Is Your Credit Union Servicing a Marijuana-Related Business?

New guidance is out from the FFIEC to clarify the responsibilities financial institutions have under the BSA when holding accounts for marijuana related businesses. Although federal law prohibits the manufacturing, distributing and dispensing of marijuana, 20 states and D.C. have legalized certain drug related activities. 

If your institution is in a state that allows these activities you may be faced with the decision to open or continue to do business with a marijuana related business. The new guidance states that financial institutions have to assess the risks of providing services to a marijuana related business that includes:

  1. Verifying with the appropriate state authorities whether the business is duly licensed and registered.
  2. Reviewing the license application (and related documentation) submitted by the business for obtaining a state license to operate its marijuana-related business.
  3. Requesting from state licensing and enforcement authorities available information about the business and related parties.
  4. Developing an understanding of the normal and expected activity for the business, including the types of products to be sold and the type of customers to be served (e.g., medical versus recreational customers).
  5. Ongoing monitoring of publicly available sources for adverse information about the business and related parties.
  6. Ongoing monitoring for suspicious activity, including for any of the red flags described in this guidance.
  7. Refreshing information obtained as part of customer due diligence on a periodic basis and commensurate with the risk posed.

A memo issued to federal prosecutors by the Department of Justice Attorney General James Cole in 2013 addressed marijuana enforcement under the Controlled Substances Act. This memo also has implications for credit unions as it lays out the priorities (Cole Memo priorities) that law enforcement will focus their efforts towards. The FFIEC guidance states a financial institution should consider if a marijuana related business implicated one of the Cole priorities. The priorities are:

  1.  Preventing the distribution of marijuana to minors.
  2.  Preventing revenue from the sale of marijuana from going to criminal enterprises, gangs, and cartels.
  3.  Preventing the diversion of marijuana from states where it is legal under state law in some form to other states.
  4.  Preventing state-authorized marijuana activity from being used as a cover or pretext for the trafficking of other illegal drugs or other illegal activity.
  5.  Preventing violence and the use of firearms in the cultivation and distribution of marijuana.
  6. Preventing drugged driving and the exacerbation of other adverse public health consequences associated with marijuana use.
  7. Preventing the growing of marijuana on public lands and the attendant public safety and environmental dangers posed by marijuana production on public lands.
  8. Preventing marijuana possession or use on federal property.

The compliance burden associated with these types of businesses is great. Perhaps we should bring back the slogan “Just Say No!”

Read More

Social Media Guidance from FFIEC is Final

The guidance originally published by the FFIEC in January 2013 is now final and credit unions should take note. Although the guidance does not impose any new regulatory requirements, it does lay out the framework for managing risk associated with the use of social media by financial institutions. Specifically the guidance states the components of a risk management program should consist of the following:

  • A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establish controls and ongoing assessment of risk in social media activities;
  • Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention;
  • A risk management process for selecting and managing third-party relationships in connection with social media;
  • An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;
  • An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
  • Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate; and
  • Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.

You can read the full text of the guidance on the CFPB’s website by clicking here.

Read More