InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OFAC settles with virtual currency exchange to resolve IP address screening deficiencies
On November 28, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $362,158 settlement with a global virtual currency exchange for allegedly exporting services to users who appeared to be located in Iran when they engaged in virtual currency transactions on the exchange’s platform. According to OFAC’s web notice, the exchange’s platform allows users to buy, sell, hold, or exchange cryptocurrencies. Users can also trade fiat currency for cryptocurrency on the platform. The exchange’s anti-money laundering and sanctions compliance program screens customers at onboarding and daily thereafter, and reviews information about IP addresses generated at the time of onboarding to prevent users in sanctioned jurisdictions from opening accounts and conducting transactions. OFAC stated, however, that between October 2015 and June 2019, the exchange allegedly processed 826 transactions totaling roughly $1.6 million on behalf of individuals who appeared to be in Iran when the transactions happened. OFAC maintained that because the exchange failed to implement IP address blocking on transactional activity across its platform, “account holders who established their accounts outside of sanctioned jurisdictions appear to have accessed their accounts and transacted on Kraken’s platform from a sanctioned jurisdiction.” As a result, the exchange allegedly violated the Iranian Transactions and Sanctions Regulations.
In arriving at the settlement amount, OFAC determined that the exchange failed to exercise due caution or care for its sanctions compliance obligations by only applying its geolocation controls at the time of onboarding and not with respect to subsequent transactional activity even though it knew customers were located worldwide.
OFAC also considered various mitigating factors, including that the exchange has not received a penalty notice from OFAC in the preceding five years, the exchange voluntarily self-disclosed the alleged violations and undertook significant remedial measures, such as (i) “adding geolocation blocking to prevent clients in prohibited locations from accessing their accounts” on the exchange’s platform; (ii) implementing blockchain analysis tools to assist with sanctions monitoring; (iii) expanding staff and providing compliance training; (iv) adding “additional screening capabilities to ensure compliance with OFAC’s ‘50 Percent Rule,’ including detailed reports on beneficial ownership; (v) contracting a vendor to assist with the identification and nationality verification through the use of artificial intelligence tools; and (vi) implementing automated controls designed to block certain accounts. In addition, the exchange agreed to invest an additional $100,000 in certain sanctions compliance controls as part of the settlement.
Providing context for the settlement, OFAC stated that this action “highlights the importance of using geolocation tools, including IP blocking and other location verification tools, to identify and prevent users located in sanctioned jurisdictions from engaging in prohibited virtual currency-related transactions”—both at the time of onboarding and throughout the lifetime of the account.
NYDFS amends cybersecurity regs
On November 9, NYDFS proposed expanded amendments to the state’s cybersecurity regulation (23 NYCRR 500) to strengthen the Department’s risk-based approach for ensuring cybersecurity risk is integrated into regulated entities’ business planning, decision making, and ongoing risk management. NYDFS’ cybersecurity regulation took effect in March 2017 (covered by InfoBytes here) and imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. NYDFS is proposing the new amendments via a data-driven approach to ensure regulated entities implement effective controls and best practices to protect consumers and businesses. “With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” Superintendent Adrienne A. Harris said in the announcement. “Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company.”
Some changes within the proposed amended regulation include:
- New Obligations for Larger Companies. The proposed amended regulation adds a new subcategory of larger covered entities called “Class A companies,” which would be subject to additional security and external auditing requirements in addition to the general requirements that apply to all covered entities. This includes, among other things, a requirement to have an external audit of a Class A company’s cybersecurity program annually. Class A companies are defined as covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years (generated from the business operations of a covered entity and its affiliates in New York) that have either (i) more than 2,000 employees averaged over the last two fiscal years (includes both the covered entity and all affiliates despite the location); or (ii) over $1 billion in gross annual revenue in each of the last two fiscal years (generated from all business operations of a covered entity and all of its affiliates).
- Cybersecurity Governance. The proposed amended regulation provides several enhancements to the Part 500 governance requirements including:
- The chief information security officer (CISO) must have adequate authority to ensure that cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.
- The CISO must present an annual written report to the covered entity’s senior governing body that addresses the covered entity’s cybersecurity program as well as five topics described in the regulation and the company’s plans for remediating material inadequacies.
- The CISO must timely report to the senior governing body material cybersecurity issues, such as updates to the covered entity’s risk assessment or major cyber events.
- If the covered entity has a board of directors or equivalent, the board or an appropriate committee shall have sufficient expertise and knowledge (or be advised by persons with sufficient knowledge and expertise) to exercise effective oversight of cyber risk management.
- Notice of Compliance. The annual certification of compliance must be signed by the covered entity’s highest-ranking executive and its CISO. The proposed amended regulation would allow a covered entity to choose to alternatively provide written acknowledgement that a covered entity did not fully comply with the regulation by describing the areas of noncompliance, including areas, systems, and processes that require material improvement, updating, or redesign, and a remedial plan and timeline for their implementation.
- Requirements for Resiliency, Business Continuity, and Disaster Recovery Plans. The proposed amended regulation adds significant documentation and technical requirements for business continuity and disaster recovery plans, including: (i) designation of essential data and personnel; (ii) communication preparations; (iii) back-up facilities; and (iv) identification of necessary third parties.
- Risk Assessments. The proposed amended regulation expands the definition of risk assessment. A covered entity’s risk assessment shall be reviewed and updated at least annually and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk. Class A companies are required to use external experts to conduct a risk assessment at least once every three years.
- Technology. The proposed amended regulation adds several significant mandatory security control requirements, including:
- Asset Inventory: Each covered entity will be required to implement written policies and procedures to ensure a complete, accurate, and documented asset inventory. At a minimum, the policies and procedures should include a method to track key information for each asset, including, as applicable, the owner, location, classification or sensitivity, support expiration date, and recovery time requirements.
- Privilege Management: The proposed amended regulation introduces additional standards for privilege management, including, among other things, that covered entities must (i) limit privileged accounts to only those that are necessary and to conduct only specific functions; (ii) conduct access reviews on at least an annual basis; (iii) disable or securely configure remote access protocols; and (iv) promptly terminate access privileges for departing users.
- Multi-Factor Authentication: The proposed amendment expands the type of accounts and access types that require multi-factor authentication, to include all privileged accounts.
- Vulnerability Management: Cybersecurity programs must now, through policies and procedures, explicitly address internal and external vulnerabilities, remediate issues in a timely manner, and report material issues to senior management.
- Reporting Requirements. The proposed amended regulation contains provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or “deployment of ransomware within a material part of the covered entity’s information system.” This timeframe also applies to cybersecurity events that occur at a third-party service provider. Entities would also be directed to provide the superintendent within 90 days of the notice of the cybersecurity event “any information requested regarding the investigation of the cybersecurity event.” Additionally, entities would also be directed to alert the Department within 24 hours of making a ransom payment. Within 30 days, entities must also explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations, including federal sanctions implications.
- Small Business Exemption. NYDFS noted in its announcement that based on industry feedback as well as the operating realities facing small businesses, it is proposing to raise the exemption threshold for small companies. If adopted, limited exemptions will be provided to covered entities with (i) fewer than 20 employees, including any of the entity’s independent contractors or its affiliates located in the state or that are responsible for the business of a covered entity; (ii) less than $5 million in gross annual revenue in each of the last three fiscal years from business operations of a covered entity and its affiliates in the state; and (iii) less than $15 million in year-end total assets, including the assets of all affiliates.
The proposed amended regulation is subject to a 60-day comment period beginning on November 8th upon publication in the State Register. NYDFS stated it looks forward to receiving feedback on the proposed amended regulation during this comment period. As the comment period ends, NYDFS will then review received comments and either repropose a revised version or adopt the final regulation. Covered entities will have 180 days from the effective date to comply except as otherwise specified.
See continuing InfoBytes coverage on 23 NYCRR Part 500 here.
OFAC updates FAQs related to sanctioned virtual currency “mixer”
On November 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published one new and three amended cyber-related FAQs related to sanctions issued in August against a virtual currency mixer accused of allegedly laundering more than $7 billion. As previously covered by InfoBytes, OFAC claimed the company “repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis.” Newly added FAQ 1095 clarifies that a designated “person” under Executive Order 13722 or 13694 is a “partnership, association, joint venture, corporation, group, subgroup, or other organization.” Amended FAQs 1076, 1078, and 1079 (i) explain how persons can complete transactions or withdraw virtual currency without violating U.S. sanctions regulations; (ii) clarify whether OFAC reporting obligations apply to “dusting” transactions (wherein “certain U.S. persons may have received unsolicited and nominal amounts of virtual currency or other virtual assets from [the sanctioned company’s] smart contracts”; and (iii) outline prohibitions resulting from the sanctions.
OFAC, FinCEN take action against virtual currency exchange
On October 11, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), together with the Financial Crimes Enforcement Network (FinCEN), announced two settlements for more than $24 million and $29 million, respectively, with a Washington state-based virtual currency exchange. According to OFAC’s announcement, this is the agency’s largest virtual currency enforcement action to date, and represent the first parallel actions taken by FinCEN and OFAC in this space.
OFAC settlement. OFAC’s web notice stated that between March 28, 2014 and December 31, 2017, the exchange operated 1,730 accounts that processed 116,421 virtual currency-related transactions totaling roughly $263,451,600.13, in apparent violation of OFAC sanctions against Cuba, Ukraine, Iran, Sudan, and Syria. Specifically, due to alleged deficiencies in the exchange’s sanctions compliance procedures, the exchange failed to prevent persons located in the sanctioned jurisdictions from using its platform to engage in more than $263,000,000 worth of virtual currency-related transactions. OFAC claimed that while the IP addresses and physical address information collected on each customer at onboarding should have given the exchange reason to know that the persons were located in jurisdictions subject to sanctions, the exchange did not “screen customers or transactions for a nexus to sanctioned jurisdictions.” Rather, the exchange only screened transactions for hits against lists including OFAC’s List of Specially Designated Nationals and Blocked Persons. In arriving at the settlement amount of $24,280,829.20, OFAC considered various aggravating factors, including that the exchange did not exercise due caution or care for its sanctions compliance obligations and conveyed economic benefit to persons located in jurisdictions subject to OFAC sanctions, thus causing harm to the integrity of multiple sanctions programs. OFAC also considered various mitigating factors, including that the exchange provided substantial cooperation throughout the investigation, most of the transactions were for a relatively small amount and represented a small percentage when compared to the exchange’s annual volume of transactions, and the exchange has undertaken remedial measures intended to minimize the risk of recurrence of similar conduct.
FinCEN settlement. According to FinCEN’s press release, an investigation found that from February 2014 through December 2018, the exchange failed to maintain an effective AML program, resulting in its inability to appropriately address risks associated with its products and services, including anonymity-enhanced cryptocurrencies. The exchange also failed to effectively monitor transactions on its trading platform, and relied “on as few as two employees with minimal anti-money laundering training and experience to manually review all of the transactions for suspicious activity, which at times were over 20,000 per day.” FinCEN claimed that the exchange conducted more than 116,000 transactions valued at over $260 million with persons located in jurisdictions subject to OFAC sanctions, including those operating in Iran, Cuba, Sudan, Syria, and the Crimea region of Ukraine, and failed to file suspicious activity reports (SARs) between February 2014 and May 2017. The exchange also “failed to file SARs on a significant number of transactions involving sanctioned jurisdictions, including the processing of over 200 transactions that involved $140,000 worth of virtual assets—nearly 100 times larger than the average withdrawal or deposit on the Bittrex platform—and 22 transactions involving over $1 million worth of virtual assets,” FinCEN said in its announcement. Under the terms of the consent order, the exchange—which admitted to willfully violating the Bank Secrecy Act (BSA) and its implementing regulations—will pay a $29,280,829.20 civil money penalty. FinCEN stated it will credit the $24,280,829.20 the exchange has agreed to pay for the OFAC violations.
During remarks delivered at the Association of Certified Anti-Money Laundering Specialists, Under Secretary for Terrorism and Financial Intelligence Brian Nelson discussed, among other topics, Treasury’s efforts to counter illicit finance. Nelson highlighted the aforementioned settlements, stressing that failing to comply with BSA/AML requirements and SARs filing obligations “are not something that companies focused on growth can simply put off to a later day.” He also emphasized that Treasury will continue to strengthen ties with interagency partners and international counterparts to identify and pursue potential violations.
States accuse crypto platform of offering unregistered securities
On September 26, the New York attorney general sued a cryptocurrency platform for allegedly offering unregistered securities and defrauding investors. New York was joined by state regulators from California, Kentucky, Maryland, Oklahoma, South Carolina, Washington, and Vermont who also filed administrative actions against the platform. The states alleged that the platform failed to register as a securities and commodities broker but told investors that it was fully in compliance. According to the New York AG’s complaint, the platform promoted and sold securities through an interest-bearing virtual currency account that promised high returns for participating investors. The NY AG said that a cease-and-desist letter was sent to the platform last year, and that while the platform stated it was “working diligently to terminate all services” in the state, it continued to handle more than 5,000 accounts as of July. The complaint charges the platform with violating New York’s Martin Act and New York Executive Law § 63(12), and seeks restitution, disgorgement of profits, and a permanent injunction.
California’s Department of Financial Protection and Innovation (DFPI) said in a press release announcing its own action that it will continue to take “aggressive enforcement efforts against unregistered interest-bearing cryptocurrency accounts.” DFPI warned companies that crypto-interest accounts are securities and are therefore subject to investor protection under state law, including disclosure of associated risks.
OFAC publishes additional guidance related to sanctioned virtual currency “mixer”
On September 13, the U.S. Treasury Department’s Office of Foreign Assets Control published new cyber-related frequently asked questions concerning transactions involving a virtual currency mixer sanctioned last month for allegedly laundering more than $7 billion in virtual currency since 2019. As previously covered by InfoBytes, the company “repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis,” and provided financial, material, or technological support for, or in support of, cyber-enabled activity contributing to a significant threat to the national security, foreign policy, or economic health or financial stability of the U.S. The FAQs outline requirements for completing virtual currency transactions without violating U.S. sanctions regulations, discuss whether OFAC reporting obligations apply to transactions involving unsolicited and nominal amounts of virtual currency, and reiterate that transactions involving identified virtual currency wallet addresses are prohibited absent a specific OFAC license. The FAQs noted that as part of the SDN List entry, OFAC included as identifiers certain virtual currency wallet addresses associated with the company as well as the company’s URL address. OFAC provided additional clarification on interactions with open-source code that does not involve a prohibited transaction with the sanctioned company.
D.C. Department of Insurance, Securities and Banking says certain Bitcoin activity subject to money transmission laws
Recently, the District of Columbia’s Department of Insurance, Securities and Banking (DISB) issued a bulletin informing industry participants engaging in or planning to engage in money transmission involving Bitcoin or other virtual currency “used as a medium of exchange, method of payment or store of value in the District” that such transactions require a money transmitter license. Specifically, the bulletin noted that DISB considers Bitcoin to be money for money transmission purposes. Relying on United States v. Larry Dean Harmon, DISB stated that while “money transmission is vaguely defined in DC Code,” the court’s decision “relied on the common use of the term “money” to mean a “medium of exchange, method of payment or store of value,” and that therefore Bitcoin functions like money. The bulletin also noted that the court found that while the D.C. Money Transmitters Act of 2000 specifically defined certain banking and financial terms, it did not define “money,” thereby reasoning “that the goal of the MTA is to regulate all kinds of transfers of funds, whether fiat currency, virtual currency or cryptocurrencies.”
Additionally, DISB noted that “engaging in the business of ‘money transmission’” includes “transactions where entities receive for transmission, store, and/or take custody, of Bitcoin and other virtual currencies from consumers via kiosks (aka BTMs), mobile applications and/or online transactions.” However, transactions where entities propose to sell and buy Bitcoin and other virtual currencies from consumers in exchange for cash payments via kiosks and/or online transactions are not considered to be money transmission. Entities that plan to engage in covered activities are subject to money transmission licensing requirements, DISB stated, explaining that whether an entity is required to obtain a money transmitter license depends on the individual facts and circumstances of each applicant, which include but are not limited to an applicant’s proposed business plan and flow of funds, as well as an applicant’s business model.
House Republican concerned about Treasury sanctions on virtual currency mixer
On August 23, Representative Tom Emmer (R-MN) sent a letter to Treasury Secretary Janet Yellen raising privacy and due process concerns related to recent “first-of-their-kind” sanctions issued against a virtual currency mixer accused of allegedly laundering more than $7 billion in virtual currency, including more than $455 million stolen by a Democratic People’s Republic of Korea state-sponsored hacking group that is separately subject to U.S. sanctions (covered by InfoBytes here). The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) said the sanctions resulted from the company “having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a cyber-enabled activity originating from, or directed by persons located, in whole or in substantial part, outside the United States that is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that has the purpose or effect of causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.” (Covered by InfoBytes here.)
Emmer stressed, however, that adding the company to OFAC’s Specially Designated Nationals and Blocked Persons (SDN) List seemed to diverge from previous OFAC precedent since several of the company’s designated “smart contract addresses” do not appear to be a person, entity, or property, but rather are distributed technological tools that are not controlled by any entity or natural person. “OFAC has a long, commendable history of utilizing financial sanctions to enhance the national security of the United States,” the letter said. “Nonetheless, the sanctioning of neutral, open-source, decentralized technology presents a series of new questions, which impact not only our national security but the right to privacy of every American citizen.” Emmer referenced May 2019 guidance issued by FinCEN (covered by InfoBytes here), which he said drew “a distinction between ‘providers of anonymizing services’ (including ‘mixers’)” which are subject to Bank Secrecy Act obligations and “‘anonymizing software providers’” which are not. Emmer recognized that OFAC is not bound by FinCEN regulations, but said it is his understanding that the sanctioned company is “simply the anonymizing software deployed on the blockchain.”
Emmer requested clarification from Treasury on several questions, including the factors OFAC considers when designating technology to the SDN List and how OFAC plans to “uphold the appeals process for the sanctioned addresses that have no ability to appeal the sanction to OFAC” because they “are smart contracts with no agency, corporate or personal, and as such cannot speak for themselves or those whose funds they hold.”
OFAC sanctions “mixer” for laundering over $7 billion in virtual currency
On August 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13694 against a virtual currency mixer accused of allegedly laundering more than $7 billion in virtual currency since 2019. According to OFAC, this amount includes more than $455 million stolen by a previously sanctioned Democratic People’s Republic of Korea state-sponsored hacking group (covered by InfoBytes here). OFAC stated that the designations resulted from the company “having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a cyber-enabled activity originating from, or directed by persons located, in whole or in substantial part, outside the United States that is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that has the purpose or effect of causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.” Under Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson, added that the company “repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis,” and stressed that Treasury “will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.” As previously covered by InfoBytes, in 2020, Treasury’s FinCEN penalized a bitcoin mixer $60 million for violating the Bank Secrecy Act.
As a result of the sanctions, all property and interests in property of the sanctioned entity that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC, as well as “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons.” OFAC noted that its regulations prohibit U.S. persons from participating in transactions with designated persons unless authorized by a general or specific license issued by OFAC or exempt.
Treasury further stressed that players in the virtual currency industry should take a risk-based approach for assessing risks associated with different virtual currency services, implementing measures to mitigate risks, and addressing the challenges anonymizing features can present to anti-money laundering/countering the financing of terrorism sanctions obligations. “[M]ixers should in general be considered as high-risk by virtual currency firms, which should only process transactions if they have appropriate controls in place to prevent mixers from being used to launder illicit proceeds,” Treasury said.
Special Alert: NYDFS fines trading platform for BSA/AML, transaction monitoring, and cybersecurity lapses
The New York Department of Financial Services and a trading platform on Aug. 1 entered into a consent order to resolve deficiencies identified during a 2019 examination and a subsequent investigation by the department’s enforcement section. The consent order focused on deficiencies related to Bank Secrecy Act and anti-money-laundering compliance, transaction monitoring, cybersecurity, and related New York certifications of compliance. The company will pay a $30 million civil monetary penalty and retain an independent consultant that will assist with remediating the issues highlighted in the order and report to NYDFS on remediation progress.
The consent order has far-reaching implications for all financial services companies that come under the jurisdiction of the NYDFS.
The trading platform is a wholly owned subsidiary of a financial services company that offers U.S.-based retail investors the ability to trade stocks, options, and crypto currency on a commission-free basis through its broker-dealer subsidiary. The trading platform is licensed by the NYDFS to engage in virtual currency and money transmitter businesses in New York. Of primary concern for the NYDFS was the platform’s alleged reliance on its parent company’s compliance and cybersecurity programs through enterprisewide systems that the NYDFS found to be inadequate. Additionally, according to NYDFS, the platform allegedly had few to no qualified personnel or management involved in overseeing those programs, which NYDFS has implicitly indicated cannot be outsourced.