On July 16, a United Arab Emirates cigarette filter and tear tape manufacturer settled OFAC and DOJ charges for apparent violations of the North Korea Sanctions Regulations (NKSR) 31 C.F.R. part 510 and the International Emergency Economic Powers Act (IEEPA). According to OFAC’s release, the company allegedly violated the NKSR by (i) engaging in deceptive practices in order to export cigarette filters to North Korea through a network of front companies in China and other countries; and (ii) receiving three wire transfers totaling more than $330,000 in accounts at a U.S. bank’s foreign branch as payment for exporting the filters. OFAC noted that the conduct leading to the apparent violations included aggravating factors such as (i) the company’s senior manager and customer-facing employee willfully violated the NKSR by agreeing to, among other things, transact with non-North Korean front companies to conceal the North Korea connection despite a company policy that “warned that its banks would not handle transactions with sanctioned jurisdictions” including North Korea; and (ii) the senior manager and customer-facing employee were aware that the filters would be sent to North Korea. OFAC also considered various mitigating factors, including that the company substantially cooperated with OFAC’s investigation and agreed to provide ongoing cooperation. Under the terms of the settlement agreement, the company is required to pay a $665,112 civil monetary penalty to OFAC, which will be deemed satisfied by payment of the fine assessed by the DOJ arising out of the same conduct.
In the parallel criminal enforcement action, the company entered into a deferred prosecution agreement with the DOJ, accepting responsibility for its criminal conduct and agreeing to pay a $666,543.88 fine. According to the DOJ, this is the Department’s first corporate enforcement action for violations of the IEEPA. In addition, the company agreed to, among other things, fully cooperate with any investigation, implement a compliance program designed to prevent and detect any future violations of U.S. economic sanctions regulations, provide quarterly reports to the DOJ regarding the status of compliance improvements, provide OFAC-related training, and annually certify to OFAC that it has implemented and has continued to uphold its compliance-related commitments.
On July 16, the Financial Crimes Enforcement Network (FinCEN) issued an alert warning financial institutions about a scam using social media accounts to solicit fraudulent payments denominated in convertible virtual currency (CVC). According to FinCEN, high-profile social media accounts were compromised and used to solicit payments to CVC accounts, with claims that any CVC sent would be “doubled and returned to the sender.” The alert reminds financial institutions to report suspicious transactions involving this type of activity as soon as possible, and that “[a]ny data or information that helps identify the activity as suspicious can be included as an indicator” on their Suspicious Activity Report (SAR) form. The alert notes several indicators to assist financial institutions in identifying activity related to the scam, including (i) communications soliciting payments with misspellings; (ii) social media posts soliciting donations from unverified accounts; and (iii) multiple accounts communicating the same message soliciting funds for an unknown purpose.
On July 17, the U.S. Treasury Department issued a joint statement on the EU - U.S. Financial Regulatory Forum, which met virtually on July 14 and 15 and included participants from Treasury, the Federal Reserve Board, CFTC, FDIC, SEC, and OCC. Forum participants discussed six key themes: (i) potential financial stability implications and economic responses to the Covid-19 pandemic; (ii) capital market supervisory and regulatory cooperation, including cross-border supervision; (iii) “multilateral and bilateral engagement in banking and insurance,” including “cross-border resolution of systemic banks” and Volcker Rule implementation; (iv) approaches to anti-money laundering/countering the financing of terrorism and remittances; (v) the regulation and supervision of digital finance and financial innovation, such as “digital operational resilience and developments in crypto-assets, so-called stablecoins, and central bank digital currencies”; and (vi) sustainable finance developments. EU and U.S. participants recognized the importance of communicating mutual supervisory and regulatory concerns to “support financial stability, investor protection, market integrity, and a level playing field.”
Terrorist Financing Targeting Center designates ISIS-affiliated financial facilitators and money services businesses
On July 15, the U.S. Treasury Department announced that the seven member nations of the Terrorist Financing Targeting Center (TFTC) have jointly designated six targets affiliated with the Islamic State of Iraq and Syria (ISIS), including three key money services businesses. Four targets are designated for providing “a critical financial and logistical lifeline to ISIS, its branches, and its global facilitation networks,” while two targets are designated for “abus[ing] the goodwill of the international community under the auspices of charitable giving to facilitate the transfer of funds for and to support the activities of ISIS’s branch in Afghanistan, ISIS-Khorasan (ISIS-K).” Since 2017, the participating TFTC members—Saudi Arabia, Bahrain, Kuwait, Oman, Qatar, the United Arab Emirates, and Treasury’s Office of Foreign Assets Control (OFAC)—have issued five rounds of joint designations against 60 terrorist targets globally, in an effort to challenge ISIS’s ability to finance its operations through money service businesses and charities operating under false pretenses.
As a result of the sanctions, “all property and interests in property of these targets that are or come within the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC.” OFAC noted that its regulations “generally prohibit all dealings by U.S. persons or within the United States that involve any property or interests in property of blocked persons.” OFAC further warned that persons that engage in transactions with one of the designated individuals may be exposed to sanctions or subject to an enforcement action. Additionally, foreign financial institutions that knowingly facilitate significant transactions to the designated entities may be subject to prohibitions or strict conditions by OFAC.
On July 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Orders 13848, 13694, and 13661 against three individuals and five entities located in Sudan, Hong Kong, and Thailand, for allegedly enabling a Russian financier to evade U.S. sanctions. According to OFAC, the financier supported the Internet Research Agency (IRA), a Russian “troll farm” designated by OFAC in 2018, and is believed to be the financier behind Private Military Company, a “designated Russian Ministry of Defense proxy force.” OFAC alleged that this operation “advocated for the use of social media-enabled disinformation campaigns similar to those deployed by the IRA, and the staging of public executions to distract protestors seeking reforms.” Additionally, OFAC alleged that the individual and Thailand and Hong Kong-based entities “facilitated over 100 transactions exceeding $7.5 million that were sent in the interest of [the financier].” As a result, all property and interests in property belonging to, or owned by, the identified individuals and entities subject to U.S. jurisdiction are blocked, and “any entities that are owned, directly or indirectly, 50 percent or more by the designated entities, are also blocked.” U.S. persons are generally prohibited from dealing with any property or interests in property of blocked or designated persons.
Court of Justice of the European Union invalidates EU-U.S. Privacy Shield; standard contractual clauses survive (for now)
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its opinion in the Schrems II case (Case C-311/18). In its opinion, the CJEU concluded that the Standard Contractual Clauses issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. However, the Court invalidated the EU-U.S. Privacy Shield. The ruling cannot be appealed.
In 2015, a privacy campaigner named Max Schrems filed a complaint with Ireland’s Data Protection Commissioner challenging a global social media company’s use of data transfers from servers in Ireland to servers in the U.S. Schrems argued that U.S. laws did not offer sufficient protection of EU customer data, that EU customer data might be at risk of being accessed and processed by the U.S. government once transferred, and that there was no remedy available to EU individuals to ensure protection of their personal data after transfer to the U.S. Schrems sought the suspension or prohibition of future data transfers, which were executed by the company through standard data protection contractual clauses (a method approved by the Court in 2010 by Decision 2010/87). The social media company had utilized these standard contractual clauses after the CJEU invalidated the U.S. – EU Safe Harbor Framework in 2015.
Following the complaint, Ireland’s Data Protection Commissioner brought proceedings against the social media company in the Irish High Court, which referred numerous questions to the CJEU for a preliminary ruling, including questions addressing the validity of the standard contractual clauses and the EU-U.S. Privacy Shield.
CJEU Opinion – Standard Contractual Clauses (Decision 2010/87)
Upon review of the recommendations from the CJEU’s Advocate General published on December 19, 2019, the CJEU found the Decision approving the use of contractual clauses to transfer personal data valid.
The CJEU noted that the GDPR applies to the transfer of personal data for commercial purposes by a company operating in an EU member state to another company outside of the EU, notwithstanding the third-party country’s processing of the data under its own security laws. Moreover, the CJEU explained that data protection contractual clauses between an EU company and a company operating in a third-party country must afford a level of protection “essentially equivalent to that which is guaranteed within the European Union” under the GDPR. According to the CJEU, the level of protection must take into consideration not only the contractual clauses executed by the companies, but the “relevant aspects of the legal system of that third country.”
As for Decision 2010/87, the CJEU determined that it provides effective mechanisms to ensure, in practice, that contractual clauses governing data transfers comply with the level of protection required by the GDPR, and that it appropriately requires the suspension or prohibition of transfers in the event the clauses are breached or unable to be honored. The CJEU specifically highlighted the certification required by the EU data exporter and the third-party country recipient to verify, prior to any transfer, (i) the level of data protection in the third-party country; and (ii) abilities to comply with the data protection clauses.
CJEU Opinion - EU-U.S. Privacy Shield (Decision 2016/1250)
The CJEU decided to examine and rule on the validity of the EU – U.S. Privacy Shield. The CJEU determined that because the requirements of U.S. national security, public interest and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, the data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the GDPR. Specifically, the CJEU held that the surveillance programs used by U.S. authorities are not proportionally equivalent to those allowed under the EU law because they are not “limited to what is strictly necessary,” nor, under certain surveillance programs, does the U.S. “grant data subjects actionable rights before the courts against the U.S. authorities.” Moreover, the CJEU rejected the argument that the Ombudsperson mechanism satisfies the GDPR’s right to judicial protection, stating that it “does not provide any cause of action before a body which offers the persons whose data is transferred to the United States guarantees essentially equivalent to those required by [the GDPR],” and the Ombudsperson “cannot be regarded as a tribunal.” Thus, on those grounds, the CJEU declared the EU-U.S. Privacy Shield invalid.
On July 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued Venezuela General License (GL) 5D, which supersedes GL 5C and authorizes certain transactions otherwise prohibited under Executive Orders 13835 and 13857 related to, or that provide financing for, dealings in the Petróleos de Venezuela, S.A. 2020 8.5 Percent Bond on or after October 20, 2020. Concurrently, OFAC issued a new Venezuela-related frequently asked question regarding GL 5D.
On July 14, the Financial Crimes Enforcement Network (FinCEN) issued an advisory to inform financial institutions of updates to the Financial Action Task Force (FATF)-identified jurisdictions with “strategic deficiencies” in their anti-money laundering and combating the financing of terrorism (AML/CFT) and counter-proliferation financing regimes. FATF notes that, because of measures taken by countries in response to the Covid-19 pandemic, it has temporarily paused reviewing most countries with strategic deficiencies. The advisory reminds members that its February 2020 statement High-Risk Jurisdictions Subject to a Call for Action remains in effect and urges “all jurisdictions to impose countermeasures on Iran and the Democratic People’s Republic of Korea (DPRK) to protect the international financial system from significant strategic deficiencies in their AML/CFT regimes.” The advisory also emphasizes that financial institutions should consider the Jurisdictions under Increased Monitoring document and consult the list of identified countries when reviewing due diligence obligations and risk-based policies, procedures, and practices. The advisory also outlines AML program risk assessment considerations, as well as suspicious activity report filing guidance.
On July 9, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13818 against a Chinese government entity and four current or former government officials for alleged corruption violations of the Global Magnitsky Human Rights Accountability Act. According to OFAC, the sanctioned persons are connected to serious human rights abuse against ethnic minorities in the Xinjiang region. The sanctions follow an advisory issued by the U.S. Departments of State, Treasury, Commerce, and Homeland Security advising “[b]usinesses with potential exposure in their supply chain to entities that engage in human rights abuses in Xinjiang or to facilities outside Xinjiang . . . [to consider] the reputational, economic, and legal risks of involvement with such entities.” As a result of the sanctions, all property and interests in property of the designated persons within U.S. jurisdiction must be blocked and reported to OFAC. OFAC notes that its regulations “generally prohibit” U.S. persons from participating in transactions with these individuals and entities. The prohibitions also “include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person or the receipt of any contribution or provision of funds, goods or services from any such person.”
On July 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $134,523 settlement with a Washington-based company that provides retail, e-commerce, and digital services worldwide. According to OFAC, due to deficiencies in the company’s sanctions screening process, between 2011 and 2018, the company provided goods and services to OFAC sanctioned persons; to persons located in the sanctioned region or countries of Crimea, Iran, and Syria; and “for persons located in or employed by the foreign missions of Cuba, Iran, North Korea, Sudan, and Syria.” Additionally, the company allegedly accepted and processed orders that primarily consisted of low-value retail goods and services from persons listed on OFAC’s List of Specially Designated Nationals and Blocked Persons who were blocked pursuant to sanctions regulations involving the Democratic Republic of Congo, Venezuela, Zimbabwe, among others. These apparent violations occurred “primarily because [the company’s] automated sanctions screening processes failed to fully analyze all transaction and customer data relevant to compliance with OFAC’s sanctions regulations,” OFAC stated, claiming the company also “failed to timely report several hundred transactions conducted pursuant to a general license issued by OFAC that included a mandatory reporting requirement, thereby nullifying that authorization with respect to those transactions.”
In arriving at the settlement amount, OFAC considered various mitigating factors, including that the apparent violations were non-egregious and (i) the company voluntarily disclosed the violations and cooperated with the investigation; and (ii) the company has undertaken significant remedial efforts to address the deficiencies and to minimize the risk of similar violations from occurring in the future.
OFAC also considered various aggravating factors, including that the company failed to exercise due caution or care to ensure its sanctions screening process was able to properly flag transactions involving blocked persons and sanctioned jurisdictions. “This case demonstrates the importance of implementing and maintaining effective, risk-based sanctions compliance controls,” OFAC stated. “[G]lobal companies that rely heavily on automated sanctions screening processes should take reasonable, risk-based steps to ensure that their processes are appropriately configured to screen relevant customer information and to capture data quality issues.”