InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FinCEN further extends FBAR filing deadline for certain individuals
On December 9, the Financial Crimes Enforcement Network (FinCEN) issued Notice 2022-1 to further extend the time for certain Report of Foreign Bank and Financial Accounts (FBAR) filings in light of the agency’s March 2016 notice of proposed rulemaking, which proposed to revise the Bank Secrecy Act’s implementing regulations regarding FBARs. (See previous InfoBytes coverage on the 2016 NPR here.) Specifically, one of the proposed amendments seeks to “expand and clarify the exemptions for certain U.S. persons with signature or other authority over foreign financial accounts,” but with no financial interest, as outlined in FinCEN Notice 2021-1 issued December 9, 2021. FinCEN noted that because the proposal has not been finalized, it is further extending the filing due date to April 15, 2024, for individuals who previously qualified for a filing due date extension under Notice 2021-1. All other individuals must submit FBAR filings by April 15, 2023.
G7 Cyber Expert Group releases reports on ransomware and third-party risk
On December 8, the G7 Cyber Expert Group (CEG) – co-chaired by the Bank of England and the U.S. Treasury Department’s Office of Cybersecurity and Critical Infrastructure – released two reports addressing ransomware and third-party risk in the financial sector. According to the announcement, the reports “are intended to help financial sector entities better understand cybersecurity topics as agreed upon by a multilateral consensus.”
The Fundamental Elements of Ransomware Resilience for the Financial Sector provides financial entities with high-level building blocks for addressing ransomware threats. The “non-prescriptive and non-binding” report is meant to guide public and private financial institutions for their own internal ransomware mitigation activities and “provide[s] an overview of the current policy approaches, industry guidance, and best practices in place throughout the G7.”
The Fundamental Elements of Third-Party Risk Management for the Financial Sector updates a previous version published in 2018. According to the announcement, the updated report was necessary due to the increase in use of service providers by financial institutions in their central operational functions and subsequent vulnerabilities as a result of such reliance. The update includes explicit recommendations for monitoring risks along the supply chain and identifying systemically important third-party providers and concentration risks.
Danish financial institution fined $2 billion for anti-money-laundering compliance failures
On December 13, a Danish global financial institution pled guilty to conspiring to commit bank fraud and agreed to forfeit approximately $2 billion. According to court documents, the financial institution defrauded U.S. banks at which it held correspondent accounts by misrepresenting the state of its AML controls and transaction monitoring capabilities. According to the Department of Justice, between 2008 and 2016, the financial institution offered banking services through its Estonia branch, including a business line serving non-resident customers (known as “NRP”). The Estonia branch allowed NRP customers to transfer large amounts of money with little to no oversight, and branch employees conspired with NRP customers to hide the true nature of the transactions, including through the use of shell companies that obscured the actual owners of the funds. During this period, the Estonia branch processed $160 billion through U.S. banks on behalf of NRP customers.
The financial institution and its Estonia branch were required to provide information to U.S. banks in order to open and maintain correspondent accounts. This included information related to AML controls, transaction monitoring, and customers. By at least February 2014, the financial institution became aware of some NRP customers who were engaged in highly suspicious and potentially criminal transactions, including through U.S. banks. The DOJ noted that the financial institution was also aware that the Estonia branch’s AML program and procedures were not appropriate to meet the risks associated with NRP customers, but instead of providing truthful information, the financial institution lied about the state of the Estonia branch’s AML compliance program.
Under the terms of the plea agreement, the bank has agreed to a criminal forfeiture of $2.059 billion. The bank will also enter into separate criminal or civil resolutions with domestic and foreign authorities. The DOJ will credit approximately $850 million in payments made by the financial institution to resolve related parallel investigations by other domestic and foreign authorities. The DOJ noted that the financial institution “received full credit for cooperation and remediation because it provided full cooperation with the investigation and demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct.”
The same day, the SEC announced fraud charges against the financial institution in connection with a related, parallel proceeding. The financial institution agreed to pay roughly $413 million, including a $178.6 million civil monetary penalty, as well as $178.6 million in disgorgement and $55.8 million in prejudgment interest. The SEC said it will deem the disgorgement and prejudgment interest satisfied by forfeiture and confiscation ordered in parallel criminal cases with the DOJ, the United States Attorney’s Office for the Southern District of New York, and Denmark’s Special Crime Unit.
Treasury supports resolution establishing humanitarian carveout across UN sanctions regimes
On December 9, Secretary of the Treasury Janet L. Yellen issued a statement on the adoption of United Nations Security Council Resolution 2664, which establishes a standardized humanitarian carveout across UN sanctions regimes. Yellen explained that while sanctions are an important tool for globally combating key threats such as money laundering and terrorist financing, Treasury also recognized the potential for unintended consequences and strongly recommended streamlining humanitarian authorizations across sanctions programs. Resolution 2664 “further enables the flow of legitimate humanitarian assistance supporting the basic human needs of vulnerable populations while continuing to deny resources to malicious actors,” Yellen said.
OFAC designates sanctions evasion network connected to IRGC-QF
On December 8, the U.S. Treasury Department’s Office of Foreign Assets Control announced sanctions pursuant to Executive Order 13224 against a sanctions evasion network for facilitating and concealing the sale and shipment of hundreds of millions of dollars’ worth of oil for Iran’s Islamic Revolutionary Guard Corps-Qods Force (IRGC-QF). According to OFAC, the designated individual’s companies “established international sales contracts for Iranian oil with foreign purchasers, arranged shipments of oil, and helped launder the proceeds, obscuring the oil’s Iranian origin and the IRGC-QF’s interest in the sales.” The action supplements designations announced in May, which targeted an element of this network responsible for facilitating millions of dollars’ worth of Iranian oil sales for both the IRGC-QF and Hizballah, backed by senior levels of the Russian Federation government and state-run entities (covered by InfoBytes here). As a result, all property, and interests in property of the designated individuals and entities, “and of any entities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked persons, that are in the United States or in the possession or control of U.S. persons, must be blocked and reported to OFAC.” U.S. persons are generally prohibited from engaging in transactions with the designated persons unless authorized by a general or specific OFAC license or are otherwise exempt. OFAC further warned that “engaging in certain transactions with the individuals and entities designated today entails risk of secondary sanctions.”
OFAC sanctions over 40 individuals and entities in nine countries
On December 9, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against 40 individuals and entities that are connected to corruption or human rights abuse across nine countries, in recognition of International Anti-Corruption Day and Human Rights Day. According to OFAC, throughout 2022, Treasury “took numerous actions to promote accountability for human rights abusers and corrupt actors across the world, including sanctions on dozens of individuals and entities including in the Western Balkans, Belarus, Liberia, Guatemala, the Russian Federation, Burma, and Iran. Treasury utilized various tools and authorities — including Executive Order 13818, which builds upon and implements the Global Magnitsky Human Rights Accountability Act — to demonstrate the U.S. government’s focus on promoting respect for human rights and countering corruption.” As a result of the sanctions, all transactions by U.S. persons or in the U.S. that involve any property or interests in property of designated or otherwise blocked persons are generally prohibited. Additionally, “any entities that are owned, directly or indirectly 50 percent or more by them, individually, or with other blocked persons, that are in the United States or in the possession or control of U.S. persons, must be blocked and reported to OFAC.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless exempt or authorized by a general or specific OFAC license.
DOJ, SEC reach $460 million FCPA settlement with global technology company
On December 2, the DOJ announced that it fined a Swiss-based global technology company $315 million to settle criminal charges related to allegations that, from 2015 to 2017, the company engaged in a bribery scheme with an electricity provider owned by the South African government. As part of the scheme, the company arranged to use a third party to pay a high-ranking South African government official at the electricity provider in exchange for awarding business to the global technology company. The settlement was the DOJ’s first coordinated resolution with authorities in South Africa. Authorities in South Africa separately brought corruption charges against the high-ranking South African government official. In addition to the financial penalty, the company entered into a three-year deferred prosecution agreement in connection with a criminal information charging the company with conspiracy to violate the FCPA’s anti-bribery provisions, conspiracy to violate the FCPA’s books and records provisions, and substantive violations of the FCPA. Two of the company’s subsidiaries located in Switzerland and South Africa each pleaded guilty to conspiracy to violate the anti-bribery provisions of the FCPA.
The next day on December 3, the SEC announced that the company agreed to pay $75 million to settle the SEC’s claims. The company consented to the SEC’s cease-and-desist order which stated that it violated the anti-bribery, books and records, and internal accounting controls provisions of the FCPA and the Exchange Act. The SEC also ordered the company to pay more than $72 million in disgorgement. However, the Commission deemed the disgorgement order satisfied by the company’s reimbursement of its ill-gotten gains to the South African government as part of an earlier civil settlement based largely on the same underlying facts as the SEC’s action.
Treasury official flags “de-risking” as a concern in combating illicit financial risks
On December 5, Assistant Secretary for Terrorist Financing and Financial Crimes at the U.S. Department of Treasury Elizabeth Rosenberg outlined key illicit finance risks impacting the broader financial system during the ABA/ABA Financial Crimes Enforcement Conference. Rosenberg noted that for many nations, the illicit finance threat posed by Russia related to its invasion into Ukraine is a top priority. She commented that more than 30 countries immediately implemented sanctions or other economic measures against Russia, and that since then, the U.S. and other countries have created an expansive, multilateral web of restrictions targeting Russia’s ability to fund its war. Rosenberg also recognized that by reassessing their understanding of Russian illicit financial risks and implementing adaptive measures, companies and financial institutions play an important role in providing critical insight into emerging threats. Rosenberg also discussed Treasury’s risk-based approach to crafting policy responses, including those related to beneficial ownership transparency, investment adviser misuse, and the use of residential and commercial real estate to hide and grow illicit funds.
Rosenberg warned, however, that there are challenges in implementing a truly risk-based approach. She pointed to observations made by the Financial Action Task Force, which showed that while many countries and their financial institutions “are keenly aware of where enhanced due diligence is needed,” many “often can not readily identify the inverse: places where simplified due diligence should be expected and permitted.” She cautioned that focusing on high-risk areas rather than lower-risk parts “is not without costs,” and illustrated a common form of de-risking that occurs “when financial institutions categorically cut off relationships or services to avoid perceived risks—for example, certain geographic regions—rather than applying a nuanced, risk-based approach.” Doing so can lead to “deleterious effects,” she warned, such as excluding businesses based on their location or status, or impacting emerging markets that could serve underbanked populations. Rosenberg said Treasury intends to study these concerns through the Anti-Money Laundering Act of 2020, and will develop a strategy for addressing de-risking, including recommendations on ways to improve public-private engagement on the issue, regulatory guidance and adjustments, and international supervision.
FinCEN’s Das discusses agency’s priorities
On December 6, FinCEN acting Director Himamauli Das spoke before the ABA/ABA Financial Crimes Enforcement Conference about how FinCEN is addressing new threats, new innovations, and new partnerships, in addition to its efforts to implement the AML Act. Das first began by speaking about beneficial ownership requirements of the Corporate Transparency Act (CTA). He noted that a final rule was issued in September, which implemented the beneficial ownership information reporting requirements (covered by InfoBytes here). He also stated that a second rulemaking, concerning access protocols to the beneficial ownership database by law enforcement and financial institutions, may be released before the end of the year, and that work is currently underway on a third rulemaking concerning revisions to the customer due diligence rule. With regard to anti-corruption, Das noted that the agency has been working with the Biden administration, and highlighted three alerts issued by FinCEN in 2022 that highlight “the risks of sanctions and export controls evasion by Russian actors, including through real estate, luxury goods, and other high-value assets.” Das explained that the alerts “complement ongoing U.S. government efforts to isolate sanctioned Russians from the international financial system.”
Transitioning into discussing effective AML/CFT programs, Das said that the “AML Act’s goal of a strengthened, modernized, and streamlined AML/CFT framework will ultimately play out over a series of steps as we implement all of the provisions of the AML Act.” He then described how the AML Act requires FinCEN to work with the FFIEC and law enforcement agencies to establish training for federal examiners in order to better align the examination process. He further noted that the AML/CFT priorities and their incorporation into risk-based programs as part of the AML Program Rule are “crucial” for providing direction to examiners on approaches that improve outcomes for law enforcement and national security.
Das also highlighted the digital asset ecosystem as a key priority area for FinCEN and acknowledged that the area has seen “continuing evolution” since 2013 and 2019, when the agency released its latest related guidance documents on the topic. Das explained that FinCEN is taking a “close look” at the elements of its AML/CFT framework applicable to virtual currency and digital assets to determine whether additional regulations or guidance are necessary, which “includes looking carefully at decentralized finance and its potential to reduce or eliminate the role of financial intermediaries that play a critical role in our AML/CFT efforts.”
9th Circuit revives data breach class action against French cryptocurrency wallet provider
On December 1, the U.S. Court of Appeals for the Ninth Circuit affirmed in part and reversed in part a district court’s dismissal of a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor for lack of personal jurisdiction. As previously covered by InfoBytes, plaintiffs—customers who purchased hardware wallets through the vendor’s platform between July 2017 and June 2020—alleged violations of state-level consumer protection laws after a 2020 data breach exposed the personal contact information of thousands of customers. Plaintiffs contended, among other things, that when the breach was announced in 2020, the wallet provider failed to inform them that their data was involved in the breach, downplayed the seriousness of the attack, and did not disclose that the attack on its website and the vendor’s data theft were connected. The district court held that it did not have jurisdiction over the French wallet provider, and ruled, among other things, that the plaintiffs did not establish that the wallet provider “expressly aimed” its activities towards California in a way that would establish specific jurisdiction, and “did not cause harm in California that it knew was likely to be suffered there.” The district court further held that the fact that the vendor was headquartered in California at the time the breach occurred was not sufficient to establish general jurisdiction because the vendor moved to Canada before the class action was filed. “Courts have uniformly held that general jurisdiction is to be determined no earlier than the time of filing of the complaint,” the district court wrote, dismissing the case with prejudice.
On appeal, the 9th Circuit concluded that dismissal was improper because the French wallet provider’s contracts with California were sufficient to establish jurisdiction under the “purposeful availment” framework. The appellate court explained that because the French wallet provider sold roughly 70,000 wallets in the state, collected California sales tax, and shipped wallets directly to California addresses, the “facts suffice to establish purposeful availment because [the French wallet provider’s] contacts with the forum cannot be characterized as ‘random, isolated, or fortuitous.’” However, the 9th Circuit limited the claims to only those brought by California residents under the state’s consumer protection laws. A forum-selection clause in the French wallet provider’s privacy policy and terms of use documents provided that disputes would be subject to the exclusive jurisdiction of French courts, the appellate court said, which was enforceable except with respect to the class claims of California residents brought under California law “because it violated California public policy against waiver of consumer rights under California’s Consumer Legal Remedies Act.”
The 9th Circuit also determined that the district court abused its discretion in disallowing any jurisdictional discovery concerning the defendant e-commerce vendor. Explaining that the e-commerce vendor employs more than 200 people who work remotely from California, including a data-protection officer (DPO) who may have played a role related to the data breach, the appellate court wrote that “[b]ecause more facts are needed to determine whether those activities support the exercise of jurisdiction, we reverse the district court’s denial of jurisdictional discovery with respect to the DPO’s role and responsibilities and his relationship to [the e-commerce vendor], which processed and stored the data.”