New Blacklist Features Four U.S. Territories

The European Union (EU) released a “dirty money” blacklist on February 13, 2019: a list of countries it considers deficient in anti-money laundering (AML) regulation and enforcement. The additions are part of the EU’s effort to strengthen its money laundering and terrorist financing guidance after the publication of the Panama and Paradise Papers. Two United States territories, American Samoa and Puerto Rico, were added to the list, joining Guam and the U.S. Virgin Islands, which places them alongside Iran, Syria, and North Korea. In response, the U.S. Treasury Department (Treasury) has advised American financial institutions that they can disregard the updated EU list when administering their AML programs, questioning the methodology used to compile it.

Treasury stated that it “has significant concerns about the substance of the list,” because the European Commission did not include in-depth analysis and gave only a cursory basis for its determinations. Additionally, the U.S. was not given a meaningful chance to discuss the territories’ inclusion on the list; Treasury noted that U.S. territories are subject to the same high AML standards as the rest of the country. Treasury further stated that the Financial Action Task Force (FATF) is the global standard-setter for combating money laundering and terrorist financing, and that its high-risk jurisdiction list should be the basis for the enhanced due diligence in American institutions’ AML programs.

The EU believes that the FATF list is becoming questionable and more politicized, hence its formulation of its own blacklist, which requires European banks to apply enhanced due diligence to countries on the updated list.

Other countries added to this list, many of which were already on an EU tax haven list, are:

American institutions have the option of adding any jurisdiction to their internal watch list based on the institution’s risk appetite. Although watch list additions beyond the FATF list are not required, they may be prudent for institutions with concentrated risk in particular regions. The European Commission states that it will continue to monitor other jurisdictions, including the United States and Russia.



Now that we’re already one month into 2019 (how is that possible?!) and the holiday haze is wearing off, it’s time to really dive into 2019. With the beneficial ownership-ridden 2018 in the rearview mirror, here are eight things a compliance officer should focus on this year:

  1. Formalize the Three Lines of Defense

I know you’ve heard about it at conferences, and you’ve read about it in your closely-followed industry periodicals. You know what it is, but you may be thinking: “I’m too small for that.” The truth is you aren’t. The three lines of defense – front line business units, independent risk management (hey there, compliance officer!) and internal audit – are scalable to financial institutions of all sizes and varying levels of complexity. You are not exempt from prudent risk management due to your size. Do you have to comply with the stringent requirements of the OCC’s Heightened Standards – NO. However, you should have a solid and effective risk management program that crosses the entire organization. Dare we call it Enterprise Risk Management (ERM)?!

To have an effective ERM program, you need the equally strong and uniquely divided three lines of defense. Formalize the structure in your Risk Policy. Your regulator will love it!

  2. Keep Your Regulatory Change Management Policy Updated

As the storm of consumer compliance overhaul settles slightly, some of you may be thinking: “I’m almost done with this regulatory change management plan.” I’m sorry to burst your bubble, but you shouldn’t be. A solid regulatory change management program is one that is in place during both the calm and the crazy. If you wait for another influx of regulatory change to dust off the regulatory change management policy, you are already two steps behind. This program should continue to evolve and mature even in times when the regulatory environment isn’t fraught with change.

  3. Identify New and Emerging Risks

This should be an ongoing, continuous process. Your front-line business units should always have an eye out for new and emerging risks. They deal with them on a daily basis. Is there a newly implemented process that is showing poor results during quality control exercises? Do you notice a certain product causing a spike in consumer complaints? Has your front line reported seeing a new check fraud or elder financial abuse trend? Ensure that two-way dialogue with business units is rich so that risks do not go undiscovered!

  4. Modernize Your Risk Assessment Process

You know that Selena Gomez song, “I’m so sick of this same old love…”? Yeah, me neither – but, it always makes me think of work when I’m (not) listening to it in the car. I’m so sick of that same ole risk assessment, policy, training slide deck, fill in the blank here. You can’t possibly think that you are properly identifying, tracking and measuring risk using the same tool you implemented the year that mean regulator told you that you needed a risk assessment. It isn’t working! I promise! You have to modernize your practices, including your risk assessment process, to properly mitigate risks.

  5. Eliminate Exceptions

Speaking of terribly catchy pop songs – Bye, Bye, Bye… to exceptions! Exceptions are okay…until they become the rule. I know that you want friends at work and a table to sit at when you go to the breakroom for lunch, but sometimes you have to be the bad guy. Exceptions should not become an excuse. They aren’t an allowance to go around the policy. They should be used only when something is a true anomaly, something you could not have expected to encounter when authoring the policy. Take a close look at exceptions across the organization. Let them help drive your policy and process revision schedule as well as the training schedule for the year.

  6. Do a Culture Check

Look, I know writing policies and procedures is the joy of your life. You think about it in the evenings and on the weekends, and it really just fills your cup. I get it – you’re a compliance officer. Have you ever stopped to think about what happens after you release that masterpiece into the wild?

Change! It should effect change! Words on paper do nothing to help you manage your program and mitigate compliance risk. Do you know how that change happens? People and systems…and you need people to work your systems. So it really comes down to people. Your people have to make it happen. Their day-to-day work activities can either open you up to undue risk, or they can fully mitigate the risks you may be facing. The best workers are happy workers. Here at Abrigo we see people as the key to success, and you should too. Monitor employee satisfaction qualitatively and quantitatively to ensure you are properly mitigating conduct risk in your organization. Your exceptions tracking and findings remediation plan will thank you.

  7. Set a Cadence with Marketing

Do you remember that one time there was a new product code in the system and the marketing campaign hit the internet, but the compliance department had no idea a new product was being introduced? No? Good – that means you’re killing it! If this has happened to you, you need to open the communication with marketing to ensure it doesn’t happen again. You should have a seat at the table when new products and services are being discussed, even in the infancy stages. You are the key player for identifying potential compliance risks that these new products and services can introduce to your institution. If you don’t currently have a seat at the table, squeeze in a chair! Put some time on the marketing leader’s calendar, explain the criticality of compliance within product and marketing, and make a new friend. You won’t regret it!

  8. Face Your Findings Remediation

Every institution should have a mature and well-implemented findings remediation process for audit and regulatory findings. If not, it is time to play catch-up. Findings remediation should be a formal process with participation and buy-in from all business units and risk management functions. Progress should be monitored and measured, with results communicated to senior management, executive committees, and the Board, as appropriate. I know that sometimes it feels like your dirty laundry is being aired, but it is all for the greater good. A clean audit may mean that you need new auditors. There are always new and emerging accepted practices, and these findings are how you grow and develop your program.

If you need help with achieving or implementing any of these eight steps, we’re here to help. Our advisory services team can help with any short or long-term projects at your institution.



The Democratic-majority House is wasting no time in opening talks about a hot topic in the banking industry: cannabis.

A hearing is scheduled on Wednesday, February 13 titled “Challenges and Solutions: Access to Banking Services for Cannabis-Related Businesses” before a subcommittee of the House Financial Services Committee. Maxine Waters (D-CA), the new Financial Services Committee Chairwoman, stated that “it’s inevitable we are going to have to talk about” the cannabis banking issue after the recent midterm elections saw another three states legalize it to some extent.

Treasury Secretary Steven Mnuchin, Federal Reserve Chairman Jerome Powell and Comptroller of the Currency Joseph Otting have all made comments recently on the need for clarification regarding banking cannabis-related businesses (or marijuana-related businesses, MRBs).

While cannabis is legal to some extent in 33 states (10 for recreational purposes), it is still illegal at the federal level, keeping many financial institutions from banking MRBs. In 2013, the Obama administration’s Justice Department issued a memo, the Cole Memorandum, which essentially stated that the Justice Department would not enforce the federal prohibition against institutions that banked cannabis businesses, except in certain circumstances. Former Attorney General Jeff Sessions rescinded the Cole Memo after he was appointed within Donald Trump’s administration. Attorney General nominee William Barr stated in his confirmation hearing in January 2019 that he wouldn’t go after institutions offering banking services to MRBs. But neither the Cole Memo nor Barr’s recent statement was enough of a green light for most financial institutions.

Banks looking to avoid banking MRBs altogether might want to look deeper into their customer base. They might already be banking an MRB without knowing it. Cannabis businesses, just like any other business, pay rent to a landlord, buy receipt paper for their registers, purchase shopping bags for customers, buy light bulbs to see around their stores. You get the picture. Just like any regular business, MRBs do business with a lot of other businesses – and potentially current customers, meaning banks are already banking MRBs to some extent, albeit a small one.

Banking cannabis-related businesses isn’t just leaving money on the table for the government and financial institutions. It’s leaving large quantities of money (read: cash) on the table, in registers, and in other unsecured places, opening these businesses to higher rates of physical crime (theft, robberies, etc.).

Rep. Denny Heck (D-WA), who introduced cannabis banking legislation with Rep. Ed Perlmutter (D-CO) for the past several Congresses, said, “When we introduced this bill six years ago, we warned that forcing these businesses to deal in cash was threatening public safety. No hearing was given.”

Now they have their hearing. And while this is the first hearing on the topic, don’t expect it to be the last. There are reports that preparations are underway for a full committee markup on legislation to make it easier, and legal, for banks to start serving cannabis businesses.

Until then, each institution must decide at its own discretion how to handle banking these businesses, knowing the state and federal laws. If an institution does plan to bank MRBs, it needs to create an open dialogue with its regulator and ensure its policies and procedures are strong and offer full transparency.



We know that criminals are getting smarter and smarter, and the newest phishing attempt proves just that.

An attack vector was reported to us this week by several of our customers: an attacker is sending 314(b) information requests with a malicious attachment to BSA officers. The message looks something like this:

Hello Amy 

My name is Elaine Kirk and I’m BSA/AML officer at Interra Credit Union.

We’ve got suspicions transfer from your client, and put it on hold.

According section 314(b) of the USA PATRIOT Act we have to report you about potential money laundering.

Please review the attached document with details of this case.


Elaine Kirk

BSA-AML Compliance Officer

Interra Credit Union

The grammar police are throwing up major red flags, but this attack vector shows something scarier than bad grammar: a level of sophistication similar to what bank customers and credit union members already see in business email compromise (BEC) and email account compromise (EAC) phishing emails, now aimed at BSA/AML professionals. The attackers have identified a workflow within financial institutions that depends on sharing information to stop the bad guys, and they are exploiting it. Someone studied how we work to safeguard the United States financial system and is using that knowledge for nefarious ends.

How can you protect your institution from these attacks? First of all, be aware that the BSA/AML profession is not immune to these sorts of incidents. Then, follow these four steps:

  1. Follow your policies. Your policies and procedures around email attachments and links in emails (especially from unknown sources) are in place for a reason. You open your institution up to unnecessary risk by not following these rules.
  2. Spread the news. Make sure your staff knows the current phishing scams going around and are aware of what to look for, including email addresses/domains and sender/company names.
  3. Pick up the phone. Do an internet search for the emailing institution (make sure it has a legitimate website!), call the main line using the number on that site, never a number taken from the email or its signature, and ask to speak with the person who emailed you. This way you can verbally verify whether they sent the original email.
  4. Use common sense. If even one thing seems off about the email (especially basic spelling/grammar), take a deeper look before you click or download anything. If you don’t normally expect an attachment with a specific request or task, don’t download or open the attachment. Trust your gut.
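Steps 1 and 3 above can be partly automated at the mail gateway, so a lure like the one quoted is held before a BSA officer ever sees the attachment. The script below is an added example, not code from the original post or from Abrigo. It triages an inbound message on four signals: whether the sending domain is one the BSA team has verified out of band, whether Reply-To points somewhere other than the sender, whether the upstream Authentication-Results header records an SPF, DKIM or DMARC failure, and whether a macro- or script-capable attachment arrives together with 314(b) lure wording. Every domain, address and message in it is constructed for the example; the sample lure copies the shape of the one quoted above but uses no real institution’s domain.

```python
# Added example (not code from the original post). Heuristic triage of an
# inbound "314(b) request" email before a BSA officer sees it. Every domain,
# name and message below is constructed; no real institution's mail is used.
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types that routinely carry macro or script payloads in lures.
RISKY_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".zip", ".rar", ".iso",
                    ".js", ".vbs", ".htm", ".html", ".lnk", ".exe", ".scr")
# Phrases the lure leans on so it reads like a routine information request.
LURE_PHRASES = ("314(b)", "patriot act", "money laundering",
                "put it on hold", "suspicious transfer", "suspicions transfer")
# Consumer mailbox providers: a partner's BSA officer does not write from these.
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com"}
# Sending domains of 314(b) partners verified out of band, by calling a number
# taken from the partner's own website rather than from an email (constructed).
VERIFIED_314B_PARTNERS = {"firstexample-bank.example"}


def _domain(header_value) -> str:
    """Lower-cased domain of an address header; '' if the header is absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def triage(raw_message: str) -> dict:
    """Return {'verdict': hold|review|deliver, 'findings': [...], 'attachments': [...]}."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To")) or from_domain
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().lower() if body_part else ""
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    risky = [name for name in attachments if name.lower().endswith(RISKY_EXTENSIONS)]
    lure_hits = [phrase for phrase in LURE_PHRASES if phrase in text]

    # Sender provenance: who is this really from, and did our MX believe it?
    if from_domain not in VERIFIED_314B_PARTNERS:
        findings.append("unverified_sender_domain")
    if from_domain in FREE_MAIL:
        findings.append("free_mail_sender")
    if reply_domain != from_domain:
        findings.append("reply_to_mismatch")
    auth = str(msg.get("Authentication-Results") or "").lower()
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", auth):
        findings.append("auth_fail")
    # Payload: a 314(b) exchange never needs a macro document or an archive.
    if risky:
        findings.append("risky_attachment")
        if lure_hits:
            findings.append("lure_language_with_attachment")

    # Genuine 314(b) mail also says "314(b)", so the wording alone is never a finding.
    if risky and len(findings) > 1:
        verdict = "hold"      # quarantine until the phone call in step 3 confirms it
    elif findings:
        verdict = "review"    # deliver, with the flags shown to the BSA officer
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings, "attachments": attachments}


def build_message(sender, subject, body, *, reply_to=None, auth_results=None,
                  attachment=None) -> str:
    """Assemble a raw RFC 5322 message so the example runs offline."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "Amy <bsa@ourbank.example>"
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    if auth_results:
        msg["Authentication-Results"] = auth_results
    msg.set_content(body)
    if attachment:  # placeholder bytes stand in for the malicious document
        msg.add_attachment(b"constructed placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


# Constructed lure with the shape of the one quoted in the post.
PHISHING_SAMPLE = build_message(
    "BSA Officer <bsa.officer.cu@gmail.com>", "314(b) information request",
    "Hello Amy\n\nWe've got suspicions transfer from your client, and put it on hold.\n"
    "According section 314(b) of the USA PATRIOT Act we have to report you about\n"
    "potential money laundering.\n\nPlease review the attached document.\n",
    reply_to="bsa-desk@example-cu-mail.example",
    auth_results="mx.ourbank.example; spf=fail smtp.mailfrom=gmail.com; dmarc=fail",
    attachment="Case_Details.docm")
# Constructed legitimate request from a partner verified by phone.
LEGIT_SAMPLE = build_message(
    "Sam Doe <sam.doe@firstexample-bank.example>", "314(b) request",
    "Hi Amy, per our 314(b) agreement we have a question on a shared customer.\n"
    "Please call me at the number on our website to discuss.\n",
    auth_results="mx.ourbank.example; spf=pass; dkim=pass; dmarc=pass")

if __name__ == "__main__":
    for label, raw in (("lure", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage(raw))
```

The design point is in the verdict logic: legitimate 314(b) requests also say “314(b)” and “money laundering,” so that wording on its own never raises a flag. It only counts when an executable-type attachment is present, and a “hold” means nobody opens the file until the phone call in step 3, placed to a number from the partner’s own website, confirms the request was real. The verified-partner set is the piece an institution has to maintain by hand; it is what turns step 3 from a one-off check into a standing control.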

If you have received a suspected phishing email, the FBI Cyber Division is asking you to file a complaint on the IC3 website:

Thanks for what all of you do to thwart financial crime and safeguard the U.S.

John Meyer has been developing solutions to protect and help financial institutions grow for more than 20 years. He has been a critical part of the organization since 2012 when he joined as chief product officer and the company was still known as Banker’s Toolbox. Prior to Abrigo, he was a senior executive with Harland Financial Solutions (now Finastra), where he managed teams providing teller, new account origination, internet banking, item processing, and BSA/CIP solutions for over 2,500 financial institutions. In his early career, John worked for a community bank in Western Pennsylvania. He holds a BS in computer science from the U.S. Military Academy at West Point and an MBA from the University of Washington.