Compliance Blog

I hope everyone had a great Labor Day weekend!

Speaking of laboring, the U.S. Department of Justice (DOJ) has been working hard on a number of criminal cases over the past few months. Today’s blog will examine a few cases that may have some significance for credit union compliance:

Man Pleads Guilty to Lying to Bank about MRB: Providing financial services to marijuana-related business (MRBs) can be complicated from a compliance perspective. Marijuana remains a Schedule I controlled substance and its cultivation, sale, and possession is illegal under federal law, even as a growing number of states legalize or decriminalize marijuana at the state level. Proceeds from MRBs could be viewed as proceeds of criminal activity at the federal level and could be subject to seizure as part of law enforcement operations. Credit unions and other financial institutions that wish to provide services to MRBs are required to follow FinCEN guidance on the topic, which requires the filing of Suspicious Activity Reports, among other things. As we blogged about a few months ago, the NCUA has taken action against one federal credit union, apparently for deficiencies with its MRB compliance. For these reasons, many financial institutions have chosen not to provide any banking services to MRBs.

According to this DOJ press release, an Oklahoma City man attempted to get around his bank’s reluctance to serve MRBs by claiming one of his MRBs – Friendly Management Group, LLC (FMG) – was a wellness and fitness company rather than an MRB. The man and his business “pleaded guilty in connection with a scheme to open a bank account under false pretenses to launder proceeds from marijuana sales.” Once the bank account had been opened, the DOJ alleges that the defendant then used the account to launder over $700,000 of marijuana proceeds, much of which involved “structuring” deposits into amounts of less than $10,000 to evade the bank’s CTR filing obligations. Ultimately, the defendant pleaded guilty to making false statements to a bank, agreed to forfeit over $600,000 and faces up to 30 years in prison at sentencing. FMG pleaded guilty to money laundering. Both face steep potential fines.

Charges in Scheme to Steal Money From Consumer’s Accounts: Last week the DOJ announced charges against more than two dozen defendants for a transnational scheme in which the defendants allegedly posted unauthorized debit transactions to the accounts of American consumers. According to the press release, the defendants used “sham companies” to make the unauthorized transactions appear legitimate, going so far as to create fake websites, fraudulent consumer authorizations and a consumer complaint call center for the fake businesses.

Depending on the specific facts of these transactions, they may have been covered by Regulation E, which applies to electronic funds transfers (EFTs) from deposit/share accounts, including ACH or debit card transactions. Section 1005.11 provides the error resolution procedures for Regulation E, and defines “error” to include unauthorized EFTs. Financial institutions that received a proper notice of error from consumers about these transactions would have been required by Regulation E to investigate the potential errors (or to simply correct the error in the consumer’s favor without an investigation). The defendants’ alleged efforts to disguise the transfers as legitimate transactions may have made those investigations difficult.  

Former Credit Union Employee Destroyed Computer Data: At the end of August, a former credit union employee pleaded guilty to one count of “computer intrusion,” and now faces a potential sentence of 10 years in prison. According to the DOJ, the employee sought revenge for her termination by accessing her former employer’s computer system and deleting computer files. In total, over 21 gigabytes of data were deleted, including mortgage applications and the credit union’s anti-ransomware software. The DOJ estimates the credit union has spent about $10,000 to remediate the damage. 

NCUA has published guidance on Cybersecurity Considerations for Remote Work, which discusses some of the cybersecurity risks posed by allowing remote access to the credit union’s systems. Additionally, the FFIEC IT Examinations Handbook also has a section on Remote Access, which recommends credit unions “[d]isable remote communications if no business need exists,” and “[i]mplement robust controls over configurations at both ends of the remote connection to prevent potential malicious use.”  Credit unions may want to review that guidance in light of the increased dependence on remote work during the COVID-19 pandemic. Finally, credit unions may also want to consider implementing procedures to revoke authorization for former employees immediately upon termination, to prevent continued access and potential data security breaches.