Wednesday, July 24, 2024

July 2018 OBA Legal Briefs

  • Reefer madness
  • Update: campaign committee, PAC and political party accounts
  • More on the Beneficial Ownership Rule
  • Policies – Part 2
  • AML/BSA Q&As

Reefer madness

By Pauli Loeffler

Even before State Question 788 passed, we received a lot of questions about banking marijuana related businesses (“MRBs”) mostly dealing with businesses selling CBD (short for “cannabidiol”) oil, and medical marijuana (“MMJ”) will shortly be available by prescription.

CBD Oil. Many banks are dealing with customers selling THC-free (no THC detectable) CBD for which no prescription is needed. The customer who markets THC-free CBD needs to ensure that the product sold has been independently tested, and the test results to show it is THC-free, to be legal.

What makes all this so complicated is that the cannabis sativa plant produces numerous compounds including THC (“tetrahydrocannabinol” – the psychoactive compound) which causes the high as well as CBD (non-psychoactive). In other words, the plant used to produce hemp (used for rope, cloth, etc.) is the same plant used to produce medical marijuana. Plants whether grown for hemp or marijuana contain both THC and CDB, but the difference is hemp legally grown by a licensed grower can only have a very low concentration of THC when tested (.3% in Colorado – in fact one hemp grower’s entire crop had to be destroyed when it exceeded the limit). On the other hand, medical (and recreational) marijuana is cultivated for high THC of 12% or higher. The sticky part is whether THC-free CBD is “marijuana related,” and if so whether this is marijuana related business. This is something the bank needs to ask its examiner.

Other issues concern the FDA and the FTC. The FDA’s interest is that CBD is not marketed as a drug without preapproval, that is, not offered and intended to diagnosis, cure, mitigate, treat, or prevent disease. The FTC is interested in truthfulness of claims regarding health benefits made without competent and reliable scientific testing as well as deceptive advertising. Both the FDA and the FTC can freeze and take assets of the marketers.

An additional complication which applies not only to CBD oil retailers (if such customers are MRBs) but also to MMJ growers and dispensaries is the fact that, although FinCEN issued guidance regarding MRBs, the guidance was based on the Department of Justice’s Cole Memo which was rescinded in January this year, so there is some question whether the guidance is still valid. You will want to read these two articles:

I would also add that I’ve seen a display of CBD oil at the WalMart checkout counter and elsewhere. It is quite possible that several of your current customers are also selling it.

There is one more consideration:  If the customer is selling the product online, there may be the additional problem of charge-backs. I am aware of a consumer’s ACH to purchase CDB oil being denied for risk by the processor.

MMJ. Mary Beth is in the planning stage to present some sessions for the OBA on what may be done and under what conditions, as well as what cannot be done. Hopefully, these plans will be solidified soon and on the OBA calendar.

At this point, the bank has to make a policy decision on whether or not to bank MRBs. At the end of the day, the federal laws prohibit banking an illegal business. There are proposed rules for licensing growers, processors, dispensaries, transporters, and patients. All growers, processors, and dispensaries must register with the Oklahoma Bureau of Narcotics and Dangerous Drugs. The Final Draft of the Rules can be found here. The Rules are 76 pages long and are slated for a vote by the board of the Oklahoma State Department of Health (“OSDH”) on July 10, 2018, which will be live-streamed. Once the Rules are approved, applications will be available July 26, 2018 (see FAQs). OSDH will not accept or process applications until August 25, 2018. The OSDH will respond to all applicants within 14 days on the denial or approval of the completed application packets.

One thing to keep in mind is dispensaries are cash intensive and will generally have ATMs on the premises.


Update: campaign committee, PAC and political party accounts

By Pauli Loeffler

Although I covered this topic in the May 2016 OBA Legal Briefs, since we are getting numerous calls and emails, I am taking this opportunity to reiterate a couple of points and provide an update on a rule change that has occurred.

All accounts need an EIN.  A recurring question we receive is whether the candidate’s social security number can be used as the tax identification number on the account. The answer is:  No! An EIN is required.  If a candidate shows up saying otherwise or directs the banker setting up the account to the Q&A  on the Oklahoma Ethics Commission’s (OEC’s) webpage, the customer and the banker might believe otherwise.

While it is true that the OEC does not require an EIN, the IRS has the final word:

Political parties; campaign committees for candidates for federal, state or local office; and political action committees are all political organizations subject to tax under IRC section 527…

A political organization must have its own employer identification number (EIN), even if it does not have any employees.

Authorized signers/debit cards. There was a change in Rule 2.95 Campaign Depository Account Requirements, effective May 26, 2017. 

Rule 2.95. Campaign Depository Account Requirements.

Every candidate committee, political action committee and political party committee shall maintain a campaign account in each campaign depository in the name of the committee as it is registered with the Commission. All contributions to a committee except in-kind contributions, including contributions by a candidate to his or her candidate committee, shall be deposited in a campaign account. All expenditures made by a committee shall be made on a check or by debit card, signed by the candidate, Treasurer or Deputy Treasurer of a candidate committee and by the Treasurer or Deputy Treasurer of a political action committee. Provided, however, a candidate may authorize other individuals to sign checks or debit cards for the candidate’s committee; however, the candidate, the Treasurer and Deputy Treasurer shall remain responsible for the lawful expenditure of committee funds. Checks for a political action committee shall include the identification number of the committee assigned by the Commission. A campaign account may earn interest paid by the financial institution in which the account is maintained, but campaign funds shall not be invested in any other way. Contributions from corporations, labor unions, a limited liability company that has one or more corporate members or a partnership that has one or more corporate partners shall not be commingled with other contributions made to a candidate committee, a limited committee or a political party committee.


More on the Beneficial Ownership Rule

By John S. Burnett

To follow up on May’s Legal Briefs, here is some additional important information on FinCEN’s Beneficial Ownership requirements.

FinCEN’s temporary ‘exceptive’ relief

Bankers across the country must have grabbed FinCEN’s attention, somehow, about automatic rollover CD and loan renewals, because just days after the May 11 “applicability” date for FinCEN’s Beneficial Ownership Requirements rules, the agency issued “temporary limited exceptive relief” in the form of a 90-day delay (from May 11 until August 9. 2018) in the applicability date for certificate of deposit and loan accounts that automatically roll over or renew, established before May 11. In its Ruling FIN-2018-R002 (}, FinCEN said that, during the delay, it would determine “whether and to what extent additional exceptive relief may be appropriate” for such accounts.

I am not aware of any loan services or products that automatically renew. As a practical matter, then, FinCEN’s exceptive relief really only applies to auto-rollover CD accounts. You should be obtaining certifications of beneficial ownership in connection with loan renewals. Those certifications should include the statement by the legal entity that it will notify the bank in the event of any change in the ownership information they are certifying. That will allow future renewals of that loan only without recertification.

You should assume that there will be no extension of the exceptive relief, or additional relief forthcoming, and continue to press legal entities with CD accounts to provide you with certifications of beneficial ownership in advance of their next maturity date that falls on or after August 9. You also should obtain with each of those certifications the legal entity’s statement that it will notify the bank if any of the information in the certification changes.

Most importantly, remember that the agreement to notify the bank in the event of a change in beneficial ownership information only applies to the specific CD or loan in connection with which you obtained it. It does not apply to other CDs or loans of that entity customer. It also does not apply to any new CDs opened by, or extensions of credit made to, those entity customers. You still must obtain a certificate (with the agreement to notify the bank) for each new CD account (new money) or new extension of credit (non-renewal).

Entity as trustee of owner

In May’s discussion, you saw that, when a trust is the beneficial owner of the legal entity customer, the individual trustee is to be identified as the beneficial owner (his/her name (labeled as “trustee” if possible), address, DOB and SSN or other identifying number), and if there are co-trustees or multiple trustees, identify only one of them. But what if the trustee is an entity, such as a bank trust department or a law firm? Question 20 in the April 3, 2018, FAQs informs us that when a trust owns 25% or more of the legal entity customer, “the beneficial owner for purposes of the ownership prong is the trustee, regardless of whether the trustee is a natural person or a legal entity,” but … “where a natural person does not exist for purposes of the ownership prong, a natural person would not be identified.” Since only natural persons are to be identified as beneficial owners, no individual should be identified as the owner of the trust’s “piece” of the legal entity customer. You do, however, have to obtain the name of a control-prong individual for the legal entity customer.

Estates as customers

Do you need to obtain beneficial ownership information for a decedent’s estate? What happens if 25% or more of a legal entity customer is owned by the estate of a deceased individual? Is the personal representative of the estate identified as the beneficial owner? Are the heirs in the will also beneficial owners? Those are all questions we’ve received concerning the Beneficial Ownership rule.

Those questions are great examples of a need to go back to the definitions in the regulation. In these questions, there is an evident misunderstanding of what a “legal entity customer” is. Apparently, there is confusion between a need to probate an estate via the state’s court system and the filing of documents with the Secretary of State (or similar office) to form a legal entity. Those are two entirely different and separate processes. One is a beginning; the other, an ending.

A decedent’s estate is not a legal entity customer under the Beneficial Ownership rule. So, if you are opening an account for an estate, rule simply won’t apply.

Estate as owner of a legal entity customer

If John Jones is the 100% beneficial owner of Jones & Sons, Inc., on June 10, and dies on June 15, on June 16 John Jones’s estate will be the beneficial owner (for the ownership prong) if your bank has to renew a loan to Jones & Sons, Inc., pending settlement of the estate. Following the example of a trust as owner previously discussed, the estate’s personal representative should be listed as the beneficial owner. There will also be a control prong individual, who may or may not be the personal representative, depending on whether the company continues to operate.

If ownership of Jones & Sons, Inc., is transferred from the estate to James Jones and John Jones Jr. when the estate is settled, they then become the beneficial owners of the business, but not until they actually have ownership of the company (when the corporate stock is transferred from the estate to them).


Policies – Part 2

By Andy Zavoina

In Part 1 of this article (May 2018 Legal Briefs), I discussed how important policies and procedures can be by using the pending Department of Justice suit against a southern California auto dealer to illustrate what can happen when you fail to have a key policy and procedures to implement it.

In Part 2, I’ll discuss a list of key bank policies and some basics on writing and maintaining them.

Policies lists

A policies list should include those technically required, and those that the bank has determined it needs based on the business it does. There is no “one size fits all” listing of policies because policies should be based on the products and services offered, the volume of each and the clientele of the bank.

Banking agencies do not have detailed lists of the policies actually required to operate a bank. I do have a list of policies the Office of the Comptroller of the Currency (OCC) requires of a de novo bank plus new additions created by new and revised laws. This should be an excellent starter document to compare against a list of policies your bank has.

  1. Lending
  2. Funds Management, Investment Securities, & Interest Rate Risk
  3. Fiduciary (Trust banks)
  4. Capital
  5. Internal/External audits
  6. Insider Activities (Reg O) *
  7. Compliance Program *
  8. Branch Closing *
  9. BSA (AML/CDD/EDD/CIP, including beneficial ownership) *
  10. Securities Transactions (for Broker-Dealers)
  11. Board Supervision
  12. Disaster Recovery *
  13. Privacy and Security *
  14. SAFE policy (see 12 CFR 1007.104) *
  15. FCRA (see 12 CFR 1022.42(a)-(c) and App E integrity of info) *
  16. FCRA (see 12 CFR 1022.82(c) (address discrepancies) *
  17. RESPA (see 12 CFR 1024.38(a) – requires reasonable policies and procedures) *

An “*” indicates a policy Compliance is often involved in. Newer requirements include a citation.

Writing and maintaining policies

Policies are often written by bank staff, reviewed by management and approved by the bank’s board. A policy should be succinct as it is broad and provides general guidance on the bank’s requirements. A procedural document on the other hand is very detailed, describes finite steps the bank requires to comply with the policy and is approved by management because it may change more frequently than a policy. In the end both documents must be employed throughout the bank and each improves decision making and answers common questions.

A common question on policies is how to keep them current and how often they need to be updated and approved. I recommend coordinating with the entire bank, Lending, Operations, Finance, Marketing, Compliance, etc. One person should be a Point of Contact (POC) for all of these policies but that does not make this person responsible for each. Create a list and include information such as the policy name, responsible department, the senior manager over the department and therefore the policy, and the date it was last updated. Break the list down so that at the board’s request, these are presented annually, semiannually, quarterly or monthly by dividing the policy count by the periods available for review.

If there is a new policy requirement or a revision such as the beneficial ownership rules added to the Bank Secrecy Act, those must be approved to implement the policy revisions as soon as possible. All others should be reviewed annually, even if the implementing rule or regulation has not changed. This is because the board needs an opportunity to revisit them and ensure that each is still guiding the bank in the direction the board wants to go.

The POC with the master list should be able to schedule the policies for review and inform the responsible areas a few months in advance that a policy they are responsible for will be reaffirmed at board meeting on a scheduled date. They should be updated as needed so that at least a month in advance the board can be advised which polices they will see at their next meeting, specified by date. If the bank has an intranet or other media to provide copies electronically, use that or indicate where and when copies will be available for review in advance of the meeting. In either case, contact information for a person knowledgeable about the policy should be listed in case the director has any questions. Then on the meeting date, the vote on the policy is fast and simple although it is advised that the knowledgeable persons on the policies being reaffirmed be available for last minute questions from board members.



By John Burnett

With enactment (as Public Law 215-174) of the Economic Growth, Regulatory Relief, and Consumer Protection Act, formerly known as S. 2155, we received the expected flurry of questions about what section 104 of the Act (Home Mortgage Disclosure Act Adjustment and Study) means for smaller-volume HMDA filers.

The Bureau, FDIC and OCC have issued some preliminary guidance information on the impact of section 104 on HMDA filing. If your bank is a HMDA reporter and you think it meets the criteria for the partial filing exemption in Section 104 for small reporters (originated fewer than 500 closed-end loans or fewer than 500 open-end loans in each of the two preceding calendar years, and didn’t receive a rating of “needs to improve” in its two most recent CRA evaluations or a rating of “substantial noncompliance” in its more recent CRA evaluation), don’t change what you’ve been doing, yet.

Section 104 provides a partial exemption to qualified financial institutions (see previous paragraph), allowing them to omit from their filings SOME of the data fields that were added to HMDA filing requirements under Regulation C beginning with 2018 data filed in 2019. Exactly what that means for HMDA filers isn’t crystal clear yet, but here’s what we do know, based on the guidance from the Bureau, FDIC and OCC:

  1. There will be no change in the LAR format for data collected in 2018. The same data fields will be filled by filers who are not affected by section 104 and those who receive the partial exemption.
  2. Filers with the partial exemption will enter an “exemption code” for the affected fields.
  3. The exemption code and the affected fields will be specified in a revised Filing Instructions Guide (FIG) that the Bureau expects to release later this summer.
  4. All LARs use the same HMDA platform. A beta version of the HMDA platform for submission of 2018 data will be available later this year for filers to test.
  5. Banking agencies have said they will not require resubmission of 2018 data reported in 2019 unless there are material errors, and that they don’t anticipate penalties for errors on 2018 data as long as there is a good faith effort to comply.

What you should be doing now

First, go back to the start of this article to find the criteria that qualify a “small reporter.” Check your origination numbers for closed-end and open-end HMDA-subject loans and dig out your two most recent CRA evaluation ratings. If you qualify as a small reporter, start talking with your vendor for the software you use to create your LARs for submission to find out what plans it has, if any, to make the change-over as easy as possible (even positive changes take effort). And keep your eyes peeled for the promised updated Filing Instructions Guide, due later this summer.


By Paul Loeffler

We get a lot of emails on a variety of topics at This month, we are going to share some touching on the Anti-Money Laundering/Bank Secrecy Act.


Q. We received cash from a law firm that deposited $12,500; $10,000 went into the operating account and $2,500 into the IOLTA account. Do we need to ask the law firm for information on who the $2,500 benefited, or are we ok since it is under $10,000?

A. You report both deposits because they are conducted by the same individual (and because they are both conducted on behalf of the law firm). Because you have to report the IOLTA deposit, you must report the person on whose behalf it was completed. There are two such persons: the law firm and the law firm’s client.

Q. We have a new DBA account that has filed for a fictitious registration in Oklahoma with an Oklahoma address. The parent entity is organized in Texas. Do we use the Texas information and address for the parent, the Oklahoma address and the Oklahoma Secretary of State filing number for the fictitious name?

A. If you are asking about item 20 (source used to verify identity), use the Texas documents because you are reporting on a Texas entity.

Q. How do you complete CTR in the following scenario?

Customer withdraws 10,000 at teller, $140 at bank owned ATM, and  $140+$3 fee at foreign ATM.

Do you include the Foreign ATM amount? If so, do you add a second location page with the $143 on the cash out in item #42?

A. Since you know about it, you file on it. Add a second location page with the foreign ATM, showing a withdrawal of $140 (the $3 was a fee, and s/he didn’t get it in cash).

Q. Do we need to list the beneficiary as the name of the revocable trust (the account name) with the trustee as the conductor? Both have the conductor and the trust use the same Tax Identification Number. The bank’s processor will not allow us to use both.

A. If the trustee is the grantor, the transaction really only benefited the trustee as an individual. I would ignore the trust altogether.

Q. We have a County Inmate Trust account (the County deputies bring in the cash, and we had a cash transaction that triggered the teller to do a CTR. The Tax Identification Number for the account is for the County Treasurer. We think this would be exempt from CTR reporting but just wanting to make sure.

A. The account is held by an exempt “person,” a unit of local government. However, the title of the account suggests that the cash was being deposited on behalf of individuals (inmates). If more than $10,000 in cash was deposited on behalf of any one or more individuals, you would file and include information on those individuals.

Q. With the new CTR form, it is required to show the amount of cash transacted at each branch. I have a situation that cash transactions at foreign ATMs done on the same day which require a CTR. My question is how and where should I show the cash on the locations since they were not done at our bank owned ATMs?  I included it in the bottom section as cash out but received an error saying branch totals had to equal total amount of cash out.  I hope this makes since.

A. Completing the Part III (Transaction Location) portion of a CTR involving a foreign ATM (I assume you refer to an ATM not owned by your bank, not an ATM outside the U.S.) is something that FinCEN is decidedly unhelpful with. A good friend who sent FinCEN an email with detailed questions about such an ATM transaction got a voice mail that didn’t offer much guidance other than “you should be able to get this information.”

Here’s what I suggest:

Item 38 – If the ATM is a bank ATM, select depository institution. If it’s not a bank ATM or if you don’t know who owns/operates it, select “Other” and insert “Non-bank ATM” in the “Other (specify): field

Item 29 – If it’s a bank and you know who its regulator is, select it. Otherwise, use “Unknown”

Item 38 – No entry

Item 30 – Insert what you know about the name of the ATM owner/operator, whether it’s a bank or not

Item 32 – Check the unknown box

Items 32 – 35 – Address of the ATM from your transaction info

Item 36 – Look up the ZIP Code on the USPS website. Use only five digits.

Item 37 – Select the USA or territory name. There is no instruction for completing this field if the ATM is outside the US and territories.

Item 40 – No entry

If you can’t complete the CTR with that information, contact FinCEN for guidance.


Q. We received a multi-county Grand Jury Subpoena with a list of documents including any Suspicious Activity Reports filed. I know we must comply with the Right to Financial Privacy Act both Federal and State. However, our legal counsel found the following information, which I’ve never seen before, below. There are no SARs for this particular customer, but would you recommend I notify the FDIC about the request?

12 CFR §353.  Reports and Records.

(g)  Confidentiality of suspicious activity reports. Suspicious activity reports are confidential. Any bank subpoenaed or otherwise          requested to disclose a suspicious activity report or the information contained in a suspicious activity report shall decline to produce the suspicious activity report or to provide any information that would disclose that a suspicious activity report has been prepared or filed citing this part, applicable law (e.g., 31 U.S.C. 5318(g)), or both, and notify the appropriate FDIC regional office (Division of Supervision and Consumer Protection (DSC)).

A. I do suggest that you notify the FDIC. They may want to remind the issuing district attorney of 31 U.S.C. 5318(g). In your answer to the subpoena, you can simply answer that the bank has not filed any SARs on the target of the subpoena.

If, as you research for the subpoena, you identify activity in your customer’s accounts that you believe to be suspicious, you may decide to file a SAR after responding to the subpoena. Make certain that you do not mention the subpoena in the SAR.

Q. I have a customer that is bringing in checks written on the same date and in consecutive number order all written under $8,000.00 from a local business. This structuring is avoiding CTRs. The question is should I file the report on both the business and the customer together in one SAR or should it be two separate SARs?

A. The pattern of this activity certainly looks like structuring. If your customer is cashing the checks, you would, of course, be filing CTRs when appropriate. But if your customer is scheduling the cashing of the checks so that no more than one check is cashed each business day, it really looks suspect.

This is all part of one pattern of activity, regardless of the “players.” It would be more helpful to law enforcement — should they choose to follow up — if you pack this into a single report so that both parties are identified, even if one isn’t mentioned until the narrative.