Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On February 7, the Federal Reserve issued an evaluation report, as required by the Federal Deposit Insurance Act (where a loss to the deposit insurance fund is considered material), on a recently failed bank; the Fed concluded the bank failed due to alleged fraudulent activity by the bank’s CEO. In particular, the Fed found that the CEO initiated a series of wire transfers over the course of three months totaling about $47.1 million of the bank’s money as part of a cryptocurrency scam known as “pig butchering.” According to a FinCEN alert, “pig butchering” occurs when a scammer convinces its victims to invest in purportedly legitimate cryptocurrency investments but then steals the victim’s money.
The Fed found that the bank’s employees neglected to follow proper internal controls and policies that could have “prevented or detected” the alleged fraudulent activity, attributing the failure to a reluctance to challenge the CEO given the CEO’s “dominant role in the bank and prominent role in the community.” Specifically, the employees did not comply with the bank’s BSA/AML policy or file suspicious activity reports as outlined under the policy. As a result, the Fed recommended (i) increasing the awareness among state member banks of cryptocurrency scams; and (ii) providing training to examiners on cryptocurrency scams.
On January 26, the FDIC released a list of administrative enforcement actions taken against banks and individuals in December 2023. During that month, the FDIC made public 12 orders consisting of “four orders of termination of deposit insurance; three orders terminating consent orders; two consent orders; one order terminating supervisory prompt corrective action directive; one order of prohibition from further participation; one order to pay a civil money penalty (CMP); and one Decision and Order to Prohibit from Further Participation and Assessment of Civil Money Penalty.”
Included is a consent order with a Mississippi-based bank for alleged Bank Secrecy Act violations, along with violations of a previous consent order from 2020, imposing a $600,000 civil money penalty. Also included is a consent order with a Kentucky-based bank, alleging the bank engaged in “unsafe or unsound banking practices and violations of law or regulation” relating to, among other things, the Bank Secrecy Act. The bank neither admitted nor denied the allegations but agreed to create a written plan to recover its losses from the bank’s relationship with a third-party loan program, to reduce the bank’s risk position in the program, and to stop granting any extensions of credit through adversely classified or criticized loans related to the third-party loan program. The consent order additionally requires the bank’s board to assess the sufficiency of the bank’s allowance for credit losses (ACL), ensuring the establishment of an appropriate ACL and to uphold and accurately report it. Specifically, “management shall review updated credit risk metrics and loss data for the third-party loan programs referenced in the ROE and ensure appropriate provisions to the ACL relative to this information.”
On January 12, FinCEN and the SBA issued FAQs on the Paycheck Protection Program (“PPP”), established under the CARES Act, to assist borrowers and lenders in interpreting the CARES act and the PPP Interim Final Rule. Among the issues addressed in the FAQs, FinCEN and the SBA provided guidance regarding whether under the CDD Rule, lenders are required to collect, certify, or verify beneficial ownership information for existing customers, stating that it is not necessary to re-verify “[i]f the PPP loan is being made to an existing customer, and the existing customer and the necessary information was previously verified. Additionally, FinCEN and the SBA addressed the question of whether a lender’s collection of the information required with respect to owners of 20% or greater interest in PPP applicants is sufficient to satisfy a lender’s obligation to collect beneficial ownership information under the Bank Secrecy Act. FinCEN and the SBA stated that for lenders with existing customers the lender does not need to reverify beneficial ownership information for owners that hold ownership interests of at least 20 percent, and with respect to new customers with the same ownership interest, all natural persons will need to provide the same information in order to satisfy BSA requirements. FinCEN also answered more FAQs on its April 2020 FAQs regarding the PPP on Second Draw PPP Loans, on BSA/AML compliances, and on SBA Procedural Notice 5000-835955, the last stating that a “PPP lender may reveal the existence of a SAR to the SBA when requesting a guaranty purchase (without charge-off) from the SBA.”
On January 19, the Federal Reserve Board and NYDFS each issued separate enforcement actions against one of the largest banks in the world for alleged compliance deficiencies and violations under BSA/AML. The Fed issued its cease and desist order and ordered the bank to pay a civil money penalty of $2.4 million. The NYDFS also issued a similar consent order with a monetary penalty of $30 million.
According to the Fed’s order, an investigation into the bank’s practices determined that the New York branch lacked any formal policies or training on confidential supervisory information (CSI). Additionally, the order required the bank to submit a written plan to enhance internal compliance controls to the Fed, including designation of a CSI officer, among other requirements. According to NYDFS’s order, the bank previously entered into a 2018 cease and desist order with the Fed to address “significant deficiencies” in its compliance with BSA/AML requirements and OFAC regulations. NYDFS conducted an examination in 2022 and found that deficiencies cited in the 2018 order persisted for several more years. A subsequent examination in 2023 found that the bank had made significant efforts toward enhancing its compliance programs and successfully remediated prior deficiencies. Per this most recent order, NYDFS found that the bank’s BSA/AML program was not in compliance for several years; the bank failed to maintain appropriate accounting records; and the bank failed to submit a report after discovering the occurrence of “embezzlement, misapplication, larceny, forgery, fraud, [or] dishonesty[.]” The consent order stipulated several remediation requirements, including a status report to NYDFS on the bank’s BSA/AML compliance.
On January 12, NYDFS announced that it had entered into a consent order with a digital currency trading company after an investigation that found the company responsible for compliance failures that violated NYDFS’s virtual currency and cybersecurity regulations, leaving the company vulnerable to illicit activity and cybersecurity threats.
NYDFS found that the company failed to meet its compliance obligations due to (i) deficiencies in the company’s AML program; (ii) failure to file compliant suspicious activity reports; (iii) failure to conduct required OFAC screening; and (iv) failure to maintain an adequate cybersecurity program. In connection with the settlement, the company will surrender its BitLicense, the license required to be held by any company conducting virtual currency business in New York state and pay an $8 million penalty.
On January 9, FinCEN published a report titled “Identity-Related Suspicious Activity: 2021 Threats and Trends” which focuses on patterns in reported Bank Secrecy Act (BSA) data linked to suspicious activity from 2021. The report is part of a broader set of financial trend analyses conducted by FinCEN under section 6206 of the Anti-Money Laundering Act of 2020. During 2021, about 1.6 million of all BSA reports (or 42 percent) on suspicious activity were related to identity, equaling $212 billion in suspicious activity.
Key findings in the report included: (i) 69 percent of identity-related BSA reports indicate attackers have impersonated others; (ii) depository institutions have filed the most BSA reports at 54 percent, with the next highest being money services businesses at 21 percent; (iii) general fraud was the most reported typology with 1.2 million BSA reports totaling $149 billion in suspicious amounts, with the next two being false records and identity theft, respectively; and (iv) there were a significant number of identity-related exploitations based on BSA report volumes and dollar values. FinCEN reported three identity-related exploitations, including how attackers (a) impersonate others; (b) dodge or exploit verification processes; and (c) use compromised credentials. A model on page six of the report provides further clarity on how attackers undermine identity processes, such as through bust out schemes (attackers open credit card accounts then max out the cards), check fraud, credit and debit card fraud, and Covid-19 fraud.
On December 29, the FDIC released a list of administrative enforcement actions taken against banks and individuals in November. The FDIC made 12 orders public including, “five consent orders, three prohibition orders, two orders terminating consent orders, one order to pay a civil money penalty (CMP), and one order dismissing both a notice of assessment of CMPs and an order to pay.” Included is a stipulated order and written agreement with a Tennessee-based bank (the Bank) to resolve alleged violations of the Bank Secrecy Act (BSA) and weaknesses in board and management oversight of its information technology function. The Bank agreed to the conditions of the consent order which requires the Bank to, among other things (i) establish an action plan to correct the bank’s Anti-Money Laundering/Countering the Financing for Terrorism (AML/CFT) program deficiencies and alleged violations; (ii) retain qualified IT management; (iii) perform a cybersecurity assessment; and (iv) designate someone responsible for coordinating and monitoring day-to-day compliance with the BSA.
On November 22, FinCEN and the IRS issued an alert to financial institutions regarding Covid-19 Employee Retention Credit (ERC)-related fraud schemes. Authorized by the CARES Act, the ERC is a tax credit aimed at incentivizing businesses to retain employees on payroll during the Covid-19 pandemic, through which fraud and scams have been carried out, FinCEN explained. The alert offers insights into typologies linked to ERC fraud and scams, emphasizes specific warning signs to aid financial institutions in detecting and reporting suspicious activities, and reinforces these institutions' obligations to report under the Bank Secrecy Act (BSA).
According to the alert, “[d]uring the 2023 tax season, the IRS noted various scammers appeared throughout the [U.S.] using the false pretense of being tax credit experts to convince businesses to file for the ERC.” Third-party ERC promoters misled taxpayers about eligibility, aiming to profit from filing ERC claims without verifying qualifications, FinCEN added. As a result, the alert mentioned that victims risk claim denial or repayment, while scammers profit regardless of the claim's outcome, involving both willing and unaware businesses in these schemes. FinCEN added that businesses must meet specific ERC requirements, and those who received PPP loans cannot use the same wages counted in the PPP loan for the ERC application. Despite this, some may file amended tax returns misrepresenting their eligibility for the ERC by falsifying staff wages or claiming their operations were partially or fully suspended during the pandemic. FinCEN listed “red flags” indicative of ERC fraud that financial institutions should be cognizant of, including, among others, (i) a business account that receives multiple ERC check deposits over several days; (ii) small business accounts that receive ERC check deposits disproportionate to their size, employee count, and transaction volume; and (iii) a new account for an established business that only receives ERC deposits, suggesting possible identity theft using the business as a front for fraudulent claims. The alert also reminds financial institutions of their obligation to file suspicious activity reports and to keep a copy of the reports for five years from the date of the filing.
On September 29, NYDFS announced a settlement with a South Korean-based bank’s American subsidiary to resolve allegations of repeated violations of AML requirements, the Bank Secrecy Act (BSA), and New York law. According to the consent order, the respondent was repeatedly examined seven times in less than 10 years by DFS and entered into a consent order with the FDIC in 2017 for BSA/AML compliance, among other things. DFS claims that respondents violated (i) New York Banking Law § 44 by conducting their business in an unsafe and unsound manner; (ii) 3 NYCRR § 116.2 by failing to maintain an effective AML compliance program; and (iii) 23 NYCRR § 504.4 by incorrectly certifying compliance with Part 504. To resolve the claims, the respondent agreed to pay a $10 million civil money penalty, and write a written plan detailing improvements to its compliance policies and procedures, among other things.
On September 25, the SEC announced two enforcement actions against a subsidiary (respondent) of a German multinational investment bank and financial services company, in which the respondent agreed to pay a total of $25 million in penalties arising from (i) purportedly misleading statements respondent made regarding its Environmental, Social, and Governance (ESG) program; and (ii) its failure to develop a mutual fund Anti-Money Laundering (AML) program. According to the order, respondent allegedly marketed itself to clients and investors as a leader in ESG that adhered to specific policies for integrating ESG considerations into its investments but failed to implement certain provisions of its global ESG integration policy. The order contains a number of statements that respondent made concerning its ESG program that the SEC found to be materially misleading. For example, respondent allegedly represented through its ESG Policy that its research analysts were required to include financially material and reputation relevant ESG aspects into its valuation models, investment recommendations and research reports and consider material ESG aspects as part of their investment decision, but respondent’s internal analyses allegedly showed that research analysts have inconsistent levels of documented compliance with this requirement. The SEC determined that respondent’s failure to implement certain policies and procedures violated multiple sections of the Advisers Act, including Section 206(2), “which prohibits an investment adviser, directly or indirectly, from engaging ‘in any transaction, practice, or course of business which operates as a fraud or deceit upon any client or prospective client.’”
Through the ESG order, respondent has agreed to pay a $19 million civil penalty and to cease and desist from committing any further violations of the violated sections of the Advisors Act. The SEC also charged respondent with a separate Anti-Money Laundering order, for failure to comply with the Bank Secrecy Act and FinCen regulations. Respondent did not admit nor deny the SEC’s claims.