
InfoBytes Blog

Financial Services Law Insights and Observations


  • FinCEN offers suspicious activity reporting guidance for human smuggling along U.S.-Mexico border

    Financial Crimes

    On January 13, the Financial Crimes Enforcement Network (FinCEN) issued an alert advising financial institutions on how to detect and report suspicious financial activity that may be related to human smuggling along the southwest border of the United States. Highlighting that human smuggling is one of the eight Anti-Money Laundering and Countering the Financing of Terrorism National Priorities identified by FinCEN, the agency pointed out that human smuggling along the southwest border generates an estimated $2 billion to $6 billion in yearly revenue for illicit actors. The alert, which builds on FinCEN’s 2020 and 2014 human smuggling and human trafficking advisories (covered by InfoBytes here and here), provides trends, typologies, and red flag indicators to help financial institutions better identify and file suspicious activity reports potentially related to such activity. “Financial institutions need to know that their vigilance and prompt Bank Secrecy Act reporting matters—it aids investigations tied to human smuggling and transnational organized crime, and can ultimately save lives,” FinCEN Acting Director Himamauli Das said in the announcement.

    Financial Crimes Of Interest to Non-US Persons FinCEN Bank Secrecy Act SARs

  • OFAC issues Russia-related general licenses for some transactions

    Financial Crimes

    On January 17, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued several Russia-related General Licenses (GLs), including: (i) General License (GL) 6C, which authorizes transactions related to agricultural commodities, medicine, medical devices, replacement parts and components, or software updates, Covid-19 pandemic, or clinical trials; (ii) GL 54A, which authorizes certain transactions involving certain holdings prohibited by Executive Order 14071; and (iii) GL 28B, which authorizes the wind down and rejection of certain transactions involving a public joint stock company and Afghanistan. OFAC also announced that it is amending four Russia-related Frequently Asked Questions 982, 1054, 1055, and 1059.

    Financial Crimes OFAC Department of Treasury Of Interest to Non-US Persons Russia OFAC Sanctions OFAC Designations

  • DOJ revises corporate enforcement policy applicable to all criminal matters including FCPA cases

    Federal Issues

    On January 17, Assistant Attorney General Kenneth A. Polite, Jr. delivered remarks at Georgetown University Law Center, during which he announced changes to the DOJ’s Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy. Polite provided background information on the DOJ Criminal Division’s voluntary self-disclosure incentive program, the FCPA Pilot Program, that was announced in 2016 and expanded in 2017 to become the FCPA Corporate Enforcement Policy (covered by InfoBytes here). This policy, Polite said, has been applied to all corporate cases prosecuted by the Criminal Division since at least 2018, and provided, among other things, that “if a company voluntarily self-discloses, fully cooperates, and timely and appropriately remediates, there is a presumption that [the DOJ] will decline to prosecute absent certain aggravating circumstances involving the seriousness of the offense or the nature of the offender.” The policy also provided a maximum 50 percent reduction off the low end of the applicable sentencing guidelines penalty range to companies that self-disclosed violations where a criminal resolution is warranted. Last year, following a request by the Deputy Attorney General to have all DOJ components write voluntary self-disclosure policies, the Criminal Division conducted an assessment of its existing policy. Polite said the division is now announcing the first significant changes to the policy since 2017.

    Under the updated policy, companies are offered “new, significant and concrete incentives to self-disclose misconduct,” Polite said, explaining that “even in situations where companies do not self-disclose, the revisions to the policy provide incentives for companies to go far above and beyond the bare minimum when they cooperate with [DOJ] investigations.” He emphasized that the revisions clarify that companies will face very different outcomes if they do not self-disclose, meaningfully cooperate with investigations, or remediate. However, the revisions provide a path that incentivizes even more robust compliance on the front-end in order to prevent misconduct and requires even more robust cooperation and remediation on the back-end should a crime occur.

    Polite stated that prosecutors might decline to bring charges against a company over crimes with aggravating factors if the company can demonstrate that it: (i) made voluntary disclosures immediately upon becoming aware of an allegation of misconduct; (ii) had an effective compliance program already in place at the time of the misconduct that allowed it to identify the misconduct and led it to voluntarily self-disclose; and (iii) provided exceptional cooperation and extraordinary remediation. Should a company fail to take these steps, it risks “increasing its criminal exposure and monetary penalties,” Polite warned, emphasizing that the DOJ’s “job is not just to prosecute crime, but to deter and prevent criminal conduct.” He added that the DOJ will recommend a reduction in fines of at least 50 percent and up to 75 percent (except in the case of a criminal recidivist) for companies that voluntarily report wrongdoing and fully cooperate with investigations. Even companies that do not voluntarily disclose wrongdoing but still fully cooperate with an investigation and timely and appropriately remediate could still receive a 50 percent reduction off the low end of the guidelines for fines, Polite said. “The policy is sending an undeniable message: come forward, cooperate, and remediate. We are going to be closely examining how companies discipline bad actors and reward the good ones.”

    Federal Issues Agency Rule-Making & Guidance Financial Crimes Enforcement DOJ FCPA Of Interest to Non-US Persons

  • FinCEN solicits feedback on beneficial ownership reporting requirements

    Financial Crimes

    On January 17, the Financial Crimes Enforcement Network (FinCEN) published two notices and requests for comment in the Federal Register related to the reporting process the agency intends to use to collect beneficial ownership data pursuant to the Beneficial Ownership Information Reporting Requirements final rule (published last September and covered by InfoBytes here). Under the final rule, most corporations, limited liability companies, and other entities created in or registered to do business in the U.S. will be required to report information about their beneficial owners to FinCEN. The first notice and request for comments invites interested parties to provide feedback on the application that will be used to collect information from individuals who seek to obtain an optional FinCEN identifier. The second notice and request for comments requests feedback on a report that certain entities will be required to file with FinCEN. The electronically filed report will identify the reporting entity’s beneficial owners, and—in certain cases—the individual who “directly filed the document with specified governmental authorities that created the entity or registered it to do business, as well as the individual who was primarily responsible for directing or controlling such filing, if more than one individual was involved in the filing of the document.” Comments on both notices are due by March 20.

    Financial Crimes Agency Rule-Making & Guidance Of Interest to Non-US Persons FinCEN Beneficial Ownership

  • OFAC issues amended Venezuela-related GL and FAQ

    Financial Crimes

    On January 17, the U.S. Treasury Department’s Office of Foreign Assets Control issued Venezuela-related General License (GL) 5J, which supersedes GL 5I and authorizes certain transactions otherwise prohibited under Executive Orders 13835 and 13857 related to, or that provide financing for, dealings in the Petróleos de Venezuela, S.A. 2020 8.5 Percent Bond on or after April 20, 2023. GL 5J does not authorize any transactions or activities otherwise prohibited by the Venezuela Sanctions Regulations. Concurrently, OFAC updated Venezuela-related FAQ 595 to provide clarification on authorized transactions as well as licensing requirements.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations Petroleos de Venezuela Venezuela

  • OFAC issues extended counter-terrorism GL and amended FAQ

    Financial Crimes

    On January 12, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued Counter Terrorism General License (GL) 21B, “Authorizing Limited Safety and Environmental Transactions Involving Certain Vessels,” to authorize limited safety and environmental transactions involving certain persons or vessels that are normally prohibited by the Global Terrorism Sanctions Regulations (GTSR) through 12:01 a.m. EST, April 13, 2023. OFAC explained that such transactions are authorized as long as payments to a blocked person are made into a blocked account in accordance with the GTSR. A list of authorized blocked persons and vessels listed on OFAC’s Specially Designated Nationals and Blocked Persons List is also included. OFAC also amended related FAQ 1097 to provide additional clarification on permitted transactions.

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Sanctions OFAC Designations

  • OFAC issues and amends Iran-related FAQ

    Financial Crimes

    On January 11, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published an Iran-related frequently asked question (FAQ) and amended several other Iran-related FAQs. New FAQ 1110 clarifies Iran General License (GL) D-1 and GL D-2. Specifically, OFAC noted that because GL D-1 was issued in 2014, the types of software and services that support communication over the internet have changed. Therefore, to reflect technological developments in communication-related software and services since the issuance of GL D-1 (including in cloud-based services), OFAC issued GL D-2 to expand and clarify the range of U.S. software and services available to Iranians under OFAC’s sanctions program.

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Sanctions OFAC Designations Iran

  • OFAC issues Venezuela-related general license for some transactions

    Financial Crimes

    On January 9, the U.S. Treasury Department’s Office of Foreign Assets Control issued Venezuela-related General License (GL) 31B, “Certain Transactions Involving the IV Venezuelan National Assembly and Certain Other Persons.” GL 31B authorizes certain transactions ordinarily prohibited by Executive Order (E.O.) 13884, as incorporated into the Venezuela Sanctions Regulations (VSR), involving the IV Venezuelan National Assembly, its Delegated Commission, any entity established by, or under the direction of, the IV National Assembly to exercise its mandate, or any person appointed or designated by, or whose appointment or designation is retained by, the IV National Assembly, its Delegated Commission, or a IV National Assembly Entity, including their respective members and staff. GL 31B also authorizes U.S. persons to engage in all transactions prohibited by E.O. 13850, as amended by E.O. 13857 (and incorporated into the VSR), involving “any person appointed or designated by, or whose appointment or designation is retained by, the IV National Assembly, its Delegated Commission, or a IV National Assembly Entity to the board of directors (including any ad hoc board of directors) or as an executive officer of a Government of Venezuela entity (including entities owned or controlled, directly or indirectly, by the Government of Venezuela).” OFAC noted that GL 31B does not authorize transactions involving the Venezuelan National Constituent Assembly convened by Nicolas Maduro or the National Assembly seated on January 5, 2021 (including their respective members and staff), or any transactions otherwise prohibited by the Venezuela Sanctions Regulations, including those involving blocked persons unless allowed by GL 31B or separately authorized. In conjunction with GL 31B, OFAC amended related FAQs 522, 547, 660, 679, and 680.

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Sanctions OFAC Designations Venezuela

  • France fines software company €60 million for data violations

    Privacy, Cyber Risk & Data Security

    In December, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a €60 million penalty against a global software development company accused of making it harder for users of its search engine to reject cookies than to accept them. Based on investigations conducted in September 2020 and May 2021, CNIL claims that when users visited the search engine, cookies used for advertising purposes and countering advertising fraud, among other things, were automatically deposited on their terminal without the users’ consent. Under French law, these types of cookies may only be deposited after users have expressed their consent, according to CNIL. CNIL further observed that while the search engine offered a button to accept cookies immediately, it did not offer an equivalent button to allow the user to refuse the cookies as easily. By making the refusal mechanism more complex, users are discouraged from refusing cookies and are instead encouraged “to prefer the ease of the consent button in the first window,” CNIL said, adding that “such a procedure infringed the freedom of consent of Internet users.” Claiming violations of Article 82 of the French Data Protection Act, CNIL ordered the company to take measures within three months to modify its practices for obtaining consent from users residing in France. CNIL further stated that additional fines of €60,000 will be imposed per day of non-compliance following the end of the three-month period. 

    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons France Enforcement Consumer Protection Cookies

  • Irish DPC fines global social media company €390 million over targeted ads

    Privacy, Cyber Risk & Data Security

    On January 4, the Irish Data Protection Commission (DPC) announced the conclusion of two inquiries into the data processing practices of a global social media company’s European operations. Collectively, the DPC imposed fines totaling €390 million against the company for allegedly requiring users to accept targeted ads when accepting the company’s social media platform terms of service. Complaints were raised in 2018 by data subjects in Austria and Belgium, claiming that the company violated the GDPR by conditioning access to its services on users’ acceptance of the company’s updated terms of service, thereby “forcing” them to consent to the processing of their personal data for behavioral advertising and other personalized services. The company maintained that once a user accepted the updated terms of service, a contract was formed, and that processing user data in connection with the delivery of its social media services was necessary for the performance of that contract (including the provision of personalized services and behavioral advertising). According to the company, “such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the ‘contract’ legal basis for processing).”

    The DPC issued draft decisions, finding that (i) the company breached its transparency obligations because the “contract” legal basis for processing was not clearly disclosed to users, but that, (ii) in principle, the GDPR did not preclude the company’s reliance on such basis.

    In accordance with the GDPR, the draft decisions were submitted to DPC’s EU peer regulators (Concerned Supervisory Authorities or “CSAs”). Regarding the question of whether the company had acted in contravention of its transparency obligations, the CSAs agreed with the DPC’s decisions but concluded that higher fines should be imposed. Ten of the 47 CSAs, however, concluded that the company “should not be permitted to rely on the contract legal basis on the grounds that the delivery of personalized advertising . . . could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.” The DPC disagreed, arguing that personalized advertising is “central to the bargain struck between users and their chosen service provider” as part of the contract that is established when a user accepts the terms of service. The dispute was referred to the European Data Protection Board (EDPB) after the regulators were unable to reach a consensus.

    The EDPB determined that, “as a matter of principle,” the company “is not entitled to rely on the ‘contract’ legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioral advertising.” The DPC adopted the EDPB’s determination and issued final decisions, finding, among other things, that the company’s processing of users’ data in purported reliance on the “contract” legal basis amounts to a contravention of Article 6 of the GDPR. The decisions require the company to bring its processing operations into compliance with the GDPR within a three-month period and impose administrative fines higher than those originally proposed, in line with the EDPB’s direction to increase the fines.

    The company released a statement following the decisions. According to the company, “[t]here has been a lack of regulatory clarity on this issue, and the debate among regulators and policymakers around which legal bases are most appropriate in a given situation has been ongoing for some time. This issue is also currently being debated by the highest courts in the EU, who may yet reach a different conclusion altogether.” The company added that “we strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioural ads given the nature of our services. As a result, we will appeal the substance of the decision. Given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticised for the approach we have taken to date, and therefore we also plan to challenge the size of the fines imposed.”

    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons EU GDPR Enforcement
