InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OFAC Clarifies Iran Sanctions Snapback, Also Amends General License Regarding Foreign Flights to Iran
On December 15, OFAC updated the Frequently Asked Questions Relating to the Lifting of Certain U.S. Sanctions Under the Joint Comprehensive Plan of Action, clarifying two FAQs regarding the re-imposition of sanctions in the event of a “sanctions snapback.” Among other things, the revised guidance clarified that the U.S. will not retroactively impose sanctions for activity considered legitimate during the time of the transaction, but that activity would have to immediately halt because the agreement does not grandfather existing contracts. In addition, OFAC explained that the U.S. would provide non-Iranian foreigners a 180-day period to wind down operations that were authorized prior to a snapback. The FAQ-guidance also explained that if a snapback of sanctions were to result in the revocation of licenses, the U.S. government would provide a 180-day wind-down period for those deals, and non-Iranian foreigners could receive repayment from Iranians for goods and services provided prior to a snapback under the terms of an existing contract.
Separately, OFAC issued amended license General License J-1, regarding foreign flights to Iran, to also authorize flights that involve code-sharing agreements. A code-share is a marketing arrangement in which an airline places its designator code on a flight operated by another airline, and sells tickets for that flight. GL J-1 is effective as of December 15 and replaces and supersedes General License J in its entirety.
FinCEN Issues Advisory and Supplemental FAQs on Cyber-Events and Cyber-Enabled Crime
On October 25, FinCEN issued advisory bulletin FIN-2016-A005 reminding financial institutions of their Bank Secrecy Act (BSA) obligations to report certain cyber-events and cyber-enabled crime. The advisory highlights the importance of (i) reporting cyber-events and cyber-enabled crime through Suspicious Activity Reports (SARs); (ii) including cyber-related information such as IP addresses with timestamps, virtual-wallet information, device identifiers, and cyber-event information, in SAR reporting; (iii) collaborating with BSA/AML, cybersecurity, and other in-house units to facilitate “a more comprehensive threat assessment and develop appropriate risk management strategies to identify, report, and mitigate cyber-events and cyber-enabled crime”; and (iv) sharing cyber-related information – including specific malware signatures, IP addresses and device identifiers, and virtual currency addresses that seem anonymous – amongst financial institutions for the “purpose of identifying and, where appropriate, reporting money laundering or terrorist activities.” Importantly, the advisory distinguishes between mandatory SAR reporting of cyber-events, providing three specific examples, and voluntary reporting of cyber-events. Per the advisory, “[c]yber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.”
FinCEN simultaneously issued FAQs to supplement advisory bulletin FIN-2016-A005. The FAQs, which supersede 2001 FAQs regarding computer intrusion, provide answers to a set of nine questions. The FAQs address, among other things, (i) when cyber-related SAR reports should be filed; (ii) the type of information that should be included in cyber-related SARs; and (iii) cyber-event and cyber-enabled crime information sharing, pursuant to Section 314(b) of the USA PATRIOT Act, between financial institutions.
OFAC Amends Cuban Assets Controls Regulations
OFAC took an additional step toward further implementation of President Obama’s new policy direction toward Cuba on October 17, with the publication of a final rule amending the Cuban Assets Control Regulations, 31 CFR Part 515 (CACR). Of those most relevant to financial institutions, OFAC updated the CACR by, among other things, amending paragraphs (c) and (f) of section 515.584, which relates to certain financial transactions involving Cuba. Section 515.584(c), as outlined in OFAC’s set of updated FAQs, “authorizes all transactions incident to the processing and payment of credit and debit card transactions for third-country nationals traveling to, from, or within Cuba.” FAQ number 49 further explains that “[a]ny person subject to U.S. jurisdiction, including U.S. financial institutions and their foreign branches, may conduct transactions authorized by [section 515.584(c)].” Section 515.584(f), as explained by FAQ 73, permits: Any banking institution …that is a person subject to U.S. jurisdiction is authorized to provide financing for exports or reexports of items, other than agricultural commodities, authorized pursuant to § 515.533, including issuing, advising, negotiating, paying, or confirming letters of credit (including letters of credit issued by a financial institution that is a national of Cuba), accepting collateral for issuing or confirming letters of credit, and processing documentary collections. OFAC’s amendments to the CACR are effective immediately.
FFIEC Releases FAQs on Cybersecurity Assessment Tool
On October 17, the FFIEC published a Frequently Asked Questions guide related to the Cybersecurity Assessment Tool (Assessment) that was released in Summer 2015. Developed to assist financial institutions identify risks and to assess cybersecurity preparedness, use of the Assessment is voluntary. The FAQs guide explains that management may use the Assessment to determine an institution’s cybersecurity maturity level within five different domains: (i) Cybersecurity Risk Management and Oversight; (ii) Threat Intelligence and Collaboration; (iii) Cybersecurity Controls; (iv) External Dependency Management; and (v) Cyber Incident Management and Resilience. The FAQs guide clarifies that “the Assessment is not designed to identify an overall cybersecurity maturity level.” Regarding third-party oversight, FAQ number 10 explains that the Assessment may be used as a resource for management’s “oversight of third parties as part of the institution’s comprehensive third-party management program.” Additional topics addressed in the FAQs include, but are not limited to, the following: (i) how the Assessment aligns with the National Institute of Standards and Technology Cybersecurity Framework; (ii) whether an automated version of the Assessment will be released; (iii) the Assessment’s ability to determine an institution’s Inherent Risk Profile; and (iv) the expectations for Inherent Risk Profile levels to align with an institution’s Cybersecurity Maturity.
OFAC Publishes Fact Sheet and FAQ Related to Termination of Burma Sanctions Program; Updates SDN List
On October 7, OFAC published a Fact Sheet and Frequently Asked Question (FAQ) number 481 regarding the implementation of the President’s Executive Order entitled “Termination of Emergency with Respect to the Actions and Policies of the Government of Burma.” OFAC’s fact sheet explains that all OFAC-administered restrictions and authorizations under the Burma sanctions program pertaining to banking with Burma, including 2012 and 2013 OFAC general licenses that authorized certain correspondent account activity with Burmese banks, are terminated pursuant to the Executive Order. FAQ 481 clarifies that “[p]ending OFAC enforcement matters will proceed irrespective of the termination of OFAC-administered sanctions on Burma, and OFAC will continue to review apparent violations of the [Burmese Sanctions Regulations], whether [such violations] came to the agency’s attention before or after the Burma sanctions program was terminated.” In connection with terminating the Burma-related sanctions program, OFAC made several deletions to its SDN List.
OFAC Updates Iran-Related FAQs
On October 7, OFAC updated its Frequently Asked Questions (FAQs) relating to the Listing of Certain U.S. Sanctions under the Joint Comprehensive Plan of Action (JCPOA). In addition to adding three FAQs related to due diligence (see M.10 through M.12), OFAC amended two FAQs (C.7 and C.15) regarding Financial and Banking Measures and one FAQ (K.19) related to Foreign Entities Owned or Controlled by U.S. Persons. FAQ M.10 clarifies that while “[i]t is not necessarily sanctionable for a non-U.S. person to engage in transactions with an entity that is not on the SDN List but that is minority owned, or that is controlled in whole or in part, by an Iranian or Iran-related person on the SDN List,” it is recommended that persons engaging in such transactions exercise caution to ensure that they do not involve Iranian or Iran-related persons on the SDN List. FAQs M.11 and M.12, respectively, address (i) due diligence expectations related to the screening of potential Iranian counterparties; and (ii) the circumstances under which OFAC expects a non-U.S. financial institution to repeat the due diligence their customers have already performed on an Iranian customer.
OFAC Publishes Burma-Related FAQ
On September 14, President Obama announced his intent to lift certain sanctions against Burma and to designate it as a least-developed beneficiary developing country for the purposes of the Generalized System of Preferences program, a status that would allow imported products from Burma to enjoy lower tariffs and preferential treatment. Accordingly, OFAC published new FAQ 480 to address the President’s announcement regarding the policy change with respect to Burma. The policy change will take effect when the President issues a new Executive Order and, at that time, OFAC “will formally remove the Burmese Sanctions Regulations from the Code of Federal Regulations and take other administrative actions as necessary.”
GSEs Release Redesigned Uniform Residential Loan Application
On August 23, Fannie Mae and Freddie Mac (GSEs) published a redesigned Uniform Residential Loan Application (URLA), the first substantial update to the standardized form used by borrowers applying for a residential loan in more than 20 years. The GSEs also released a redesigned Uniform Loan Application Dataset (ULAD) Mapping Document, used to “ensure consistency of data delivery.” The GSEs revised the URLA and ULAD by (i) redesigning the format to support better efficiency and more accurate data collection; (ii) including new and updated fields intended to “[c]apture loan application details that reflect today’s mortgage lending business and support both the GSEs’ and government requirements”; (iii) simplifying instructions; and (iv) incorporating revised HMDA demographic questions. The GSEs released FAQs about the redesigned URLA and ULAD, which will be available for lender use beginning January 1, 2018. Among other things, the FAQs note that (i) the GSEs will continue to support the URLA in paper form; and (ii) updates to the published documents may be required as a result of the CFPB’s review of the redesigned URLA in connection with the Regulation B safe harbor.
Federal Banking Agencies Urge Financial Institutions to Conduct Diversity Self-Assessments
On August 2, the Federal Reserve, OCC, and FDIC released FAQs regarding their standards for assessing the diversity policies and practices of regulated entities. Following the June 10, 2015 Federal Register publication titled “Final Interagency Policy Statement Establishing Joint Standards for Assessing the Diversity Policies and Practices of Entities Regulated by the Agencies” (Policy Statement), the FAQs seek to clarify the agencies’ standards for entities conducting self-assessments of their diversity policies. Although self-assessments are voluntary, the banking agencies strongly encourage financial institutions to disclose their diversity policies, diversity practices, and self-assessment information on their websites and provide the same to their primary federal financial regulator.
OFAC Updates Cuba-Related FAQs
On July 25, OFAC updated its list of frequently asked questions related to Cuba to clarify requirements applicable to persons subject to U.S. jurisdiction that are providing carrier or travel services to Cuba pursuant to 31 C.F.R. § 515.572. According to new FAQ 38, where such a person is providing travel or carrier services to a customer traveling to or from Cuba under a specific license, OFAC will consider the collection and retention of the traveler’s specific license number to be equivalent to collecting and retaining a physical or electronic copy of the specific license, as required by § 515.572(b)(1). The carrier or travel services provider must maintain a record of the specific license number or a copy of the license for at least five years. Revised FAQ 39 reiterates that authorized carrier or travel service providers must also retain a certification from each customer traveling to or from Cuba indicating the provision of the Cuban Assets Control Regulations that authorizes travel and the names and addresses of the individual travelers for at least five years from the date of the transaction.