InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California-Based Financial Institution Reaches Agreement with DOJ, Forfeits More Than $97 Million for Bank Secrecy Act Violations
On May 22, the U.S. Department of Justice announced that a California-based financial institution and its parent company have agreed to forfeit over $97 million to resolve an investigation into alleged Bank Secrecy Act (BSA) violations. The May 18 agreement between the Bank and the DOJ included a Statement of Facts in which the Bank admitted to criminal violations for willfully failing to maintain an effective anti-money laundering compliance program with appropriate policies, procedures, and controls to guard against money laundering, as well as willfully failing to file suspicious activity reports (SARs). It further admitted that from at least 2007 until at least 2012, it processed more than 30 million remittance transactions to Mexico with a total value of more than $8.8 billion, but, while its monitoring system issued more than 18,000 alerts involving more than $142 million in potentially suspicious remittance transactions, it conducted fewer than 10 investigations and filed only nine SARs. Notably, the nine SARs covered only 700 transactions totaling overall approximately $341,307. Furthermore, the financial institution recognized that over the same time period it needed to improve its monitoring of its money services businesses’ (MSBs) remittances but failed to provide appropriate staffing and resources, which led to its BSA department being unable to “conduct appropriate transaction monitoring.” This resulted in a failure to file SARs on suspicious remittance transactions. Although the financial institution recognized the need to enhance its monitoring process as early as 2004, it continued to expand its MSB business without adding staffing resources and failed to make necessary improvements to its transaction monitoring controls.
However, the DOJ stated its decision to enter into a non-prosecution agreement with the financial institution was based on evidence of extensive remedial actions. According to the DOJ’s press release, the financial institution devoted significant resources to remediation of its BSA and anti-money laundering (AML) deficiencies, exited its MSB business entirely, and ultimately ceased all banking operations. It was further credited for its cooperation with the DOJ’s criminal investigation by: (i) providing factual presentations; (ii) voluntarily making available foreign-based employees for interviews in the U.S.; (iii) producing foreign documents without implicating foreign data privacy laws; and (iv) collecting, analyzing, and organizing voluminous evidence and information for the DOJ. Under the terms of the agreement, the financial institution and its parent company have agreed to fully cooperate in this and any future DOJ investigations relating to violations of the BSA and AML statutes, as well as report, for a period of one year, any evidence or allegations of such violations. The parent company has also agreed to report to the DOJ “regarding [the] implementation of compliance measures to improve oversight of its subsidiaries’ BSA compliance.”
FinCEN Releases Third Edition of SAR Stats Technical Bulletin
On March 9, the Financial Crimes Enforcement Network released SAR Stats Issue 3, which is a yearly report of Suspicious Activity Report (SAR) statistics compiled through Dec. 31, 2016. This report provides nationwide and state/territory-specific suspicious activity data. Issue 3 covers the following industry types: depository institutions, money services business, securities and futures firms, insurance companies, casinos and card clubs, loan or finance companies, housing government sponsored entities, and other types of financial institutions.
FinCEN Issues Guidance on Sharing Suspicious Activity Reports with U.S. Parents and Affiliates of Casinos
On January 4, the Financial Crimes Enforcement Network (FinCEN) issued guidance to “confirm that, under the Bank Secrecy Act (BSA) and its implementing regulations, a casino that has filed a Suspicious Activity Report (SAR) may share the SAR, or any information that would reveal the existence of the SAR, with each office or other place of business located within the United States of either the casino itself or a parent or affiliate of the casino.” As explained in the guidance, FinCEN expects that the anti-money laundering efforts of the casino’s affiliates could be enhanced by virtue of their access to a clearer and more comprehensive picture of the activities the casino has identified as suspicious. The guidance also specified that casinos may not share SARs or information that would reveal the existence of a SAR with non-U.S. offices or affiliates, individuals or entities within the casino’s corporate famile that perform functions unrelated to gaming, a financial institution without an independent SAR obligation, or unaffialited money services businesses located within the casino. Finally, the guidance specified that a domestic affiliate that receives a SAR or revealing information from a casino may not further share that SAR with an affiliate of its own.
FinCEN Issues Advisory and Supplemental FAQs on Cyber-Events and Cyber-Enabled Crime
On October 25, FinCEN issued advisory bulletin FIN-2016-A005 reminding financial institutions of their Bank Secrecy Act (BSA) obligations to report certain cyber-events and cyber-enabled crime. The advisory highlights the importance of (i) reporting cyber-events and cyber-enabled crime through Suspicious Activity Reports (SARs); (ii) including cyber-related information such as IP addresses with timestamps, virtual-wallet information, device identifiers, and cyber-event information, in SAR reporting; (iii) collaborating with BSA/AML, cybersecurity, and other in-house units to facilitate “a more comprehensive threat assessment and develop appropriate risk management strategies to identify, report, and mitigate cyber-events and cyber-enabled crime”; and (iv) sharing cyber-related information – including specific malware signatures, IP addresses and device identifiers, and virtual currency addresses that seem anonymous – amongst financial institutions for the “purpose of identifying and, where appropriate, reporting money laundering or terrorist activities.” Importantly, the advisory distinguishes between mandatory SAR reporting of cyber-events, providing three specific examples, and voluntary reporting of cyber-events. Per the advisory, “[c]yber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.”
FinCEN simultaneously issued FAQs to supplement advisory bulletin FIN-2016-A005. The FAQs, which supersede 2001 FAQs regarding computer intrusion, provide answers to a set of nine questions. The FAQs address, among other things, (i) when cyber-related SAR reports should be filed; (ii) the type of information that should be included in cyber-related SARs; and (iii) cyber-event and cyber-enabled crime information sharing, pursuant to Section 314(b) of the USA PATRIOT Act, between financial institutions.
Treasury Issues Joint BSA/AML Fact Sheet
On August 30, the Department of the Treasury, along with the OCC, FDIC, Federal Reserve and NCUA, issued a joint fact sheet on foreign correspondent banking. The fact sheet provides a summary of the agencies’ (i) expectations for BSA/AML and OFAC risk management at U.S. depository institutions; (ii) risk-based approach to the supervisory examination process; and (iii) use of enforcement as an “extension of the supervisory process.” As highlighted in a corresponding blog post, the fact sheet explains that about “95% of BSA/OFAC compliance deficiencies identified by the [Federal Banking Agencies], FinCEN, and OFAC are corrected by the institution’s management without the need for any enforcement action or penalty.” The fact sheet notes that, under existing regulations there is no general requirement for depository institutions to conduct due diligence on an individual customer of a foreign financial institution (FFI). But it also notes that “[i]n determining the appropriate level of due diligence necessary for an FFI relationship, U.S. depository institutions should consider the extent to which information related to the FFI’s markets and types of customers is necessary to assess the risks posed by the relationship, satisfy the institution’s obligations to detect and report suspicious activity, and comply with U.S. economic sanctions. This may require U.S. depository institutions to request additional information concerning the activity underlying the FFI’s transactions in accordance with the suspicious activity reporting rules and sanctions compliance obligations.”
SEC Charges Brokerage Firm with AML Failures
On June 1, the SEC announced that a Wall Street-based brokerage firm agreed to pay a $300,000 penalty to settle charges that it failed to sufficiently evaluate or monitor customers’ trading for suspicious activity and to file suspicious activity reports (SARs) in an alleged willful violation of Section 17(a) of the Exchange Act and Rule 17a-8. The broker-dealer was required to have written AML policies and procedures, which outlined specific examples of suspicious activities that, according to the SEC, “should have triggered internal reviews and, in a number of instances, [(SAR)] filings.” According to the SEC, the broker-dealer failed to file SARs on the following activity: (i) accounts that traded an aberrational percentage of a given stock in a particular day; (ii) accounts of entities that had executives charged with criminal securities fraud; (iii) customer trading that was the subject of grand jury subpoenas and regulatory inquiries; (iv) liquidation of securities followed immediately by large cash transfers; (v) transactions in securities that were subsequently subject to SEC trading suspensions; and (vi) rejections by other broker-dealers of attempts by the firm to transfer customers’ securities. Despite these red flags, the brokerage firm failed to file SARs for more than five years. The case represents the SEC’s first against a firm for solely failing to file SARs.
FinCEN Assesses Civil Money Penalty Against Nevada-Based Casino for BSA/AML Violations
On April 5, FinCEN assessed a civil money penalty against a Nevada-based casino for willfully violating the anti-money laundering provisions of the BSA. From 2010 through November 2013, the casino allegedly failed to (i) establish and implement an effective, written anti-money laundering program; (ii) establish and maintain appropriate internal controls in compliance with the BSA’s reporting requirements; (iii) conduct independent testing of its AML program; (iv) implement automated data processing systems that ensured compliance with the BSA and the casino’s AML program; (v) report suspicious activity; and (vi) secure and retain certain required records. According to FinCEN, the casino generally “lacked a culture of compliance” and had a “blatant disregard for AML compliance permeat[ing] at all levels.” The casino agreed to a $1 million civil money penalty and admitted to willfully violating the BSA’s program, reporting, and recordkeeping requirements.
FinCEN Updates FATF AML/CFT Deficient Jurisdictions List
On January 19, FinCEN issued an advisory, FIN-2016-A001, to provide financial institutions with guidance on reviewing their obligations and risk-based approaches with respect to certain jurisdictions. According to the advisory, on October 23, the Financial Action Task Force (FATF) updated two documents identifying the following: (i) jurisdictions that are either subject to the FATF’s call to apply countermeasures, or to Enhanced Due Diligence (EDD) due to their AML/CFT deficiencies; and (ii) jurisdictions with AML/CFT deficiencies. FinCEN’s recently issued advisory summarizes the changes made to the respective lists and reiterates that a financial institution must file a Suspicious Activity Report if it “knows, suspects, or has reason to suspect that a transaction involves funds derived from illegal activity or that a customer has otherwise engaged in activities indicative of money laundering, terrorist financing, or other violation of federal law or regulation.”
FinCEN Director Highlights the Significance of SAR Filings
On December 9, FinCEN Director Calvery highlighted at a joint FBIIC-FSSCC meeting the role of FinCEN in gathering and analyzing financial intelligence and the value of Suspicious Activity Reports (SARs) in curtailing malicious cyber activity. Calvery noted the importance of attribution information, such as IP addresses, timestamps, e-mail addresses, and the nature of the suspicious activity, when included in SAR filings, in helping FinCEN and law enforcement agencies deflect cyber-attacks, detect the source of such attacks, and identify members of money laundering networks. “For example, SARs filed by several different financial institutions played a vital role in furthering an investigation where a regional Florida bank had nearly $7 million fraudulently wired out of one of its accounts,” Calvery explained. Calvery emphasized the importance of including cyber-derived information (such as IP addresses and bitcoin wallet addresses) in SAR filings, noting that while less than two percent of filed SARs contain IP addresses, the information is “incredibly important to FinCEN analysts and law enforcement investigators working to combat cyber-crimes.”
FinCEN's Associate Director for Enforcement Delivers Remarks at BSA Conference
On June 18, FinCEN’s Associate Director for Enforcement, Stephanie Brooker, delivered remarks at the Bank Secrecy Act Conference, focusing on three main areas: (i) BSA filing trends, the value of BSA data, and compliance development in the casino industry over the past year; (ii) FinCEN’s enforcement approach and recent enforcement developments; and (iii) the significance of establishing and maintaining a culture of compliance throughout the business and compliance sides of casinos and card clubs. In addition, Brooker noted certain principles at the core of FinCEN’s enforcement program: (i) transparency in the agency’s rationale behind its enforcement actions; (ii) accountability, ensuring that financial institutions, and any individual related to the financial institution, take responsibility for violations of the BSA; and (iii) giving credit where credit is due by considering an institution’s “documented improvements in AML compliance over time.” Finally, Brooker stressed that in order for a financial institution to successfully maintain a culture of compliance, its business side and business leaders must take AML controls and BSA compliance seriously, meaning that “every casino employee, from the top down, views AML compliance as part of his or her responsibility.”