Szell: Is it safe?
Babe: I don’t know what you mean. I can’t tell you something’s safe or not, unless I know specifically what you’re talking about.
Szell: Is it safe?
Babe: Yes, it’s safe, it’s very safe, it’s so safe you wouldn’t believe it.
Szell: Is it safe?
Babe: No. It’s not safe, it’s… very dangerous, be careful.
In the 1976 movie Marathon Man, Babe (Dustin Hoffman) is held down while Nazi war criminal Szell (Laurence Olivier) drills Babe’s teeth without anesthetic, trying to learn if it is safe to sell a cache of diamonds stolen from concentration camp victims. Babe has no idea what Szell is asking about, so he has no information to disclose, even under torture.
After a decade of painful regulatory examinations without anesthetic, bankers are now asking the same question from the perspective of the tortured. Is it safe to do business again? As in Marathon Man, whether it is safe depends in part on what “it” means – what the proposed business is and who the customer is. It also depends on the bank’s systems and infrastructure to manage the risk.
Given the changing legal and liability landscape, and changing expectations of examiners, bankers are uncertain about the risks of engaging in many types of business. Some of the areas of uncertainty include providing banking services to third party payment processors, payday lenders, or money services businesses. Other bankers are wondering about banking services for legal marijuana retailers, or buyers, sellers, or processors of virtual currencies. Some bankers are even hesitant to return to mortgage lending in light of all of the new regulations and regulatory scrutiny.
While no banking services are risk free, there certainly are some products and customers that present greater challenges, and there are products or customers that some banks probably need to avoid entirely. In most cases, however, this depends on the bank’s ability to manage the risks.
Is mortgage lending “safe”?
There is no compelling reason to avoid mortgage lending if the bank hires trained loan originators, learns the new compliance rules, employs sound underwriting, and appropriately manages interest rates and similar financial risks. The risks are generally lower if the bank originates only “qualified mortgages” as defined by the Truth in Lending Act, but product options are then significantly limited. For this reason, many banks have reasonably concluded that the risks of making non-qualified mortgages can be managed. For all mortgage lending, there are many compliance requirements to satisfy, but they are all manageable. Mortgage lending requirements are certainly more onerous than a few years ago, but a bank that wants to avoid every compliance burden might as well close up shop.
Regulators have third party payment processors in their sights.
At the other end of the risk spectrum is providing transaction account services for third party payment processors, certain virtual currency participants, and legal marijuana retailers.
It may well be that very few banks have or can afford the systems required to manage the risks of transaction services for third party payment processors (TPPPs). TPPPs have their own customers for which they process payments, and when the bank is processing transactions for TPPPs it is essentially processing transactions for its customer’s customers.
Regulatory guidance and advisories issued by FinCEN and the FDIC make it clear that a bank is expected to conduct due diligence on the customers of its TPPPs, and recent enforcement actions indicate that a bank is subject to liability if its customer’s customers violate laws or engage in unfair, deceptive or abusive acts. Avoiding these risks necessarily means extensive monitoring of the transactions engaged in by its customer’s customers, filing of suspicious activity reports in appropriate cases, and terminating relationships with TPPPs or at least their offending customers in some cases.
In addition, given that most of these transactions are processed as automated clearing house (ACH) transactions that can be reversed for up to 90 days or longer, processing of these transactions exposes the bank to credit risk. While not technically a loan-to-one borrower issue, every bank still needs to consider the volume of ACH transactions as compared to its capital and how much the bank can afford to risk.
Should your bank enter the virtual currency world?
Another very high risk business line could be providing banking services for participants in virtual currencies. A consumer who holds virtual currencies for investment or to make purchases from merchants who accept the currency is probably not very high risk so long as the bank is not processing the virtual currency transactions.
Merchants that accept the currency can be higher risk, even very high risk, depending on the merchant and the type of banking service. All such merchants should be subject to enhanced due diligence to determine, among other things, beneficial owners of the business. The anonymity inherent to virtual currency transactions increases the risks that unsavory businesses or individuals are behind the scenes. If the merchant appears to be reputable, providing a loan or a non-transaction account might not present significant compliance risks.
On the other hand, processing transactions for these merchants or providing them transaction accounts could present higher risks. While the merchant might be reputable, other parties to the transactions might not be. Monitoring of transactions can help, but the work required to verify the identities and quality of the various parties to the transaction might be too burdensome for many banks. Merchants located in foreign countries or that engage in transactions with persons in foreign countries raise additional compliance risks if the bank provides transaction accounts to such merchants. Some banks will be able to manage these risks, but other banks could reasonably decide that the waters are too volatile and uncertain to wade into at this time.
There is a host of other participants in the virtual currency world, presenting varying degrees of risk and requiring varying degrees of due diligence and monitoring if conducting transactions for them. These other participants include companies that exchange or trade virtual currencies for fiat currencies such as the dollar, processors of virtual currency transactions, providers of virtual currency “wallets” to store the currencies, and others. The essential issues are the same, though the degree of risk and the necessary systems to manage those risks can vary significantly.
The burning question: Is it “safe” to bank legal marijuana retailers?
There are many other business lines and customer types that often raise questions, but the last one this article considers is providing banking services to marijuana retailers in states that now allow medicinal or recreational marijuana sales. While these states no longer outlaw certain marijuana sales, the federal Controlled Substances Act still makes it illegal to manufacture, distribute or dispense marijuana.
One implication of this is that a bank that provides banking services to a marijuana retailer is required to file suspicious activity reports (SARs), and to refile the SAR at least every 120 days for so long as the retailer continues to be a customer and continues to sell marijuana. If the SAR is being filed only due to the legal (in the state) marijuana activity, a “marijuana limited” SAR is filed. See FinCEN’s BSA Expectations Regarding Marijuana-Related Businesses.
However, if the bank determines that certain other factors exist, the bank would be required to file a “marijuana priority” SAR. According to FinCEN, factors that would require a marijuana priority SAR include, among other things, the distribution of marijuana to minors and incidents of “drugged driving” associated with marijuana.
This raises very startling implications and suggests that a bank would be subject to regulatory criticism if it fails to identify these factors. As to distributing marijuana to minors, in Colorado and Washington the legal age to purchase marijuana is 21, but an 18 year old can obtain a debit card or credit card. Is a bank expected to monitor the debit card use of all of its customers under 21 and confirm that the card was never used at a marijuana retailer?
The drugged driving factor is equally ominous. If a Denver newspaper reports that Idle Billy was arrested for drugged driving and told the police that he had purchased his stash at Blue Sky Herbs, which is the bank’s customer, would the bank be subject to liability for failing to notice this news article and therefore failing to file a marijuana priority SAR on Blue Sky?
With respect to both of these issues and other similar factors, FinCEN states that a financial institution should conduct customer due diligence that includes ongoing monitoring for suspicious transactions and ongoing monitoring of publicly available sources for adverse information about the business. This would certainly suggest that a bank that fails to notice an adverse news article, or fails to identify a purchase of marijuana by one of its under-21 customers, would be at risk of a regulatory enforcement action. While all of this monitoring could be manageable for the bank that is prepared to invest in the necessary systems, many banks might want to sit this one out until the interplay of federal and state laws is better ironed out.
Secured lending transactions raise yet another risk. Under the Controlled Substances Act, federal law enforcement can seize property if used to sell or distribute marijuana. A lender that has made a loan secured by that property would then become an unsecured lender and its borrower might be facing imprisonment and have no prospects of repaying the loan. It would seem that no amount of monitoring could avoid this risk. A bank considering such lending might also want to consider very high loan-to-value requirements.
So, is it safe? Banking is never completely safe. Sometimes the risks are very low, sometimes they can be managed with appropriate systems and procedures, and sometimes the line of business or customer might best be left to other banks.
(Also published on BryanCavePayments.com)