Auditing AML Governance Through the Regulatory Lens
A guide for financial institutions to create, and auditors to assess, processes and controls developed to manage previously unknown and emerging risks
ABSTRACT
Financial institutions operate in an environment
filled with emerging risks that can go unnoticed
until it is too late. New technology, laws, and
threat actors require a calculated approach to
managing the external risks, but an institution
must also equally consider the internal risk of not
fully considering all potential risk components.
Failing to fully document the actions (and reasons
for the actions) taken, when designing and
implementing controls to combat emerging
money laundering risks, can result in regulatory
action, fines, or reputational risk. “What do we
say when the regulators show up?” shouldn’t be
a question uttered three months after launching
a project, but rather three months before.
Continue reading for ideas on how to answer that
ever-pressing question.
Rob Mesarick, CAMS
CAMS-Audit White Paper
Table of Contents
Introduction .................................................................................................................................................. 2
Structure of the BSA/AML Compliance and Governance Function .............................................................. 2
Case Study ................................................................................................................................................. 2
BSA/AML Governance Roles, Responsibilities, and Challenges ................................................................ 3
Risk Assessment ............................................................................................................................................ 5
Assessing Existing and Emerging Risks and Establishing a Risk Tolerance ............................................... 5
The United States Marijuana Industry ...................................................................................................... 7
Risk Management Framework .................................................................................................................... 11
Guiding and Documenting the Decision-Making Process ....................................................................... 11
Internal Considerations ........................................................................................................................... 11
External Considerations .......................................................................................................................... 12
Crafting Controls to Manage the Risk ......................................................................................................... 14
Coverage Assessment ............................................................................................................................. 14
Policy and Procedure .............................................................................................................................. 16
Line of Business Impact ........................................................................................................................... 17
Compensating Detection Methods and Controls ................................................................................... 18
User Acceptance Testing ......................................................................................................................... 19
Post-Implementation Assessment .......................................................................................................... 19
Conclusion ................................................................................................................................................... 20
References .................................................................................................................................................. 21
Introduction
Bank Secrecy Act (“BSA”) compliance failures and enforcement actions are an all-too-familiar
sight in today’s financial industry. The issues and root causes can vary greatly, but most often there
are two broad themes: 1) An institution has demonstrated an inability to execute on existing
processes and procedures in place to meet regulatory obligations or expectations; or 2) an
institution has no processes in place to ensure compliance with a regulatory obligation or
expectation.
An issue that falls into the first category can often be addressed very quickly. If a third-party
reviewer identifies a higher-than-acceptable rate of quality errors in the cleared alert population,
management can hold additional training sessions and increase quality assurance (“QA”) rates for
underperforming analysts as needed. In essence, the process as designed is reasonably effective
but could benefit from some enhancement.
A financial institution that falls into the latter category, however, is often exposed to significant
financial, reputational, and strategic impacts. These issues do not go away overnight and often
come with a fair amount of heartburn until the scope and dollar cost required to correct the issue
can be quantified. Institutions that have been required by regulators to perform a multi-year look-
back can certainly attest to this fact.
This paper will focus on the issues that fall into the latter bucket and will provide meaningful
perspective to financial institutions and audit professionals in designing processes and controls to
manage previously unknown and emerging risks in a manner that meets regulatory expectations.
In general, a sustainable framework that will aid an institution in the crafting and implementation
of measures to manage these risks will be provided. For illustrative purposes, marijuana-related
businesses (MRBs) will be used as a thematic emerging risk throughout each phase of the general
framework.
Structure of the BSA/AML Compliance and Governance Function
Case Study
As previously noted, BSA/Anti-Money Laundering (BSA/AML) enforcement actions take many
forms, but failures stemming from an inadequate compliance structure are often systemic. An
institution that does not dedicate the resources needed to remediate problem areas in their infancy
will be exponentially affected with each passing day. The consent order,1 issued by the Office of
the Comptroller of the Currency (OCC) in 2017, against Continental National Bank of Miami,
Florida, is one example of an institution found to have numerous compliance structure deficiencies.
The order covers a wide variety of compliance areas needing enhancement that would have been
cared for were an appropriate governance structure in place, such as a robust risk assessment, data
mapping between systems, and ongoing policy and procedure development.
1 “Consent Order: In the Matter of Continental National Bank of Miami,” OCC, July 18, 2017, U.S. Department of the Treasury.
Of particular interest is that the bank was previously the subject of a cease-and-desist order for
BSA-related deficiencies in 20052 which was ultimately terminated in 2008.3 Further, both the
2005 and the 2017 actions required that the bank enhance the audit function to ensure ongoing
compliance with the BSA. While the specific circumstances leading up to the repeat offense are
not public knowledge, this is a prime example of what makes the internal audit function so
important; issues this numerous do not occur overnight. There are numerous layers of detection
that could have identified these issues long before rising to the level of consent order worthiness.
Most financial institutions employ a quality assurance program to identify errors in areas that are
highly manual or subjective in nature, as is the case with suspicious activity monitoring reviews.
An institution’s internal audit team should also be able to identify error trends with regard to
adherence to policy and procedure, or proactively determine that the procedures themselves are
not sufficient to meet regulatory requirements. In order for these programs to be effective, they
must have adequate resources, be led by knowledgeable staff, and have the full support of the
board and senior management; the lack of any one of these characteristics may be the root cause
of Continental National Bank’s BSA deficiencies. The impact of a consent order of this scope and
size was felt both internally and externally through the immediate hire of resources to address the
provisions4 and the reputational risks that come with negative media coverage. It is therefore vital
to the long-term success of an organization to have sustainable processes in place to maintain
compliance and a strong audit function to provide a credible challenge to those operations.
BSA/AML Governance Roles, Responsibilities, and Challenges
If a financial institution is to successfully manage the ongoing maintenance and development of a
BSA compliance program, they must first make clear which individual or group is ultimately
responsible for executing and owning initiatives. Relying on the United States as a framework, the
Federal Financial Institutions Examination Council (FFIEC) manual devotes considerable
attention to this topic, but there are only a few strict requirements that every financial institution
is expected to meet. The two most essential elements are 1) that the board of directors is responsible
for approving and overseeing the structure and management of the bank’s BSA/AML compliance
function, and 2) that senior management is responsible for implementing and enforcing the board-
approved program. How the program is designed and responsibilities are assigned will vary from
institution to institution, accounting for the unique risks presented by the types of products offered,
exposure to specific AML typologies, geographic footprint, and the size of the institution. A
centralized unit dedicated to the ongoing development of a BSA/AML program might be most
efficient for one institution, and compliance responsibilities may be delegated throughout the
various lines of business for another.
2 “Consent Order: In the Matter of Continental National Bank of Miami,” OCC, June 24, 2005, U.S. Department of the Treasury.
3 “Consent Order: In the Matter of Continental National Bank of Miami,” December 8, 2008, U.S. Department of the Treasury.
4 “Continental National Bank Signs Consent Order,” by N. Dahlberg, August 11, 2017, Miami Herald.

An institution’s governance structure faces many potential challenges, but perhaps the most important quality that contributes to the ongoing success of the group is that it is comprised of diverse individuals, both technically and culturally. While an AML background should be the common thread of experience among the group, the day-to-day challenges that a governance unit faces are better met with prior experience in the fields of information technology (IT), project management, law enforcement, and branch banking, among many other fields. An agile group that is quickly able to identify and resolve issues, and efficiently respond to changing regulatory guidelines, minimizes the risk exposure an institution faces while decreasing the cost of compliance. An institution often encounters unexpected technical issues that create an immediate risk of noncompliance, such as the corruption of data feeds or the need to retune suspicious activity monitoring scenarios. Having a governance member with a solid background in IT and data quality allows for a faster assessment of the root cause and implementation of a solution than would be the case if multiple people or functional areas needed to be involved. In the case of the recently implemented “Beneficial Ownership”5 rule, major system enhancements and coordination across all lines of business were needed for many banks to comply with the rule. Initiatives such as these call for a leader with project management experience to effectively manage resources and achieve incremental milestones.
Of course, AML professionals do not grow on trees, and depending on who you talk to, there’s a
shortage of qualified AML professionals who possess the skills needed to effectively navigate the
myriad day-to-day compliance challenges.6 There is no question that regulators expect financial
institutions to have staff in place whose experience and education are commensurate with their
current job responsibilities. In the aforementioned consent order placed on Continental National
Bank in 2017, Article II placed numerous requirements on the institution as it relates to staffing,
most notably:
- appointing a qualified and experienced BSA officer;
- engaging an independent third party to conduct a formal written assessment of the bank’s oversight and infrastructure, and to also evaluate the capabilities of the BSA officer and all staff involved with BSA compliance; and
- periodic written assessments assessing the adequacy of the BSA officer and supporting staff.
The ability to recruit externally often depends on the geographic location where a bank is
headquartered; firms located in New York City or Charlotte, North Carolina, have a higher
likelihood of sourcing talent from local competitors, but that road goes both ways. Smaller regional
and community banks in rural areas may have the advantage of retaining staff due to a lack of
competition, but they are likely limited in attracting external talent with a ready-made skill set that
meets their immediate and future compliance needs. So how can an organization ensure that it has
the people with the right mix of skills to succeed in a role as challenging as BSA/AML
governance?
5 “Beneficial Ownership Requirements for Legal Entity Customers – Overview,” FFIEC, May 5, 2018, FFIEC BSA/AML Examination Manual.
6 “Compliance Job Market Shows Strength in AML and Financial Crime as Other Areas Slow,” by T. Ehret, January 18, 2017, Reuters.

There is no replacement for a known commodity, and the most effective person for a governance role may already exist within your organization. It is impossible to measure an individual’s drive and competence by looking at a résumé, so the safest bet is to identify high-performing junior and mid-level BSA/AML compliance staff within your organization, and present opportunities and tools for career growth. A firm that forecasts its needs in the short and long term can be confident that it has the bench strength needed when a mid- or senior-level position is inevitably vacated. Through the use of succession planning,7 an institution can demonstrate to regulators and auditors that it not only has the in-house talent needed to run a sustainable program, but that it has invested in them the time and dollars needed to advance to the next level. This approach ultimately benefits both the employee and employer, and goes a long way in demonstrating organizational stability.
While it is ultimately the responsibility of senior management and the board to ensure effective
succession planning, audit professionals will serve their organization well by scoping this critical
activity into audit plans at least annually. Don’t be surprised if management is unable to produce
substantive (or any) documentation on the subject if it has never been requested in prior audit
reviews. If little to no assessment is available, it will ultimately benefit the organization in the long
run to compel senior management to address this forecasting gap by issuing a finding in an audit
report. If management has a documented succession plan, auditors should ensure that any key
assumptions are supported by reasonable rationale. It is also important to interview or otherwise
test staff who are deemed to be key components of long-term planning to confirm that their
knowledge, skills, and long-term goals align with the requirements of the next role.
In a general sense, financial institutions must truly embrace the idea of what constitutes an
emerging risk and have a mechanism in place to continuously monitor for them. The concept itself
is often so vague that it is difficult to conceptualize the risk and potential impacts until they
have already materialized. This leads to reactive planning and remediation rather than proactively
adding preventative control measures. The process of evaluating emerging risks begins with a
corporate-wide risk assessment.
Risk Assessment
Assessing Existing and Emerging Risks and Establishing a Risk Tolerance
A financial institution’s governance responsibilities should include the completion of a corporate-wide risk assessment at least every 12 to 18 months that assists the organization in knowing how
to apply appropriate risk management processes to mitigate risk.8 From an auditor’s perspective,
there are numerous ways to leverage the risk assessment to ensure that an institution’s governance
is proactively identifying areas of rising risk exposure and effectively assessing how to act on
them. It is important that a component of the risk assessment include a process specifically
designed to continually monitor for, identify, and quantify emerging risks in tangible terms.
Because emerging risks can take many forms, a framework needs to exist for a bank to determine
if or how an external stimulus, such as a new or repealed federal law, will impact their organization.
7 “The Holy Grail of Effective Leadership Succession Planning,” by J. Rosenthal, K. Routch, K. Monahan, and M. Doherty, September 27, 2018, Deloitte Insights.
8 “BSA/AML Risk Assessment—Overview,” FFIEC, n.d., FFIEC BSA/AML Examination Manual.

Continuous auditing forms the basis for an ongoing health check of a compliance program’s development. Wherever feasible, auditors should proactively work with compliance staff to ensure that they have a mechanism that alerts them to rising risk exposure, and a defined emerging risk threshold that triggers an investigation into the matter. What this means in terms of managing BSA-specific emerging risks will be covered in depth later on, but the bottom line is that compliance staff must identify and address risks before they materialize unnoticed.
One reliable way for an auditor to identify risk exposure is assessing the personnel responsible for
carrying out BSA compliance activities. The risk assessment areas with the highest residual risk
ratings represent significant risk to the bank if oversight of those areas is not adequate; therefore,
it is prudent for an auditor to interview the staff responsible for managing day-to-day compliance
activities. Management should be able to clearly articulate the controls and processes that are in
place to manage the risks, and this information should match what is stated in the risk assessment.
Any substantial variances between the two should be investigated to determine if there are any
process gaps as a result of communication issues or unclear lines of responsibility. Another reliable
means of identifying risk exposure is by analyzing management information systems (“MIS”)
reports. Data trends are hard facts that are not subject to interpretation, so it is important to
determine the underlying cause. As an example, when auditing an institution’s current year
corporate-wide BSA risk assessment, obtain at least one prior year’s as well to compare key risk
areas for significant variances. A marked increase in any key areas should be accompanied by an
in-depth analysis of what contributed to the spike and whether it represents an uncontrolled
emerging risk. Areas to focus on that show major variances from year to year might include:
- product usage (e.g., international wires);
- customer demographics, such as the number of individuals with citizenship or mailing addresses in high-risk geographies;
- cash volumes in or out; and/or
- number of customer relationships physically located outside of the institution’s geographic footprint.
There may be a perfectly reasonable explanation for any of the above items to sharply increase
year over year, such as the institution expanding into new markets or product offering changes.
These trends should be accompanied by a clear rationale supported by appropriate evidence. Any
variances that cannot be explained should include an action plan detailing the steps to be taken to
assess the root cause, as well as whether the existing controls in place adequately control the risk. From a
regulator’s vantage point, it is perfectly acceptable to know that a bank has identified a risk yet
chosen not to act on it, so long as it is fully analyzed and formally documented.
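As an added illustration of the year-over-year variance review described above (example code written for this guide, not part of the original white paper or any institution's tooling): the script compares prior- and current-year values for a few key risk areas, flags any that move by more than an assumed 20% materiality threshold, and treats a flagged area as an audit exception only when neither a documented rationale nor an action plan accompanies it. The risk area names, the threshold, and all numbers are constructed for illustration.

```python
"""Year-over-year variance check over a corporate-wide BSA/AML risk assessment.

Added example: illustrates the audit logic in the paper (material variance
-> documented rationale or action plan -> otherwise an audit finding).
All data below is constructed; the 20% threshold is an assumption.
"""
from dataclasses import dataclass


@dataclass
class RiskAreaMetric:
    area: str
    prior: float          # prior-year value from the risk assessment
    current: float        # current-year value
    rationale: str = ""   # management's documented explanation, if any
    action_plan: str = "" # documented steps to assess root cause / controls, if any


@dataclass
class VarianceFinding:
    area: str
    pct_change: float
    status: str  # within_tolerance | explained | action_planned | unexplained


def pct_change(prior: float, current: float) -> float:
    """Percentage change from prior to current; a new area (prior == 0)
    with activity is treated as an unbounded increase so it is always flagged."""
    if prior == 0:
        return float("inf") if current else 0.0
    return (current - prior) / prior * 100.0


def assess_variances(metrics, threshold_pct: float = 20.0):
    """Classify each risk area. Decreases are flagged too (abs), since a sharp
    drop can signal a broken data feed rather than a real reduction in risk."""
    findings = []
    for m in metrics:
        change = pct_change(m.prior, m.current)
        if abs(change) < threshold_pct:
            status = "within_tolerance"
        elif m.rationale.strip():
            status = "explained"          # supported by documented rationale
        elif m.action_plan.strip():
            status = "action_planned"     # not yet explained, but being assessed
        else:
            status = "unexplained"        # material and undocumented
        findings.append(VarianceFinding(m.area, change, status))
    return findings


def audit_exceptions(findings):
    """Areas an auditor would raise as a finding: material variance with
    neither a rationale nor an action plan on file."""
    return [f.area for f in findings if f.status == "unexplained"]


# Constructed sample data (illustrative numbers, not from any real assessment).
SAMPLE_METRICS = [
    RiskAreaMetric("international_wires_count", 1200, 1800,
                   rationale="Expansion into two new trade-finance markets in Q2"),
    RiskAreaMetric("customers_high_risk_geography", 340, 520,
                   action_plan="Sample 50 new relationships; confirm EDD was performed"),
    RiskAreaMetric("cash_in_volume_usd", 45_000_000, 71_000_000),
    RiskAreaMetric("customers_outside_footprint", 900, 950),
]

if __name__ == "__main__":
    results = assess_variances(SAMPLE_METRICS)
    for f in results:
        print(f"{f.area:32s} {f.pct_change:+8.1f}%  {f.status}")
    print("audit exceptions:", audit_exceptions(results))
```

Run stand-alone, the script lists the four areas with their percentage change and status, and reports `cash_in_volume_usd` as the only audit exception; the wire growth is explained, the high-risk-geography growth has an action plan, and the footprint change is inside the assumed threshold.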
Assessing and acting on an emerging risk is often more difficult than mitigating the risks associated
with risk items that have long existed. It is imperative that a bank’s governance staff keep a vigilant
eye out for trigger events so that they can respond with the appropriate control measures as quickly
as possible. Trigger events include the roll out of new banking products or financial services, new
or revoked laws, and the discovery of new money laundering typologies. Examples include the
advent of digital currency, states legalizing the use of marijuana, and the use of daily fantasy sports
sites to launder money. All of these events necessitate a deep dive to understand what the potential
impacts might be to existing bank processes, or to identify areas where the institution does not
have any controls in place to manage the risks that did not exist previously. The best place to start is by gathering and analyzing all available information to understand how the trigger event might impact their unique organization now and in the future. Risk assessments are living, breathing documents that require continuous refreshing to stay ahead of emerging risks. Processes change as new vendors are contracted, internal systems and technology are updated, and personnel are added and subtracted from the bank every year. These developments may create coverage gaps if not fully documented and accounted for when assessing emerging risks. It is also important that external events are evaluated by senior management in all areas of the bank. Coverage gaps are more likely to occur if risk is evaluated in a silo, since the group performing an institution’s corporate-wide risk assessment is unlikely to be able to extrapolate potential adverse effects for every internal bank operation. For this reason, those conducting the assessment must be sure that senior management throughout the organization is able to opine on the effects an external event might potentially have on their unit’s operations.
In a general sense, financial institutions should clearly define what their risk tolerance is through
the use of a risk-appetite statement that defines the amount of risk, on a broad level, an organization
is willing to accept in pursuit of value.9 The strategic goals of an organization are generally the
primary influence on the statement. A bank looking to achieve rapid growth in new markets may
decide that the risk of accepting higher-risk customer types like foreign politically exposed persons
(PEPs), money services businesses (MSBs), and precious metals dealers is warranted in order to
achieve their goals. Institutions that take on these customers will be able to leverage available
regulatory guidance to put controls in place to mitigate their risks.
The United States Marijuana Industry
In order to illustrate how an institution’s governance team would actually go about handling a real-world emerging risk, we will explore a risk issue that all financial institutions in the United States
must confront: Marijuana Related Businesses (“MRBs”). MRBs are unique in that there is
little regulatory guidance available to guide institutions in controlling the risk. In order to develop
an informed risk tolerance position and assess the risk this industry poses to your unique
institution, the first order of business is to understand where it has been and where it is going.
Medical marijuana was first legalized in the 1990s by five states and the District of Columbia;
however, the number of states that have legalized some form of marijuana use over the past
decade10 is leading to explosive market growth.11 The prevalence of companies operating in this
sphere will grow as the market continues to expand, and as new players emerge so too will be the
need for financial services. In order for a financial institution to be prepared to deal with the risks
and rewards of banking such entities, the board of directors must determine a stance on the matter
and enact a corporate policy for senior management to carry out. The first order of business in
crafting an informed and sustainable policy is to develop a complete understanding of the issue.
The marijuana industry in the United States is particularly complex for a variety of reasons, which
will be covered in-depth below.
9 “Five Steps to Developing a Comprehensive Risk Appetite Framework,” by D. Dixon, May 25, 2017, The Wall Street Journal.
10 “U.S. Marijuana Laws: A History,” by L. Shapiro and K. Mettler, April 20, 2018, The Washington Post.
11 “Legal Cannabis Industry Poised for Big Growth, in North America and Around the World,” by T. Pellechia, March 1, 2018, Forbes.

In 1970, the Comprehensive Drug Abuse Prevention and Control Act of 1970 was passed. Title II of this act is named the Controlled Substances Act (CSA) and was the beginning of the “War on Drugs.” This act made the manufacturing, importation, distribution, possession, and usage of various drugs illegal, including marijuana. The CSA classified the drugs covered under the act into five categories based on their potential for abuse, the potential for psychological effect or dependence, and medical applications. As of today, marijuana is still classified as a federal Schedule 1 narcotic, similar to heroin, LSD, and Ecstasy (MDMA). What complicates the matter is that individual states have enacted laws protecting marijuana producers and users from the federal regulation. Article VI of the Constitution dictates that the federal law prevails when state and federal laws directly contradict each other.12
The federal stance on marijuana remained relatively stagnant for decades until it became
increasingly apparent that the use of medical marijuana was rapidly becoming legalized in many
states across the union. In 2009, then-Deputy Attorney General David Ogden released a memo
declaring personal medicinal marijuana use to be of low priority for federal enforcement in states
that had legalized it.13 Then-Deputy Attorney General James Cole followed up with an additional memo in
201314 to U.S. attorneys and federal law officials regarding the enforcement of federal marijuana
laws. The memo included eight priorities intended to assist law enforcement in focusing their
resources and prosecution efforts “on persons or organizations whose conduct interferes with any
one or more of these priorities, regardless of state law.” The memo further specifies that the federal
government will not enforce the CSA on individuals or entities who use, possess, cultivate, or
distribute marijuana so long as their doing so does not conflict with the aforementioned eight
priorities.
What was not clear up to this point was whether state or federally chartered banks would be
punished for onboarding entities that were known to be involved in some facet of the marijuana
industry. This gray area led to most banks choosing to take the risk-averse approach and deny
these relationships for fear that they would be prosecuted for facilitating a federally illegal activity.
Finally, in 2014, the Financial Crimes Enforcement Network (FinCEN) issued guidance to the
banking industry on the BSA expectations for institutions that choose to provide services to
MRBs.15 The memo provides explicit terms by which a bank can provide services to marijuana
businesses and finally shed light on how financial institutions must proceed should they decide to
bank these customers.
Unfortunately, this clarity only lasted for a few short years, as the Cole Memo was revoked in 201816 by then-Attorney General Jeff Sessions, effectively eliminating all legal progress made since 2009. Banks that chose to begin accepting MRB clients suddenly found themselves in a very awkward position, as the entire basis of the FinCEN memo was predicated on the revoked Cole Memo. Further clouding the issue is the fact that the FinCEN memo has not been revoked, nor has any new guidance on the matter been issued as of January 2019.

12 “State Law and Federal Law: Who Rules?” by Y. F. Baker, April 11, 2018, Current Compliance.
13 “Investigations and Prosecutions in States Authorizing the Medical Use of Marijuana,” by D. Ogden, October 19, 2009, U.S. Department of Justice.
14 “Memorandum for All United States Attorneys on Guidance Regarding Marijuana Enforcement,” by J. Cole, August 29, 2013, U.S. Department of Justice.
15 “BSA Expectations Regarding Marijuana-Related Businesses,” FinCEN, February 14, 2014, U.S. Department of the Treasury.
16 “Memorandum for All United States Attorneys on Marijuana Enforcement,” by J. Sessions, January 4, 2018, U.S. Department of Justice.
Even if a form of marijuana has yet to be legalized in the states where your institution operates, it is very likely that it will be soon. Take one look at the map below of states with current legalization laws and combine it with the states considering ballot initiatives in the near future, and it is plain to see that the industry is poised to become very big business.17 Some community and regional banks have decided that it is within their risk tolerance to take on clients involved in the marijuana industry. Some have tried to manage the risk by offering a limited suite of banking options, and some other institutions have been banking businesses with ties to the industry all along without ever realizing it.18 The number of institutions willing to open accounts for marijuana businesses is rising, albeit slowly, but the issue is still heavily shrouded in uncertainty for both regulators and banks.19

[Map: every U.S. state where marijuana is legal, as of January 2019 (image not reproduced).20]
17 “These States Are Most Likely to Legalize Marijuana in 2019,” by T. Angell, December 26, 2018, Forbes.
18 “Why Marijuana Businesses Still Can’t Get Bank Accounts,” by S. Quinton, March 22, 2016, Stateline.
19 “More Banks Working With Marijuana Businesses, Despite Federal Moves,” by T. Angell, June 14, 2018, Forbes.
20 “New Jersey Lawmakers Postponed a Critical Vote to Legalize Marijuana—This Map Shows Every U.S. State Where Pot Is Legal,” by J. Berke and S. Gould, January 4, 2019, Business Insider.

With all of this legal and operational context in mind, every financial institution needs to choose whether they want to be, or even can legally be, an active participant in the marijuana industry. The choice is very cut and dry on the face of it, but either route triggers a cascade of policy, procedure, and process updates across your entire institution in order to comply with that decision. Consider the matrix of potential clients that might interact with an MRB but are not involved with the cultivation or sale of product to consumers. Growers must purchase fertilizer and cultivation tools like specialty lighting. They must also contract an armored car service to transport product to testing labs and dispensaries. Dispensaries must pay for packaging supplies, advertising, and standard office products. They will likely contract a security service to monitor the premises and also utilize third-party payroll processing services. All of these are purchased from companies that do not physically handle marijuana, but they are being paid with funds derived from a federally illegal enterprise. These various financial interactions drive the risk associated with the industry to more comprehensive and far-reaching levels when compared to other industries.
Choosing to bank MRBs presents numerous risks and challenges, but it also comes with a very
high reward. The risks include:
- loss of charter, depending on future federal priorities;
- increased regulatory scrutiny;
- Cole Memo violations, such as sales to underage individuals, committed by the customer, which are difficult to monitor;
- elevated risk of facilitating financial crimes due to the cash-intensive nature of the industry;
- financial risk due to uncertain feasibility of the program;
- lending credit risk due to civil forfeiture of collateral; and
- reputational risk—existing and potential clients may morally object to the industry.
By some estimates, only 30% of businesses in the industry have a bank account,21 clearly
indicating that the vast majority of banks have chosen to avoid the industry. Those banks that do
offer services to these companies can therefore impose extremely high fees to justify the
uncertainty surrounding the risks listed above. Also consider that the costs of compliance
surrounding these customers are significant. Regulators would rightly expect extreme ongoing due
diligence and strict adherence to the requirements laid out in the available FinCEN guidance.22
The second option is to choose not to bank MRBs. This is obviously the more risk-averse
approach, but it also locks out a rapidly growing industry and a potentially high-performing
revenue source. A bank will also incur numerous costs to maintain compliance with the policy
decision, further enhancing the negative financial impact with none of the potential gains. Further,
the decision to completely divest from all customers connected to the marijuana industry in order
to comply with federal law can lead to public criticism and reputational harm. Wells Fargo, one of the
United States’ largest financial institutions, found this to be the case when it decided to close
an account held by a Democratic Party candidate running for the commissioner of agriculture in
the state of Florida.23 The bank’s position that federal law prohibits its dealing with marijuana
businesses24 does indeed hold merit, but this set of circumstances illustrates just how precarious a
position financial institutions can find themselves in when deciding how much risk to accept.
21 “Legal Marijuana: The $9 Billion Industry That Most Banks Won't Touch,” by K. Murphy, September 6, 2018, Forbes.
22 “BSA Expectations Regarding Marijuana-Related Businesses,” FinCEN, February 14, 2014, U.S. Department of the Treasury.
23 “A Candidate Backed Medical Marijuana. Wells Fargo Closed Her Bank Account,” E. Flitter, August 22, 2018, CNBC.
Risk Management Framework
Guiding and Documenting the Decision-Making Process
As is the case with many facets of life, it is important to remember to not lose sight of the forest
for the trees. Before returning to the unique circumstances surrounding MRBs, it is important to
formulate a template for your organization to follow when evaluating emerging risks in the general
sense. Consistency is key when it comes to demonstrating sustainability, and your institution’s
approach to assessing emerging risks should generally be consistent from one risk to the next. This
next section will serve as a guide to demonstrating that your institution has sufficiently measured
the risks posed, and that the controls developed in response to those risks are well conceptualized
and sustainable. Also included throughout this section will be the perspective of an auditor,
including what artifacts could potentially be produced to demonstrate effective and thoughtful
BSA/AML governance.
Internal Considerations
Before executing any strategy designed to mitigate risk, it is important to first look inward to
honestly assess limitations. Senior management must evaluate the resources, systems, and
personnel it has available and, to the extent possible, forecast how much time and money is
available without compromising the resources allocated to the rest of the compliance program.
One of the most important considerations, if not the most important, is the people assigned to execute your plan. If
the remedy being designed to mitigate the risk is highly technical and requires numerous
individuals with advanced Microsoft Excel skills, the staff assigned to carrying out the task should
be highly proficient with the application. Conversely, if the approach as designed involves a high
volume of data entry, the individuals best assigned to the task should be those who have displayed
an aptitude for accuracy in order to reduce the likelihood of errors. In either case, if the institution
does not have the right people to execute the plan, it is time to develop a different plan that makes
use of the specific talents the team possesses. An ideal artifact to demonstrate that the expertise is
available to carry out the tasks as assigned is to leverage the succession plan previously discussed.
Along with the projected career path of staff, include special projects that they have worked on to
demonstrate prior experience and success with technical skills. If available, also list any advanced
training courses attended or certifications held to demonstrate that the person assigned to the job
is well qualified and reliable. Having this documentation on hand goes a long way in demonstrating
that the process was built with a solid foundation in mind.
Another consideration is that every financial institution is at the mercy of technology. As
previously mentioned, the recently implemented beneficial ownership rule required the collection
of information previously not required, thus, many institutions had to figure out where to store that
information. This may require your institution to enhance the existing account opening system,
which takes time and costs money. Generally speaking, quantifying the technology costs at the
outset of any project proposal is essential to staying on budget.
24 “Wells Fargo Confirms Adherence to Federal Laws Regarding Marijuana-Related Activities,” by B. Braxton, August 22, 2018, Wells Fargo News Releases.
Speaking of staying on budget, another key element to successful internal evaluation is to
understand the true costs associated with the project. If a third-party vendor will be contracted to
complete a portion of the work, ask a number of prospective vendors for quotes and references.
Contact peer banks who have used each prospective vendor previously and inquire as to their
efficiency and effectiveness. Contracting the wrong vendor can quickly turn into a money pit if
the vendor is unable to deliver as promised. So, perform as much due diligence as possible before
entering into an engagement. As a means to explain why one vendor was chosen over another,
archive the requests for proposal received from the bidding vendors and create memos
documenting any conversations had with peer FIs surrounding a vendor’s performance.
Corporate strategy is another area that needs to be considered when determining how to battle an
emerging risk. Communication with senior management throughout the lines of business and the
board on the plan of attack is essential to efficient use of resources. For example, if a global bank
is dealing with an emerging risk that is exclusive to a region of the world, it would be helpful to
know if there are plans to divest from the area in the next one to two years. In circumstances such
as this, a temporary manual process might be put in place to manage the risk rather than spending
ten times more to implement an automated solution that would stand the test of time. As an auditor,
obtain and review board materials over the course of the project lifecycle. At a minimum, senior
management should present the project plan to the board before beginning, and updates on the
project status should be provided throughout the lifecycle to ensure transparency.
When presenting to the board on matters related to risk detection, prevention and/or acceptance, it
is important to lay the groundwork for how each unique risk is being captured and quantified. The
first step in doing this is to document where control gaps exist and extrapolate the impact to the
bank were business operations to continue unchanged. Factors to consider include the likelihood
that the risk will bring about noncompliance with laws or regulations, the effect that the gap may
have on other areas of the bank, or the cost benefits of remediating the problem now rather than in
the future. When evaluating these factors, be sure to include projections in real terms that account
for all potential costs associated with mitigating or accepting a risk. In some instances, adding
additional staff, implementing new technology systems, or contracting the services of a third-party
vendor to mitigate a risk may prove to be more costly than the worst case scenario were the risk to
fully materialize. This information allows for complete understanding of the risk and rewards and
is essential to forming the basis of decision making at the highest levels.
External Considerations
When developing strategies to deal with emerging threats, it is important for your institution to
keep in mind that there are others who are dealing with (or perhaps have already addressed) the
same issue. The Board of Governors of the Federal Reserve, Federal Deposit Insurance
Corporation (“FDIC”), FinCEN, National Credit Union Administration (“NCUA”) and OCC
recently recognized the value that collaboration among peer banks can bring when they
collectively released a statement on collaborative arrangements.25 The statement opens the door
for banks to more intensely consider the value of participating with others to achieve a common
goal while reducing costs and leveraging specialized expertise. Such an arrangement could be
particularly useful when enhancing a BSA program to account for the highly technical world of
blockchain and digital currency. This relatively new medium for transferring value has opened
financial institutions up to money laundering techniques that many may not be prepared to deal
with. In such circumstances, it may be beneficial to work with peer financial institutions (“FIs”)
to identify resources that can be shared with the expertise necessary to evaluate a bank’s existing
BSA program to identify weaknesses and recommend enhancements. This approach may well be
far less expensive than hiring a third-party vendor.
Because such shared arrangements rely on staff who may not have been fully vetted through your
organization’s onboarding regimen, auditors should carefully evaluate the full scope of the
arrangement, including the qualifications of the resources being brought in. Management should
obtain the résumés of the external resources brought in to work on a particular project, and a
contractual document should be drafted so that the full scope and goal of the engagement is made
clear. Auditors should assess this information after the fact to ensure that the affected areas of the
program are properly overseen by internal management, that the board of directors has provided
clearance for all related matters, and that all applicable legal restrictions have been considered.
One of the most important things for an auditor to assess in terms of preventing financial crime is
clearly defined in the regulatory joint statement, which is “that the collaborative arrangement be
designed and implemented in accordance with the bank’s risk profile for money laundering and
terrorist financing. Ultimately, each bank is responsible for ensuring compliance with BSA
requirements. Sharing resources in no way relieves a bank of this responsibility.” This statement
provides vital guidance in two key ways: 1) What works for one bank may not work for another;
and 2) bank management must be fully informed and understand the work being done by the
external resource. Auditors must therefore assess the viability of the solutions put in place specific
to their institution’s particular risk profile, and also ensure that senior management is effectively
able to carry out the design after the shared expertise engagement is over.
Another external consideration relates to the customers the financial institution serves. The
priorities and banking habits of a community in the Midwest are likely to be different than those
in Los Angeles, for example. With this distinction in mind, it is important to consider the
possibility of completely de-risking, wherever possible, from areas that carry a high money
laundering potential. Depending on the customers you serve, consider not offering services like
trade finance, payable-through accounts, and prepaid cards. If the demand for these services would be
minimal, going without them allows your compliance program to be streamlined and not carry the
cost of building controls and executing on them. Also consider the potential effects that banking
certain industries might have on your customer base. While it may be legal in your state, there is
a large portion of the public that rejects marijuana on moral grounds, and they may object to doing
business with a bank that also serves MRBs. One external event that serves as a reminder of the
risks associated with offering banking services in foreign jurisdictions and knowing the customers
your institution serves is the Panama Papers scandal. The leak of records from Mossack Fonseca
revealed countless instances of potential tax avoidance schemes and money laundering avenues.26
As a financial institution, there are a number of factors to consider upon learning of an
external event such as this, including:
- determining if any of the clients listed in the report are customers of your institution;
- conducting a look back for any confirmed matches to identify the client’s sources of funds
and evaluate for potential SAR filing;
- determining if existing CDD and KYC policies and procedures are adequate to detect other
organizations whose business model operates similarly to that of Mossack Fonseca; and
- presenting to the board of directors the findings, quantifying areas of risk exposure, and
recommending potential remedies to control risk to the organization.
25 “Interagency Statement on Sharing Bank Secrecy Act Resources,” Board of Governors of the Federal Reserve System, October 3, 2018, Federal Reserve.
The legal and regulatory environment is always changing, so another external consideration to
keep in mind is upcoming legislation that may impact your ability to execute on controls being
built to manage an emerging risk. International privacy laws are a prime example of
this concept in action for larger multinational banks. The European Union General Data Protection
Regulation (GDPR) recently went into effect and has placed numerous constraints on the options
a governance group has available to work with as it relates to customer data. The manner in which
your institution carries out the requirements associated with beneficial ownership information
collection and enhanced due diligence may well be impacted by this regulation as well.27 As an
auditor, it is important to be fully educated on the local laws within the jurisdictions where your
institution does business so that you can identify any apparent conflicts in existing and future
processes. One of the most effective ways for management to demonstrate compliance with new
and existing laws is completing a documented coverage assessment. A coverage assessment is the
basis of sound risk management principles, the concept of which is the best starting point when
crafting controls to deal with an emerging risk.
Crafting Controls to Manage the Risk
Coverage Assessment
Now that the internal and external considerations unique to your institution have been fully assessed,
we return to our theme regarding the emerging risk of MRBs to illustrate
how an institution’s governance team can craft controls to adhere to policy. Once the board of
directors sets forth the decision to bank or not to bank MRBs, management must now take action
to ensure adherence with the policy decision.
A coverage assessment is the first step to understanding the controls a financial institution has in
place to mitigate certain elements of an emerging risk and where controls need to be enhanced or
implemented to round out monitoring abilities. If your institution decides to bank MRBs, a logical
starting point to begin a coverage assessment is with FinCEN’s guidance, BSA Expectations
Regarding Marijuana-Related Businesses.28 When assessing the requirements, management could
consider these example questions:
- How does your institution’s current enhanced due diligence (EDD) program stack up
against the verification and ongoing customer due diligence (CDD) requirements?
- How will your institution consider whether an MRB implicates one of the Cole Memo
priorities or violates state law?
- Does the financial intelligence unit (FIU) have the capacity to meet the suspicious activity
report (SAR) filing volumes that will result from continuous onboarding of MRBs?
- Are the suspicious activity monitoring rules that are currently in place adequate to identify
red flags specific to the industry?
26 “What Are the Panama Papers? A Guide to History's Biggest Data Leak,” by L. Harding, April 5, 2016, The Guardian.
27 “A Compliance Conundrum for Financial Institutions: U.S. Anti-Money Laundering Initiatives and the Forthcoming EU General Data Protection Regulation,” by W. Barry, November 21, 2017, Bloomberg BNA.
Once all of the compliance areas have been reduced to writing, document the areas that have
coverage. Using the monitoring rules coverage as an example, tick and tie the rules already in place
with the red flags laid out in the guidance. If additional coverage is needed, assign an individual
the task of developing new rules and testing the outputs in user acceptance testing (UAT) to
determine their effectiveness. In this case, an auditor would look to verify that each existing rule
reasonably covers the associated red flag, and that the development and testing of any new rules
are comprehensively documented along the way. This documentation should include an analysis
of why the rule parameters would be effective at capturing the specific risk, and also consider these
factors:
- The alert volumes generated. In the case of new rules being implemented specifically for
known MRB customers, additional training will need to be provided to the analysts who
work these alerts. Because the Cole Memo priorities serve as the ‘line in the sand’ that
these businesses cannot cross, this type of investigation will differ greatly from all other
alert types, which rely on a binary decision of “suspicious or not.”
- The proportion of alerts the rule generates that would already have alerted under an
existing rule’s parameters versus the number generated only by the test scenario, and
how the non-marijuana-related rules should be leveraged by an analyst when
comprehensively working the review.
- The method by which the rules are being assessed for effectiveness. Is success measured
on a SAR/no SAR basis alone, or less strictly by the percentage of alerts escalated for
further investigation? Implementing new rules is certain to raise the number of alerts
generated, so in order to track their effectiveness post-implementation,
new MIS will be needed to comprehensively report on this subset of clients.
- For banks operating in multiple states where marijuana is legal in some but not all
geographies, how are interstate transactions being accounted for? Do any new or existing
scenarios need to be built to prevent marijuana sales proceeds from being deposited at a
branch where marijuana is prohibited?
28 “BSA Expectations Regarding Marijuana-Related Businesses,” FinCEN, February 14, 2014, U.S. Department of the Treasury.
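The tick-and-tie of monitoring rules to red flags, the UAT overlap comparison, and the two effectiveness measures described above can be carried out as a small, repeatable calculation rather than by hand. The following Python is an added illustration, not code from this paper or from FinCEN; the red flag descriptions, rule identifiers, alert keys and dispositions are constructed placeholders, and an institution would substitute the red flags from the guidance and its own rule inventory.

```python
from collections import defaultdict

# Constructed sample red flags. These are placeholder descriptions for illustration,
# not the text of the FinCEN guidance; substitute the red flags from the guidance itself.
RED_FLAGS = {
    "RF-1": "Cash deposits materially exceed state-reported sales",
    "RF-2": "Rapid movement of funds out of the account shortly after cash deposits",
    "RF-3": "Cash deposits structured below the currency transaction reporting threshold",
    "RF-4": "Deposits made at branches in states where marijuana sales are prohibited",
}

# Monitoring rules currently in production and the red flags each is designed to cover
# (constructed rule identifiers).
EXISTING_RULES = {
    "CASH-STRUCT-01": {"RF-3"},
    "RAPID-MOVE-02": {"RF-2"},
}

# Constructed UAT output for a candidate rule, keyed by (customer_id, period), next to
# the production alerts on the same data for the same period.
SAMPLE_UAT_ALERTS = {("C100", "2019-Q1"), ("C200", "2019-Q1"),
                     ("C300", "2019-Q1"), ("C400", "2019-Q1")}
SAMPLE_PROD_ALERTS = {"CASH-STRUCT-01": {("C100", "2019-Q1")},
                      "RAPID-MOVE-02": {("C200", "2019-Q1")}}


def coverage_gaps(red_flags, rules):
    """Tick and tie rules to red flags.

    Returns (sorted ids of red flags no rule covers, red flag id -> set of covering rules).
    The gap list is what the coverage assessment must assign someone to close.
    """
    covered = defaultdict(set)
    for rule_id, flags in rules.items():
        for flag in flags:
            covered[flag].add(rule_id)
    gaps = sorted(flag for flag in red_flags if flag not in covered)
    return gaps, dict(covered)


def alert_overlap(new_rule_alerts, existing_alerts):
    """Compare a candidate rule's UAT alerts with production alerts on the same data.

    new_rule_alerts: set of (customer_id, period) the candidate rule alerted on.
    existing_alerts: dict rule_id -> set of (customer_id, period) from production rules.
    Returns (share of candidate alerts an existing rule already produced,
             alerts that only the candidate rule produced).
    """
    already = set()
    for alerts in existing_alerts.values():
        already |= alerts
    overlap = new_rule_alerts & already
    unique = new_rule_alerts - already
    share = len(overlap) / len(new_rule_alerts) if new_rule_alerts else 0.0
    return share, unique


def rule_effectiveness(dispositions):
    """Measure a rule two ways: escalation rate and SAR rate.

    dispositions: one outcome per alert, each "closed", "escalated" or "sar".
    An alert that ended in a SAR was necessarily escalated first, so it counts in both.
    Returns (escalation_rate, sar_rate); both 0.0 when there are no alerts.
    """
    total = len(dispositions)
    if total == 0:
        return 0.0, 0.0
    sars = sum(1 for d in dispositions if d == "sar")
    escalated = sars + sum(1 for d in dispositions if d == "escalated")
    return escalated / total, sars / total


if __name__ == "__main__":
    gaps, covered = coverage_gaps(RED_FLAGS, EXISTING_RULES)
    print("uncovered red flags:", gaps)
    share, unique = alert_overlap(SAMPLE_UAT_ALERTS, SAMPLE_PROD_ALERTS)
    print(f"{share:.0%} of candidate alerts already alerted; unique to candidate: {sorted(unique)}")
    print("escalation rate, SAR rate:", rule_effectiveness(["closed", "escalated", "sar", "closed"]))
```

An auditor can rerun the same functions over the rule inventory and the UAT extract to confirm that the documented coverage matches what is actually in production; the overlap share shows how much of the candidate rule's volume is genuinely new work for the analysts rather than a duplicate of an existing alert.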
Policy and Procedure
If your institution decides to not bank MRBs, it must first decide upon what qualifies as an MRB.
Certainly, the entities that cultivate, distribute, and sell marijuana and marijuana byproducts are
considered marijuana businesses, but what about companies that make packaging supplies who
exclusively target sales to distributors? Selling packaging supplies is not a crime, but when all of
the company’s revenues are sourced directly from illegal activities (federally speaking), the
situation becomes much murkier. It would also be unrealistic for a bank to take a zero-tolerance
policy on accepting customers who do business in any way with an MRB. Marijuana growers are
plugged into the electric grid and have to pay their utility bills the same as any other business, but
it would be unreasonable to not bank the electric supplier because a grower is a customer of theirs.
The most sustainable option is therefore to establish a measurable threshold based on the
institution’s risk tolerance to serve as a guide for handling companies who do business with
marijuana businesses but do not actually touch the federally illegal substance at any point of their
relationship. A tiered approach is an effective means to classify these two different types of
marijuana businesses and can be used to define whether an institution will accept their business.
A tiered strategy may involve classifying MRBs that physically touch the product at any stage of
growth through sale to the end user as a ‘Tier 1 MRB.’ These businesses would be deemed
prohibited customers. Those businesses that generate a certain portion of their revenue from selling
their product to tier 1 MRBs might be deemed ‘Tier 2 MRBs.’ As your institution has chosen to
divest from this industry, it is logical to capture the risk associated with these clients through
enhanced due diligence. Because the marijuana industry is highly cash intensive, a tier 2 MRB’s
relationship with a grower may lead to the funneling of excess cash from one to the other in an
attempt to enter the proceeds of marijuana sales into the financial system. As a means to focus
resources on the tier 2 MRBs that pose the most risk, an institution would benefit by defining a
percentage threshold of revenues derived from tier 1 MRBs. The threshold should be set at a
number commensurate with the institution’s exposure to the industry. An auditor should expect to
see the rationale sufficiently documented and ensure that the board of directors has had the
opportunity to review the approach.
Now that MRBs have been defined for your institution, the next step is to determine how to keep
these businesses out of your customer base. An institution will likely need to revise the onboarding
procedures and know-your-customer (KYC) platforms in place to include a specific question
related to involvement in the marijuana industry. This will assist in capturing a portion of the
customers that may attempt to open an account; however, it is also possible for them not to disclose
this information up front. To combat this and also identify any MRBs that were onboarded prior
to launching the initiative, developing a process whereby an institution’s customer base is
periodically scrubbed will drive compliance. Information on entities licensed to do business in the
marijuana industry is publicly available, and each state has a website that lists the names of growers
and dispensaries that are approved to operate. Depending on the geographic locations where an
institution operates, it may be possible to manually update such a list on a quarterly basis. If your
institution does not have the resources to do this or is located in all 50 states, there are vendors
who track this information that can be contracted.29 Whatever means is decided upon, the list can
then be used to compare against existing clientele to ensure ongoing compliance with policy. As
an auditor, it is important to assess that the procedures surrounding the scrub process clearly define
responsibilities. The results of the scrub should also be sampled to ensure the correct disposition
of any alerts deemed to be false positives.
29 “Cannabis-Related Corporate Intelligence,” CRB Monitor, n.d.
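The tiered MRB definition from the previous paragraphs and the periodic scrub of the customer base against state licensee lists can be implemented together. The following Python is an added example, not the paper's or any vendor's code; the revenue threshold, the customer records and the licensee names are constructed, and the licensee lists would in practice be downloaded from each state's website or obtained from a vendor.

```python
import re
from difflib import SequenceMatcher

# Constructed policy parameter: share of revenue from tier 1 MRBs at or above which a
# supplier is treated as a tier 2 MRB. The real value is set to the institution's risk tolerance.
TIER2_REVENUE_THRESHOLD = 0.25

# Legal-form suffixes ignored when comparing names, so 'Green Leaf, LLC' matches 'Green Leaf LLC'.
LEGAL_SUFFIXES = {"llc", "inc", "corp", "co", "ltd"}

# Constructed sample customer base (customer_id, legal name, state) and a constructed
# state licensee list (licensee name, state). Neither is real data.
SAMPLE_CUSTOMERS = [
    ("C1", "Green Leaf, LLC", "CO"),
    ("C2", "Mile High Bakery Inc", "CO"),
    ("C3", "Green Leaf LLC", "WA"),            # same name, different state: no CO licence
    ("C4", "Greenleaf Nursery", "CO"),         # near miss, below the fuzzy cutoff
    ("C5", "Mile High Wellness Center", "CO"), # near match to a licensee, for disposition
]
SAMPLE_LICENSEES = [("Green Leaf LLC", "CO"), ("Mile High Wellness Ctr LLC", "CO")]


def classify_mrb_tier(touches_product, tier1_revenue_share):
    """Apply the tiered definition.

    touches_product: True if the business handles the plant or product at any stage.
    tier1_revenue_share: fraction of revenue from tier 1 MRBs, or None if not yet obtained.
    Returns "tier1" (prohibited), "tier2" (permitted, subject to EDD), "none", or
    "unknown" when the revenue share is missing from CDD, so the gap is visible.
    """
    if touches_product:
        return "tier1"
    if tier1_revenue_share is None:
        return "unknown"  # missing CDD data: escalate rather than silently treat as "none"
    if tier1_revenue_share >= TIER2_REVENUE_THRESHOLD:
        return "tier2"
    return "none"


def normalize_name(name):
    """Lower-case, drop punctuation and legal-form suffixes for comparison."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def scrub_customers(customers, licensees, fuzzy_cutoff=0.85):
    """Compare the customer base against published state licensee names.

    Exact matches on the normalized name within the same state score 1.0; near matches at or
    above fuzzy_cutoff are returned for analyst disposition. Each alert carries customer_id,
    licensee, score and match_type so a reviewer's decision can be recorded against it.
    """
    index = {}
    for lic_name, state in licensees:
        index.setdefault(state, []).append((normalize_name(lic_name), lic_name))
    alerts = []
    for cust_id, name, state in customers:
        norm = normalize_name(name)
        for lic_norm, lic_raw in index.get(state, []):
            if norm == lic_norm:
                alerts.append({"customer_id": cust_id, "licensee": lic_raw,
                               "score": 1.0, "match_type": "exact"})
            else:
                score = SequenceMatcher(None, norm, lic_norm).ratio()
                if score >= fuzzy_cutoff:
                    alerts.append({"customer_id": cust_id, "licensee": lic_raw,
                                   "score": round(score, 2), "match_type": "fuzzy"})
    return alerts


if __name__ == "__main__":
    print(classify_mrb_tier(False, 0.40))   # tier2
    for alert in scrub_customers(SAMPLE_CUSTOMERS, SAMPLE_LICENSEES):
        print(alert)
```

The fuzzy alerts are where false positives concentrate, which is what the sampling step the text recommends should target; the "unknown" tier makes missing CDD data visible instead of letting a customer pass as "none" by default.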
Line of Business Impact
A key component of overall compliance rests with a bank’s individual lines of business; therefore,
it is important to consider the circumstances unique to each one. Lending lines of business, for
example, should partner with the institution’s BSA governance team to develop standards as
consistently as possible for businesses and individuals involved in the marijuana industry. The
partnership between the lines and BSA is critical when lending to MRBs, due to their cash
intensive nature. One way to combat the uncertainty surrounding these businesses’ cash flow and
potential for AML abuses is to conduct periodic site visits. This allows the line of business to gain
a level of comfort that the business is not in danger of violating any of the Cole Memo priorities
(which could lead to asset forfeiture), and it also provides the FIU with valuable information as to
the appropriateness of the businesses’ account activity, namely cash deposits.
A documented site visit program is a valuable tool when the process works as designed, and
auditors should routinely test all of the elements of the program. MIS should be obtained showing
that all customers who require a site visit receive one, that visits are performed at the frequency
required by procedure, and that the observations of the site visit conductor are
meaningful and detailed. A key component to the success of a site visit program is having staff
who understand what to look for when on site at a business and that expectations are clearly
defined. To that end, BSA governance should develop and administer site visit training to all bank
staff who might be required to conduct one, and a standard template should be created to document
the review.
As it relates to MRBs, staff should be thoroughly educated on what to expect to see (and what not
to expect to see) when visiting an MRB business location. Because the legal requirements vary
from state to state on a variety of elements, it is important that staff be familiar with all regulations
in order to identify areas of potential concern. For example, state laws vary as to how much product
an individual can purchase at any one time, so a site visit conductor should take note if they witness
a sale exceeding that amount while on the premises. Site visit conductors should also take detailed
notes on what they witness while on site and compare the facility attributes to the CDD information
provided by the customer at account opening. If a dispensary owner stated that they expect one
million dollars incoming cash per quarter, the site visit conductor would do well to plan multiple
visits during peak traffic time (e.g., Saturday afternoon) to assess the number of customers served
and average price per sale. This information could be extrapolated over a quarter to discern if the
CDD information aligns with reality. Significant variations may require further investigation to
assess the potential for money laundering activities.
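The two audit steps in the site visit program above, confirming from MIS that every customer was visited within the procedural frequency and extrapolating on-site observations to the quarterly cash figure stated in CDD, as an added Python example that is not from the paper; the visit frequencies, the customer and visit records, and the observed figures are all constructed.

```python
from datetime import date, timedelta

# Constructed procedural requirement: maximum days between site visits by customer tier.
# A real program takes these from the institution's approved procedures.
VISIT_FREQUENCY_DAYS = {"mrb_high": 90, "mrb_standard": 180}

# Constructed MIS extract: customers requiring visits and the visits actually completed.
AS_OF = date(2019, 6, 30)
SAMPLE_CUSTOMERS = [("D100", "mrb_high"), ("D200", "mrb_standard"), ("D300", "mrb_high")]
SAMPLE_VISITS = [
    ("D100", date(2019, 1, 10), "Dispensary open, two registers, cash-only signage."),
    ("D100", date(2019, 4, 2), "Second visit; card terminal now present."),
    ("D200", date(2018, 12, 1), "Cultivation site; plant counts consistent with license."),
]


def overdue_site_visits(customers, visits, as_of):
    """Audit test: every customer requiring a site visit has had one within procedure.

    customers: list of (customer_id, tier); tier keys VISIT_FREQUENCY_DAYS.
    visits: list of (customer_id, visit_date, notes) for completed visits.
    Returns a sorted list of (customer_id, reason) findings.
    """
    last_visit = {}
    for cust, when, _notes in visits:
        if cust not in last_visit or when > last_visit[cust]:
            last_visit[cust] = when
    findings = []
    for cust, tier in customers:
        max_gap = timedelta(days=VISIT_FREQUENCY_DAYS[tier])
        if cust not in last_visit:
            findings.append((cust, "never visited"))
        elif as_of - last_visit[cust] > max_gap:
            findings.append((cust, f"last visit {last_visit[cust].isoformat()} "
                                   f"exceeds {max_gap.days} days"))
    return sorted(findings)


def projected_quarterly_cash(observed_customers, observed_hours, avg_sale,
                             open_hours_per_week, weeks_per_quarter=13):
    """Extrapolate an on-site observation to a quarter.

    Observing at peak traffic (the Saturday afternoon in the text) overstates the
    average hour, so treat the result as an upper bound when comparing to CDD.
    """
    customers_per_hour = observed_customers / observed_hours
    return customers_per_hour * avg_sale * open_hours_per_week * weeks_per_quarter


def cdd_cash_variance(projected, stated, tolerance=0.25):
    """Compare projected to stated quarterly cash.

    Returns (projected / stated, True when the variance exceeds the tolerance and
    warrants further investigation).
    """
    ratio = projected / stated
    return ratio, abs(1.0 - ratio) > tolerance


if __name__ == "__main__":
    for finding in overdue_site_visits(SAMPLE_CUSTOMERS, SAMPLE_VISITS, AS_OF):
        print(finding)
    # Constructed observation: 40 customers in 4 peak hours at $60 average, 70 open hours/week,
    # against a CDD statement of $1,000,000 incoming cash per quarter.
    projected = projected_quarterly_cash(40, 4, 60, 70)
    print(projected, cdd_cash_variance(projected, 1_000_000))
```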
Because of the legal gray area, it should also be expected that there will be instances where
businesses choose not to volunteer that they are involved in the marijuana industry at account
opening. This is particularly likely to occur if the financial institution has determined to not
bank MRBs but is located in a state where recreational marijuana is legal. MRBs may attempt to
disguise their activities from the bank with half-truths, stating that they operate as a pharmacy (but
sell medicinal marijuana), a bakery (but produce marijuana-infused baked goods), or a nursery
(but grow marijuana), all of which are effective means to avoid being detected
should their account activity be picked up for review. A marijuana bakery will still purchase goods
within their stated business type (e.g., wholesale purchases of flour and other baking supplies),
which increases the feel of legitimacy of the accounts. All bank staff who conduct site visits should
therefore be trained to pick up on these cues that may suggest that a business is in fact operating
as an MRB:
- Excessive use of the color green on business marketing materials or interior premises
- Customer website directly informing or implying that the business is involved in the
industry by using words like “natural,” “herbal,” or “alternative pain remedies”
- Internal decor that promotes or advocates the use of marijuana (e.g., Bob Marley posters)
- The absence of merchant services equipment to process credit/debit card purchases, or
signage indicating that all sales must be made with cash
Compensating Detection Methods and Controls
A BSA program increases the odds of successfully detecting suspicious activity when there are
multiple means of detection and escalation. Emerging risks often require processes to be built to
specifically address factors unique to the issue, but it is important to also assess if there are ways
to incorporate means of detection into existing areas as well. One way to do this for the risk
associated with MRBs is to evaluate it through two separate processes: enhanced due
diligence and suspicious activity monitoring.
An institution that permits MRBs as account holders must vigilantly monitor for ongoing
compliance, and one reliable way of doing so is through extreme enhanced due diligence. Most
financial institutions have an existing program to manage this process, but it would be wise to
consider adding additional documentation requirements to manage the inherent risk of these
customer types. Financial statements and copies of bills of sale for supplies purchased by the entity
may assist with scrutinizing account behavior. While EDD reviews generally seek to understand
patterns of customer behavior over a moderate length of time and holistically focus on patterns of
account activity as compared to the customer’s CDD information, suspicious activity monitoring
is the cornerstone of any compliance program. Additional monitoring in this form would be
warranted as well, and AML governance should consider designing rules for specific application
to accounts held by MRBs. Lowering thresholds for cash structuring or rapid movement of funds
scenarios provides extra coverage and assurance that the business is operating consistent with
expectations. When compensating detection methods cannot be implemented, an institution
can instead rely on compensating controls to increase effectiveness. Separation of duties goes a
long way in reducing the risk of accidental or intentional errors, and any processes put in place to
monitor MRBs should be subject to quality assurance given the inherent risk.
One of the key roles of an auditor is to serve as a trusted advisor and recommend solutions to risk
issues, so it is important to identify opportunities where compensating detection methods can be
implemented. If none are available, ensure that the roles and responsibilities are well defined in
procedures and that there is sufficient separation of duties to prevent conflicts of interest. In the
above example of SAR and EDD reviews being conducted for the same customer, it is important
to ensure that those individual functions are not carried out by the same person. As a means to
identify this, MIS can be obtained to evidence that the staff assigned to review individual
customers differs between processes.
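The lowered-threshold monitoring scenario for MRB accounts and the separation-of-duties check over MIS described above, as an added Python illustration rather than the paper's own rules: the near-threshold band, deposit count and window parameters, the customer identifiers and the reviewer assignments are all constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

CTR_THRESHOLD = 10_000  # cash amount at which a currency transaction report is required

# Constructed rule parameters. The "mrb" profile deliberately tightens the parameters
# for accounts held by marijuana-related businesses, as the text suggests.
STRUCTURING_PARAMS = {
    "standard": {"near_band": (9_000, CTR_THRESHOLD - 1), "min_deposits": 3, "window_days": 7},
    "mrb":      {"near_band": (8_000, CTR_THRESHOLD - 1), "min_deposits": 2, "window_days": 7},
}

# Constructed sample data: cash deposits (customer_id, date, amount), customer risk
# profiles, and MIS rows (customer_id, process, reviewer) for EDD and SAR work.
SAMPLE_PROFILES = {"D100": "mrb"}
SAMPLE_DEPOSITS = [
    ("D100", date(2019, 3, 1), 8_500), ("D100", date(2019, 3, 4), 8_700),
    ("R200", date(2019, 3, 1), 8_500), ("R200", date(2019, 3, 4), 8_700),
    ("R300", date(2019, 3, 1), 9_500), ("R300", date(2019, 3, 3), 9_800),
    ("R300", date(2019, 3, 6), 9_200), ("R300", date(2019, 3, 20), 9_900),
    ("R400", date(2019, 3, 1), 9_500), ("R400", date(2019, 3, 15), 9_800),
]
SAMPLE_ASSIGNMENTS = [
    ("D100", "EDD", "analyst_a"), ("D100", "SAR", "analyst_b"),
    ("R300", "EDD", "analyst_c"), ("R300", "SAR", "analyst_c"),
]


def structuring_alerts(deposits, profiles, params=STRUCTURING_PARAMS):
    """Flag customers with repeated cash deposits just under the CTR threshold.

    profiles maps customer_id to "standard" or "mrb"; unknown ids use "standard".
    Returns a sorted list of (customer_id, window_start, count, total) for the first
    window per customer that meets the profile's parameters.
    """
    by_customer = defaultdict(list)
    for cust, when, amount in deposits:
        by_customer[cust].append((when, amount))
    alerts = []
    for cust, rows in by_customer.items():
        p = params[profiles.get(cust, "standard")]
        low, high = p["near_band"]
        near = sorted((d, a) for d, a in rows if low <= a <= high)
        window = timedelta(days=p["window_days"])
        for i, (start, _) in enumerate(near):
            in_window = [a for d, a in near[i:] if d - start <= window]
            if len(in_window) >= p["min_deposits"]:
                alerts.append((cust, start, len(in_window), sum(in_window)))
                break  # one alert per customer is enough to trigger review
    return sorted(alerts)


def separation_of_duties_breaches(assignments):
    """Check MIS that the EDD reviewer and the SAR investigator differ per customer.

    Returns a sorted list of (customer_id, reviewer) where one person performed both.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for cust, process, reviewer in assignments:
        seen[cust][process].add(reviewer)
    breaches = []
    for cust, procs in seen.items():
        for reviewer in procs.get("EDD", set()) & procs.get("SAR", set()):
            breaches.append((cust, reviewer))
    return sorted(breaches)


if __name__ == "__main__":
    for alert in structuring_alerts(SAMPLE_DEPOSITS, SAMPLE_PROFILES):
        print(alert)
    print(separation_of_duties_breaches(SAMPLE_ASSIGNMENTS))
```

R200 makes the same two deposits as D100 but does not alert under the standard profile, which is the extra coverage the MRB profile buys; the separation-of-duties output is the evidence an auditor would retain from the MIS review.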
User Acceptance Testing
Now comes the moment of truth. Controls have been developed, the procedures created, and the
system enhancements put in place. It is time to test what has been built to see if it all works
according to design. Successful UAT, no matter how complicated the project, should follow
the same basic format and should consist of planning, execution, documentation, and evaluation.30
Most key among these steps is documentation, as it needs to occur throughout every phase of
testing. Testing should take into account how the system or process will be used in a real-world
environment with the users of the product in mind. Conducting testing in a vacuum, or with only
a fraction of users, or limiting the functionality tested may not provide sufficient data to identify
weaknesses in the process.
Auditing the testing process ensures the long-term sustainability of any new process that relies on
technology or models, and should be done as soon as possible following the UAT results report,
preferably before the process goes live. It is impossible to take the human element out of any
project, and this stage is likely to be one where those involved with the project since the beginning
may fall victim to inattentiveness with the end in sight. When reviewing the UAT work papers, be
sure to identify and challenge any assumptions made during the planning phase, such as elements
being previously tested and therefore omitted from final testing; functionality may have been
inadvertently changed since that time. Also keep in mind the original intended purpose of the
project when evaluating the final product. Management sought to mitigate or control an emerging
risk; it is an auditor’s job to assess whether they have done so successfully.
Post-Implementation Assessment
Because BSA/AML compliance is not stagnant, it is important to periodically assess a process
designed around an emerging risk. An emerging risk is one that has yet to fully materialize, so
there are elements of the work done up to this point that may have relied upon assumptions. This
is why robust documentation throughout the project life cycle is critical. Having diligently tracked
the assumptions made along the way will help in the assessment years later. Restrictions that may
have boxed you in at one point may no longer exist. Laws often change, new technology emerges,
and there are pieces of the puzzle that can be made more useful or efficient.
Testing the results of a process six months or a year after implementation is an effective way to
determine if the process is working as intended. As it relates to MRBs, it is important to maintain
perspective when evaluating results. If a bank located in South Carolina builds a process to identify
employees of marijuana businesses, the process may run for a year and produce zero results, yet
still be appropriately designed. South Carolina does not have any laws legalizing medical or
recreational marijuana, nor is it adjacent to any states that have. Were that same process to be
implemented and produce zero results for a bank located in Denver, CO, however, chances are
something is not working right. Analyzing MIS is another dependable way to determine the
effectiveness of a new process. An organization that has decided to accept MRB clients, for
example, may implement new automated suspicious activity monitoring rules to more closely
monitor their account activity. After a moderate period of time running in a production
environment (e.g., 6 to 12 months), the alert-to-SAR success rate of the alerts produced should be
analyzed to determine their effectiveness. If the rules produce a higher SAR rate on average when
compared to all other rules in place, that is a good indicator that the MRB rules are effective, and
the thresholds are set appropriately. If the MRB rules are producing at a significantly lower rate
than average, the activity thresholds should be retuned to eliminate the high volume of false
positives. An effective means of tuning is to run different variations of a rule in a test environment
over a three-month period and compare the test alerts generated with production results over that
same time period. The results can then be analyzed for proportionality to see if the lowered
thresholds reduce the number of false positives without sacrificing overall effectiveness; if the
lowered thresholds drop the total volume of alerts by 25%, but also fail to capture 50% of the
customers that generated a SAR filing at production thresholds, it would not be wise to move
forward with the adjusted parameters.
30 “Fundamentals on Setting Up Your User Acceptance Testing Workflow,” by R. Vogels, December 4, 2018, Usersnap.
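The two post-implementation checks described above (comparing the alert-to-SAR rate of the MRB rules against all other rules, and the proportionality test for retuned thresholds) can be run as a short script over alert MIS. The following Python example is added here and is not part of the paper; the alert records, rule identifiers and the 90% minimum SAR-coverage tolerance are constructed assumptions.

```python
# Constructed production alerts: (rule_id, customer_id, led_to_sar). Hypothetical data.
PROD_ALERTS = [
    ("MRB_CASH_STRUCT", "C001", True), ("MRB_CASH_STRUCT", "C002", False),
    ("MRB_CASH_STRUCT", "C003", True), ("MRB_CASH_STRUCT", "C004", False),
    ("MRB_RAPID_MOVE", "C005", False), ("MRB_RAPID_MOVE", "C006", True),
    ("GEN_WIRE", "C007", False), ("GEN_WIRE", "C008", False),
    ("GEN_WIRE", "C009", True), ("GEN_ATM", "C010", False),
    ("GEN_ATM", "C011", False), ("GEN_ATM", "C012", False),
]
# Constructed alerts from a three-month test run of the MRB rules at adjusted
# thresholds, covering the same period as the production alerts above.
TEST_ALERTS = [("MRB_CASH_STRUCT", "C001"), ("MRB_CASH_STRUCT", "C003"),
               ("MRB_RAPID_MOVE", "C005")]

def alert_to_sar_rate(alerts):
    """Fraction of alerts that resulted in a SAR filing (0.0 when no alerts)."""
    return sum(1 for _, _, sar in alerts if sar) / len(alerts) if alerts else 0.0

def compare_mrb_rules(alerts, prefix="MRB_"):
    """Return (mrb_rate, other_rate, effective): the MRB rules are judged
    effective when they convert alerts to SARs at least as often as the rest."""
    mrb = [a for a in alerts if a[0].startswith(prefix)]
    other = [a for a in alerts if not a[0].startswith(prefix)]
    mrb_rate, other_rate = alert_to_sar_rate(mrb), alert_to_sar_rate(other)
    return mrb_rate, other_rate, mrb_rate >= other_rate

def proportionality(prod_alerts, test_alerts, prefix="MRB_"):
    """Compare a test run with production for the same rules and period.
    Returns (volume_reduction, sar_coverage): how far alert volume fell, and
    what share of customers who generated a SAR in production still alert."""
    prod = [a for a in prod_alerts if a[0].startswith(prefix)]
    sar_customers = {c for _, c, sar in prod if sar}
    test_customers = {c for _, c in test_alerts}
    volume_reduction = 1 - len(test_alerts) / len(prod)
    sar_coverage = len(sar_customers & test_customers) / len(sar_customers)
    return volume_reduction, sar_coverage

def accept_tuning(volume_reduction, sar_coverage, min_coverage=0.9):
    """Adopt the adjusted thresholds only if volume actually falls AND SAR
    coverage stays within tolerance; min_coverage is an assumed value that
    an institution would set for itself."""
    return volume_reduction > 0 and sar_coverage >= min_coverage

if __name__ == "__main__":
    print("MRB vs other rules:", compare_mrb_rules(PROD_ALERTS))
    vr, cov = proportionality(PROD_ALERTS, TEST_ALERTS)
    print("volume reduction:", vr, "SAR coverage:", cov,
          "accept:", accept_tuning(vr, cov))
```

With the constructed data the test run halves alert volume but loses one of three SAR customers, so the retuned thresholds are rejected, just as the paper's 25%/50% case would be.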
Conclusion
Emerging risks are a constant in the ever-evolving financial services industry, and banks today are
faced with numerous compliance challenges to overcome. An uncertain regulatory environment
surrounding the marijuana business requires that difficult choices be made without the benefit of
knowing that actions will not be later met with stiff consequences. The BSA and audit community
all share the same goal of preventing financial crime. No financial institution in the United States
does things exactly the same, and that is perhaps one of the greatest strengths of the industry. There
are many ways to combat the same financial crime, but a key factor is the speed at which the risk
is addressed.
A bank’s governance team is in the best position to act swiftly when the need arises. Sound risk
management principles require that this unit have a system in place to manage or mitigate emerging
risks before the damage becomes too great. Having a sustainable template to follow when a risk is
identified allows for more efficient use of resources and leads to solutions being implemented with
greater speed.
References
Angell, T. (2018, June 14). More banks working with marijuana businesses, despite federal
moves. Forbes. Retrieved from https://www.forbes.com/sites/tomangell/2018/06/14/more-banks-working-with-marijuana-businesses-despite-federal-moves/#33e566eb1b1b
Angell, T. (2018, December 26). These states are most likely to legalize marijuana in 2019.
Forbes. Retrieved from https://www.forbes.com/sites/tomangell/2018/12/26/these-states-are-most-likely-to-legalize-marijuana-in-2019/#497a544e5add
Baker, Y. F. (2018, April 11). State law and federal law: Who rules? Current Compliance.
Retrieved from http://www.currentcompliance.org/2018/04/11/state-law-federal-law-rules/
Barry, W. (2017, November 21). A compliance conundrum for financial institutions: U.S. anti-money laundering initiatives and the forthcoming EU general data protection regulation.
Bloomberg BNA. Privacy Law Watch. The Bureau of National Affairs, Inc., 17 pra 226.
Retrieved from https://www.millerchevalier.com/sites/default/files/publications/A-Compliance-Conundrum-for-Financial-Institutions_William-P-Barry.pdf
Berke, J. & Gould, S. (2019, March 26). New Jersey lawmakers postponed a critical vote to
legalize marijuana—this map shows every U.S. state where pot is legal. Business Insider.
Retrieved from https://www.businessinsider.com/legal-marijuana-states-2018-1
Board of Governors of the Federal Reserve System, et al. (2018, October 3). Interagency
statement on sharing Bank Secrecy Act resources. Federal Reserve. Retrieved from https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20181003a1.pdf
Braxton, B. (2018, August 22). Wells Fargo confirms adherence to federal laws regarding
marijuana-related activities. Wells Fargo News Releases. Retrieved from https://newsroom.wf.com/press-release/community-banking-and-small-business/wells-fargo-confirms-adherence-federal-laws
Cannabis-related corporate intelligence. (n.d.). CRB Monitor. Retrieved from
https://crbmonitor.com/
Cole, J. (2013, August 29). Memorandum for all United States attorneys: Guidance regarding
marijuana enforcement. U.S. Department of Justice. Retrieved from https://www.justice.gov/iso/opa/resources/3052013829132756857467.pdf
Dahlberg, N. (2017, August 11). Continental National Bank signs consent order. Miami Herald.
Retrieved from https://www.miamiherald.com/news/business/article166802672.html
Dixon, D. (2017, May 25). Five steps to developing a comprehensive risk appetite framework.
The Wall Street Journal. Retrieved from https://deloitte.wsj.com/riskandcompliance/2017/05/25/five-steps-to-developing-a-comprehensive-risk-appetite-framework/
Ehret, T. (2017, January 18). Compliance job market shows strength in AML and financial crime
as other areas slow. Reuters. Retrieved from https://www.reuters.com/article/bc-finreg-compliance-market/compliance-job-market-shows-strength-in-aml-and-financial-crime-as-other-areas-slow-idUSKBN1522WG
FinCEN. (2014, February 14). BSA expectations regarding marijuana-related businesses. U.S.
Department of the Treasury. Retrieved from https://www.fincen.gov/resources/statutes-regulations/guidance/bsa-expectations-regarding-marijuana-related-businesses
FFIEC. (2018, May 5). Beneficial ownership requirements for legal entity customers—
Overview. FFIEC BSA/AML Examination Manual. Retrieved from https://www.ffiec.gov/press/pdf/Beneficial%20Ownership%20Requirements%20for%20Legal%20Entity%20CustomersOverview-FINAL.pdf
FFIEC. (n.d.). BSA/AML risk assessment—Overview. FFIEC BSA/AML Examination Manual.
Retrieved from https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_005.htm
Flitter, E. (2018, August 22). A candidate backed medical marijuana. Wells Fargo closed her
bank account. CNBC. Retrieved from https://www.cnbc.com/2018/08/22/wells-fargo-closes-bank-account-of-candidate-who-supports-marijuana.html
Harding, L. (2016, April 5). What are the Panama Papers? A guide to history's biggest data leak.
The Guardian. Retrieved from https://www.theguardian.com/news/2016/apr/03/what-you-need-to-know-about-the-panama-papers
Murphy, K. (2018, September 6). Legal marijuana: The $9 billion industry that most banks won't
touch. Forbes. Retrieved from https://www.forbes.com/sites/kevinmurphy/2018/09/06/legal-marijuana-the-9-billion-industry-that-most-banks-wont-touch/#48865b9b3c68
OCC. (2005, June 24). Consent order: In the matter of Continental National Bank of Miami. U.S.
Department of the Treasury. Retrieved from https://www.occ.gov/static/enforcement-actions/ea2005-65.pdf
OCC. (2008, December 8). Order terminating the consent order: In the matter of Continental
National Bank of Miami. U.S. Department of the Treasury. Retrieved from https://www.occ.gov/static/enforcement-actions/ea2008-169.pdf
OCC. (2017, July 18). Consent order: In the matter of Continental National Bank of Miami. U.S.
Department of the Treasury. Retrieved from https://www.occ.gov/static/enforcement-actions/ea2017-051.pdf
Ogden, D. (2009, October 19). Memorandum for selected United States attorneys on
investigations and prosecutions in states authorizing the medical use of marijuana. U.S.
Department of Justice. Retrieved from https://www.justice.gov/archives/opa/blog/memorandum-selected-united-state-attorneys-investigations-and-prosecutions-states
Pellechia, T. (2018, March 1). Legal cannabis industry poised for big growth, in North America
and around the world. Forbes. Retrieved from https://www.forbes.com/sites/thomaspellechia/2018/03/01/double-digit-billions-puts-north-america-in-the-worldwide-cannabis-market-lead/#203ad17d6510
Quinton, S. (2016, March 22). Why marijuana businesses still can’t get bank accounts. Stateline.
Retrieved from https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2016/03/22/why-marijuana-businesses-still-cant-get-bank-accounts
Rosenthal, J., Routch, K., Monahan, K., & Doherty, M. (2018, September 27). The holy grail of
effective leadership succession planning. Deloitte Insights. Retrieved from https://www2.deloitte.com/insights/us/en/topics/leadership/effective-leadership-succession-planning.html
Sessions, J. (2018, January 4). Memorandum for all United States attorneys on marijuana
enforcement. U.S. Department of Justice. Retrieved from https://www.justice.gov/opa/press-release/file/1022196/download
Shapiro, L. & Mettler, K. (2018, April 20). U.S. marijuana laws: A history. The Washington
Post. Retrieved from https://www.washingtonpost.com/graphics/health/marijuana-laws-timeline/?noredirect=on
Vogels, R. (2018, December 4). Fundamentals on setting up your user acceptance testing
workflow. Usersnap. Retrieved from https://usersnap.com/blog/user-acceptance-testing-workflow/