
InfoBytes Blog

Financial Services Law Insights and Observations


  • Republicans say social media company made misleading statements on China data-sharing practices

    Privacy, Cyber Risk & Data Security

    On November 22, Ranking Member James Comer (R-KY), Committee on Oversight and Reform, and Ranking Member Cathy McMorris Rodgers (R-WA), Committee on Energy and Commerce, sent a follow-up letter to a global social media company claiming it may have provided misleading or false information about its data sharing and privacy practices related to China. According to the lawmakers, the company claimed in a briefing to the committee that it does not track users’ internet data if they are not using the app, and that China-based employees cannot access U.S. users’ location-specific data—both of which appear to be “misleading at best, and at worst, false.” The lawmakers referenced reports alleging the company “clandestinely” gathers U.S. users’ sensitive internet history, and expressed concerns about statements made by employees responsible for company data that “‘it is impossible to keep data that should not be stored in [China] from being retained in [China]-based servers.’” Claiming the company has withheld information, the lawmakers are seeking additional information, including documents and communications related to the monitoring of U.S. users’ browsing data and location tracking.

    Privacy, Cyber Risk & Data Security China Consumer Protection U.S. House Of Interest to Non-US Persons

  • Irish DPC fines global social media company €265 million over data scraping claims

    Privacy, Cyber Risk & Data Security

    On November 28, the Irish Data Protection Commission (DPC) announced the conclusion of a “data scraping” inquiry into the practices of a global social media company’s European operations. The inquiry, which included cooperation from all of the other data protection supervisory authorities in the EU, was commenced in April 2021 following media reports that personal data for which the company was responsible was available on the internet. According to the DPC, the inquiry focused on questions related to the company’s compliance with the GDPR’s obligation for “Data Protection by Design and Default.” Specifically, the DPC “examined the implementation of technical and organizational measures pursuant to Article 25 GDPR (which deals with this concept).” The decision, adopted on November 25, and agreed upon by all the other EU supervisory authorities, found that the company violated Articles 25(1) and 25(2) of the GDPR. The decision imposes a reprimand and requires the company to bring its processing into compliance by implementing several specific remedial actions within a particular timeframe. In addition, the company must pay an administrative fine of €265 million.

    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons GDPR Data Scraping Enforcement EU

  • EU increases financial sector cybersecurity

    Privacy, Cyber Risk & Data Security

    On November 28, the Council of the European Union (EU) announced that it adopted legislation for a new cybersecurity directive intended to improve resilience and incident response capacities across the EU by replacing the NIS, the current directive on the security of network and information systems. According to the announcement, the new directive, called NIS2, is intended “to harmonise cybersecurity requirements and implementation of cybersecurity measures in different member states.” Among other things, the directive establishes minimum rules for a regulatory framework and mechanisms for effective cooperation among relevant authorities in each member state, according to the EU. Additionally, the directive updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement. The new directive has been aligned with sector-specific legislation, in particular the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure coherence between NIS2 and these acts. Member states will have 21 months from the entry into force of the directive in which to incorporate the provisions into their national law.

    Privacy, Cyber Risk & Data Security EU Of Interest to Non-US Persons

  • OFAC settles with virtual currency exchange to resolve IP address screening deficiencies

    Financial Crimes

    On November 28, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $362,158 settlement with a global virtual currency exchange for allegedly exporting services to users who appeared to be located in Iran when they engaged in virtual currency transactions on the exchange’s platform. According to OFAC’s web notice, the exchange’s platform allows users to buy, sell, hold, or exchange cryptocurrencies. Users can also trade fiat currency for cryptocurrency on the platform. The exchange’s anti-money laundering and sanctions compliance program screens customers at onboarding and daily thereafter, and reviews information about IP addresses generated at the time of onboarding to prevent users in sanctioned jurisdictions from opening accounts and conducting transactions. OFAC stated, however, that between October 2015 and June 2019, the exchange allegedly processed 826 transactions totaling roughly $1.6 million on behalf of individuals who appeared to be in Iran when the transactions happened. OFAC maintained that because the exchange failed to implement IP address blocking on transactional activity across its platform, “account holders who established their accounts outside of sanctioned jurisdictions appear to have accessed their accounts and transacted on Kraken’s platform from a sanctioned jurisdiction.” As a result, the exchange allegedly violated the Iranian Transactions and Sanctions Regulations.

    In arriving at the settlement amount, OFAC determined that the exchange failed to exercise due caution or care for its sanctions compliance obligations by only applying its geolocation controls at the time of onboarding and not with respect to subsequent transactional activity even though it knew customers were located worldwide.

    OFAC also considered various mitigating factors, including that the exchange has not received a penalty notice from OFAC in the preceding five years, the exchange voluntarily self-disclosed the alleged violations and undertook significant remedial measures, such as (i) “adding geolocation blocking to prevent clients in prohibited locations from accessing their accounts” on the exchange’s platform; (ii) implementing blockchain analysis tools to assist with sanctions monitoring; (iii) expanding staff and providing compliance training; (iv) adding “additional screening capabilities to ensure compliance with OFAC’s ‘50 Percent Rule,’ including detailed reports on beneficial ownership; (v) contracting a vendor to assist with the identification and nationality verification through the use of artificial intelligence tools; and (vi) implementing automated controls designed to block certain accounts. In addition, the exchange agreed to invest an additional $100,000 in certain sanctions compliance controls as part of the settlement.

    Providing context for the settlement, OFAC stated that this action “highlights the importance of using geolocation tools, including IP blocking and other location verification tools, to identify and prevent users located in sanctioned jurisdictions from engaging in prohibited virtual currency-related transactions”—both at the time of onboarding and throughout the lifetime of the account.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations Digital Assets Cryptocurrency Enforcement Settlement Anti-Money Laundering Iran

  • OFAC issues Venezuela-related general licenses

    Financial Crimes

    On November 26, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued Venezuela-related General License (GL) 41 following the resumption of talks in Mexico City to alleviate the suffering of Venezuelan people and restore democracy. GL 41 authorizes certain transactions related to the identified corporation and its subsidiaries’ joint ventures in Venezuela involving Petróleos de Venezuela, S.A. (PdVSA) or any entity owned directly or indirectly, 50 percent or more, that would otherwise be prohibited by Executive Order (E.O.) 13850, as amended by E.O.s 13857 or 13884. OFAC noted that GL 41 prevents PdVSA from receiving profits from the oil sales by the identified corporation, and only authorizes certain specific activities. Other Venezuela-related sanctions and restrictions imposed by the U.S. remain in place. Concurrent with the issuance of GL 41, OFAC issued GL 8K, “Authorizing Transactions Involving Petróleos de Venezuela, S.A. (PdVSA) Necessary for the Limited Maintenance of Essential Operations in Venezuela or the Wind Down of Operations in Venezuela for Certain Entities,” as well as two new related FAQs. According to the announcement, “U.S. persons are authorized to provide goods and services for certain activities as specified in GL 41,” and “non-U.S. persons generally do not risk U.S. sanctions exposure for facilitating transactions that are authorized by GL 41.”

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations Venezuela Petroleos de Venezuela

  • ECJ invalidates AML directive granting public access to beneficial ownership information

    Privacy, Cyber Risk & Data Security

    On November 22, the European Court of Justice (ECJ) announced a ruling invalidating a provision of the 2018 amended EU anti-money laundering directive that guaranteed public access to the beneficial ownership information of legal entities incorporated within member states. The case was referred to the ECJ by a Luxembourg court following two actions that disputed the compatibility of this directive with the beneficial owners’ fundamental right to privacy. The ECJ was asked to issue a preliminary ruling on a series of questions concerning the interpretation of “exceptional circumstances” and “disproportionate risk,” as well as the directive’s compatibility with the Charter of Fundamental Rights of the European Union (Charter) and the GDPR. Under the directive, member states are required to enter and maintain beneficial ownership information in registers that are accessible to the general public. The directive is intended to prevent the financial system from being exploited for the purposes of money laundering or terrorist financing, and requires, with limited exemptions, that member states provide information on “the beneficial owner’s name, month and year of birth, nationality and country of residence, as well as the nature and extent of his or her beneficial interests.”

    In its announcement, the ECJ said that public access to beneficial ownership information “constitutes a serious interference with the fundamental rights to respect for private life and the protection of personal data” provided in Articles 7 and 8 of the Charter. “[T]he potential consequences for the data subjects resulting from possible abuse of their personal data are exacerbated by the fact that, once those data have been made available to the general public, they can not only be freely consulted, but also retained and disseminated,” the ECJ wrote in the judgment, adding that “in the event of such successive processing, it becomes increasingly difficult, or even illusory, for those data subjects to defend themselves effectively against abuse.”

    While the ECJ found that, by the measure at issue, the EU legislature is pursuing “an objective of general interest capable of justifying even serious interferences with the fundamental rights enshrined in Articles 7 and 8 of the Charter, and that the general public’s access to information on beneficial ownership is appropriate for contributing to the attainment of that objective,” the “interference entailed by that measure is neither limited to what is strictly necessary nor proportionate to the objective pursued.” Additionally, the ECJ held that the amended “directive amounts to a considerably more serious interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter” without being offset by any benefits that may result from the amended directive as compared to the previous version in terms of combating money laundering and terrorist financing. However, the ECJ did recognize that civil society and the press have a legitimate interest in accessing such information, given their role in the fight against money laundering.

    Privacy, Cyber Risk & Data Security Courts Financial Crimes Of Interest to Non-US Persons Anti-Money Laundering GDPR Beneficial Ownership EU

  • OFAC sanctions Iranian companies for petrochemicals and petroleum sales

    Financial Crimes

    On November 17, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 13846, against 13 companies in multiple jurisdictions for their involvement in the sale of Iranian petrochemicals and petroleum products to buyers in East Asia on behalf of sanctioned Iranian petrochemical brokers. According to OFAC, the designations are the fifth round of designations targeting Iran’s illicit petroleum and petrochemical trade since June 2022. As a result of the sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the individuals or entities designated today may themselves be exposed to sanctions or subject to enforcement. Additionally, OFAC warned that “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals designated today could be subject to U.S. sanctions.”

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC Iran SDN List OFAC Sanctions OFAC Designations

  • OFAC issues Russia-related general licenses

    Financial Crimes

    On November 21, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced the issuance of Russia-related General License (GL) 13C, which authorizes certain administrative transactions normally prohibited by Directive 4 under Executive Order 14024, Prohibitions Related to Transactions Involving the Central Bank of the Russian Federation, the National Wealth Fund of the Russian Federation, and the Ministry of Finance of the Russian Federation. According to GL 13C, authorized transactions must be “ordinarily incident and necessary to the day-to-day operations in the Russian Federation of such U.S. persons or entities.” GL 13C also provides a list of transactions that are not authorized.

    Earlier, OFAC issued GL 54, which authorizes certain transactions “ordinarily incident and necessary to the purchase or receipt of any debt or equity securities” of the identified company that would normally be prohibited by Executive Order 14071, provided the debt or equity securities were issued before June 6, 2022.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations Russia

  • Counter ISIS Finance Group wants group isolated from international financial system

    Financial Crimes

    On November 18, the U.S. Treasury Department announced the release of a joint statement by the Counter ISIS Finance Group (CIFG) of the Global Coalition to Defeat ISIS, which coordinates efforts to isolate the Islamic State of Iraq and Syria (ISIS) from the international financial system and eliminate revenue sources. CIFG held its seventeenth meeting on November 8-9 to discuss ongoing efforts to combat ISIS financing worldwide. During the meeting, attendees discussed ISIS financing in the Middle East, Europe, Africa, and South and Southeast Asia, as well as “key systemic vulnerabilities in the global anti-money laundering and countering the financing of terrorism (AML/CFT) regime.” CIFG noted that ISIS facilitators prefer informal funds transfer methods, and to a lesser degree, virtual asset service providers most likely “because they offer anonymity, lack oversight across many jurisdictions, charge relatively low service fees, and often conduct quicker transactions than banks and registered money services businesses.” Attendees also exchanged case studies of recent investigations and prosecutions, and discussed other efforts to implement AML/CFT reforms to disrupt ISIS fundraising and financial facilitation networks. With a focus on international cooperation, CIFG members said they will continue to closely work with counterterrorism partners to disrupt ISIS funding sources and methods.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations ISIS Anti-Money Laundering Combating the Financing of Terrorism

  • OFAC issues guidance on the Russian price cap policy for crude oil; issues Russia-related general licenses

    Financial Crimes

    On November 22, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published a Determination Pursuant to Executive Order (E.O.) 14071 concerning the implementation of a price cap policy for crude oil of Russian Federation origin. The determination states that the prohibitions of E.O. 14071 apply to U.S. persons providing covered services (including (i) trading/commodities brokering; (ii) financing; (iii) shipping; (iv) insurance, including reinsurance and protection and indemnity; (v) flagging; and (vi) customs brokering) as they relate to the maritime transport of Russian Federation crude oil, provided, however, that such covered services are authorized if the Russian oil is purchased at or below the price cap. Additionally, OFAC published guidance on the implementation of a policy for crude oil of Russian Federation origin to provide an overview of the determination and the price cap. OFAC also issued Russia-related General License (GL) 55, GL 56, and GL 57. GL 55 authorizes certain services related to Sakhalin-2; GL 56 authorizes certain services with respect to the European Union; and GL 57 authorizes certain services related to vessel emergencies.

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC Russia OFAC Sanctions OFAC Designations
