InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
U.S. issues warning on North Korean hackers targeting banks worldwide
On August 26, a joint alert was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Treasury Department, the FBI, and U.S. Cyber Command warning that since February 2020, North Korean hackers have resumed targeting banks worldwide through the use of fraudulent international money transfers and ATM cash-outs. The alert provides an “overview of North Korea’s extensive, global cyber-enabled bank robbery scheme, a short profile of the group responsible for this activity, in-depth technical analysis, and detection and mitigation recommendations to counter this ongoing threat to the Financial Services sector.” The North Korean hackers, the alert notes, were responsible for stealing $81 million from a Bangladeshi bank in 2016, and have engaged in fraudulent ATM cash-outs affecting upwards of 30 countries in a single incident. According to the alert, the hackers’ “international robbery scheme” poses “severe operational risk” for individual banks beyond reputational harm and financial losses. A robbery directed at one bank may implicate multiple banks “in both the theft and the flow of illicit funds back to North Korea,” the alert warns. The hackers “initially targeted switch applications at individual banks with FASTCash malware but, more recently, have targeted at least two regional interbank payment processors,” the alert states, cautioning that this suggests the hackers “are exploring upstream opportunities in the payments ecosystem.”
Senate investigation finds that oligarchs use art industry to avoid sanctions
Last month, the U.S. Senate Permanent Subcommittee on Investigations issued a bipartisan report titled “The Art Industry and U.S. Policies that Undermine Sanctions,” which details findings from a two-year investigation related to how Russian oligarchs appear to have used the art industry to evade U.S. sanctions. According to the Subcommittee, the investigation—which focused on major auction houses, private New York art dealers, and seven financial institutions—revealed that the “secretive nature” of the art industry “allowed art intermediaries to purchase more than $18 million in high-value art in the United States through shell companies linked to Russian oligarchs after they were sanctioned by the United States in March 2014,” and that, moreover, “the shell companies linked to the Russian oligarchs were not limited to just art and engaged in a total of $91 million in post-sanctions transactions.” The report claims that the art industry is largely unregulated, and, unlike financial institutions, is not subject to the Bank Secrecy Act (BSA) and is not required to maintain anti-money laundering (AML) and anti-terrorism financing controls. However, the report notes that sanctions imposed by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) do apply to the industry, emphasizing that U.S. persons are not allowed to conduct business with sanctioned individuals or entities.
The Subcommittee’s key findings include that while four of the major auction houses have established voluntary AML controls, they treat an art agent or advisor as the principal purchaser of the art, which allows the auction house to perform due diligence on the art agent or advisor instead of identifying and evaluating a potentially undisclosed client. The auction houses also reportedly rely on financial institutions to identify the source of funds used to purchase the art. Because of these practices, the report concludes that these shell companies continue to have access to the U.S. financial system despite the imposition of sanctions.
The report makes several recommendations including: (i) the BSA should be amended to include businesses that handle transactions involving high-value art; (ii) Treasury should be required to collect beneficial ownership information for companies formed or registered to do business in the U.S., making the information available to law enforcement; (iii) Treasury should consider imposing sanctions on a sanctioned individual’s immediate family members; (iv) Treasury should announce and implement sanctions concurrently “to avoid creating a window of opportunity for individuals to avoid sanctions”; (v) the ownership threshold for blocking companies owned by sanctioned individuals should be lowered or removed; (vi) Treasury should maximize its use of suspicious activity reports filed by financial institutions to, among other things, alert other financial institutions of the risks of transacting with sanctioned entities; (vii) OFAC should issue comprehensive guidance for auction houses and art dealers on steps for determining “whether a person is the principal seller or purchaser of art or is acting on behalf of an undisclosed client, and which person should be subject to a due diligence review”; and (viii) OFAC should issue guidance on “the informational exception to the International Emergency Economic Powers Act related to ‘artworks.’”
Additionally, in June, a bipartisan group of senators introduced the Anti-Money Laundering Act of 2020 (AMLA) as an amendment (S.Amdt 2198 to S.4049) to the National Defense Authorization Act (NDAA), which would, among many other things, require federal agencies to study “the facilitation of money laundering and the financing of terrorism through the trade of works of art or antiquities” and, if appropriate, propose rulemaking to implement the study’s findings within 180 days of the AMLA’s enactment.
Agencies clarify BSA/AML due diligence requirements for “politically exposed persons”
On August 21, the FDIC, Federal Reserve Board, FinCEN, NCUA, and OCC issued a joint statement clarifying that banks should ensure customers who may be considered “politically exposed persons” (PEPs) be subject to customer due diligence matching the risk levels posed by the relationships. In general, while PEPs are not defined within the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) regulations, they commonly refer to “foreign individuals who are or have been entrusted with a prominent public function, as well as their immediate family members and close associates.” U.S. public officials are not included. Specifically, the agencies emphasized that not all individuals who might qualify as PEPs “are high risk solely by virtue of their status.” While FinCEN’s customer due diligence rule (CDD rule), requires banks to identify and verify the identities of new account holders, assess the riskiness of these customer relationships, and conduct ongoing monitoring (see InfoBytes coverage of the CDD Rule here), the agencies note that “the CDD rule does not create a regulatory requirement, and there is no supervisory expectation, for banks to have unique, additional due diligence steps for customers who are considered PEPs. Instead, the level and type of CDD should be appropriate for the customer risk.”
The joint statement also outlines a number of considerations for banks to take into account when evaluating a PEP’s risk level, including the type of products and services used, the volume and nature of transactions, the nature of the customer’s authority or influence over government activities or officials, and the customer’s access to significant government assets or funds. Among other impacts, the agencies note that the customer risk profile may effect “how the bank complies with other regulatory requirements, such as suspicious activity monitoring, since the bank structures its BSA/AML compliance program to address its risk profile, based on the bank’s assessment of risks.” The joint statement also rescinds the 2001 Guidance on Enhanced Scrutiny for Transactions that May Involve the Proceeds of Foreign Corruption related to foreign PEPs.
The agencies emphasized, however, that the joint statement does not change existing BSA/AML legal or regulatory requirements, nor does it “require banks to cease existing risk management practices if the bank considers them necessary to effectively manage risk.”
OFAC sanctions Syrian government officials
On August 20, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13573 against two senior members of the Syrian government. OFAC noted that, among other things, the designated individuals allegedly contributed to “the oppression of the Assad regime” in Syria. As a result, all property and interests in property belonging to the designated individuals and subject to U.S. jurisdiction are blocked and must be reported to OFAC. OFAC further noted that its regulations “generally prohibit all dealings by U.S. persons or within (or transiting) the United States that involve any property or interests in property of blocked or designated persons,” and warned that non-U.S. persons that engage in transactions with the designated persons may expose themselves to designation.
OFAC sanctions persons for providing support to Iranian airline, DOJ files concurrent criminal charges
On August 19, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) designated two companies, as well as the owner of one of the companies, pursuant to Executive Order 13224 for allegedly providing material support to an Iranian airline previously “designated under counterterrorism authorities for support to Iran’s Islamic Revolutionary Guard Corps-Qods Force (IRGC-QF), as well as under a counter proliferation authority that targets weapons of mass destruction proliferators and their supporters.” According to OFAC, the designated persons allegedly provided services to assist the airline sustain its fleet of aircraft and allow it to support the IRGC-QF, as well as transport Iranian technicians and technical equipment to Venezuela to support the Maduro regime. The designations follow a recent OFAC action that targeted a China-based company for allegedly acting as a general sales agent for or on behalf of the Iranian airline (covered by InfoBytes here), and serves as “another warning to the international aviation community of the sanctions risk for individuals and entities that choose to maintain commercial relationships with [the Iranian airline] and other designated airlines.” As a result of the sanctions, all property and interests in property of the designated persons that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. OFAC further noted that its regulations “generally prohibit all dealings by U.S. persons or within (or transiting) the United States that involve any property or interests in property of blocked or designated persons, unless licensed or exempt,” and warned foreign financial institutions that knowingly facilitating significant transactions or providing significant financial services to the designated persons may subject them to U.S. correspondent account or payable-through sanctions.
On the same day, the DOJ announced criminal charges against the designated individual and one of the companies for allegedly conspiring to violate U.S. export laws, defraud the U.S., and violate the International Emergency Economic Powers Act (IEEPA) and the Iranian Transactions and Sanctions Regulations (ITSRs).
Special Alert: FinCEN outlines approach to BSA enforcement
On August 18, the Financial Crimes Enforcement Network, which has overall responsibility for administering the Bank Secrecy Act, issued a short statement that, for the first time, publicly outlined its approach to BSA enforcement. Of note, FinCEN indicated that it will not base enforcement actions on an institution’s failure to comply with standards announced solely in a guidance document. Additionally, for the first time, FinCEN listed a nonexhaustive set of factors it will use to determine what enforcement steps should be taken. The statement leaves FinCEN with considerable flexibility in enforcing the BSA, and raises a number of questions for legal and compliance professionals.
The statement will be of most interest to “financial institutions,” which under the BSA include a wide swath of financial services companies, that are not subject to supervision by a federal prudential regulator authorized to enforce compliance with the BSA; most prudential regulators have their own enforcement guidelines, and the federal banking agencies recently issued a joint statement on BSA enforcement. Companies subject to FinCEN’s BSA enforcement authority, particularly those such as money services businesses without federal prudential regulators, may wish to familiarize themselves with FinCEN’s enforcement factors and tailor their compliance efforts accordingly. The statement also provides implicit guidance on what actions institutions should take upon identification of a potential violation.
No enforcement action against investment advisor in first FCPA advisory opinion in six years
On August 14, the DOJ issued an FCPA Opinion Procedure Release concluding that a U.S. financial institution’s proposed payment to a foreign government-linked investment bank would not result in an enforcement action. This is the first FCPA advisory opinion issued since 2014. According to the opinion, a U.S.-based multinational financial institution (Requestor) asked the DOJ for guidance on whether its planned conduct would conform with the DOJ’s enforcement policy regarding the FCPA’s anti-bribery provisions. The Requestor explained that it intended to pay a $237,500 fee to a foreign subsidiary of a foreign investment bank that was majority owned by a foreign government, as “compensation for services the [foreign subsidiary] provided during a two-year period in which Requestor sought to and ultimately did acquire a portfolio of assets” from a different foreign subsidiary of the same investment bank. The fee represented 0.5 percent of the face value of the assets, and was intended to compensate the foreign subsidiary for “certain enumerated analytical and advisory tasks it had performed on Requestor’s behalf.”
In response to the request, the DOJ stated that it did not presently intend to take any enforcement action if the fee payment was made, noting that there is “no information evincing a corrupt intent to offer, promise, or pay anything of value to a ‘foreign official.’” For the purposes of review, the DOJ assumed that the foreign subsidiary receiving payment is “an instrumentality of a foreign government” and its employees are considered “foreign officials” as defined by the FCPA. With those assumptions, the DOJ concluded that the facts “do not reflect a corrupt intent to influence a foreign official,” because (i) the payment would be to an office, not an individual; (ii) there was no indication the payment would be diverted to an individual and there were no representations of “corrupt offers, promises, or payments of anything of value”; and (iii) the fee was commercially reasonable in response to “specific, legitimate services.”
$21.7 million FCPA settlement for consumer lender
On August 6, the SEC announced that a South Carolina-based consumer loan company agreed to pay over $21.7 million to settle the SEC’s claims that the company violated the books and records and internal accounting controls provisions of the FCPA through its Mexican loan operations. According to the SEC, the company’s former Mexican subsidiary paid more than $4 million in bribes, “directly or through intermediaries, to Mexican government officials and union officials, from at least December 2010 through June 2017 to obtain and retain business” related to the offering of small loans to state and federal government employees. The SEC alleged that in order to “retain the ability to make loans to government employees under all of the contracts” and to ensure loan repayments were made in a timely manner, the former subsidiary paid bribes in several ways, including (i) cash payments; (ii) making deposits into bank accounts linked to government officials and union officials or those of their relatives and friends; and (iii) hiring third-party intermediaries to assist in securing business and making bribe payments, including large bags of cash, to officials.
These bribes, the SEC alleged, were then inaccurately recorded in the company’s books and records as “legitimate ‘commission’ expenses.” The SEC also found that the company and its former subsidiary lacked “internal accounting controls sufficient to detect or prevent such payments,” and that as a result of the subsidiary’s failure to implement a sufficient accounts payable system, managers pre-signed blank checks, which made “it impossible to enforce authorization limits in place over payments.” The SEC further alleged that while the former subsidiary sent spreadsheets to the parent company each month detailing the payments, the company did not require invoices or back-up support to account for the expenses and failed to identify the high risk of bribery and corruption in Mexico. Additionally, the SEC noted that despite incorporating an FCPA policy into the company’s corporate compliance manual in 2013, there was no effective formal monitoring or internal controls to ensure the former subsidiary complied with the policy. The company also allegedly lacked personnel oversight in Mexico, and “the tone at the top” from company management “did not support robust internal audit and compliance functions,” leading to several material weaknesses.
In entering into the administrative order, the SEC considered the company’s cooperation and remedial efforts. Without admitting or denying wrongdoing, the company consented to a cease and desist order, and agreed to pay a $2 million civil money penalty and approximately $19.7 million in disgorgement and pre-judgment interest.
OFAC sanctions additional persons for human rights violations in China’s Xinjiang region
On July 31, the U.S. Treasury Department’s Office of Foreign Assets Control announced sanctions pursuant to Executive Order 13818 against a Chinese government entity and two current or former government officials for alleged corruption violations of the Global Magnitsky Human Rights Accountability Act. According to OFAC, the sanctioned persons are connected to serious human rights abuse against ethnic monitories, including Uyghurs, in the Xinjiang region. Earlier in July, OFAC sanctioned another Chinese government entity and several current or former government officials for similar corruption violations (covered by InfoBytes here). As a result of the sanctions, all property and interests in property of the designated persons within U.S. jurisdiction must be blocked and reported to OFAC. OFAC notes that its regulations generally prohibit U.S. persons from participating in transactions with these individuals and entities, which includes “the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person or the receipt of any contribution or provision of funds, goods or services from any such person.”
Concurrent with the sanctions, OFAC also issued General License No. 2, which authorizes certain wind down and divestment transactions and activities related to blocked subsidiaries of the Chinese entity through September 30.
OFAC settles Iranian sanctions violations
On July 28, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $824,314 settlement with a Pennsylvania-based cookware coating manufacturer for 74 apparent violations of the Iranian Transactions and Sanctions Regulations. According to OFAC, between November 2012 and December 2015, two of the company’s foreign subsidiaries allegedly sold coatings intended for customers in Iran and engaged in trade-related transactions with Iran, despite changes to OFAC’s Iran sanctions program, which prohibited such transactions. In addition, OFAC stated that in 2013, once the company realized that these sales may be problematic, some of its U.S. employees devised and facilitated a plan to continue sales from the two subsidiaries by using third-party distributers and avoiding referencing Iran on documentation.
In arriving at the settlement amount, OFAC considered various mitigating factors, including that the apparent violations were non-egregious and (i) the company voluntarily disclosed the violations and cooperated with the investigation; and (ii) the company has undertaken significant remedial efforts to address the deficiencies and minimize the risk of similar violations from occurring in the future, including appointing compliance monitors and outside counsel, making changes to its leadership, and adopting compliance and training policies.
OFAC also considered various aggravating factors, including that the company (i) failed to implement appropriate compliance policies “commensurate with selling to a high-risk jurisdiction such as Iran”; (ii) took “affirmative steps” to help the foreign subsidiaries continue to sell to Iran through indirect channels even though it knew the sales were problematic; and (iii) senior management, including U.S. employees, had actual knowledge of the conduct leading to the alleged violations and continued to facilitate transactions with Iran.