On November 19, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included among the actions is an October 9 consent order to resolve the OCC’s claims that a Washington, D.C.-based branch of a Caribbean bank (bank) engaged in Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program violations. According to the consent order, the OCC identified “critical deficiencies” in certain elements of the bank’s BSA/AML compliance program, including failure to implement a compliance program that “adequately covered the required BSA/AML program elements,” and failure to timely file Suspicious Activity Reports (SARs). Among the compliance program failures, the consent order states that the bank had (i) “systemic deficiencies in its transaction monitoring systems and alert management processes, which resulted in monitoring gaps”; (ii) “systemic deficiencies in its customer due diligence, enhanced due diligence, and customer risk rating processes”; and (iii) “an inadequate system of internal controls, ineffective independent testing, a weak BSA Officer function, and insufficient staffing and training.” The consent order requires the bank to pay a $5 million civil money penalty as a result of the deficiencies.
On October 13, the Financial Crimes Enforcement Network (FinCEN) issued an advisory for financial institutions to assist in detecting and preventing Covid-19-related unemployment insurance (UI) fraud. The advisory highlights specific ways illicit actors are exploiting the pandemic to engage in UI fraud, including, among other things, employees receiving UI payments while still being paid reduced, unreported wages from their employer, and the submission of UI claims using stolen or fake identification information. The advisory includes a specific list of red flag indicators for financial institutions to be aware of, such as (i) UI payments from a different state from the one in which the customer resides; (ii) multiple state UI payments within the same disbursement period; (iii) UI payments in a different name from the account holder; (iv) the withdrawal of UI funds in lump sums by cashier’s check or prepaid debit card; (v) multiple accounts receiving UI payments being associated with the same free, web-based email account; and (vi) a newly opened account that starts to receive numerous UI deposits. Financial institutions are encouraged to perform additional inquiries and investigations where appropriate, consistent with a risk-based approach for compliance with the Bank Secrecy Act. Lastly, should financial institutions need to report any UI fraud in a suspicious activity report, FinCEN encourages the institution to reference the advisory.
On September 29, FinCEN Director Kenneth A. Blanco spoke at the Association of Certified Anti-Money Laundering Specialists (ACAMS) virtual AML conference, noting that FinCEN has received over 91,000 suspicious activity reports (SARs) referencing Covid-19 and the federal stimulus programs under the CARES Act. Blanco stated that the vast majority (about 71 percent) of the Covid-19 SARs have come from depository institutions, while 17 percent have come from credit unions and five percent have come from the Money Services Business (MSB) industry. The securities and casino industries account for the final three percent. Blanco urged financial institutions to be “as specific as possible” when filling out their Covid-19-related SARs to ensure each report gets to the right investigative team expeditiously. Blanco noted that “vague references to ‘stimulus’ or ‘CARES Act’ or ‘benefit,’” hinder the agency’s ability to get the SAR to the right team. Additionally, Blanco emphasized FinCEN’s advisories and guidance related to Covid-19 fraud (covered by InfoBytes here, here, and here) and encouraged the audience to review the agency’s dedicated Covid-19 webpage.
On September 1, the Financial Crimes Enforcement Network (FinCEN) released a statement reiterating that “the unauthorized disclosure of [suspicious activity reports] (SARs) is a crime that can impact the national security of the United States, compromise law enforcement investigations, and threaten the safety and security of the institutions and individuals who file such reports.” FinCEN stated it is aware that a series of articles will be published by various media outlets based on unlawfully disclosed SARs and other sensitive government documents and has referred the matter to the DOJ and the U.S. Treasury Department’s Office of Inspector General.
On August 13, the OCC, the Federal Reserve Board, the FDIC, and the NCUA (collectively, the “agencies”) issued a joint statement, which clarifies how the agencies apply the enforcement provisions of the Bank Secrecy Act (BSA) and related anti-money laundering (AML) laws and regulations. Specifically, the statement discusses the conditions that require the issuance of a mandatory cease and desist order under sections 8(s) and 206(q). According to the agencies, there are no new exceptions or standards created by the document. Among other things, the statement:
- Provides examples of when an agency shall issue a cease and desist order in accordance with sections 8(s)(3) and 206(q)(3) for “[f]ailure to establish and maintain a reasonably designed BSA/AML Compliance Program.” The statement notes that an institution would be subject to a cease and desist order when one component of its compliance program “fails with respect to either a high-risk area or multiple lines of business… even if the other components or pillars are satisfactory.”
- Describes circumstances in which an agency may use its discretion to issue formal or informal enforcement actions related to unsafe or unsound BSA-related practices. The statement notes that the “form and content” of the enforcement action will depend on a variety of factors, including “the capability and cooperation of the institution’s management.”
- Describes how the agencies incorporate customer due diligence regulations and recordkeeping requirements as part of the internal controls pillar of an institution’s BSA/AML compliance program.
- Discusses the treatment of isolated or technical compliance program requirements that are generally not issues resulting in an enforcement action.
On August 10, the Financial Industry Regulatory Authority (FINRA), SEC, and the CFTC announced separate settlements with a broker-dealer following investigations into its anti-money laundering (AML) programs. The broker-dealer did not admit or deny any of the charges, and the agencies all considered remedial actions undertaken by the broker-dealer. FINRA fined the broker-dealer $15 million for allegedly failing to establish and implement AML processes reasonably designed to detect and report suspicious transactions as required by the Bank Secrecy Act, including foreign currency wire transfers to and from countries known to be at high risk for money laundering. Additionally, the broker-dealer “lacked sufficient personnel and a reasonably designed case management system.” The broker-dealer consented to the terms of the Letter of Acceptance, Waiver and Consent and agreed to retain a third-party consultant to take steps to remediate its AML program.
In a separate investigation conducted by the SEC, the broker-dealer reached a settlement to resolve allegations that it repeatedly failed to file suspicious activity reports (SARs) as required by the Exchange Act for U.S. microcap securities trades executed on behalf of its customers. According to the SEC, because the broker-dealer’s “AML policies and procedures were not reasonably tailored to the risks of [its] U.S. microcap securities business,” over a one-year period, it failed to (i) recognize red flags; (ii) properly investigate suspicious activity; and (iii) file more than 150 SARs in a timely fashion even after compliance personnel flagged the suspicious transactions. Under the terms of the order, the broker-dealer has agreed to be censured, will cease and desist from committing future violations, and will pay an $11.5 million civil penalty.
The CFTC also announced a settlement to resolve allegations that the broker-dealer failed to (i) diligently supervise the handling of several commodity trading accounts; (ii) sufficiently oversee its employees’ handling of these accounts, leading to its “failure to maintain an adequate [AML] program and to conduct appropriate customer monitoring”; and (iii) identify or conduct adequate investigations necessary to detect and report suspicious transactions. Under the order, the broker-dealer is required to pay an $11.5 million civil penalty and disgorge $706,214 it earned as the futures commission merchant for certain accounts that were the subject of a 2018 CFTC enforcement action.
On July 16, the Financial Crimes Enforcement Network (FinCEN) issued an alert warning financial institutions about a scam using social media accounts to solicit fraudulent payments denominated in convertible virtual currency (CVC). According to FinCEN, high-profile social media accounts were compromised and used to solicit payments to CVC accounts, with claims that any CVC sent would be “doubled and returned to the sender.” The alert reminds financial institutions to report suspicious transactions involving this type of activity as soon as possible, and that “[a]ny data or information that helps identify the activity as suspicious can be included as an indicator” on their Suspicious Activity Report (SAR) form. The alert notes several indicators to assist financial institutions in identifying activity related to the scam, including (i) communications soliciting payments with misspellings; (ii) social media posts soliciting donations from unverified accounts; and (iii) multiple accounts communicating the same message soliciting funds for an unknown purpose.
On May 18, the Financial Crimes Enforcement Network (FinCEN) issued an advisory and companion notice on medical scams related to the Covid-19 pandemic that provide detailed instructions for financial institutions filing reports of Covid-19-related suspicious activities. The advisory outlines numerous red flag indicators and case studies addressing Covid-19 medical-related fraudulent activity to assist financial institutions in detecting, preventing, and reporting suspicious transactions. FinCEN also encourages financial institutions to consider additional contextual information, such as a customer’s historical financial activity and whether a customer exhibits multiple indicators, before making a determination that a transaction is suspicious. FinCEN further advises financial institutions—when taking a risk-based approach to Bank Secrecy Act compliance—to perform additional inquiries and conduct investigations as necessary.
The companion notice provides, among other things, that suspicious activity reports (SARs) should only include Covid-19 statements tied to suspicious activity and that statements related to Covid-19’s impact on SAR filing abilities should not be included. However, FinCEN states that filers who previously included these references are not required to file corrected reports. For fraud schemes, including those that exploit the Covid-19 pandemic, FinCEN reiterates that full details related to SAR filings and supporting documentation should be submitted as quickly as possible. The notice also addresses information sharing among financial institutions and provides contact information for reporting Covid-19-related criminal activity to other agencies.
On May 5, FINRA issued Regulatory Notice 20-13, reminding firms to be aware of the heightened threat of frauds and scams during the Covid-19 pandemic. The notice sets forth practices that firms may wish to implement to address risks relating to fraudulent account openings and money transfers, including a customer identification program, steps to monitor for fraud during account opening, bank account verification and restrictions on funds transfers, ongoing monitoring of accounts, collaboration with clearing firms, and compliance with Suspicious Activity Report filing requirements. The notice also sets forth methods that firms may employ to address risks relating to firm imposter scams and IT help desk scams.
On February 20, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. The new enforcement actions include four civil money penalty orders, three cease and desist orders, five removal/prohibition orders, and a termination of an existing enforcement action. Included among the actions is a January 30 Consent Order to resolve the OCC’s claims that a New York-based bank engaged in Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program violations. According to the consent order, an OCC examination identified alleged deficiencies in the bank’s BSA/AML compliance program, including (i) failure to “assess and monitor high risk customer activity flowing to or from high risk jurisdictions”; (ii) deficient BSA/AML policies, procedures, systems and controls; (iii) inadequate suspicious activity monitoring and suspicious activity reporting (SAR) to FinCEN; (iv) deficient Customer Due Diligence processes, including failure to appoint a BSA officer; and (v) failure to sufficiently monitor or provide controls for increased wire and ACH transactions. The consent order requires the bank to, among other things, (i) appoint a compliance committee within 30 days; (ii) submit a written strategic plan to the OCC covering at least the next three years; (iii) appoint a “permanent, qualified, and experienced BSA Officer” with sufficient staff; (iv) create and adopt a “written program of internal control policies and procedures to provide for the compliance with the BSA”; and (v) adopt and deploy a “written system of internal controls and processes to ensure compliance with the requirements to file SARs.”