InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OFAC issues sanctions to counter narcotics trafficking
On January 30, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 14059 against the leader of a Mexico-based network and two associates for procuring precursor chemicals to manufacture and traffic illicit narcotics to the United States. As a result of the sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons.
FinCEN discusses digital identity threats
On January 25, FinCEN's acting Deputy Director, Jimmy Kirby, spoke before the Identity Policy Forum regarding digital identity threats, stating that FinCEN is “pragmatically focused” on protecting the U.S. financial system from illicit finance threats. According to Kirby, financial institutions must establish with confidence who their customers are on the front end and throughout the customer relationship. He noted that a failure or security compromise in any step of that process compromises the integrity of customer identity. Kirby also pointed out that security breaches have led to data hacks of centralized repositories of identity-related information, exposing personally identifiable information, and making those data sources less reliable, and that identity-related suspicious activity reports are increasing. Observing such threats, Kirby said that FinCEN designed the Identity Project to achieve three goals, to: (i) learn about financial institutions’ customer identification processes; (ii) quantify process breakdowns, vulnerabilities, and threats; and (iii) identify solutions, including digital identity. Kirby also discussed responsible innovation and emphasized the need to “foster development of infrastructure, information sharing, and standards that will safeguard the future of identity and the financial system.” Regarding expanding partnerships and feedback loops, Kirby said that the public sector must learn from each other, and that FinCEN is “also engaging with other domestic Federal agencies and regulators on digital identity, at FedID and throughout the year.”
OFAC announces sanctions against Paraguayan officials
On January 26, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against the former president of Paraguay and the current vice president for their involvement in corrupt actions that undermine democratic institutions in the country. OFAC also designated several companies that are owned or controlled by the former president. According to OFAC, the sanctioned persons are being designated as perpetrators of serious human rights abuse and corruption pursuant to Executive Order 13818, which builds up and implements the Global Magnitsky Human Rights Accountability Act. As a result of the sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked.” OFAC noted that its regulations generally prohibit U.S. persons from participating in transactions with these persons, which “include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any designated person, or the receipt of any contribution or provision of funds, goods, or services from any such person.”
FinCEN alert covers potential CRE investments by sanctioned Russians
On January 25, the Financial Crimes Enforcement Network (FinCEN) issued an alert to financial institutions on potential investments in the U.S. commercial real estate sector by sanctioned Russian elites, oligarchs, their family members, and the entities through which they act. The alert provides a list of possible red flags and typologies regarding attempted sanctions evasion in the commercial real estate sector and emphasizes financial institutions’ Bank Secrecy Act reporting obligations. The alert noted that banks frequently work with market participants who seek financing for commercial real estate projects, and that banks have customer due diligence obligations to verify the beneficial owners of legal entity customers. Specifically, the alert noted that “banks therefore may be in a position to identify and report suspicious activities associated with sanctioned Russian elites and their proxies including [politically exposed persons], among banks’ [commercial real estate]-related customers.” According to FinCEN, the recent alert builds on FinCEN’s March 2022 alert identifying real estate, luxury goods, and other high value assets involving sanctioned Russian and elites, and is the fourth alert issued by FinCEN on potential Russian illicit financial activity since Russia’s invasion of Ukraine in February 2022 (covered by InfoBytes here).
OFAC sanctions Russians individuals and entities
On January 26, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against six individuals and 12 entities connected to the Russian Federation. OFAC noted that the designations, which are concurrent with additional sanctions actions by the Department of State, target the infrastructure that supports battlefield operations in Ukraine, including producers of Russia’s weapons and those administering Russian-occupied areas of Ukraine. OFAC also noted that the action includes the designation of persons that support Russian defense-related entities. As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals and entities that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Further, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons unless authorized by a general or specific license from OFAC.
Treasury announces task force with South Africa on wildlife trafficking
On January 25, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced that Treasury and South Africa’s National Treasury recently formed the U.S. – South Africa Task Force on Combating the Financing of Wildlife Trafficking. According to the announcement, the Task Force will combat illicit finance connected to illegal wildlife trade in three key areas:
- Prioritizing the sharing of financial red flags and indicators connected to wildlife trafficking cases. Specifically, the South African Anti-Money Laundering Integrated Task Force, a public private partnership, will play a key role working in coordination with FinCEN.
- Increasing information sharing between financial intelligence units to support key law enforcement agencies from South Africa and the U.S. This is intended to “bolster law enforcement efforts to use financial investigations to pursue and recover the illicit proceeds of wildlife criminals, especially transnational criminal organizations (TCOs) fueling and benefiting from corruption and the trafficking of, among other things, abalone, rhino horns, pangolins, and elephant ivory.”
- Bringing together government authorities, regulators, law enforcement, and the private sector to enhance controls to combat money laundering and the illicit proceeds connected to drug and wildlife trafficking.
Treasury Secretary Janet L. Yellen emphasized that in order “[t]o protect wildlife populations from further poaching and disrupt the associated illicit trade, we must ‘follow the money’ in the same way we do with other serious crimes.”
OFAC sanctions key Hizballah money exchanger
On January 24, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13224 against several individuals and associated entities, including a Lebanese money exchanger and a money service business, for facilitating financial activities for Hizballah. Commenting that Treasury “is taking action against a corrupt money exchanger, whose financial engineering actively supports and enables Hizballah and its interests at the expense of the Lebanese people and economy,” Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson issued a warning that the U.S. is committed to holding persons accountable should they “exploit their privileged positions for personal gain.” The sanctions follow designations imposed last month against several individuals and companies that manage and enable Hizballah’s financial operations throughout Lebanon, including Hizballah’s “quasi-financial institution” and its central finance unit. (Covered by InfoBytes here.)
As a result of the sanctions, all property, and interests in property of the designated persons, “and of any entities that are owned, directly or indirectly 50 percent or more by them, individually, or with other blocked persons, that are in the United States or in the possession or control of U.S. persons, must be blocked and reported to OFAC.” OFAC regulations generally prohibit all transactions by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of designated persons unless authorized by an OFAC general or specific license. OFAC further cautioned that “engaging in certain transactions with the individuals and entities designated today entails risk of secondary sanctions,” and noted that the designated persons are also subject to the Hizballah Financial Sanctions Regulations. Pursuant to these regulations, “OFAC can prohibit or impose strict conditions on the opening or maintaining in the United States of a correspondent account or a payable-through account by a foreign financial institution that either knowingly conducted or facilitated any significant transaction on behalf of an SDGT or, among other things, knowingly facilitates a significant transaction for Hizballah or certain persons designated for their connection to Hizballah.”
OFAC sanctions IRGC foundation and Iranian senior officials
On January 23, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13553 against Iran’s Islamic Revolutionary Guard Corps (IRGC) Cooperative Foundation, five of the foundation’s board members, the Deputy Minister of Intelligence and Security, and four senior IRGC commanders in Iran. According to OFAC, the sanctions—imposed in coordination with the UK and EU—target a key economic pillar of the IRGC.
OFAC stressed that this “is the ninth round of OFAC designations targeting actors responsible for the crackdown on peaceful demonstrators and efforts to disrupt and cut Iran’s access to the global internet since nationwide protests began in 2022.” As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Further, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the designated persons may themselves be exposed to sanctions, and “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the persons designated today could be subject to U.S. sanctions.”
U.S. messaging service fined €5.5 million for GDPR violations
On January 19, the Irish Data Protection Commission (DPC) announced the conclusion of an inquiry into the data processing practices of a U.S.-based messaging service’s Ireland operations and fined the messaging service €5.5 million. The investigation was part of a broader GDPR compliance inquiry prompted by a May 25, 2018 complaint from a German data subject.
The DPC noted that in advance of the date on which the GDPR became effective (May 25, 2018), the U.S. company updated its terms of service and notified users that, to continue accessing the messaging service, they would need to accept the updated terms by clicking “agree and continue.” The complainant asserted that, in doing so, the messaging service forced users to consent to the processing of their personal data for service improvement and security.
The company claimed that when a user accepted the updated terms of service, the user entered into a contract with the company. The company therefore maintained that “the processing of users’ data in connection with the delivery of its service was necessary for the performance of that contract, to include the provision of service improvement and security features, so that such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the ‘contract’ legal basis for processing).” The complainant argued that, contrary to the company’s stated intention, the company was “seeking to rely on consent to provide a lawful basis for its processing of users’ data.”
The DPC issued a draft decision that was submitted to its EU peer regulators (Concerned Supervisory Authorities or “CSAs”). The DPC concluded that the company was in breach of its GDPR transparency obligations under Articles 12 and 13(1)(c), and stated that users had “insufficient clarity as to what processing operations were being carried out on their personal data.” With respect to whether the company was obliged to rely on consent as its legal basis in connection with the delivery of the service (including for service improvement and security purposes), the DPC disagreed with the complainant’s “forced consent” argument, finding that the company was not required to rely on user consent as providing a lawful basis for its processing of their personal data.
Noting that DPC had previously imposed a €225 million fine against the company last September for breaching its transparency obligations to users about how their information was being disclosed over the same time period (covered by InfoBytes here), the DPC did not propose an additional fine. Six of the 47 CSAs, however, objected to the DPC’s conclusion as to the “forced consent” aspect of its decision, arguing that the company “should not be permitted to rely on the contract legal basis on the basis that the delivery of service improvement and security could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.”
The dispute was referred to the European Data Protection Board (EDPB), which issued a final decision on January 12, where it found that, “as a matter of principle, [the company] was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purposes of service improvement and security,” and that in doing so, the company contravened Article 6(1) of the GDPR.
The DPC handed down a €5.5 million administrative fine and ordered the company to bring its processing operations into compliance with the GDPR within a six-month period. Separately, the EDPB instructed the DPC “to conduct a fresh investigation” that would span all of the company’s processing operations to determine whether the company is in compliance with relevant GDPR obligations regarding the processing of personal data for behavioral advertising, marketing purposes, the provisions of metrics to third parties, and the exchange of data with affiliated companies for the purpose of service improvements.
The DPC challenged the EDPB’s decision, stating that the board “does not have a general supervision role akin to national courts in respect of national independent authorities, and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation.” The DPC suggested that it is considering bringing an action before the Court of Justice of the European Union to “seek the setting aside of the EDPB’s direction.”
FinCEN prohibits engagement with virtual currency exchange connected to Russian finance
On January 18, the Financial Crimes Enforcement Network (FinCEN) issued its first order pursuant to section 9714(a) of the Combating Russian Money Laundering Act to identify a Hong Kong-registered global virtual currency exchange operating outside of the U.S. as a “primary money laundering concern” in connection with Russian illicit finance. FinCEN announced that the virtual currency exchange offers exchange and peer-to-peer services and “plays a critical role in laundering Convertible Virtual Currency (CVC) by facilitating illicit transactions for ransomware actors operating in Russia.” A FinCEN investigation revealed that the virtual currency exchange facilitated deposits and funds transfers to Russia-affiliated ransomware groups or affiliates, as well as transactions with Russia-connected darknet markets, one of which is currently sanctioned and subject to enforcement actions that have shuttered its operations. The investigation also found that the virtual currency exchange failed to meaningfully implement steps to identify and disrupt the illicit use and abuse of its services, and lacked adequate policies, procedures, or internal controls to combat money laundering and illicit finance.
Recognizing that the virtual currency exchange “poses a global threat by allowing Russian cybercriminals and ransomware actors to launder the proceeds of their theft,” FinCEN acting Director Himamauli Das emphasized that “[a]s criminals and criminal facilitators evolve, so too does our ability to disrupt these networks.” He warned that FinCEN will continue to leverage the full range of its authorities to prohibit these institutions from gaining access to and using the U.S. financial system to support Russian illicit finance. Effective February 1, covered financial institutions are prohibited from engaging in the transmittal of funds from or to the virtual currency exchange, or from or to any account or CVC address administered by or on behalf of the virtual currency exchange. Frequently asked questions on the action are available here.
Concurrently, the DOJ announced that the founder and majority owner of the virtual currency exchange was arrested for his alleged involvement in the transmission of illicit funds. Charged with conducting an unlicensed money transmitting business and processing more than $700 million of illicit funds, the DOJ said the individual allegedly “knowingly allowed [the virtual currency exchange] to become a perceived safe haven for funds used for and resulting from a variety of criminal activities,” and was aware that the virtual currency exchange’s accounts “were rife with illicit activity and that many of its users were registered under others’ identities.” While the virtual currency exchange claimed it did not accept users from the U.S., it allegedly conducted substantial business with U.S.-based customers and advised users that they could transfer funds from U.S. financial institutions.
Deputy Secretary of the Treasury Wally Adeyemo issued a statement following the announcement, noting that the action “is a unique step that has only been taken a handful of times in Treasury’s history for some of the most egregious money laundering cases, and is the first of its kind specifically under new authorities to combat Russian illicit finance.” He reiterated that the action “sends a clear message that we are prepared to take action against any financial institution—including virtual asset service providers—with lax controls against money laundering, terrorist financing, or other illicit finance.”