InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Treasury recommends stronger DeFi supervision
On April 6, the U.S. Treasury Department published a report on illicit finance risks in the decentralized finance (DeFi) sector, building upon Treasury’s other risk assessments, and continuing the work outlined in Executive Order 14067, Ensuring Responsible Development of Digital Assets (covered by InfoBytes here).
Written by Treasury’s Office of Terrorist Financing and Financial Crimes, in consultation with numerous federal agencies, the Illicit Finance Risk Assessment of Decentralized Finance is the first report of its kind in the world. The report explained that, while there is no generally accepted definition of DeFi, the term has broadly referred to virtual asset protocols and services that allow for automated peer-to-peer transactions through the use of blockchain technology. Used by a host of illicit actors to transfer and launder funds, the report found that “the most significant current illicit finance risk in this domain is from DeFi services that are not compliant with existing AML/CFT [anti-money laundering and countering the financing of terrorism] obligations.” These obligations include establishing effective AML programs, assessing illicit finance risks, and reporting suspicious activity, the report said.
The report made several recommendations for strengthening AML/CFT supervision and regulation of DeFi services, such as “closing any identified gaps in the [Bank Secrecy Act (BSA)] to the extent that they allow certain DeFi services to fall outside the scope of the BSA’s definition of financial institutions.” The report also recommended, “when relevant,” the “enforcement of virtual asset activities, including DeFi services, to increase compliance by virtual asset firms with BSA obligations,” and suggested continued research and engagement with the private sector on this subject.
In addition, the report pointed to a lack of implementation of international AML/CFT standards by foreign countries, “which enables illicit actors to use DeFi services with impunity in jurisdictions that lack AML/CFT requirements,” and commented that “poor cybersecurity practices by DeFi services, which enable theft and fraud of consumer assets, also present risks for national security, consumers, and the virtual asset industry.” To address these concerns, the report recommended “stepping up engagements with foreign partners to push for stronger implementation of international AML/CFT standards and advocating for improved cybersecurity practices by virtual asset firms to mitigate these vulnerabilities.” The report seeks input from the public sector to inform next steps.
National bank fined $98 million by OFAC, Fed for sanctions violations
On March 30, the U.S. Treasury Department’s Office of Foreign Assets (OFAC) announced a $30 million settlement with a national bank to resolve potential civil liabilities stemming from trade insourcing software that the bank and its predecessor bank provided to a foreign European bank between 2008 and 2015. According to OFAC’s web notice, at the direction of a mid-level manager, the predecessor bank customized the software for general use by the European bank, which the predecessor bank “knew or should have known would involve engaging in trade-finance transactions with sanctioned jurisdictions and persons.” The European bank used the software to manage 124 non-OFAC compliant transactions totaling approximately $532 million involving parties in jurisdictions subject at the time of the transactions to sanctions regulations.
OFAC noted that the national bank inherited the trade insourcing relationships when it acquired the predecessor bank, claiming that the national bank “did not identify or stop the European bank’s use of the software platform for trade-finance transactions involving sanctioned jurisdictions and persons for seven years despite potential concerns raised internally” following the acquisition. OFAC also noted, however, that the national bank’s alleged failure to stop the violations “was not a result of a systemic compliance breakdown within the broader [] organization,” which OFAC acknowledged has “a historically strong overall sanctions-compliance program.”
In arriving at the settlement amount, OFAC considered various mitigating factors, including that (i) the majority of the 124 apparent violations related to agriculture, medicine, and telecommunications and therefore may have been eligible for a general or specific license, thus mitigating the harm to sanctions policy objectives; (ii) the legacy business unit at the predecessor bank was relatively small and that there was no indication that senior management either directed or had actual knowledge that the predecessor bank provided the software to the European bank for such purpose; and (iii) upon identifying the alleged violations, the bank promptly terminated the European bank’s access, voluntarily disclosed the matter to OFAC, conducted an extensive internal investigation, produced the results to OFAC, cooperated with OFAC throughout the investigation, agreed to toll the statute of limitations, and took remedial measures.
Concurrently, the Federal Reserve Board issued an order fining the bank holding company in the amount of $67.8 million for allegedly engaging in unsafe or unsound practices related to its oversight of sanctions compliance risks at the national bank. The Fed noted that the national bank “no longer offers the trading platform to foreign banks” and has “strengthened firmwide compliance with OFAC regulations.”
OFAC sanctions darknet marketplace for selling stolen data
On April 5, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757, against one of the world’s largest darknet marketplaces for its involvement in the theft and sale of device credentials and related sensitive information. According to OFAC, the marketplace accesses victims’ devices without authorization and sells the stolen data, including usernames and passwords, on the darknet. The action was taken in coordination with the DOJ and international partners from a dozen countries who are also taking action against market users across multiple jurisdictions and seizing associated website domains. The designation built upon previous actions taken against darknet marketplaces, including sanctions issued last year against the world’s most prominent darknet market. (Covered by InfoBytes here.) OFAC also referenced FinCEN’s 2019 Advisory on Illicit Activity Involving Convertible Virtual Currency, to warn “that darknet markets frequently include offers for the sale of illicit goods and services that use virtual currencies as a method of payment.” (Covered by InfoBytes here.) As a result of the sanctions, all property and interests in property belonging to the sanctioned entity in the U.S. must be blocked and reported to OFAC. OFAC noted that U.S. persons are prohibited from participating in transactions with sanctioned persons, and that “persons that engage in certain transactions with the entity designated today may themselves be exposed to sanctions.”
The DOJ stated in its press release that, along with its partners, it had “dismantled” the marketplace and “arrested many of its users around the world.” The DOJ explained that the marketplace “was also one also one of the most prolific initial access brokers [] in the cybercrime world,” and “attract[ed] criminals looking to easily infiltrate a victim’s computer system.” The marketplace sold access to ransomware actors looking to attack computer networks in the United States and globally, the DOJ said, adding that the marketplace also sold device “fingerprints” used to trick third-party websites into thinking the marketplace user was the actual account owner.
OFAC settles with digital platform on sanctioned transactions
On March 31, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $72,230 settlement with a global digital trading platform to resolve allegations that it processed transactions for customers who self-identified as being located in Iran or Cuba, or were employees of the Government of Venezuela (GoV). OFAC’s web notice stated that between March 2017 and May 2022, the company, or certain of its non-U.S. affiliates, allegedly maintained accounts for customers who submitted information showing their locations were in a sanctioned jurisdiction. OFAC further maintained that the company violated the Venezuela Sanctions Regulations by processing transactions on behalf of two customers who self-identified as employees of the GoV. OFAC claimed, among other things, that the company implemented inadequate compliance processes to identify, analyze, and address risks.
In its web notice, OFAC stated that it determined that “the violations were voluntarily self-disclosed and were non-egregious.” OFAC also considered various mitigating factors, including that the company has not received a penalty notice from OFAC in the preceding five years. Additionally, the company undertook numerous remedial measures upon learning of the alleged violations, cooperated with OFAC throughout the investigation, and agreed to toll the statute of limitations, the notice said.
The company issued the following response: “We appreciate that OFAC recognized our full cooperation and remediation of the issues involved in this matter. These were self-identified and self-reported matters that reflect the rigor of our compliance review processes.”
Orrick represented the company in this matter.
OFAC sanctions arms facilitator for attempted North Korea-Russia deals
On March 30, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 13551, against a Slovakian national for attempting to facilitate arms deals between Russia and the Democratic People’s Republic of Korea (DPRK) to aid Russia’s war against Ukraine. “Schemes like the arms deal pursued by this individual show that Putin is turning to suppliers of last resort like Iran and the DPRK,” Secretary of the Treasury Janet L. Yellen said. “We remain committed to degrading Russia’s military-industrial capabilities, as well as exposing and countering Russian attempts to evade sanctions and obtain military equipment from the DPRK or any other state that is prepared to support its war in Ukraine.”
As a result of the sanctions, all property and interests in property of the sanctioned individual that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC, as well as “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons.” Persons that engage in certain transactions with the designated individual may themselves be exposed to sanctions, and “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for the individual designated today could be subject to U.S. correspondent or payable-through account sanctions.”
FinCEN looks at business email threat in real estate
On March 30, FinCEN released a Financial Trend Analysis examining threat patterns and trends identified in Bank Secrecy Act (BSA) data relating to business email compromise (BEC) in the real estate sector during 2020 and 2021. According to the analysis, BEC attackers target businesses and financial institutions that routinely conduct large wire transfers and rely on email for communication about these wires. FinCEN explained in its announcement that attackers “may obtain unauthorized access to networks and systems to misappropriate confidential and proprietary information,” noting in its analysis that “[p]erpetrators typically compromise a key email account by using computer intrusions or social engineering and send an email that fraudulently directs funds to criminal-controlled accounts” where many times “the victim is tricked into thinking a legitimate email from a trusted person or entity is directing them to make a payment.” According to the Federal Bureau of Investigation’s Internet Crime Compliant Center, BEC incidents resulted in more than $43 billion in worldwide losses between June 2016 and December 2021.
FinCEN’s analysis found that attackers most commonly impersonated title and closing entities and personnel, and that 1,767 incidents involved initial domestic transfers of fraudulent funds to accounts at U.S. depository institutions (151 incidents involved initial transfers of fraudulent funds to international institutions). Additionally, the analysis found that 83 of the 2,103 reported real estate-related BEC incidents involved convertible virtual currency.
FinCEN reiterated that financial institutions, real estate sector entities, and the public “may all play an important role in protecting the U.S. financial system from [real estate] BEC attacks through awareness of actions to detect and mitigate attacks, information sharing mechanisms that can prevent attacks, and various ways to report incidents when they occur.” FinCEN further encouraged these entities to “[a]ssess the vulnerability of their business processes with respect to BEC and consider actions to ‘harden’ or increase the resiliency of their processes and systems against email fraud schemes.” This includes understanding quantifiable risks associated with the authentication of participants involved in communications, the authorization of transactions, and the communication of information and changes about transactions. Additionally, entities should “[a]dopt a multi-faceted transaction verification process—as well as training and awareness-building—to identify and evade spear phishing attempts.” FinCEN emphasized that “[i]dentifying fraudulent transaction payment instructions before payments are issued is essential to preventing and reducing unauthorized transactions.”
OFAC sanctions individuals involved in Syria’s drug production and trafficking
On March 28, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) designated key individuals for supporting the regime of Syrian President Bashar al-Assad and the regime’s billion-dollar illicit drug production and trafficking enterprise. Taken in coordination with the UK, the designations, issued pursuant to Executive Orders 13572, 13582, and 13224, “also highlight the important role of Lebanese drug traffickers—some of whom maintain ties to Hizballah—in facilitating the export of Captagon[,]” the dangerous amphetamine at issue. As a result of the sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the designated individuals or entities may themselves be exposed to sanctions or subject to an enforcement action, OFAC warned.
OFAC sanctions Belarusian state-owned enterprises and government officials; amends Belarus Sanctions Regulations
On March 24, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against Belarusian state-owned enterprises and government officials. In so doing, OFAC designated three entities and nine individuals, and identified one presidential aircraft as blocked property, pursuant to Executive Order 14038. The announcement noted that the designations build on previously issued sanctions taken against individuals and entities in Belarus in response to efforts by the Lukashenka regime to suppress democracy and support the Russian Federation’s war against Ukraine. “The authoritarian Lukashenka regime relies on state-owned enterprises and key officials to generate substantial revenue that enables oppressive acts against the Belarusian people,” Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian Nelson said in the announcement. Concurrently, the State Department imposed visa restrictions on 14 additional individuals, “including regime officials involved in policies to threaten and intimidate the Belarusian people, for their involvement in undermining democracy under Presidential Proclamation 8015.”
As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless authorized by a general or specific OFAC license, or if otherwise exempt.
Additionally, OFAC published a final rule in the Federal Register amending and reissuing the Belarus Sanctions Regulations in their entirety in order to implement the August 2021 Belarus-related Executive Order 14038 (discussed above), “Blocking Property of Additional Persons Contributing to the Situation in Belarus,” and incorporate a directive regarding sovereign debt (covered by InfoBytes here and here). The final rule (effective March 27) also updates and adds new definitions, general licenses, and interpretive guidance, among other things.
OFAC sanctions additional persons connected to Burma’s military regime
On March 24, pursuant to Executive Order 14014, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against two individuals and six entities connected to Burma’s military regime. In announcing the sanctions, OFAC explained that the Burmese military, which overthrew the country’s democratic government in February 2021, has increased its reliance on air strikes in civilian populated areas and that the designated persons have provided assistance to military efforts through the importation, storage, and distribution of jet fuel. “Burma’s military regime continues to inflict pain and suffering on its own people,” Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said in the announcement. “The United States remains steadfast in its commitment to the people of Burma, and will continue to deny the military the materiel it uses to commit these atrocities.”
In conjunction with the sanctions, OFAC published an alert warning of the sanctions risks associated with providing jet fuel to the Burmese military. As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless authorized by a general or specific OFAC license, or if otherwise exempt.
FinCEN releases beneficial ownership reporting guidance
On March 24, FinCEN released its first set of guidance materials to aid the public and small businesses in reporting beneficial ownership information (i.e., individuals who directly or indirectly own or control a company). As previously covered by InfoBytes, last September, FinCEN published a final rule establishing beneficial ownership information requirements, as required by the Corporate Transparency Act. The final rule, which becomes effective January 1, 2024, will require most corporations, limited liability companies, and other entities created in or registered to do business in the United States, to report information about their beneficial owners to FinCEN. Reporting companies created or registered before January 1, 2024, will have until January 1, 2025, to file their initial reports, while reporting companies created or registered after January 1, 2024, will have 30 days after creation or registration to file their initial reports. The guidance materials include FAQs, information on key filing dates, and informational videos. Additional guidance will be published in the coming months, including a Small Entity Compliance Guide, FinCEN said in the announcement.