Lessons learned from a Michigan Credit Union
NCUA’s Cease-and-Desist Order for a Cannabis Banking Program
by Alan Hanson
Most people who are involved in or are considering cannabis banking are aware that the NCUA recently issued a Cease-and-Desist Order for a small credit union in Michigan. This blog isn’t about that credit union – my focus is on understanding the NCUA Order and what we can learn from it.
I will go through each section of the Order related to MRBs to understand NCUA’s requirements and what they mean to other financial institutions (“FIs”).
A.) Implement an automated system to effectively monitor and identify all transaction for suspicious activity in accordance with 31 C.F.R. §1020.210(a)(2)(v)(B), by April 30, 2021, and ongoing. Your automated compliance and suspicious activity monitoring system must include functions to support your compliance with FinCEN requirements for Marijuana-Related Businesses (“MRB”). At a minimum, this includes:
- Reconciliation of MRB Point of Sale, METRC, or accounting system data relative to member deposits.
- Ongoing monitoring of adverse public information affecting MRBs.
- Timely verification of changes in licensure status, including notification of a lapse in an MRB’s state licensure.
- Systematic monitoring of unusual Automated Clearing House or wire activity for MRB accounts.
- Monitoring of FinCEN “Red Flags” outlined in FIN-2014-G001, “BSA Expectations Regarding Marijuana-Related Businesses.”
I first want to point out that securing a compliance vendor is not a requirement or pre-requisite to serving the cannabis industry. There are many financial institutions that have very successful cannabis banking programs that do not use compliance vendors. I suspect that the NCUA made this requirement based upon the specific findings and negotiations with the subject credit union. It doesn’t apply across-the board.
The second issue regarding the NCUA’s requirement is this. It appears that they’re focusing on the deposit side of cannabis banking. While monitoring deposits are very important, it is equally as important to monitor outgoing transactions.
If you choose to use a compliance vendor, there are several things you need to consider. Compliance vendors are great a collecting and manipulating data, and all compliance vendors should be fully competent at addressing items 1-3 above. However, items 4 & 5 require a more subjective review. A couple of compliance vendors do address these requirements, but I would not say they are able to fully comply with FinCEN guidance. Even with a compliance vendor, the FI will need to perform its own transaction monitoring.
It’s also important to remember that compliance is the responsibility of the FI – and all related compliance decisions. To be effective, the software should be customizable to confirm with the institution’s risk tolerances and specific requirements. The software also needs to provide adequate reporting so that they have all the information necessary to make fully informed decisions. Finally, it needs to have the ability to archive information so that if a FI is challenged on a decision they are able to retrieve the information that was used in making that decision.
I also strongly recommend that an FI start banking the industry without the aid of a compliance vendor. When you only have a couple of MRB clients it is manageable to perform the required compliance monitoring. What you learn by doing this will enable you identify your vendor needs and then select the vendor that best meets those needs. You will also be able to perform proper vendor management, by understand the process you can assess if the vendor is performing adequately. Finally, you will be able to determine when it is cost effective to bring on the vendor. You also need to remember that your regulator has specific vendor management requirement that need to be followed.
B.) Engage a third party to validate your automated compliance and suspicious activity monitoring system simultaneously with the implementation of this system.
The next requirement is to validate your compliance software. In this case NCUA required a third-party, again this was specific to the findings and negotiations with the subject credit union. With any vendor, validation of the services provided are a critical requirement for an effective vendor management program. I think it is always valuable to hire an experienced third-party, but not always required. What it comes down to it the experience and the FI’s understanding of the cannabis banking. If the FI has gained the expertise, they are capable of conducting their own validation.
C.) Immediately file all Suspicious Activity Reports (“SARs”) in accordance with 31 C.F.R. §1020.320. This includes continuous and initial MRB SARs. Develop and implement a system to ensure all SARs are filed accurately, completely, and on time by March 31, 2021.
D.) Immediately develop and implement a system to ensure all Currency Transaction Reports are filed accurately in accordance with 31 C.F.R. §1020.311.
The Fed’s got Al Capone for not filing taxes, and not filing timely SAR’s and CTR’s will always get a FI in trouble. I know from experience that a credit union can easily go from filing 10-15 SARs annually to a 100+ a year, and the number of CTR’s can get crazy. This is one of the hardest aspects of banking cannabis, but also the most important. I am a bit of a SAR/CTR snob. Many of the compliance vendors offer the ability to file SARs and CTRs, but my advice is to use your traditional BSA/AML software to file. This has nothing to do with the compliance vendors. When getting into cannabis banking, there is a steep learning curve. If you already have an effective process in place, continue to use that process; why recreate the wheel? You will also likely have multiple staff that know how to file on your existing system, so you have built in back up. Your regulator is also familiar and has confidence in your existing system.
One final aspect that I want to touch upon is this same order could be issued against a FI that is not banking the cannabis industry. Many FI’s have polices that state they will not bank MRBs, but if you are not actively looking for them, you are banking them. The cannabis industry is tight knit community and they’ve learned what it takes to avoid detection at FI’s with lax compliance practices. If you have branch operations in one of the many states with legal cannabis sales, you need to actively enforce your policies.
If you have questions, please reach out to me at firstname.lastname@example.org. I’d be happy to talk to you.