Posts filed under ‘Privacy/Data Security’

Bank/Tech Contract Concerns Issued By FDIC IG

Written by: Lindsay Harden

The FDIC’s independent Office of Inspector General (OIG) issued a report late last week detailing a study it conducted of contracts between financial institutions and technology service providers (TSPs). The report concluded that such contracts are commonly not sufficient to address certain risks that are inherent in these relationships. Specifically, contracts with TSPs frequently lack specificity and completeness with respect to business continuity and incident response procedures and obligations.

For several years the financial regulatory agencies have shown an interest in third-party risk management, including ensuring adequate protection of private customer information. Recently, the FDIC and FFIEC have engaged in further initiatives related to cybersecurity and outsourcing of technology services. However, according to the FDIC’s Division of Risk Management Supervision, contracts with TSPs are generally out of date and do not reflect recent efforts to strengthen cybersecurity.

Based on a review of 48 contracts between financial institutions and TSPs, the OIG report made the following findings:

  • Financial institution analyses do not fully consider business continuity and incident response risks presented by TSPs
  • Key contract provisions provide limited coverage of the TSP’s business continuity planning and incident response and reporting responsibilities
  • Key contract terms lack clear and specific definition
  • The FDIC has implemented numerous initiatives to address cybersecurity risks
  • Financial institution third-party relationship risks remain and will require continued supervisory attention

In addition, the report provided some examples of necessary types of provisions that are frequently missing from contracts. For instance, only half of the contracts reviewed explicitly included business continuity provisions, and only a handful established clear performance standards and remedies for failure to meet those standards. Furthermore, many key terms used in regulatory and supervisory guidance—including “misuse of information,” “unauthorized access,” “significant disruption,” and “cyber event”—were often unused, undefined, or inadequately defined in TSP contracts.

The FDIC has plans to take certain actions by October of 2018 to follow up on the OIG’s recommendations in the report. One such action is continuing to communicate to financial institutions the importance of effective contracts with TSPs through the FDIC’s risk management supervision program, which includes guidance, examination procedures, examinations, and off-site monitoring.

The OIG report and potential FDIC action provide banks with additional leverage in negotiating TSP contracts. Affected banks should closely review their existing contracts; if a contract is close to renewal, or if you are considering adding services under it, you have an opportunity to address deficiencies. Review the terms of the agreement and work with counsel to identify gaps in existing or proposed agreements. Please contact us if you need assistance, as we have significant experience negotiating and drafting contracts with TSPs and assisting banks with TSP vendor diligence.

For more information, please contact Karen Garrett or Steve Cosentino, leaders of our fintech practice.

February 23, 2017 at 10:00 am

FinCEN Issues Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime

Written by: Jennifer Salisbury

On Tuesday, October 25, the Financial Crimes Enforcement Network (“FinCEN”) issued an Advisory to explain how regulations and requirements of the Bank Secrecy Act (the “BSA”) apply to cyber-events, cyber-enabled crime, and cyber-related information.

Under the BSA, a financial institution must file a Suspicious Activity Report (a “SAR”) in the event of any successful or unsuccessful cyber-event that poses or posed at least a $5,000 risk to the institution. Further, a SAR must be filed for any cyber-event that a financial institution knows or suspects was intended to influence a transaction or a series of transactions at the institution. A cyber-event is an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information. In determining whether to report a cyber-event, a financial institution should take into consideration all information it has that relates to the cyber-event and should aggregate all funds and/or assets that were involved in or put at risk by the cyber-event. FinCEN also encourages any financial institution that discovers a cyber-event falling outside of the mandatory SAR threshold to consider voluntarily filing a SAR, because the information can still provide value to law enforcement investigations.

When filing a mandatory SAR, a financial institution should include any cyber-related information available to it. FinCEN also encourages that cyber-related information be included in any voluntary SAR. Examples of cyber-related information are IP addresses with timestamps, virtual-wallet information, device identifiers, and cyber-event information. Both mandatory and voluntary SARs should include complete and accurate information including, to the extent available: a description and magnitude of the event; known or suspected time, location, and characteristics or signatures of the event; indicators of compromise; relevant IP addresses and their timestamps; device identifiers; methodologies used; and any other information the financial institution believes is relevant.

In addition, financial institutions should always ensure that they comply with any other cyber-related SAR requirements that might be imposed by their respective functional regulators.

To view the full text of the FinCEN Advisory, click here.

October 28, 2016 at 4:34 pm

“Legalized” Marijuana: A Banking Compliance Conundrum

Written by: Zane Gilmer

On July 1, 2015, Minnesota will join 23 other states and the District of Columbia as the latest jurisdiction to permit the sale of medical marijuana. Minnesota’s medical marijuana laws are much more restrictive than many of its sister states’ marijuana laws in terms of who may purchase products, the types of products that may be sold or consumed, and the number of facilities permitted to sell the products. Nevertheless, those restrictions do not eliminate the myriad of issues created by permitting the sale of marijuana, including compliance challenges for banks and other financial institutions. This article will address some of the key compliance issues that face Minnesota’s financial industry following the legalization of medical marijuana.

The “Cash-Only” Problem

Most of the major credit card companies prohibit the use of their card networks for marijuana purchases. As a result, “legalized” marijuana sales across the country are conducted largely on a cash basis. Many states that permit either medical or recreational marijuana have seen marijuana revenues soar into the millions of dollars on a weekly basis. The scenario in Minnesota will likely be no different. Financial institutions, however, have to proceed with caution in banking those marijuana proceeds.

The Bank Secrecy Act (“BSA”), for instance, requires banks to monitor money passing through their institutions for potential money-laundering activities.[1] To comply with the BSA, banks are required to file a Suspicious Activity Report (“SAR”) related to certain transactions they suspect involve potential money laundering. Because the cultivation, possession, and distribution of marijuana are illegal under the federal Controlled Substances Act, any proceeds deriving from those transactions would be proceeds of an illegal transaction. Any marijuana-related business (“MRB”) attempting to bank proceeds of marijuana sales would trigger the bank’s obligation to file a SAR. Banks that fail to file a SAR for a reportable activity face criminal and civil fines and other penalties. As a result, many banks in states where marijuana is legal have refused to offer depository services to marijuana businesses.

On February 14, 2014, in response to banks’ reluctance to accept marijuana proceeds, the Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and the Department of Justice (“DOJ”) issued separate guidance to financial institutions related to providing banking services to the marijuana industry.[2]

DOJ Guidance

The DOJ guidance makes clear that the provisions of the BSA, money-laundering statutes, and the unlicensed money remitter statute remain in effect with regard to marijuana-related conduct, despite efforts at the state level to legalize marijuana.[3] The DOJ guidance advises that its prosecutors, in determining whether to initiate an investigation or to charge an individual or institution for violation of a provision related to marijuana conduct, should focus on whether the conduct violates any of the following eight enforcement priorities:[4]

  1. Preventing the distribution of marijuana to minors;
  2. Preventing revenue from the sale of marijuana from going to criminal enterprises, gangs, and cartels;
  3. Preventing the diversion of marijuana from states where it is legal under state law to other states;
  4. Preventing state-authorized marijuana activity from serving as a pretext for trafficking other illegal drugs or other illegal activity;
  5. Preventing violence and the use of firearms in the cultivation and distribution of marijuana;
  6. Preventing drugged driving and the exacerbation of other adverse public health issues related to marijuana;
  7. Preventing the growing of marijuana on public lands and other public safety hazards associated with marijuana on public lands; and
  8. Preventing marijuana possession or use on federal property.

The guidance explains that a violation of one of these priorities may be ripe for investigation or prosecution, whereas a marijuana-related activity that does not implicate one of these priorities may not be appropriate for prosecution. Notably, however, the DOJ guidance does not guarantee that marijuana-related activities that do not implicate one of these priorities will not be prosecuted.

FinCEN Guidance

FinCEN, for its part, issued much more tangible guidance for the financial industry. Indeed, FinCEN’s stated goals in issuing its guidance were to clarify BSA “expectations for financial institutions seeking to provide services to marijuana-related businesses” and to “enhance the availability of financial services for, and the financial transparency of, marijuana-related businesses.”[5]

Development and Implementation of Thorough Customer Due Diligence Programs Required

FinCEN’s guidance provides that “the decision to open, close, or refuse any particular account or relationship should be made by each financial institution based on a number of factors specific to that institution.” To make these decisions, financial institutions are expected to develop and implement a thorough due diligence program that includes: (1) verifying with state authorities whether the MRB is licensed and registered; (2) reviewing the state application and supporting documentation submitted by the MRB to state authorities in support of its marijuana application; (3) requesting from state authorities information related to the MRB and individuals involved with it; (4) developing an understanding of the MRB’s “normal and expected activity,” including the products it sells and types of customers it serves; (5) ongoing monitoring of adverse public information concerning the MRB; (6) ongoing monitoring for any suspicious activity; and (7) updating the due diligence information on a periodic basis. The financial institution must also consider whether the MRB is in violation of one of the DOJ’s eight priorities or state law.

SARs for MRBs

If, after completing due diligence, the financial institution decides to provide services to the MRB, the financial institution must file one of two SARs: either a “Marijuana Limited” SAR—if the financial institution “reasonably believes” that the MRB is not in violation of any of the DOJ’s eight priorities or state law—or a “Marijuana Priority” SAR—if the financial institution reasonably believes that the MRB is in violation of one of the DOJ’s eight priorities or state law. In addition, the financial institution must file a “Marijuana Termination” SAR if it provides financial services to an MRB and later decides to terminate that relationship due to money-laundering concerns or if the MRB is in violation of one of the DOJ’s priorities.

To assist financial institutions in determining which SAR to file, the FinCEN guidance sets forth the following “red flags” that, if present, could mean that an MRB is violating one of the DOJ priorities or state law:

  1. An MRB appears to be using a state-licensed marijuana business as a pretext to launder money related to other criminal activity;
  2. An MRB cannot produce sufficient documentation and other evidence to demonstrate that it is duly licensed and operating in a manner consistent with state law;
  3. An MRB cannot demonstrate the legitimate source of significant outside investors;
  4. An MRB appears to be disguising its involvement in the marijuana industry;
  5. A review of publicly available information about an MRB and related parties reveals negative information;
  6. An MRB or related parties have been subject to state or local enforcement actions;
  7. An MRB engages in international or interstate activity;
  8. The owners or related parties of an MRB reside outside of the state in which the MRB is located;
  9. An MRB is located on federal property or marijuana that is sold by the business is grown on federal property;
  10. An MRB’s proximity to a school is not in compliance with state law; and
  11. An MRB purporting to be a “nonprofit” is engaged in commercial activity inconsistent with its designation as a nonprofit.

If any of these red flags exist, the financial institution must conduct further due diligence to determine whether the MRB is in compliance with the guidance.

Compliance Challenges Not Limited to Depository Accounts

In addition to the compliance challenges of providing depository services to MRBs, banks are also faced with similar issues related to extending loans to MRBs. Not only could such action be viewed as “aiding and abetting” a federal offense, but any loan proceeds and collateral securing the loan could be subject to federal forfeiture.[6] The same may also be true for loans to third parties. For example, if a bank lends money to a strip mall developer who then rents space to an MRB, the debt service paid by the borrower/landlord is likely going to be paid with at least some proceeds of marijuana sales by the borrower’s tenant, because the tenant likely used those proceeds to pay rent to the borrower. Further, banks risk litigation, including claims related to violations of the federal Racketeer Influenced and Corrupt Organizations Act [7]—for providing knowing assistance to MRBs in violation of federal drug laws—and False Claims Act lawsuits [8]—for using proceeds of federally backed loan programs to fund or assist state MRB operations that are unlawful under federal law.

In short, there are a myriad of compliance challenges facing banks in the wake of marijuana legalization. Those challenges, however, have proven manageable. The key is to develop and implement thorough policies and procedures based on DOJ and FinCEN guidance.

[1] 31 U.S.C. § 5311, et seq.; see also 18 U.S.C. §§ 1956 and 1957 (federal anti-money laundering statutes).

[2] FinCEN Guidance, “BSA Expectations Regarding Marijuana-Related Businesses,” February 14, 2014, available at; James M. Cole, “Guidance Regarding Marijuana Related Financial Crimes,” U.S. Department of Justice, February 14, 2014, available at

[3] DOJ Guidance, p. 2.

[4] Id.; James M. Cole, “Guidance Regarding Marijuana Enforcement,” U.S. Department of Justice, August 29, 2013, available at

[5] Press release announcing FinCEN guidance, available at

[6] See, e.g., 21 U.S.C. § 853 (forfeiture statute related to controlled substances violations); 18 U.S.C. § 981, et seq. (forfeiture statute related to money laundering).

[7] 18 U.S.C. § 1961, et seq.

[8] 31 U.S.C. § 3729, et seq.


July 21, 2015 at 10:59 am

Massachusetts Passes Aggressive New Data Security Law

Do you own or license personal information about a resident of Massachusetts?  If so, then a new data security law, 201 CMR 17.00, applies to you.  You must develop, implement and maintain a comprehensive information security program that includes a security system covering computers, including any wireless system.  Among other requirements, you must ensure that, where technically feasible:

  • All data containing personally identifiable information (PII) must be encrypted when it is transmitted across public networks or wirelessly. This means, for example, that PII must be sent over HTTPS rather than HTTP, and that database connections (for example, to SQL Server) that carry PII across a public network must be encrypted as well. This rule has significant implications for database applications.
  • All PII data stored on laptops or other portable devices, such as smartphones and USB drives must be encrypted.
  • Backup tapes must be encrypted on a prospective basis.
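As an added illustration that is not part of the original post, the following Go program shows the two controls the bullets above describe, using only the Go standard library: application-level encryption of a PII field with AES-256-GCM before it is written to a database column or backup (so the stored value is protected wherever the row or tape ends up), with the record identifier bound as associated data so a ciphertext cannot be moved between rows undetected, and a transport check that refuses to send PII to anything but an https URL. The key, the record identifier, the URLs and the sample record are constructed for the example; key generation, storage and rotation are outside its scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// KeySize is the AES-256 key length in bytes.
const KeySize = 32

// EncryptPII seals plaintext with AES-256-GCM under key. The record
// identifier is bound as associated data, so a ciphertext copied from
// one row cannot be opened in the context of another. The result is
// base64(nonce || ciphertext || tag), suitable for a text column.
func EncryptPII(key []byte, recordID string, plaintext []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, plaintext, []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptPII reverses EncryptPII. Any modification of the stored value,
// or a recordID that does not match the one used at encryption time,
// fails authentication and returns an error instead of plaintext.
func DecryptPII(key []byte, recordID string, token string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	sealed, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], []byte(recordID))
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", KeySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TransportAllowed reports whether a PII-bearing request may be sent to
// rawURL: only https with a non-empty host is accepted, since anything
// else would put PII on a public network in the clear. No loopback
// exception is made; a deployment that needs one should add it deliberately.
func TransportAllowed(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	return strings.EqualFold(u.Scheme, "https") && u.Host != ""
}

func main() {
	key := make([]byte, KeySize)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record (hypothetical identifier and value, not real PII).
	tok, err := EncryptPII(key, "customer:1001", []byte("SSN=000-00-0000"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptPII(key, "customer:1001", tok)
	fmt.Printf("stored=%s\nrecovered=%s err=%v\n", tok, pt, err)
	_, err = DecryptPII(key, "customer:1002", tok) // same ciphertext, wrong row
	fmt.Println("cross-row decrypt error:", err)
	fmt.Println("https allowed:", TransportAllowed("https://api.example.com/v1/customers"))
	fmt.Println("http allowed: ", TransportAllowed("http://api.example.com/v1/customers"))
}
```

The same EncryptPII routine applies to files destined for backup media: encrypting before the data reaches the tape or USB drive means the portable-device and backup requirements are met regardless of what the device itself supports, and the stored record identifier in the associated data lets a restore detect a file that was substituted or misfiled.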

Penalties for noncompliance are enforced through Massachusetts General Law Title XV: Regulation of Trade, chapter 93A, section 4. Civil penalties of up to $5,000 per breach or lost record may be assessed, along with reasonable costs of investigation and litigation, including attorneys’ fees. Any data breach must be reported to both the Office of Consumer Affairs and Business Regulation and the Attorney General.

The law became effective March 1, 2010 and can be found here:

Answers to Frequently Asked Questions regarding the rule can be found here:

April 29, 2010 at 7:16 pm

Produced & Maintained By Stinson Leonard Street

A legal resource for Banking & Financial Services