September 2021 Newsletters

Providing Custody Services for Crypto Assets

By now, most of us have at least heard of cryptocurrency. We know that it is a digital or virtual currency that is secured by cryptography, making it nearly impossible to counterfeit or double-spend. One of the most defining features of cryptocurrencies is the fact that it is decentralized, rendering it theoretically immune to interference or manipulation by the federal government. Afterall, it is hard to regulate something that only exists electronically on the distributed ledger in which it is recorded, rather than in any physical form such as real currency. Last year, clarification was released relating to national banks and federal saving associations and their ability to provide custody services for crypto assets. Was this a change from previous policy and what does this mean for banks?

The OCC issued a public letter on July 22, 2020, clarifying that national banks and federal saving associations have the right to take custody of cryptocurrency assets. The important thing to keep in mind here is that this isn’t really new information or a change in policy. Cryptocurrencies such as Bitcoin are simply a newer version to an existing concept when it comes to safekeeping and custody services. Cryptocurrency is a new playing field for many financial institutions so it’s no surprise that uncertainty surrounded this topic. The OCC released the public letter in response to requests for clarification on the matter. In fact, according to the OCC, banks have had the ability to take custody of digital assets since 1988.  

While providing safekeeping and custody services is not an unusual service among national banks providing such services for cryptocurrency left many banks unsure and reluctant. If we’ve learned one thing in the world of compliance, it is to never assumer. So, the OCC clarified that financial institutions providing custody services, even for cryptocurrency, is perfectly acceptable and should be consider nothing more than a modern method to a traditional service. When custody services are provided for cryptocurrency, it involves holding unique cryptographic keys which can be used by the customer to access units of cryptocurrency in crypto wallets. It also involves providing other related services such as enabling a customer to engage in currency exchange transactions, transaction settlements, trade execution, record keeping, valuation, tax services, and reporting. Although custody services for cryptocurrency is not a change in policy, the challenges surrounding cryptocurrency and cryptocurrency-related services can be unique. Therefore, it is crucial that banks understand the guidance and expectations when dealing with cryptocurrency. Banks should begin with an evaluation of risk and engage in practices that align with their overall business plan and strategy. This includes developing and implementing a program for cryptocurrency custody services that will ensure consistency between the bank’s overall risk profile and the bank’s sound risk management practices. Developing and maintaining internal controls is another step which will contribute to successfully complying with not only the bank’s internal requirements, but also all applicable laws and regulations. 

Reference: Interpretive Letter 1170, Authority of a National Bank to Provide Cryptocurrency Custody Services for Customers (occ.gov)

Please Allow Me to Reintroduce Myself: FinCEN’s AML/CFT Priorities

On June 30th, 2021, FinCEN issued its first government-wide policy priorities for anti-money laundering (AML) and countering the financing of terrorism (CFT) in accordance with the Anti-Money Laundering Act of 2020. And just what are these significant AML/CFT threats you ask?  Introducing, in no order:

  • Corruption
  • Cybercrime
  • Foreign and domestic terrorist financing
  • Fraud
  • Transactional criminal organization activity
  • Drug trafficking organization activity
  • Human trafficking and human smuggling
  • Proliferation financing

This list should look familiar—these are longstanding and continuing AML/CFT concerns that have already been previously identified by FinCEN and other agencies. Yet in an interagency statement with FinCEN, the agencies stated that this publication does not create an “immediate change to Bank Secrecy Act (BSA) requirements or supervisory expectations for banks.” So why now?  Why is it important financial institutions review and stay abreast of these noted threats, especially as it relates to their specific programs and risk tolerances? 

The agencies have stated that FinCEN will be producing regulations within the next six months to address how these priorities are going to be incorporated into banks’ BSA risk assessments. Proactive planning is the reason for this article. Although banks are not required to incorporate the priorities into their risk based BSA compliance program until the effective date of the revised regulations, nor will you be examined on your incorporation until that date, a proactive attack rather than reactive response is crucial. 

Corruption will focus on domestic and foreign corruption and corrupt actors, including authoritarian states and their financial facilitators. This includes human rights abuses for such countries as Nicaragua, South Sudan, and Venezuela. Institutions need to comply with their BSA obligations by identifying typologies and red flags in these and other jurisdictions at risk of corruption. 

Cybercrime is to include relevant cybersecurity and virtual currency considerations. The primary focus here is cyber-enabled financial crime, ransomware attacks, and the misuse of virtual assets. Increased exploitation resulting from the COVID-19 pandemic has escalated these concerns, especially through phishing campaign, compromising of remote applications, business email compromise and other fraudulent attacks. Additionally, convertible virtual currency (CVC) has grown as a “currency of preference” among online illicit activities. As such, banks need to reexamine their policies and procedures when it comes to banking customers engaged in these activities. 

Terrorist financing includes international and domestic terrorism. Banks need to remember the importance of identifying and filing suspicious activity reports (SARs) on potential terrorist financing transactions and have procedures in place to report violations requiring immediate attention. This is not just complex schemes—“lone wolfs” or single actors using small amounts of money to self-fund an attack are applicable. 

Fraud generates the largest share of illicit proceeds in the United States, and such schemes are enabled by the internet (romance schemes or synthetic identity fraud of real and fake information to create new and different identities). A renewed interest in the banks capabilities to assess COVID-19 fraud, cyber-enabled crime and money mules will be important. 

Transactional criminal organization (TCO) activity combines another topic of concern; drug trafficking organization (DTO) activity and human trafficking and human smuggling. A fentanyl epidemic in the United States is being driven by DTOs, predominantly from Mexico. Income funneling through shell companies or receipt of payment from a variety of means could indicate human trafficking. These are priority threats because of the close connection between the crime, terrorism and TCOs that inherently engage in illicit activities. Financial institutions need to consider cybercrime, drug trafficking, fraud, human and wildlife smuggling, intellectual property theft weapons trafficking and corruption in their scopes. 

Lastly, proliferation financing includes financing of nuclear, chemical, or biological weapons via proliferation support networks. Global correspondent banking is the principal driver and most vulnerable to this type of risk within the United States because of its processing of U.S. dollar transactions involved with cross-border trade. A review of the bank’s policies, procedures, risk identifiers and tolerances, along with an audit-approach to the bank’s relationships will assist in mitigating this risk.

Although not new, COVID-19 and a reinvigorated oversight to BSA/AML compliance are increasing banks’ responsibilities to prioritize these marked initiatives from FinCEN. Stay tuned for new and amended regulatory requirements in the coming months to address next steps.  

Flood Insurance and the Multiple Building Scenario

One of the most common topics that come up on the Hotline is how to determine the proper flood insurance coverage requirement for the multiple building scenario. The flood regulations generally require buildings in the Special Flood Hazard Area (SFHA) to have “sufficient” flood insurance coverage. This requirement looks a little different when we are discussing multiple buildings that secure the loan. This week let’s take the time to explore some of the basic questions that impact the bank’s requirements so that you can explain them to your team. 

What if some buildings are in and some buildings are out?

Luckily, the regulators published an FAQ that deals with this question directly. Regulators tell us that a “lender must determine whether any improved real property securing the loan is in an SFHA. In cases in which the loan is secured by multiple buildings and some of the buildings are located in an SFHA in which flood insurance is available under the Act, but other buildings are not located in an SFHA (or are located in an SFHA, but not in a participating community), a lender is required to obtain flood insurance only on the buildings securing the loan that are located in an SFHA in which flood insurance is available under the Act.” 

The regulators then give us an example where a loan is secured by five buildings:

  • Buildings 1 and 2 are located in an SFHA and the community participates in the NFIP;
  • Building 3 is not located in an SFHA; and
  • Buildings 4 and 5 are located in an SFHA, but the communities do not participate in the NFIP.

The first prong of our analysis is that the buildings must be in the SFHA for the regulation to require flood insurance coverage. This rules out building 3. The second prong of our analysis is that flood insurance must be available under the NFIP program for the regulation to require flood insurance coverage. This prong rules out Buildings 4 and 5. Even though these two buildings are in a flood zone, they are in communities that do not participate in the NFIP. Members often ask if they can still require flood coverage even if it is not required under the regulations. The FAQ goes on to tell us: “A lender may decide to require the purchase of flood insurance (from a private insurer) on buildings 4 and 5 because these buildings are located in an SFHA. Further, depending on the risk factors of building 3, the lender may elect to require flood insurance as a matter of safety and soundness, even if the building is not located in an SFHA.”

Do we have enough coverage?

Now that know what buildings require coverage under the flood regulations, the next most common question our Hotline advisors answer is how much coverage is required when multiple buildings secure the loan and how it has to be spread around. One of our favorite tool for that question comes from a PowerPoint presentation prepared by the FDIC. Slides 13-15 at https://www.fdic.gov/regulations/resources/director/technical/flood/flood-4.pdf explore at this question. Let’s explore this question with the help of the example provided by the FDIC on Slide 15.  

In the example, we have a $2,000,000 loan secured by two pieces of commercial property and a single-family home. We will assume that each of these buildings is in the SFHA and in an NFIP-participating community.

  • Single family: $200,000 insurable value; $250,000 NFIP Max
  • Commercial Building #1: $1,000,000 insurable value; $500,000 NFIP Max
  • Commercial Building #2: $300,000 insurable value; $500,000 NFIP Max

Slide 13 tells us that for purposes of determining appropriate coverage for multiple buildings, “the calculation is the same as for a single building; however, the bank must spread the coverage among all of the buildings in the special flood hazard area. Each building must have some coverage.” We know from § 339.3(a), for each “The amount of insurance must be at least equal to the lesser of the outstanding principal balance of the designated loan or the maximum limit of coverage available for the particular type of property under the Act.” This means that we first look at each individual building to determine the proper measure for that building and add those numbers together to determine the aggregate total. For this step, we compare the insurable value of the building to the NFIP Max for each building, choosing the lesser of each. After we finish this step we conclude the following:

  • Single family: $200,000 based on the insurable value
  • Commercial Building #1: $500,000 based on the NFIP Max
  • Commercial Building #2: $300,000 based on the insurable value

When we add these individual numbers, it totals to $1,000,000. Next, we compare the result of this calculation to the loan amount. Since the loan amount exceeds $1,000,000, we base our aggregate required coverage on $1,000,000. From here, as long as each of the buildings that require flood insurance coverage has “some coverage,” we have met the regulatory requirement.

Compliance Alliance has the tools to help you stay compliant with the flood regulations. In applying the requirements we discussed today, your team may find our Flood Insurance Minimum Coverage Calculation & Documentation Calculator helpful. Of course, if you have any questions about how to meet the flood insurance requirements, don’t hesitate to reach out to Hotline via chat or email.

Slow and Steady Wins the Race – Funds Availability Exceptions

In the beloved fairytale of the tortoise and the hare, we learn a life lesson that those who are slow and steady in their approach to life, that-is-to-say constant in their progression and improvement, oftentimes win the race.

Did anyone else find this to be hogwash? 

In today’s environment, it isn’t slow and steady wins the race, it is get the job done, get it done right, and get it done now. Gone are the days of waiting. If I don’t know the answer, the internet does. If my wife is undecided about where to eat dinner, 10 thousand strangers are willing to give their input about good food nearby. While every bookie would have won their bet on the hare, if he didn’t throw the race for a nap, there is another lesson to be learned from the tortoise. That is, there are exceptions to the rule and sometimes those exceptions are going to make people unhappy.

When I worked as a teller for a bank, occasionally a customer would come in and deposit a check. Upon completion of their deposit, a friendly little box would cheerfully chirp, notifying me that their check was placed on hold. It was then my privilege to notify the customer they wouldn’t have access to the funds they just deposited for a certain number of days. More often than not, the disgruntled customer would leave without cash in hand. As a teller, I always wondered why the bank would put holds on checks. The answer is simple – it is for the customers and the bank’s security and well-being. Because with the never-ending obligation to get things done now, also comes a swarm of Nigerian Princes, expired extended warranties, and free cruise line vacations.

So what hold exceptions are available? In order to minimize the risk to the bank and their customer’s customers, Regulation CC has provided six different exceptions that allow banks to extend deposit hold periods.

  1. Checks deposited into a new account (open for 30 days or less);
  2. Aggregated check deposits over $5,525 in one day (only the amount over $5,525);
  3. Redeposited check (returned unpaid and redeposited by the customer or the bank);
  4. Check deposits to accounts that have been repeatedly overdrawn (within the past 6 months);
  5. Check deposits where the bank reasonably doubts collectability; and
  6. Emergency conditions (war, equipment failure, etc…).

For reference see § 229.13: https://www.ecfr.gov/cgi-bin/text-idx?node=pt12.3.229&rgn=div5

After the time of deposit, or no later than the first business day following the day the facts become known to the bank which causes the hold to be placed, the bank must provide a written notice to the customer of the hold being placed. The notice must contain a number code that identifies the customer’s account (does not need more then 4 numbers), the date of the deposit, the amount being delayed, the reason for the exception, and the time period when the funds will be made available.

Regulation CC provides that the bank may use one of these exceptions to extend the availability schedule by a reasonable period of time. Reasonable is left to the bank to determine, however, a check subject to an exception hold would generally be available no later than the seventh business day after deposit. If the bank wants to extend the hold beyond that, they should be able to establish a reasonable purpose to do so.

While life in the fast lane may be fun, the prudent course is for the bank to be conservative and exercise its Reg CC rights as needed to protect the bank and its customers.