Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FinCEN fines trust company $1.5 million for BSA violations
On April 26, FinCEN announced its first enforcement action against a trust company, in which it assessed a $1.5 million civil money penalty against a South Dakota-chartered trust company for willful violations of the Bank Secrecy Act (BSA) and its implementing regulations. According to the consent order, the trust company admitted that it willfully failed to timely and accurately report hundreds of transactions to FinCEN involving suspicious activity by its customers, including transactions with connections to a trade-based money-laundering scheme and several securities fraud schemes. The agency cited the trust company’s “severely underdeveloped” process for identifying and reporting potentially suspicious activity as part of “an overall failure to build a culture of compliance.”
According to FinCEN acting Director Himamauli Das, the trust company “had virtually no process to identify and report suspicious transactions, resulting in it processing over $4 billion in international wires with essentially no controls.” FinCEN said that the trust company should have realized that a large volume of activity from high-risk customers played a role in the closure of numerous correspondent accounts it maintained at other financial institutions, and pointed out that the trust company only began closing accounts flagged during an audit after several forced closures of its own accounts by other financial institutions and after receiving law enforcement inquiries about the accounts referred by the audit. However, at the time, the trust company made no effort to file suspicious activity reports (SARs), FinCEN found, claiming that the trust company processed hundreds of suspicious transactions worth tens of millions of dollars for risky customers that, among other things, appeared to operate in unrelated business sectors. FinCEN added that “personnel with [anti-money laundering (AML)] responsibilities have acknowledged not fully understanding federal SAR filing requirements and that they may have missed important information about some of their riskiest clients as the result of maintaining other, non-AML responsibilities.”
The consent order requires the trust company to hire an independent consultant to review its AML program and transactions from all referenced accounts, as well as any other accounts the trust company maintained for customer referrals, and conduct a SAR lookback review. The trust company is also required to implement recommendations made by the independent consultant and file SARs for any flagged covered transactions. FinCEN recognized the close collaboration and assistance provided by the DOJ and the FBI on this matter.
OCC releases enforcement actions
On March 17, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included is a cease and desist order against a New York-based bank for allegedly engaging in unsafe or unsound practices related to its information technology security and controls, as well as its information technology risk governance and board of director/management oversight of its corporate risk governance processes. The OCC also found alleged deficiencies (including unsafe or unsound practices) in the bank’s Bank Secrecy Act (BSA)/anti-money laundering risk management controls in the following areas: “internal controls, BSA officer, customer identification program, customer due diligence, enhanced due diligence,  beneficial ownership,” and suspicious activity monitoring and reporting. The order requires the bank to, among other things, maintain a compliance committee, develop a corporate governance program to ensure appropriate board oversight, establish a written strategic plan and conduct an internal audit to assess the sufficiency of the bank’s internal controls program, implement information technology governance and security programs, and adopt an automated clearing house risk management program. The bank is also required to appoint a BSA officer to ensure adherence to the bank’s BSA/AML internal controls, conduct a suspicious activity review lookback, implement a customer information program that is reasonably designed to identify and verify beneficial owners of legal entity customers, and develop and adopt a BSA/AML model risk management process.
FinCEN warns financial institutions of surge in mail theft-related check fraud
On February 27, FinCEN issued an alert to financial institutions on the nationwide surge in check fraud schemes targeting the U.S. mail. Mail theft-related check fraud, FinCEN explained, generally relates to the fraudulent negotiation of checks stolen from the U.S. postal service, and represents one of the most significant money laundering threats to the U.S. The alert is intended to ensure financial institutions file suspicious activity reports (SARs) that appropriately identify and report suspected check fraud schemes possibly linked to mail theft. The alert highlighted red flags to help financial institutions identify and report suspicious activity, and reminded financial institutions of their Bank Secrecy Act (BSA) reporting requirements. According to FinCEN, BSA reporting for check fraud has increased significantly over the past three years. “In 2021, financial institutions filed over 350,000 [SARs] to FinCEN to report potential check fraud, a 23 percent increase over the number of check fraud-related SARs filed in 2020,” the agency said, adding that in 2022, SARs related to check fraud reached over 680,000. When suspecting this type of fraud, financial institutions are advised to refer customers to the United States Postal Inspection Service in addition to filing a SAR.
FinCEN discusses digital identity threats
On January 25, FinCEN's acting Deputy Director, Jimmy Kirby, spoke before the Identity Policy Forum regarding digital identity threats, stating that FinCEN is “pragmatically focused” on protecting the U.S. financial system from illicit finance threats. According to Kirby, financial institutions must establish with confidence who their customers are on the front end and throughout the customer relationship. He noted that a failure or security compromise in any step of that process compromises the integrity of customer identity. Kirby also pointed out that security breaches have led to data hacks of centralized repositories of identity-related information, exposing personally identifiable information, and making those data sources less reliable, and that identity-related suspicious activity reports are increasing. Observing such threats, Kirby said that FinCEN designed the Identity Project to achieve three goals, to: (i) learn about financial institutions’ customer identification processes; (ii) quantify process breakdowns, vulnerabilities, and threats; and (iii) identify solutions, including digital identity. Kirby also discussed responsible innovation and emphasized the need to “foster development of infrastructure, information sharing, and standards that will safeguard the future of identity and the financial system.” Regarding expanding partnerships and feedback loops, Kirby said that the public sector must learn from each other, and that FinCEN is “also engaging with other domestic Federal agencies and regulators on digital identity, at FedID and throughout the year.”
FinCEN alert covers potential CRE investments by sanctioned Russians
On January 25, the Financial Crimes Enforcement Network (FinCEN) issued an alert to financial institutions on potential investments in the U.S. commercial real estate sector by sanctioned Russian elites, oligarchs, their family members, and the entities through which they act. The alert provides a list of possible red flags and typologies regarding attempted sanctions evasion in the commercial real estate sector and emphasizes financial institutions’ Bank Secrecy Act reporting obligations. The alert noted that banks frequently work with market participants who seek financing for commercial real estate projects, and that banks have customer due diligence obligations to verify the beneficial owners of legal entity customers. Specifically, the alert noted that “banks therefore may be in a position to identify and report suspicious activities associated with sanctioned Russian elites and their proxies including [politically exposed persons], among banks’ [commercial real estate]-related customers.” According to FinCEN, the recent alert builds on FinCEN’s March 2022 alert identifying real estate, luxury goods, and other high value assets involving sanctioned Russian and elites, and is the fourth alert issued by FinCEN on potential Russian illicit financial activity since Russia’s invasion of Ukraine in February 2022 (covered by InfoBytes here).
FinCEN offers suspicious activity reporting guidance for human smuggling along U.S.- Mexico border
On January 13, the Financial Crimes Enforcement Network (FinCEN) issued an alert advising financial institutions on how to detect and report suspicious financial activity that may be related to human smuggling along the southwest border of the United States. Highlighting that human smuggling is one of the eight Anti-Money Laundering and Countering the Financing of Terrorism National Priorities identified by FinCEN, the agency pointed out that human smuggling along the southwest border generates an estimated $2 billion to $6 billion in yearly revenue for illicit actors. The alert, which builds on FinCEN’s 2020 and 2014 human smuggling and human trafficking advisories (covered by InfoBytes here and here), provides trends, typologies, and red flag indicators to help financial institutions better identify and file suspicious activity reports potentially related to such activity. “Financial institutions need to know that their vigilance and prompt Bank Secrecy Act reporting matters—it aids investigations tied to human smuggling and transnational organized crime, and can ultimately save lives,” FinCEN Acting Director Himamauli Das said in the announcement.
FinCEN data reveals Russian oligarchs’ financial activity
On December 22, the Financial Crimes Enforcement Network (FinCEN) issued a Financial Trend Analysis on the financial activity of Russian oligarchs. In the analysis, FinCEN examined Bank Secrecy Act (BSA) reports from March 2022 to October 2022 involving Russian oligarchs, high-ranking officials, and sanctioned individuals. FinCEN identified 454 reports detailing suspicious activity and reported that some of the trends in the data by Russian oligarchs included: (i) the movement of funds around the start of the invasion of Ukraine in February 2022; (ii) the purchase of high-value goods or property in 2022; and (iii) based on the movement of funds from accounts in Russia to other countries, an indication of potential changes in longstanding oligarch-linked financial flows related to U.S. properties and companies. FinCEN noted that 78 percent of the 454 BSA reports were filed by U.S.-based depository institutions. Other types of financial institutions—such as holding companies or financial technology companies—submitted roughly 19 percent of reports, mainly on suspicious electronic funds transfers or wire transfers and suspicions concerning the source of funds.
OCC releases enforcement actions
On October 20, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included among the actions is a cease and desist order against an New York branch of an India-based bank for allegedly engaging in Bank Secrecy Act/anti-money laundering (BSA/AML) program violations. The bank allegedly “failed to establish and maintain a reasonably designed BSA/AML compliance program ('BSA/AML Program') that adequately covers the required BSA/AML Program components. Deficiencies include (i) a weak system of internal controls; (ii) a weak BSA Officer function; and (iii) an insufficient training program.” The order requires the bank to, among other things, submit a BSA/AML action plan and develop a written suspicious activity monitoring and reporting program.
OFAC, FinCEN take action against virtual currency exchange
On October 11, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), together with the Financial Crimes Enforcement Network (FinCEN), announced two settlements for more than $24 million and $29 million, respectively, with a Washington state-based virtual currency exchange. According to OFAC’s announcement, this is the agency’s largest virtual currency enforcement action to date, and represent the first parallel actions taken by FinCEN and OFAC in this space.
OFAC settlement. OFAC’s web notice stated that between March 28, 2014 and December 31, 2017, the exchange operated 1,730 accounts that processed 116,421 virtual currency-related transactions totaling roughly $263,451,600.13, in apparent violation of OFAC sanctions against Cuba, Ukraine, Iran, Sudan, and Syria. Specifically, due to alleged deficiencies in the exchange’s sanctions compliance procedures, the exchange failed to prevent persons located in the sanctioned jurisdictions from using its platform to engage in more than $263,000,000 worth of virtual currency-related transactions. OFAC claimed that while the IP addresses and physical address information collected on each customer at onboarding should have given the exchange reason to know that the persons were located in jurisdictions subject to sanctions, the exchange did not “screen customers or transactions for a nexus to sanctioned jurisdictions.” Rather, the exchange only screened transactions for hits against lists including OFAC’s List of Specially Designated Nationals and Blocked Persons. In arriving at the settlement amount of $24,280,829.20, OFAC considered various aggravating factors, including that the exchange did not exercise due caution or care for its sanctions compliance obligations and conveyed economic benefit to persons located in jurisdictions subject to OFAC sanctions, thus causing harm to the integrity of multiple sanctions programs. OFAC also considered various mitigating factors, including that the exchange provided substantial cooperation throughout the investigation, most of the transactions were for a relatively small amount and represented a small percentage when compared to the exchange’s annual volume of transactions, and the exchange has undertaken remedial measures intended to minimize the risk of recurrence of similar conduct.
FinCEN settlement. According to FinCEN’s press release, an investigation found that from February 2014 through December 2018, the exchange failed to maintain an effective AML program, resulting in its inability to appropriately address risks associated with its products and services, including anonymity-enhanced cryptocurrencies. The exchange also failed to effectively monitor transactions on its trading platform, and relied “on as few as two employees with minimal anti-money laundering training and experience to manually review all of the transactions for suspicious activity, which at times were over 20,000 per day.” FinCEN claimed that the exchange conducted more than 116,000 transactions valued at over $260 million with persons located in jurisdictions subject to OFAC sanctions, including those operating in Iran, Cuba, Sudan, Syria, and the Crimea region of Ukraine, and failed to file suspicious activity reports (SARs) between February 2014 and May 2017. The exchange also “failed to file SARs on a significant number of transactions involving sanctioned jurisdictions, including the processing of over 200 transactions that involved $140,000 worth of virtual assets—nearly 100 times larger than the average withdrawal or deposit on the Bittrex platform—and 22 transactions involving over $1 million worth of virtual assets,” FinCEN said in its announcement. Under the terms of the consent order, the exchange—which admitted to willfully violating the Bank Secrecy Act (BSA) and its implementing regulations—will pay a $29,280,829.20 civil money penalty. FinCEN stated it will credit the $24,280,829.20 the exchange has agreed to pay for the OFAC violations.
During remarks delivered at the Association of Certified Anti-Money Laundering Specialists, Under Secretary for Terrorism and Financial Intelligence Brian Nelson discussed, among other topics, Treasury’s efforts to counter illicit finance. Nelson highlighted the aforementioned settlements, stressing that failing to comply with BSA/AML requirements and SARs filing obligations “are not something that companies focused on growth can simply put off to a later day.” He also emphasized that Treasury will continue to strengthen ties with interagency partners and international counterparts to identify and pursue potential violations.
FDIC releases August enforcement actions
On September 30, the FDIC released a list of administrative enforcement actions taken against banks and individuals in August. During the month, the FDIC made public seven orders consisting of “one consent order, one order terminating consent order, two orders of prohibition from further participation and three orders granting permission to file application and approving application for consent to participate in the conduct of the affairs of any insured depository institution.” Among the orders is a consent order imposed against a Mississippi-based bank by the FDIC and the Mississippi Department of Banking and Consumer Finance, which alleged that the bank engaged in unsafe or unsound banking practices or violations of law relating to the Bank Secrecy Act (BSA). While the bank consented to the action, it did so without admitting or denying any charges. Under the consent order, the bank must, among other things: (i) develop, adopt, and implement a written customer due diligence program; (ii) develop and establish a system of internal controls; and (iii) establish and maintain an independent testing program for compliance with the BSA and its implementing rules and regulations. The bank must also “conduct a lookback review all transactions of $3M or more starting with July 1, 2020, through February 28, 2022, to ensure all suspicious activity is identified, investigated and/or a SAR filed or a documented decision not to file is completed.”