspartofnormalmonitoring,notasacategoricalrequirementonacontinuousorperiodicbasis.Appliestoalllegalentitycustomers,includingexistingcustomers.

iv. FinCENacknowledges:changeinbeneficialownershipisunlikelytobeidentifiedthroughtransactionmonitoring.

WhoistheBeneficialOwner?

OwnershipProng

i. Individual (persons,notentities) thatowndirectlyorindirectly25%ormoreofequityinterestofalegalentitycustomer.

ii. FinCEN“doesnotexpectFIsorcustomerstoundertakeanalysestodeterminewhetheranindividual isabeneficialownerunder thedefinition.”

iii. Notobligated todetermineorinquireifownershiphasbeenstructuredtoavoidtripping the25%level,butSARmaybeappropriateifyoudetermine theownersdid.

iv. Ifnoonemeetsthe25%ownership level,nobeneficialownerneedstobeidentifiedunder theownershipprong.

v. Trusteeisconsidered“owner”iftrustowns25%ormoreofequity interest.

WhoistheBeneficialOwner? continued

ControlProng:Onepersonwithsignificantresponsibility tocontrol,manage,ordirectthecompany.Managerialcontrol,notadministrativecontrol.Notjustthefirst‘titled’individualavailable.Evenifnoonemeetsthe25%ownershipprong, youmustalwaysidentifyonebeneficialownerunder thecontrolprong.

Certainlegalentitycustomersaresubjectonlytothecontrolprongofthebeneficialownershiprequirement:

CharitiesandNonprofitsNon-excludedpooled investmentvehicles(i.e.non-USmutualfunds, hedgefunds, privateequityfunds)

ScreeningofBeneficialOwners

OFACQ.Arefinancialinstitutions required tocomplywiththeOFACregulationswithrespecttobeneficialownership information?

A.Yes,requirement toblockpropertyandinterestsownedmorethan50%byanSDNsoFIsgenerallyshould scan.

314(a)Q.DoFIsnowhaveadditionalobligationsunderSection314(a)InformationSharing forbeneficialownership information?

A.No,theregulationimplementing section314(a)doesnotrequirethereportingofbeneficialownership information associatedwithanaccountortransactionmatchinganamedsubjectina314(a) request.Assuch,FinCENdoesnotexpectthisfinalruletoimposeadditional requirementsunder314(a).

ImplementationApproachExample

Establishcross-functionalexecutionworkinggroup includebusiness linesandtechnology

Understandanddocumentkeycompliancerequirements Establishpolicyrequirements

Createbusiness requirementsandimplementationplans

(Re)Designbusinessprocesses

Training

Procedures

(Re)Design technologysolutions

Technology implementation

ComplianceLeadership

ImplementationDesign

Execution

RegulatoryExaminationExpectations:Post- May11,2018

Regulatorswill:

ExaminationProceduresfortheCDDFinalRulethatarecurrentlybeingfinalizedbyRegulatorsandshouldbeissuedinthecomingweeks.

BeneficialOwnershipTheRulesProvideaFloor—notaCeiling.Whileregulatorsexpectallfinancialinstitutionstocomplywiththenewminimumrequirementssetforthintherules,organizationscanopttoapplyhigherbeneficialownerstandards,andincasesofhighrisk,primaryfederalregulatorsmayexpectsuchhigherstandards.

TheRulesAreNotRetroactive. Financialinstitutionsarenotobligatedto identifybeneficialownersforaccountsexistingpriortothecompliancedeadline.However,inthecourseofmonitoringexistingaccounts,iftheinstitution learnsinformationaboutbeneficialownersofacustomerthatmayberelevanttoassessingorreevaluatingrisk,thenthebeneficialownerinformationshouldbecollectedandtheiridentitiesshouldbeverifiedatthattime.

ThereWillAlwaysBea“Controlling”Individual. Therearetwoprongstothebeneficialownershiprequirements.First,thecustomerneedstoidentifyanyownersof25%ormoreoftheequity interestsofthe legalentity.Theremaybenoownersthatmeetthisthreshold.Second,thecustomermust identifyasingleindividualwith“significantresponsibilitytocontrol,manage,ordirectalegalentitycustomer,”whichmayormaynotbeoneoftheowners.Thecustomermustalwaysidentifyacontrolpersonunderthisprong,regardlessofwhetherany25%ownersareidentified.

39

KeyTakeaways

BeneficialOwnership

UseoftheCertificationFormIsOptional. Therulesincludea“CertificationRegardingBeneficialOwnersofLegalEntityCustomers”forcollectingbeneficialownershipinformationfromcustomers.Useofthisformisnotmandatory,nordoesitprovideasafeharbor.Institutionsmaycollecttherequiredinformationbywhatevermeanstheychoose,aslongastheindividualcompletingtheformcertifies,tothebestofhis/herknowledge,theaccuracyoftheinformation.

InstitutionsNeedtoVerifytheIndividual’sIdentity,NotStatus. Financialinstitutionsdonotneedto independentlyverifythattheindividualsnamedasbeneficialownersareactualbeneficialownersoftheentity.Theinstitution canrelyonthecustomer’sidentificationofthese individuals,providedtheinstitution hasnoknowledgeoffactsthatwouldreasonablycallintoquestion thenamesthecustomergave.However,theinstitution doesneedtoverifytheidentitiesofthe individualsthecustomername

40

KeyTakeaways

KeyTakeaways

MarijuanaandMarijuanaRelatedBusinesses

a)BestPracticesforBankingMRBs• BasicBSAtenets…KYC/CDD/EDD/SAM• Knowyourcustomersandtheircustomers• FollowtheCash• NoExceptions• De-riskingand

b)Resources• Weedmaps• Stateand/orLocalAuthority (CABureauofCannabisControl)• MJBusinessDaily

c)Models• SafeHarborPrivateBanking– PartnerColoradoCU

41

KeyTakeaways

RiskAssessments

TheRiskAssessmentprocessisoneofthemostcriticalinternalcontrolfunctionstoprotectabankfromregulatorycriticisms,citationsforviolationsoflaw,andenforcementactions.

EnsuringaRiskAssessmentutilizesappropriatedataisacrucialcomponenttoensuringtheconclusionsaresoundandwell-supportedbyfacts.

42

FAQs

ThankYou

43