
InfoBytes Blog

Financial Services Law Insights and Observations


  • OFAC sanctions target IRGC

    Financial Crimes

    On June 1, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) designated members and affiliates of Iran’s Islamic Revolutionary Guard Corps and its external operations arm, the IRGC-Qods Force (IRGC-QF), pursuant to Executive Order 13224, for participating in a series of plots against former U.S. officials, dual U.S. and Iranian nationals, and Iranian dissidents.

    The following were specifically designated: (i) two operatives designated “for having acted for or on behalf of, directly or indirectly, the IRGC-QF”; (ii) an IRGC-QF official designated “for acting or on behalf of the IRGC-QF”; and (iii) a dual Iranian and Turkish national designated “for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, the IRGC-QF” by using his Turkey-based airline to support the IRGC-QF covert operations. (The airline is separately designated.)

    As a result of the sanctions, all property and interests in property of the individuals and entities named above, and of any entities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked persons, that are in the U.S. or in the possession or control of U.S. persons, must be blocked and reported to OFAC. OFAC’s announcement further noted that its regulations “generally prohibit” U.S. persons from participating in transactions with designated persons unless exempt or otherwise authorized by a general or specific license. The prohibitions include the making or receiving of any contribution of funds, goods, or services to or for the benefit of those persons.

    Financial Crimes OFAC Sanctions OFAC Designations SDN List OFAC Department of Treasury

  • OFAC issues new general licenses related to Russia and Venezuela sanctions

    Financial Crimes

    The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) recently released two general licenses relating to Russia and Venezuela. Newly issued Russia-related General License (GL) 69 authorizes certain debt securities servicing transactions issued by an identified bank that would otherwise be prohibited by Executive Order (E.O.) 14024. Interest or principal payments on the authorized transactions cannot be made to persons located in the Russian Federation, and any payments made to a blocked person must be done in accordance with the Russian Harmful Foreign Activities Sanctions Regulations regardless of where the person is located.

    OFAC also issued GL 8L, which authorizes transactions involving Petróleos de Venezuela, S.A. (PdVSA) that are deemed necessary for the wind down of operations in Venezuela for certain entities. While authorizing some transactions, GL 8L also includes a comprehensive list of transactions that are not authorized, including “[a]ny loans to, accrual of additional debt by, or subsidization of PdVSA, or any entity in which PdVSA owns, directly or indirectly, a 50 percent or greater interest, including in kind, prohibited by E.O. 13808 of August 24, 2017, as amended by E.O. 13857, and incorporated into the [Venezuela Sanctions Regulations].”

    Financial Crimes Of Interest to Non-US Persons OFAC OFAC Designations OFAC Sanctions Department of Treasury Russia Venezuela

  • NYDFS circulates advisory on file transfers

    Privacy, Cyber Risk & Data Security

    On June 2, NYDFS notified all regulated entities that an identified SQL injection vulnerability found in a web application of a managed file transfer software may allow unauthenticated attackers to gain access to its database. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and others circulated the advisory, which cautioned that this vulnerability is being actively exploited by threat actors to deploy ransomware, steal data, and disrupt operations. NYDFS advised all regulated entities to conduct prompt risk assessments on their organizations, customers, consumers, and third-party service providers to mitigate risk. Regulated entities were also reminded about the requirement to report cybersecurity events as promptly as possible but no later than 72 hours, and that “evidence of unauthorized access to information systems, such as webshell installation, even if there has been no malware deployed or data exfiltrated,” is considered a reportable cybersecurity event under 23 NYCRR Section 500.17(a)(2).

    Privacy, Cyber Risk & Data Security State Issues State Regulators NYDFS Department of Homeland Security 23 NYCRR Part 500 Consumer Protection Act

  • FTC, DOJ sue e-commerce company over child data

    Federal Issues

    On May 31, the DOJ filed a complaint on behalf of the FTC against a global e-commerce tech company for allegedly violating the Children’s Online Privacy Protection Act Rule (COPPA) relating to its smart voice assistant’s data collection and retention practices. While the company repeatedly assured users that they could delete collected voice recordings and geolocation information, the complaint alleged that the company held onto some of this information for years to improve its voice assistant’s algorithm, thus putting the data at risk of harm from unnecessary access. The complaint also contended that, for a significant period of time, the company continued to retain transcripts for recordings even after the voice recordings were deleted. According to the complaint, the company failed to provide complete, truthful notice to parents about its deletion practices and lacked an effective system to ensure users’ data deletion requests were honored.

    The proposed court order would require the company to pay a $25 million civil money penalty and would prohibit the company from using geolocation and voice to create or improve any of its data products after a deletion request. The company would also be required to (i) delete any inactive smart voice assistant children’s accounts; (ii) notify users about its data retention and deletion practices and controls; and (iii) implement a privacy program specific to its use of users’ geolocation information, among other things.

    Federal Issues Privacy, Cyber Risk & Data Security FTC DOJ Enforcement COPPA Consumer Protection

  • OFAC sanctions Syrian financial facilitators allied with IRGC-QF

    Financial Crimes

    On May 30, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 13582 and the Caesar Syrian Civilian Protection Act of 2019 (Caesar Act), against two Syrian money service businesses and the three owners and operators of Al-Fadel Exchange, which have secretly helped the Syrian regime under Bashar al-Assad and its Hizballah and Islamic Revolutionary Guard Corps-Qods Force (IRGC-QF) allies maintain access to the international financial system in violation of international sanctions. Both E.O. 13582 and the Caesar Act underscore the gravity of enabling violent regimes to circumvent sanctions. These sanctions come on the heels of OFAC’s March 28 designation, also pursuant to the Caesar Act, of individuals involved in Syria’s drug production and trafficking (previously covered by InfoBytes here). As a result of these sanctions, “all property and interests in property of these persons which are in or come within the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. In addition, any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Additionally, “persons that engage in certain transactions with the persons designated today may themselves be exposed to sanctions or subject to an enforcement action.”

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Designations OFAC Sanctions SDN List Syria

  • OFAC sanctions terror operatives and charcoal smugglers in Somalia

    Financial Crimes

    On May 24, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order (E.O.) 13536 and E.O. 13244, against 26 individuals and entities connected with terrorist group al-Shabaab. According to OFAC, the 15 financial facilitators and operatives, four charcoal smugglers, and seven of their associated companies are designated for financial facilitation, business activities, collection of funds on behalf of the terrorist group, proliferation of Improvised Explosive Devices (IEDs), and illegal charcoal smuggling from Somalia, all of which have exacerbated local conflicts and suffering. The 15 designated individuals have generated hundreds of thousands of dollars through illegal fee collections from local Somalis, to support al-Shabaab operations and weapons procurement in southern Somalia. Regarding the four charcoal smugglers, after 2012, Somali charcoal exports and imports were banned pursuant to United Nations Security Council Resolution 2036 due to its role in fueling instability in Somalia and funding criminal and terrorist organizations.

    As a result of the sanctions, all property and interests in property of the designated persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. OFAC further mentioned, “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today could be subject to U.S. correspondent or payable-through account sanctions.” Lastly, OFAC stressed that engaging in certain transactions with several of the individuals and entities designated entails “risk of secondary sanctions pursuant to E.O. 13224, as amended. Pursuant to this authority, OFAC can prohibit or impose strict conditions on the opening or maintaining in the United States of a correspondent account or a payable-through account of a foreign financial institution that knowingly conducted or facilitated any significant transaction on behalf of a Specially Designated Global Terrorist.”

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Designations OFAC Sanctions SDN List Somalia

  • OFAC sanctions DPRK cyber and IT workers

    Financial Crimes

    On May 23, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order (E.O.) 13687 and E.O. 13810, against four entities and one individual, involved in obscure revenue generation and malicious cyber activities supporting the Democratic People’s Republic of Korea (DPRK) government. Through continued coordination with the Republic of Korea (ROK), one individual and one of the entities are concurrently being sanctioned by the ROK, while the other three entities OFAC designated were previously sanctioned by the ROK earlier in February. According to OFAC, the malicious cyber action and illicit IT worker revenue generation supports the DPRK’s unlawful weapons of mass destruction and ballistic missile programs. As a result of the sanctions, all property and interests in property of the designated persons that are in the United States, or in the possession or control of U.S. persons, are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked. OFAC further mentioned, “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today could be subject to U.S. correspondent or payable-through account sanctions.”

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Designations OFAC Sanctions SDN List North Korea

  • NYDFS calls its virtual currency framework the “gold standard”

    Fintech

    On May 25, NYDFS Superintendent Adrienne Harris testified before the New York assembly to address the regulation of virtual currency in the state. Harris highlighted the value and “gold standard” set by NYDFS’s virtual currency regulatory framework. She detailed how novel risks in that landscape were met with subsequent growth of the virtual currency unit since her arrival, including the addition of 50 professionals and a range of seasoned experts to streamline enforcement investigations.

    In her testimony, Harris also voiced how the framework responsibly supports innovation for entities engaging primarily in virtual currency activities, leveraging their licensing (BitLicense) and chartering (the limited purpose trust company charter) regimes, whereas other states license virtual currency entities only as money transmitters. She added that NYDFS’s customized approach continues after approval: “NYDFS creates a detailed supervisory agreement that is tailored to the specific risks presented by the company’s business model. Licensed and chartered entities also are subject to ongoing supervision and are regularly examined for compliance with broadly applicable virtual currency regulations and other rules, as well as with their supervisory agreements.” The development of these tools, among other safeguards, demonstrates NYDFS’s focus on addressing the inherently high-risk nature of virtual currency business activity with respect to illicit transactions, she noted.

    Harris further clarified that secure, customized regulatory requirements, as outlined in the framework, coupled with transparency, usher in more business for the state, especially in the case of crypto startups. Further, other regulators, jurisdictions, and economic development agencies are seeking to replicate the framework, Harris commented, as consumer protection is not only achieved as outlined in the law, but by regulators that are able to move at a faster pace than the former.

    Fintech Digital Assets State Issues Cryptocurrency New York Consumer Protection

  • New York reaches settlement with medical management company over patient data

    Privacy, Cyber Risk & Data Security

    On May 23, the New York attorney general announced a settlement with a medical management company for allegedly failing to protect over 428,000 New Yorkers’ personal and health data from a 2020 ransomware cyberattack affecting roughly 1.2 million consumers nationwide. According to the AG’s investigation, the company implemented a new version of its software in January 2019, but allegedly failed to conduct a series of security tests and scans that could have identified any security problems. Further, the private information maintained by the company was not encrypted. Notably, information for 13 consumers was apparently discovered on the dark web days after the hack. The investigation concluded that the company, amongst the 28 areas where it failed to maintain reasonable data security practices to protect patients’ private and health information, allegedly failed to maintain appropriate patch management processes, conduct regular security testing of its systems, and encrypt the personal information on its servers. Under the terms of the assurance of discontinuance, the company, while neither admitting nor denying the allegations, agreed to pay $550,000 in penalties, and will improve its data security practices and offer affected customers free credit monitoring services.

    Privacy, Cyber Risk & Data Security State Issues State Attorney General Data Breach New York
