Skip to main content
Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • FinCEN seeks public comment for changing SSN requirements during customer identification

    Agency Rule-Making & Guidance

    On March 29, FinCEN published a request for information (RFI) and comment in the Federal Register, in consultation with the OCC, FDIC, NCUA, and the Fed, to receive more information on the Customer Identification Program (CIP) Rule requirement. This announcement extended the comment period as the regulators explored how banks can better collect a customer’s social security number (SSN). Specifically, FinCEN sought information on the “potential risks and benefits” if banks were to be allowed to collect partial SSNs from customers, and then used a “reputable” third-party source to obtain the full SSN. FinCEN noted there has been “expressed interest” in permitting this practice. Written comments must be received on or before May 28.

    Agency Rule-Making & Guidance Customer Identification Program FinCEN Anti-Money Laundering

  • Alabama judge finds the Corporate Transparency Act unconstitutional, DOJ quickly appeals


    On March 1, the federal district court in the Northern District of Alabama entered a final declaratory judgment concluding that the Corporate Transparency Act (CTA) is unconstitutional. The plaintiffs, including a non-profit small business association consisting of more than 60,000 small business members as well as an individual small business owner, sued the Treasury Department, Secretary Janet Yellen, and FinCEN Acting Director Himamauli Das in their official capacities, alleging that the CTA’s mandatory disclosure requirements violate the First, Fourth, Fifth, Ninth, and Tenth Amendments and exceed Congress’s authority under Article I of the Constitution.

    Corporations, LLCs, or other similar entities that are either “(i) created by the filing of a document with a secretary of state… or (ii) formed under the law of a foreign country and registered to do business in the United States” are required to provide certain beneficial ownership information, as well as disclose any related changes to FinCEN under the CTA, excluding exempt entities. The CTA was passed in 2021 as part of the National Defense Authorization Act and required most entities incorporated under state law to disclose beneficial ownership information to FinCEN to prevent financial crimes often committed through shell corporations. In September 2022, FinCEN issued a final rule implementing the CTA, which went into effect on January 1 of this year, and required currently existing entities and five million new entities formed each year from 2025 to 2034 to disclose the identity and information of any “beneficial owner” to FinCEN (see Orrick Insight here).

    According to the court, the CTA exceeds the Constitution’s limits on Congress’s power and does not have a strong enough connection to any of Congress’s listed powers to be considered a necessary or appropriate way to reach Congress’s policy objectives. The court rejected the government’s claims that the CTA is covered by various constitutional provisions, including the Commerce Clause, Taxing Clause, Necessary and Proper Clause, and Congress’s powers related to foreign affairs and national security.

    The judgment permanently enjoined the Department of the Treasury and FinCEN from enforcing the CTA against the plaintiffs and as a result they are not required to report beneficial ownership information to FinCEN at this time. The order does not ban enforcement of the CTA and its beneficial ownership disclosure requirements to FinCEN generally.

    On March 11, the U.S. Department of Justice filed a notice of appeal to the U.S. Court of Appeals for the Eleventh Circuit after U.S. District Judge Liles C. Burke’s March 1 ruling.

    Courts Alabama Corporate Transparency Act Constitution Congress FinCEN Department of Treasury

  • Fed finds CEO engaged in crypto “pig butchering” scam which led to bank failure

    On February 7, the Federal Reserve issued an evaluation report, as required by the Federal Deposit Insurance Act (where a loss to the deposit insurance fund is considered material), on a recently failed bank; the Fed concluded the bank failed due to alleged fraudulent activity by the bank’s CEO. In particular, the Fed found that the CEO initiated a series of wire transfers over the course of three months totaling about $47.1 million of the bank’s money as part of a cryptocurrency scam known as “pig butchering.” According to a FinCEN alert, “pig butchering” occurs when a scammer convinces its victims to invest in purportedly legitimate cryptocurrency investments but then steals the victim’s money.

    The Fed found that the bank’s employees neglected to follow proper internal controls and policies that could have “prevented or detected” the alleged fraudulent activity, attributing the failure to a reluctance to challenge the CEO given the CEO’s “dominant role in the bank and prominent role in the community.” Specifically, the employees did not comply with the bank’s BSA/AML policy or file suspicious activity reports as outlined under the policy. As a result, the Fed recommended (i) increasing the awareness among state member banks of cryptocurrency scams; and (ii) providing training to examiners on cryptocurrency scams.

    Bank Regulatory Federal Issues Cryptocurrency FinCEN Federal Reserve Bank Secrecy Act Anti-Money Laundering

  • FinCEN issues FAQs on PPP

    Federal Issues

    On January 12, FinCEN and the SBA issued FAQs on the Paycheck Protection Program (“PPP”), established under the CARES Act, to assist borrowers and lenders in interpreting the CARES act and the PPP Interim Final Rule. Among the issues addressed in the FAQs, FinCEN and the SBA provided guidance regarding whether under the CDD Rule, lenders are required to collect, certify, or verify beneficial ownership information for existing customers, stating that it is not necessary to re-verify “[i]f the PPP loan is being made to an existing customer, and the existing customer and the necessary information was previously verified. Additionally, FinCEN and the SBA addressed the question of whether a lender’s collection of the information required with respect to owners of 20% or greater interest in PPP applicants is sufficient to satisfy a lender’s obligation to collect beneficial ownership information under the Bank Secrecy Act. FinCEN and the SBA stated that for lenders with existing customers the lender does not need to reverify beneficial ownership information for owners that hold ownership interests of at least 20 percent, and with respect to new customers with the same ownership interest, all natural persons will need to provide the same information in order to satisfy BSA requirements. FinCEN also answered more FAQs on its April 2020 FAQs regarding the PPP on Second Draw PPP Loans, on BSA/AML compliances, and on SBA Procedural Notice 5000-835955, the last stating that a “PPP lender may reveal the existence of a SAR to the SBA when requesting a guaranty purchase (without charge-off) from the SBA.” 

    Federal Issues SBA FinCEN Department of Treasury PPP CARES Act Bank Secrecy Act Anti-Money Laundering Act of 2020

  • The Corporate Transparency Act: FinCEN Finalizes Beneficial Ownership Information Access Rule as Reporting Rule Takes Effect

    Federal Issues

    The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has issued a final rule (the Access Rule) regarding access to and use of beneficial ownership information (BOI) maintained by FinCEN.

    The Access Rule details the circumstances under which FinCEN can disclose BOI to authorized recipients. It also spells out how FinCEN will protect that information and outlines data protection protocols and oversight mechanisms for those who receive beneficial ownership information. The rule takes effect February 20, 2024.  It is the second of three FinCEN rulemakings to implement the Corporate Transparency Act (CTA).

    The first rule, the Beneficial Ownership Reporting Rule, took effect January 1, 2024. As covered previously, it requires certain domestic and foreign companies created, or registered to conduct business, in the United States to report information to FinCEN regarding their beneficial owners – individuals who directly or indirectly own or control 25 percent or more of the ownership interests of a reporting company or who exercise substantial control over such an entity.

    Read more here.

    Federal Issues Agency Rule-Making & Guidance FinCEN Beneficial Ownership Corporate Transparency Act

  • FinCEN report on identity fraud in 2021 outlines statistics and processes

    Financial Crimes

    On January 9, FinCEN published a report titled “Identity-Related Suspicious Activity: 2021 Threats and Trends” which focuses on patterns in reported Bank Secrecy Act (BSA) data linked to suspicious activity from 2021. The report is part of a broader set of financial trend analyses conducted by FinCEN under section 6206 of the Anti-Money Laundering Act of 2020. During 2021, about 1.6 million of all BSA reports (or 42 percent) on suspicious activity were related to identity, equaling $212 billion in suspicious activity.

    Key findings in the report included: (i) 69 percent of identity-related BSA reports indicate attackers have impersonated others; (ii) depository institutions have filed the most BSA reports at 54 percent, with the next highest being money services businesses at 21 percent; (iii) general fraud was the most reported typology with 1.2 million BSA reports totaling $149 billion in suspicious amounts, with the next two being false records and identity theft, respectively; and (iv) there were a significant number of identity-related exploitations based on BSA report volumes and dollar values. FinCEN reported three identity-related exploitations, including how attackers (a) impersonate others; (b) dodge or exploit verification processes; and (c) use compromised credentials. A model on page six of the report provides further clarity on how attackers undermine identity processes, such as through bust out schemes (attackers open credit card accounts then max out the cards), check fraud, credit and debit card fraud, and Covid-19 fraud.

    Financial Crimes FinCEN Bank Secrecy Act Anti-Money Laundering Act of 2020 Identity Theft Fraud Credit Cards

  • FinCEN, IRS issue alert on Covid-19 employee retention credit fraud schemes

    Financial Crimes

    On November 22, FinCEN and the IRS issued an alert to financial institutions regarding Covid-19 Employee Retention Credit (ERC)-related fraud schemes. Authorized by the CARES Act, the ERC is a tax credit aimed at incentivizing businesses to retain employees on payroll during the Covid-19 pandemic, through which fraud and scams have been carried out, FinCEN explained. The alert offers insights into typologies linked to ERC fraud and scams, emphasizes specific warning signs to aid financial institutions in detecting and reporting suspicious activities, and reinforces these institutions' obligations to report under the Bank Secrecy Act (BSA).

    According to the alert, “[d]uring the 2023 tax season, the IRS noted various scammers appeared throughout the [U.S.] using the false pretense of being tax credit experts to convince businesses to file for the ERC.” Third-party ERC promoters misled taxpayers about eligibility, aiming to profit from filing ERC claims without verifying qualifications, FinCEN added. As a result, the alert mentioned that victims risk claim denial or repayment, while scammers profit regardless of the claim's outcome, involving both willing and unaware businesses in these schemes. FinCEN added that businesses must meet specific ERC requirements, and those who received PPP loans cannot use the same wages counted in the PPP loan for the ERC application. Despite this, some may file amended tax returns misrepresenting their eligibility for the ERC by falsifying staff wages or claiming their operations were partially or fully suspended during the pandemic. FinCEN listed “red flags” indicative of ERC fraud that financial institutions should be cognizant of, including, among others, (i) a business account that receives multiple ERC check deposits over several days; (ii) small business accounts that receive ERC check deposits disproportionate to their size, employee count, and transaction volume; and (iii) a new account for an established business that only receives ERC deposits, suggesting possible identity theft using the business as a front for fraudulent claims. The alert also reminds financial institutions of their obligation to file suspicious activity reports and to keep a copy of the reports for five years from the date of the filing. 

    Financial Crimes FinCEN PPP Consumer Finance Loans CARES Act Patriot Act Bank Secrecy Act IRS Covid-19

  • FinCEN announces NPRM for new regulation to combat CVC mixing

    Agency Rule-Making & Guidance

    On October 19, FinCEN announced a notice of proposed rulemaking (NPRM) that identifies international Convertible Virtual Currency mixing (CVC) as a primary money laundering concern. In its NPRM, FinCEN highlighted the prevalence of illicit actors, including Hamas and Palestinian Islamic Jihad, who use CVC mixing to fund their illegal activity, and how increased transparency can combat their efforts. According to FinCEN, CVC mixing is used to conceal the source, destination, or amount involved in transactions. The proposed rule would require covered financial institutions to collect records of, and report suspicious CVC mixing transactions, as defined, to FinCEN within 30 days of initial detection. The proposed rule would not require covered financial institutions to source additional report information from the transactional counterparty, adding that the information required for the report is similar to information already collected by financial institutions. FinCEN also noted this is its first ever use of its authority under Section 311 of the USA PATRIOT Act.

    FinCEN invites comments for the proposed rule, including responses to questions addressing the impact of the proposed rule, definitions, reporting, and recordkeeping. Comments must be received by January 22, 2024, and they can be submitted via instructions found in the announcement.

    Agency Rule-Making & Guidance Federal Issues FinCEN Cryptocurrency Patriot Act Financial Crimes Digital Assets

  • Bank to pay $25 million to settle alleged misleading ESG claims


    On September 25, the SEC announced two enforcement actions against a subsidiary (respondent) of a German multinational investment bank and financial services company, in which the respondent agreed to pay a total of $25 million in penalties arising from (i) purportedly misleading statements respondent made regarding its Environmental, Social, and Governance (ESG) program; and (ii) its failure to develop a mutual fund Anti-Money Laundering (AML) program. According to the order, respondent allegedly marketed itself to clients and investors as a leader in ESG that adhered to specific policies for integrating ESG considerations into its investments but failed to implement certain provisions of its global ESG integration policy. The order contains a number of statements that respondent made concerning its ESG program that the SEC found to be materially misleading.  For example, respondent allegedly represented through its ESG Policy that its research analysts were required to include financially material and reputation relevant ESG aspects into its valuation models, investment recommendations and research reports and consider material ESG aspects as part of their investment decision, but respondent’s internal analyses allegedly showed that research analysts have inconsistent levels of documented compliance with this requirement.  The SEC determined that respondent’s failure to implement certain policies and procedures violated multiple sections of the Advisers Act, including Section 206(2), “which prohibits an investment adviser, directly or indirectly, from engaging ‘in any transaction, practice, or course of business which operates as a fraud or deceit upon any client or prospective client.’”

    Through the ESG order, respondent has agreed to pay a $19 million civil penalty and to cease and desist from committing any further violations of the violated sections of the Advisors Act. The SEC also charged respondent with a separate Anti-Money Laundering order, for failure to comply with the Bank Secrecy Act and FinCen regulations. Respondent did not admit nor deny the SEC’s claims.

    Securities SEC Enforcement ESG Anti-Money Laundering Bank Secrecy Act FinCEN Settlement

  • FinCEN updates jurisdictions with AML/CFT/CPF deficiencies

    Financial Crimes

    On June 29, FinCEN announced that the Financial Action Task Force (FATF) issued a public statement updating its lists of jurisdictions with strategic deficiencies in anti-money laundering (AML), countering the financing of terrorism (CFT), and countering the financing of proliferation of weapons of mass destructions (CPF). FATF’s statements include (i) Jurisdictions under Increased Monitoring, “which publicly identifies jurisdictions with strategic deficiencies in their AML/CFT/CPF regimes that have committed to, or are actively working with, the FATF to address those deficiencies in accordance with an agreed upon timeline,” and (ii) High-Risk Jurisdictions Subject to a Call for Action, “which publicly identifies jurisdictions with significant strategic deficiencies in their AML/CFT/CPF regimes and calls on all FATF members to apply enhanced due diligence, and, in the most serious cases, apply counter-measures to protect the international financial system from the money laundering, terrorist financing, and proliferation financing risks emanating from the identified countries.”

    FinCEN’s announcement also informed members that FATF added Cameroon, Croatia, and Vietnam it its list to the list of Jurisdictions Under Increased Monitoring and advised jurisdictions to apply enhanced due diligence proportionate to the risks. FATF did not remove any jurisdictions from the list. Additionally, the announcement suggests that money service businesses refer to FinCEN’s Guidance on compliance obligations to employ adequate measures against money laundering and the financing of terrorism posed by their foreign relationships. Also noted in the announcement is that the list of high-risk jurisdictions subject to a call for action, remains the same. FinCEN reminded in the announcement that U.S. financial institutions are still broadly prohibited from engaging in transactions or dealings with Iran, and they should continue to refer to existing FinCEN and Office of Foreign Assets Control guidance on engaging in financial transactions with Burma. With respect to high-risk jurisdictions subject to a call for action — the Democratic People’s Republic of Korea and Iran — “financial institutions must comply with the extensive U.S. restrictions and prohibitions against opening or maintaining any correspondent accounts, directly or indirectly, for North Korean or Iranian financial institutions,” FinCEN said, adding that “[e]xisting U.S. sanctions and FinCEN regulations already prohibit any such correspondent account relationships.”


    Financial Crimes Of Interest to Non-US Persons FinCEN Anti-Money Laundering Combating the Financing of Terrorism FATF Combating Weapons of Mass Destruction Proliferation Financing OFAC


Upcoming Events