
InfoBytes Blog

Financial Services Law Insights and Observations


  • House Committee report finds broad financial surveillance by federal government using financial institutions data following January 6th events

    Privacy, Cyber Risk & Data Security

    On March 5, the Committee on the Judiciary and its Select Subcommittee on the Weaponization of the Federal Government released an interim staff report on how federal law enforcement agencies, in the wake of the events of January 6, 2021, at the U.S. Capitol, engaged in financial surveillance by encouraging financial institutions to provide data on private transactions of consumers without a nexus to criminal conduct. The report indicated the consumers particularly targeted were those who tend to hold “conservative viewpoints.” The report cited several whistleblower testimonies and provided email transcripts of the government agents’ requests. One institution allegedly acted “voluntarily and without legal process” and provided the FBI with a dataset of names of those who used that institution’s credit or debit card in the Washington, D.C. region between January 5 and January 7, 2021, but also included those who had ever used that institution’s debit or credit card to purchase a firearm. The report suggested that citizens who did nothing other than go “shopping or exerciz[e] their Second Amendment rights” were placed under a type of financial surveillance between their financial institution and the government, making specific mention of right-leaning individuals now at risk.

    The report provided context with the Right to Financial Privacy Act of 1978, Section 314(a) of the USA Patriot Act, and the Bank Secrecy Act in mind. While these federal acts were created to protect citizens, the report alleged they “have failed to adequately protect American’s financial information.” The report was particularly critical of the federal government using “informal meetings and backchannel discussions” with financial institutions to devise the best methods for getting Americans’ private financial information, including using merchant category codes and politicized “search terms,” and the federal government disseminating “political materials” to such institutions that were allegedly “hostile” to conservative viewpoints and “treated lawful transactions as suspicious.”

    Privacy, Cyber Risk & Data Security House Judiciary Committee Banking Bank Secrecy Act

  • Fed finds CEO engaged in crypto “pig butchering” scam which led to bank failure

    On February 7, the Federal Reserve issued an evaluation report, as required by the Federal Deposit Insurance Act (where a loss to the deposit insurance fund is considered material), on a recently failed bank; the Fed concluded the bank failed due to alleged fraudulent activity by the bank’s CEO. In particular, the Fed found that the CEO initiated a series of wire transfers over the course of three months totaling about $47.1 million of the bank’s money as part of a cryptocurrency scam known as “pig butchering.” According to a FinCEN alert, “pig butchering” occurs when a scammer convinces its victims to invest in purportedly legitimate cryptocurrency investments but then steals the victim’s money.

    The Fed found that the bank’s employees neglected to follow proper internal controls and policies that could have “prevented or detected” the alleged fraudulent activity, attributing the failure to a reluctance to challenge the CEO given the CEO’s “dominant role in the bank and prominent role in the community.” Specifically, the employees did not comply with the bank’s BSA/AML policy or file suspicious activity reports as outlined under the policy. As a result, the Fed recommended (i) increasing the awareness among state member banks of cryptocurrency scams; and (ii) providing training to examiners on cryptocurrency scams.

    Bank Regulatory Federal Issues Cryptocurrency FinCEN Federal Reserve Bank Secrecy Act Anti-Money Laundering

  • FDIC issues December 2023 enforcement actions

    On January 26, the FDIC released a list of administrative enforcement actions taken against banks and individuals in December 2023. During that month, the FDIC made public 12 orders consisting of “four orders of termination of deposit insurance; three orders terminating consent orders; two consent orders; one order terminating supervisory prompt corrective action directive; one order of prohibition from further participation; one order to pay a civil money penalty (CMP); and one Decision and Order to Prohibit from Further Participation and Assessment of Civil Money Penalty.”

    Included is a consent order with a Mississippi-based bank for alleged Bank Secrecy Act violations, along with violations of a previous consent order from 2020, imposing a $600,000 civil money penalty. Also included is a consent order with a Kentucky-based bank, alleging the bank engaged in “unsafe or unsound banking practices and violations of law or regulation” relating to, among other things, the Bank Secrecy Act. The bank neither admitted nor denied the allegations but agreed to create a written plan to recover its losses from the bank’s relationship with a third-party loan program, to reduce the bank’s risk position in the program, and to stop granting any extensions of credit through adversely classified or criticized loans related to the third-party loan program. The consent order additionally requires the bank’s board to assess the sufficiency of the bank’s allowance for credit losses (ACL), ensuring the establishment of an appropriate ACL and to uphold and accurately report it. Specifically, “management shall review updated credit risk metrics and loss data for the third-party loan programs referenced in the ROE and ensure appropriate provisions to the ACL relative to this information.”

    Bank Regulatory Federal Issues FDIC Enforcement Bank Secrecy Act Anti-Money Laundering

  • FinCEN issues FAQs on PPP

    Federal Issues

    On January 12, FinCEN and the SBA issued FAQs on the Paycheck Protection Program (“PPP”), established under the CARES Act, to assist borrowers and lenders in interpreting the CARES Act and the PPP Interim Final Rule. Among the issues addressed in the FAQs, FinCEN and the SBA provided guidance regarding whether, under the CDD Rule, lenders are required to collect, certify, or verify beneficial ownership information for existing customers, stating that it is not necessary to re-verify “[i]f the PPP loan is being made to an existing customer, and the existing customer and the necessary information was previously verified.” Additionally, FinCEN and the SBA addressed the question of whether a lender’s collection of the information required with respect to owners of 20% or greater interest in PPP applicants is sufficient to satisfy a lender’s obligation to collect beneficial ownership information under the Bank Secrecy Act. FinCEN and the SBA stated that for lenders with existing customers the lender does not need to reverify beneficial ownership information for owners that hold ownership interests of at least 20 percent, and with respect to new customers with the same ownership interest, all natural persons will need to provide the same information in order to satisfy BSA requirements. FinCEN also answered more FAQs on its April 2020 FAQs regarding the PPP on Second Draw PPP Loans, on BSA/AML compliance, and on SBA Procedural Notice 5000-835955, the last stating that a “PPP lender may reveal the existence of a SAR to the SBA when requesting a guaranty purchase (without charge-off) from the SBA.”

    Federal Issues SBA FinCEN Department of Treasury PPP CARES Act Bank Secrecy Act Anti-Money Laundering Act of 2020

  • NYDFS and Fed order bank to pay fines for BSA/AML non-compliance

    Financial Crimes

    On January 19, the Federal Reserve Board and NYDFS each issued separate enforcement actions against one of the largest banks in the world for alleged compliance deficiencies and violations under BSA/AML. The Fed issued its cease and desist order and ordered the bank to pay a civil money penalty of $2.4 million. The NYDFS also issued a similar consent order with a monetary penalty of $30 million.

    According to the Fed’s order, an investigation into the bank’s practices determined that the New York branch lacked any formal policies or training on confidential supervisory information (CSI). Additionally, the order required the bank to submit a written plan to enhance internal compliance controls to the Fed, including designation of a CSI officer, among other requirements. According to NYDFS’s order, the bank previously entered into a 2018 cease and desist order with the Fed to address “significant deficiencies” in its compliance with BSA/AML requirements and OFAC regulations. NYDFS conducted an examination in 2022 and found that deficiencies cited in the 2018 order persisted for several more years. A subsequent examination in 2023 found that the bank had made significant efforts toward enhancing its compliance programs and successfully remediated prior deficiencies. Per this most recent order, NYDFS found that the bank’s BSA/AML program was not in compliance for several years; the bank failed to maintain appropriate accounting records; and the bank failed to submit a report after discovering the occurrence of “embezzlement, misapplication, larceny, forgery, fraud, [or] dishonesty[.]” The consent order stipulated several remediation requirements, including a status report to NYDFS on the bank’s BSA/AML compliance.

    Financial Crimes New York NYDFS Bank Secrecy Act Federal Reserve Bank of New York Compliance

  • NYDFS orders digital currency trading company to pay $8 million

    State Issues

    On January 12, NYDFS announced that it had entered into a consent order with a digital currency trading company after an investigation that found the company responsible for compliance failures that violated NYDFS’s virtual currency and cybersecurity regulations, leaving the company vulnerable to illicit activity and cybersecurity threats.  

    NYDFS found that the company failed to meet its compliance obligations due to (i) deficiencies in the company’s AML program; (ii) failure to file compliant suspicious activity reports; (iii) failure to conduct required OFAC screening; and (iv) failure to maintain an adequate cybersecurity program. In connection with the settlement, the company will surrender its BitLicense, the license required to be held by any company conducting virtual currency business in New York state, and pay an $8 million penalty.

    State Issues NYDFS Digital Currency Cyber Risk & Data Security Bank Secrecy Act Anti-Money Laundering Cryptocurrency OFAC Enforcement

  • FinCEN report on identity fraud in 2021 outlines statistics and processes

    Financial Crimes

    On January 9, FinCEN published a report titled “Identity-Related Suspicious Activity: 2021 Threats and Trends” which focuses on patterns in reported Bank Secrecy Act (BSA) data linked to suspicious activity from 2021. The report is part of a broader set of financial trend analyses conducted by FinCEN under section 6206 of the Anti-Money Laundering Act of 2020. During 2021, about 1.6 million of all BSA reports (or 42 percent) on suspicious activity were related to identity, equaling $212 billion in suspicious activity.

    Key findings in the report included: (i) 69 percent of identity-related BSA reports indicate attackers have impersonated others; (ii) depository institutions have filed the most BSA reports at 54 percent, with the next highest being money services businesses at 21 percent; (iii) general fraud was the most reported typology with 1.2 million BSA reports totaling $149 billion in suspicious amounts, with the next two being false records and identity theft, respectively; and (iv) there were a significant number of identity-related exploitations based on BSA report volumes and dollar values. FinCEN reported three identity-related exploitations, including how attackers (a) impersonate others; (b) dodge or exploit verification processes; and (c) use compromised credentials. A model on page six of the report provides further clarity on how attackers undermine identity processes, such as through bust out schemes (attackers open credit card accounts then max out the cards), check fraud, credit and debit card fraud, and Covid-19 fraud.

    Financial Crimes FinCEN Bank Secrecy Act Anti-Money Laundering Act of 2020 Identity Theft Fraud Credit Cards

  • FDIC releases November enforcement actions

    On December 29, the FDIC released a list of administrative enforcement actions taken against banks and individuals in November. The FDIC made 12 orders public, including “five consent orders, three prohibition orders, two orders terminating consent orders, one order to pay a civil money penalty (CMP), and one order dismissing both a notice of assessment of CMPs and an order to pay.” Included is a stipulated order and written agreement with a Tennessee-based bank (the Bank) to resolve alleged violations of the Bank Secrecy Act (BSA) and weaknesses in board and management oversight of its information technology function. The Bank agreed to the conditions of the consent order, which requires the Bank to, among other things, (i) establish an action plan to correct the bank’s Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) program deficiencies and alleged violations; (ii) retain qualified IT management; (iii) perform a cybersecurity assessment; and (iv) designate someone responsible for coordinating and monitoring day-to-day compliance with the BSA.

    Bank Regulatory Federal Issues Enforcement Bank Secrecy Act Anti-Money Laundering

  • FinCEN, IRS issue alert on Covid-19 employee retention credit fraud schemes

    Financial Crimes

    On November 22, FinCEN and the IRS issued an alert to financial institutions regarding Covid-19 Employee Retention Credit (ERC)-related fraud schemes. Authorized by the CARES Act, the ERC is a tax credit aimed at incentivizing businesses to retain employees on payroll during the Covid-19 pandemic, through which fraud and scams have been carried out, FinCEN explained. The alert offers insights into typologies linked to ERC fraud and scams, emphasizes specific warning signs to aid financial institutions in detecting and reporting suspicious activities, and reinforces these institutions' obligations to report under the Bank Secrecy Act (BSA).

    According to the alert, “[d]uring the 2023 tax season, the IRS noted various scammers appeared throughout the [U.S.] using the false pretense of being tax credit experts to convince businesses to file for the ERC.” Third-party ERC promoters misled taxpayers about eligibility, aiming to profit from filing ERC claims without verifying qualifications, FinCEN added. As a result, the alert mentioned that victims risk claim denial or repayment, while scammers profit regardless of the claim's outcome, involving both willing and unaware businesses in these schemes. FinCEN added that businesses must meet specific ERC requirements, and those who received PPP loans cannot use the same wages counted in the PPP loan for the ERC application. Despite this, some may file amended tax returns misrepresenting their eligibility for the ERC by falsifying staff wages or claiming their operations were partially or fully suspended during the pandemic. FinCEN listed “red flags” indicative of ERC fraud that financial institutions should be cognizant of, including, among others, (i) a business account that receives multiple ERC check deposits over several days; (ii) small business accounts that receive ERC check deposits disproportionate to their size, employee count, and transaction volume; and (iii) a new account for an established business that only receives ERC deposits, suggesting possible identity theft using the business as a front for fraudulent claims. The alert also reminds financial institutions of their obligation to file suspicious activity reports and to keep a copy of the reports for five years from the date of the filing. 

    Financial Crimes FinCEN PPP Consumer Finance Loans CARES Act Patriot Act Bank Secrecy Act IRS Covid-19

  • NYDFS settles with bank for compliance failures

    State Issues

    On September 29, NYDFS announced a settlement with a South Korean-based bank’s American subsidiary to resolve allegations of repeated violations of AML requirements, the Bank Secrecy Act (BSA), and New York law. According to the consent order, the respondent was examined seven times in less than 10 years by DFS and entered into a consent order with the FDIC in 2017 for BSA/AML compliance, among other things. DFS claims that the respondent violated (i) New York Banking Law § 44 by conducting its business in an unsafe and unsound manner; (ii) 3 NYCRR § 116.2 by failing to maintain an effective AML compliance program; and (iii) 23 NYCRR § 504.4 by incorrectly certifying compliance with Part 504. To resolve the claims, the respondent agreed to pay a $10 million civil money penalty and to prepare a written plan detailing improvements to its compliance policies and procedures, among other things.

    State Issues NYDFS Civil Money Penalties Enforcement New York Anti-Money Laundering Bank Secrecy Act Settlement
