How the Edges of Financial Technology Could Change Regulation

Financial regulation in the United States follows a longstanding pattern: The presidential administration changes, the other political party takes power and the financial regulation pendulum swings. Those working in compliance inevitably need to recalibrate.

President Joe Biden’s messaging so far has aimed to minimize polarization. This bodes well for moving beyond the typical “financial deregulation” versus “more regulation” dynamic. It gives the industry an opportunity to turn our attention towards pulling the overall framework out of an old, slow, manual and paper-based reality. What the U.S. financial regulatory framework really needs are large, fundamental overhauls and modernizations that will support a healthy, ever-changing financial services marketplace — not just through the next presidential administration, but further beyond, through the next several decades.

The incoming leadership could make regulation smarter and more effective with reforms that:

  • Measure success by outcomes and evidence, as opposed to procedural adherence.
  • Leverage technology to streamline compliance for agencies as well as providers.
  • Catch up and keep up with the ongoing advancements in financial technology.

The time for these sorts of changes just so happens to be ripe.

Digital or cryptocurrencies and charters for financial technologies have an awkward fit within the existing regulatory framework. Cannabis, another fringe area of finance, poses extra layers of legal and regulatory challenge, but its status could change on a dime if the new administration resolves the state and federal disconnect. All three of these peripheral business opportunities have gained significant momentum recently and may force regulators to adapt. To support these new use cases, which would otherwise break existing bank infrastructure, technology providers would have to modernize in ways that would benefit financial service compliance across the board.

As the emerging regulatory lineup takes shape from the legacies of the outgoing agency heads, the swing from the past administration to the present may not be all that dramatic. There are strange bedfellows in fintech. In the last six months of Donald Trump’s administration, there was already a balance between Acting Comptroller of the Currency Brian Brooks and U.S. Treasury Secretary Steven Mnuchin.

Brooks was indeed very active in his short tenure. Under him, the Office of the Comptroller of the Currency issued full-service national bank charters for fintech companies, published interpretive letters supporting digital currencies and published a working paper from its chief economist, Chartering the FinTech Future,” that lent support to the use of stablecoins.

In contrast, Mnuchin spent his last month in office encouraging  Financial Crimes Enforcement Network, or FinCEN, to issue a controversial proposed rulemaking that would affect crypto wallets and transactions. Critics argue this would make compliance impossible for decentralized technologies.

The Biden administration may have a similar dynamic between these two regulatory roles, albeit less dramatic. The confirmation of Treasury Secretary Janet Yellen, with her experience and moderate stance, conveys a great deal of stability. Still, she may not champion stablecoins, given her public statements on cryptocurrency.

At writing, Michael Barr is the anticipated pick for comptroller. His extensive and diverse résumé shows a long history of supporting fintech. We anticipate that he would continue the momentum towards modernization that Brooks started.

Gary Gensler, the nominated chair of the Securities and Exchange Commission, has a great deal of expertise and enthusiasm for digital currencies. Since his tenure as chair of the Commodity Futures Trading Commission during Barack Obama’s administration, he has served on faculty at MIT Sloan School of Management, teaching courses on blockchain, digital currencies and other financial technologies. Chris Brummer, the Biden administration’s anticipated choice for the CFTC, currently serves as faculty director at Georgetown University’s Institute of International Economic Law, has written books on the regulation of financial technologies and founded D.C. Fintech Week to help promote discussion of fintech innovation among policymakers.

When we get to the outer edges of finance — to crypto, charters and cannabis — the divide between political camps starts to disappear. But there’s still quite a bit of rigidity in the traditional financial industry and regulatory framework. Combining the slate of steady, open-minded regulators with the building pressures of technology yields reasonable hope for regulatory overhauls that will pull compliance along into the future.

FinCEN Files Underline BSA/AML System Mess

On its face, BuzzFeed’s reporting package on the details of 2,100 leaked suspicious activity reports (SARs) it obtained seems bad for many of the big banks mentioned. The articles take institutions to task for processing “trillions of dollars of suspicious transactions despite their own staff’s warnings that they might be related to crime.”

But the biggest scandal from the leaks may not be what it says about big banks — the biggest scandal is what it reveals about the anti-money laundering system at large. The leaks aptly demonstrate the system’s immense flaws.

These would hardly be news to bankers, who have known and complained about the system for years. They are on the cusp of winning reforms that, while not fixing the system as a whole, could lessen the burden on banks to report customers’ beneficial owners.

But the deeper issue is that the system encourages the proliferation of anti-money laundering filings, often without regard to whether they are truly related to any criminal activity.

The “FinCEN Files” are in part built on the premise that when a bank files a suspicious activity report, it truly believes that the transaction is related to financial crime or terrorism. BuzzFeed says the system “contains a crucial loophole” — although banks are required to alert the Financial Crimes Enforcement Network via a SAR, they are not obligated “to halt the suspicious activity or stop serving shadowy clients.”

But as the story later acknowledges and any banker can tell you, filing a SAR doesn’t necessarily mean the bank thinks there’s criminal activity going on. Banks are actively encouraged to file SARs for anything that seems even potentially fishy. The consequences of not filing a SAR can be severe, including extra scrutiny from regulators, an enforcement order or steep fines. Bank officers have been fired for failing to file SARs on activity that later turned out to be criminal.

The result? Banks have filed defensively for well over a decade. It’s so bad that at one point, a former FinCEN director used to tell a story about how a bank had filed a SAR because an employee’s bacon was stolen from the office fridge.

Predictably, this means banks and credit unions file a tremendous amount of SARs. There were some 839,000 filed by depository institutions in 2014. That rose to 1.1 million by 2019, a 32% jump. Does anyone think that all those SARs represent real criminal activity? Requiring banks to stop processing all those transactions wouldn’t close a loophole, it would violate due process. In many cases, banks are even told by law enforcement agencies to continue to process suspicious transactions. Such “keep open” letters are a way for law enforcement to continue to track potential criminals.

The “FinCEN Files” do make a great point when it says “the majority of these reports … are never even read, much less investigated.” We’ve built an entire money laundering system around the annual filing of millions of SARs and currency transaction reports (CTRs), the vast majority of which will never be seen by a human being.

If you listen to the way law enforcement agencies tell it, this is a feature, not a bug, of the system. Those agencies want banks to file SARs and CTRs because it creates a virtual warehouse of financial information they can use to track down leads. The more data they have, the better.

This approach assumes there is no cost for banks to do all of this, when the cost is in excess of $25 billion annually, according to some estimates. If banks weren’t spending a huge chunk of resources and time chasing down every potential dodgy transaction, they probably could be using it on other activities, like lending in their communities.

This approach would be acceptable if the current system actually worked, but it’s not clear it does. The amount of money laundered each year is roughly 2% to 5% of global GDP, or between $800 billion to $2 trillion, according to the United Nations Office on Drugs and Crime. Some estimates say law enforcement catches less than 1% of that.

Privately, many banking officials will tell you the vast majority of financial crimes are still going undetected. While the current system is great at catching unsophisticated criminals, the ones who know what they’re doing can find elaborate ways around the system.

Don’t get me wrong. If a bank is knowingly facilitating criminal activity — as has happened in the past and some of these 2,100 SARs show — they should be punished to the fullest extent of the law. But the biggest takeaway of this story is that our system is inefficient, costly and — worst of all — does not seem to work very well.

FinCEN Files: What Community Banks Should Know

Big banks processed transactions on the behalf of Ponzi schemes, businesses accused of money laundering and a family of an individual for whom Interpol had issued a notice for his arrest — all while diligently filing suspicious activity reports, or SARs.

That’s the findings from a cache of 2,000 leaked SARs filed by banks such as JPMorgan Chase & Co, Bank of America Corp., Citibank and American Express Co. to the U.S. Treasury Department’s Financial Crimes Enforcement Network, or FinCEN. These files, which media outlets dubbed the “FinCEN Files,” encompassed more than $2 trillion in transactions between 1999 and 2017.

Community banks, which are also required to file SARs as part of Bank Secrecy Act/anti-money laundering laws, may think they are exempt from the scrutiny and revelations applied to the biggest banks in the FinCEN Files. Not so. Bank Director spoke with two attorneys that work with banks on BSA/AML issues for what community banks should take away from the FinCEN Files.

Greater Curiosity
Community banks should exercise curiosity about transaction trends in their own SARs that may add up to a red flag — whether that’s transaction history, circumstances and similarities to other cases that proved nefarious. Banks should ask themselves if these SARs contain details that indicated the bank should’ve done something more, such as not complete the transaction.

“That is probably the biggest go-forward lesson for banks: Make sure that your policies and procedures are such that — when someone is looking at this in hindsight and evaluating whether you should have done something more — you can demonstrate that you had the proper policies and procedures in place to identify when something more needed to be done,” says James Stevens, a partner at Troutman Pepper.

Although it may be obvious, Stevens says banks should be “vigilantly evaluating” transactions not just for whether they merit a SAR, but whether they should be completed at all.

Size Doesn’t Matter
When it comes to BSA/AML risk profiles and capabilities, Stevens says size doesn’t matter. Technology has leveled the playing field for many banks, allowing smaller banks to license and access the capabilities that were once the domain of larger banks. It doesn’t make a difference in a bank’s risk profile; customers are its biggest determinant of a bank’s BSA/AML risk. Higher-risk customers, whether through business line or geography, will pose more risk for a bank, no matter its size.

But banks should know they may always be caught in between serving customers and regulatory activity. Carleton Goss, counsel at Hunton Andrews Kurth, points out that changing state laws mean some financial institutions can serve cannabis businesses that are legal in the state but still need to file SARs at the federal level. Banks may even find themselves being asked by law enforcement agencies to keep a suspicious account open to facilitate greater monitoring and reporting.

“There’s definitely a tension between serving customers and preventing criminal activity,” he says. “You don’t always know the extent of the activities that you’ve reported — the way the SAR reporting obligation is worded, you don’t even have to be definitively sure that a crime has occurred.”

“Front Page of the Newspaper” Test
Reporting in recent years continues to cast a spotlight on BSA/AML laws. Before the FinCEN Files, there was the 2016 Panama Papers. Stevens says that while banks have assumed that SARs would remain confidential and posed only legal or compliance risk, they should still be sensitive to the potential reputational risks of doing business with certain customers — even if the transactions they complete for them are technically compliant with existing law.

Like everything else we do, you have to be prepared for it to be on the front page of the newspaper,” he says.

Media reports mean that regulatory pressure and public outrage could continue to build, which could heighten regulatory expectations.

“Whenever you see a large event like the FinCEN files, there tends to be pressure on the regulators to ‘up their game’ to avoid giving people the perception that they were somehow asleep at the wheel or missed something,” Goss says. “It would be fair for the industry to expect a little bit more scrutiny than they otherwise would on their next BSA exam.”

How AML Compliance Could Soon Change


AML-9-21-18.pngDespite major changes in compliance obligations starting with the Dodd-Frank Act through the more recent Economic Growth, Regulatory Relief, and Consumer Protection Act, requirements related to anti-money laundering (AML) compliance have remained largely unchanged.

The last major revision of AML compliance requirements was in 2001 with the U.S.A. PATRIOT Act amendments to the Bank Secrecy Act. This era may be coming to an end with the reintroduction earlier this summer of H.R. 6068, Counter Terrorism and Illicit Finance Act (CTIFA), and the convergence of market developments.

Although the reintroduced CTIFA bill removes a prior provision that would have required beneficial ownership information for new corporations to be collected and provided to FinCEN, the revised CTIFA would make a number of other significant changes to AML compliance requirements:

  • Increase the filing thresholds for currency transaction reports from $10,000 to $30,000 and for suspicious activity reports (SARs) from $5,000 to $10,000;
  • Require the Secretary of the Treasury to undertake a formal review of the information reporting requirements in the BSA to ensure the information is “of a high degree of usefulness” to law enforcement, and to propose changes to reduce regulatory burden;
  • Reduce impediments to the sharing of SAR information within a financial group, including with foreign branches, subsidiaries, and affiliates;
  • Create a process for FinCEN to issue no-action letters concerning the application of the BSA or any other AML law to specific conduct, including a statement whether FinCEN has any intention of taking an enforcement action with respect to such conduct;
  • Encourage the use of technological innovations such as artificial intelligence in AML compliance;
  • Establish an 18-month safe harbor from enforcement of FinCEN’s beneficial ownership and customer due diligence rule, which became effective in May 2018; and
  • Commission studies on the effectiveness of current beneficial ownership reporting regimes and cost-benefit analyses of AML requirements.

Although the CTIFA’s prospects for passage are uncertain, several of its provisions track market developments that are already bringing about change. First, innovative technologies such as artificial intelligence and blockchain increasingly are being leveraged for AML compliance solutions.

Artificial intelligence has the potential to transform terabytes of customer information into actionable AML insights including, for example, customizable pre-drafted suspicious activity report templates or customer risk profiles. These risk profiles update in real time in support of the new customer due diligence “pillar” of AML compliance. Blockchain and other distributed ledger technologies may be deployed to create standardized digital identities for customers to expedite and safeguard KYC and authentication processes.

Second, banks already are taking a hard look at their CTR and SAR processes to determine the ratio of meaningful information to noise that has been included in these reports. This augmented reporting will result in a direct benefit to the network of federal government agencies tasked with analyzing reports to find information with a high degree of usefulness in law enforcement investigations.

Third, banks are increasingly providing services to new types of high-risk businesses, such as marijuana-related businesses (“MRBs”) and cryptocurrency companies. FinCEN has for each of these industries been a pioneer in issuing guidance relatively early in the industry’s lifecycle to explain how AML compliance obligations apply, but this guidance requires updating. As just one example, FinCEN’s three-tiered system for filing SARs applies when a bank provides banking services directly to an MRB, but there are less clear SAR filing guidelines when a bank provides services to a customer that provides services to MRBs or owns shares of an MRB.

Banks continue to use FinCEN’s administrative ruling request process or the supervisory process to obtain guidance for high-risk customers, albeit in an ad hoc, non-public way. This request process is less effective than the no-action letter process contemplated in the CTIFA.

The CTIFA, if enacted, would significantly change AML compliances. At the same time, innovation and new business opportunities, among other market developments, are already contributing to AML compliance enhancements. Regardless of whether the legislation passes, the industry appears to be entering an era of change.

Banks Face Continuing Legal Challenge Servicing Marijuana Growers


marijuana-9-8-17.pngIn the past five years, marijuana has become big business in the United States. There are now eight states with fully legalized recreational marijuana. Couple that with the other 20-plus states with legalized medical marijuana and we have two-thirds of Americans living in states with some form of legal access to marijuana. Many of the remaining states have decriminalized possession of small amounts of marijuana. Currently, it is estimated there are approximately 200,000 full-time and part-time workers in the cannabis industry, with legal marijuana and marijuana-related businesses (MRBs) anticipated to account for revenues in the $50 billion range over the next few years.

However, marijuana remains illegal at the federal level under the Controlled Substances Act. Marijuana continues to be classified as a Schedule I narcotic, which is the highest and most dangerous drug classification. Schedule I drugs are those that have no known medicinal value and the federal government considers to be illegal in all respects. Included with marijuana in this classification are heroin, ecstasy, methaqualone and peyote.

The inconsistency between state and federal laws has caused much confusion and consternation, particularly for financial institutions. In states where marijuana is legal, financial institutions have made many requests for federal guidance on banking MRBs. In 2014, the Department of Justice and Financial Crimes Enforcement Network, or FinCen, responded to such requests with the so-called Cole Memorandum and guidance titled “BSA Expectations Regarding Marijuana-Related Businesses,” respectively. The Cole Memorandum states the federal government will not prosecute within the cannabis industry so long as companies (including banks) obey local and state laws and regulations. The FinCen guidance provided a procedure for filing Suspicious Activity Reports for known MRB bank customers.

Unfortunately, neither of these governs the three prudential federal bank regulators, particularly in the enforcement of Bank Secrecy Act and anti-money laundering rules. As a result, most banks will not touch marijuana-related deposits, make loans to marijuana businesses or permit the use of credit cards on their payment systems. Banks that do provide services to MRBs are very quiet about it. They typically limit the deposits to certain dollar amounts, and if there is any whiff of concern, the accounts are quickly closed. It is estimated that in 2016, about 300 financial institutions in this country knowingly provided deposit accounts to MRBs. Many of these institutions have long standing relationships with their MRB customers and often require them to sign confidentiality agreements to keep the relationship quiet. There has been much speculation on how many banks are unknowingly banking marijuana customers, though it is certain that many are.

All of this legal uncertainty and risk has kept most banks out of the marijuana growing industry, leaving the business almost entirely cash-based. Many MRBs must find workarounds to deal with the cash they cannot deposit and the bills and taxes they must pay. Retailers have methods for hiding cash, including the purchase of armored cars and warehouses where cash can be stored. Many in the business have created their own security forces enlisting motorcycle gangs and former police or military personnel to protect their cash. Employees also are paid in cash, so pay day is staggered in order to prevent robberies. Taxes must be paid in person and are subject to penalties for cash payment. In addition, those who pay their taxes in cash are not eligible to take deductions, so they are paying taxes on gross revenue amounts, though it is difficult to determine (or audit) what those gross amounts really are. Many states are realizing this cash-based business is ripe for organized crime involvement.

With traditional banking mostly out of the picture, many entrepreneurs are working on technical alternative payment platforms as a way around old fashioned banking relationships. Some are using or developing crypto-currency platforms like Bitcoin and, more recently, Potcoin. These are only limited solutions to not having a deposit account or the ability to accept credit card payments. Others are trying to use stored value cards, cell phone apps and other mechanisms. Currently, no alternatives have caught on with the public or the industry. Alternative lenders, including individuals, private equity firms and loan sharks also have stepped in to provide expensive financing to the industry.

The Trump administration does not seem keen on legalizing marijuana, and Attorney General Jeff Sessions appears to be leaning toward increased enforcement. There are numerous bills in Congress to legalize marijuana and permit MRBs to be banked, but it is not clear whether any of these will pass. Until then, most banks will continue facing legal issues and continue avoiding the burgeoning and lucrative marijuana industry.

New Anti-Money Laundering Rules Will Impact Banks


anti-money-laundering-6-8-16.pngFueled by the leak of the Panama Papers, the Financial Crimes Enforcement Network (FinCEN) has published a final regulation requiring banks to identify beneficial owners of their legal entity customers. Heralding the new regulation as a critical step in its effort to prevent criminals from using companies to hide their identity and launder criminal proceeds, the Treasury Department, buttressed by new Justice Department initiatives, is amplifying the momentum building within the anti-money laundering (AML) enforcement community to achieve unprecedented transparency across the corporate spectrum.

What the Regulation Does
In writing the regulation, FinCEN has built upon the customer due diligence mandated by existing Customer Identification Program (CIP) regulations, adding a provision requiring banks to identify and verify natural persons who are beneficial owners of legal entity customers together with one individual who has significant management responsibility. To give adequate time for retooling of CIP programs, compliance with the final regulation becomes mandatory by May 11, 2018. Once in force, it will apply to all new accounts, but will only apply to existing accounts when the bank detects information relevant to reevaluating a customer’s risk profile.

FinCEN defines “legal entity customer” to mean a corporation, LLC, or other entity created by filing a public document with the secretary of state or similar office. General partnerships and other entities formed under foreign laws are also covered, but most trusts are excluded.

The regulation permits, but does not require, the use of an official Certification Form. Information must be provided to the best knowledge of the person opening an account. A bank may rely on the information supplied by its legal entity customer so long as it knows no facts causing it to question its reliability.

Beneficial ownership is measured by an “ownership prong” requiring identification of individuals owning 25 percent equity in the legal entity customer and a “control prong” requiring identification of a single individual having significant management responsibility. FinCEN makes clear that only the identity—not the status—of beneficial owners must be verified, and verification procedures should address elements in a bank’s CIP. Updating of beneficial ownership information would be triggered only if normal monitoring detects heightened risk in the profile or activities of a legal entity customer.

Even More Regulations May Be Coming Down the Pike
Treasury also proposes to issue regulations targeting U.S.-based, foreign-owned, single-member limited liability companies, to require taxpayer identification numbers and eliminate exemption from U.S. reporting requirements.

Treasury also has asked Congress to pass legislation requiring a company to disclose owner names at the time it is formed. If enacted, the legislation would enable the capture of critical information when a company commences business and would give U.S. enforcement authorities access to a central registry of beneficial ownership data. Treasury officials have not indicated whether the registry would be made available to banks. Treasury is also recommending legislation requiring U.S. banks to provide foreign jurisdictions with the same information that foreign banks must provide to the IRS.

Aligning itself with Treasury, the Justice Department also is proposing legislation to combat illegal proceeds of transnational corruption. If enacted, the legislation would allow prosecutors to pursue cases directly against corrupt foreign regimes, authorize administrative subpoenas and expand substantive corruption offenses.

How to Prepare
Even though mandatory compliance with the beneficial ownership regulation is two years away, the board should have compliance personnel begin the process of amending their bank’s CIP to satisfy the requirements of the new regulation, paying particular attention to the account opening process.

With regard to account opening, banks should:

  • Determine whether and to what extent the CIP already captures beneficial ownership information.
  • Develop beneficial owner identity verification procedures for legal entity customers that meet the new regulatory definition, and determine to what extent existing CIP verification procedures should be incorporated.

With regard to account maintenance, banks should:

  • Establish criteria and “red flags” that will trigger beneficial ownership reviews and updates of legal entity customers.
  • Identify legal entity customers that meet the new regulatory definition so that the institution will be able to act when triggering events occur.
  • Consider the need, despite no regulatory requirement, for conducting standardized periodic updates of beneficial ownership information.

With two powerful agencies combining to tighten risk-based controls on money laundering and foreign corruption, it is clear that banks will need to devote increased resources to AML compliance. Board members must remain mindful that the functional regulators will continue to require the global enterprise to maintain safety and soundness by appropriately managing risk and minimizing susceptibility to illegal financial activity.

 

Bank Secrecy Act: Do Regulators Care?


Accounting fraud, terrorist attacks and economic meltdowns are the catalysts for many of today’s financial regulations. With so much focus recently on the Dodd-Frank Act, many financial institutions may be overlooking the compliance requirements for the Bank Secrecy Act (BSA), or anti-money laundering law. In this video, John ReVeal, attorney for Bryan Cave LLP, shares his insights into how BSA violations are perceived by the regulators.