InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OFAC sanctions Iranian leaders
On October 26, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13553 against 10 Iranian officials related to the ongoing crackdown on nationwide protests in Iran and internet censorship, as well as two Iranian intelligence actors and two Iranian entities involved in the Iranian government’s efforts to disrupt digital freedom. As previously covered by InfoBytes, on October 6, OFAC sanctioned seven senior leaders within Iran’s government and security apparatus for the shutdown of Iran’s internet access. OFAC also sanctioned Iran’s Morality Police along with seven senior leaders who oversee Iran’s security organizations (covered by InfoBytes here). According to OFAC, the recently announced sanctions “coupled with additional initiatives such as the release of Iran General License D-2, which expands and clarifies the range of U.S. software and internet services available to Iranians under OFAC’s sanctions program, demonstrate the United States’ commitment to support the Iranian people’s call for accountability and justice, as well as their right to freely exchange information, including online.” As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the U.S. or in the possession or control of U.S. persons must be blocked and reported to OFAC. U.S. persons are also prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, and “persons that engage in certain transactions with the individuals or entities designated today may themselves be exposed to sanctions,” OFAC said. Additionally, OFAC warned that “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today could be subject to U.S. correspondent or payable-through account sanctions.”
FAFT restricts Russia’s membership, takes action on corruption and drug trafficking
On October 20, the U.S. Treasury Department announced that the Financial Action Task Force (FATF) concluded its first plenary of the Singaporean presidency, in which it, among other things, took steps to combat corruption and illegal fentanyl trafficking and enhance financial transparency. During the meeting, FATF agreed to seek public input on draft guidance for implementing the FATF standard on beneficial ownership transparency for legal persons. The efforts to improve transparency in beneficial ownership “seek to improve the ability of law enforcement to trace, report, and seize illicit proceeds, and to make it harder for criminals and others to exploit opaque legal structures such as shell companies to hide and launder the proceeds of their crimes.” FATF also adopted a U.S.-led report on money laundering related to the illicit trafficking of synthetic opioids, including fentanyl, which provides information and best practices so that law enforcement and financial investigators around the world can expand their work on complex, cross-border money laundering investigations involving the proceeds of drug trafficking. The FATF also agreed to additional restrictions on the membership rights of the Russian Federation due to its war against Ukraine, including by barring them from participating in current and future FATF project teams.
France fines facial recognition company €20 million for GDPR violations
On October 20, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a €20 million penalty against a facial recognition company for violating the EU’s General Data Protection Regulation (GDPR). In 2020, CNIL opened an investigation after receiving complaints from individuals about the company’s facial recognition software. CNIL stated in its announcement that it cooperated with its European counterparts to share the results of the investigations, as each authority is permitted to act on its own territory since the company has no establishment in Europe. The investigations identified several violations of the GDPR, including that the company allegedly unlawfully processed personal biometric data without a legal basis (a breach of article 6 of the GDPR), and failed to take into account an individual’s rights in an “effective and satisfactory way”—particularly with respect to requests for access to their data (a breach of articles 12, 15 and 17 of the GDPR). A formal notice was issued to the company last year requiring it to stop collecting and using data belonging to persons on French territory without a legal basis. The company was also ordered to “facilitate the exercise of individuals’ rights and to comply with requests for erasure.” CNIL contended that after the company failed to respond to the formal notice, it referred the matter to a restricted committee for sanctions.
The restricted committee imposed the maximum financial penalty (€20 million) under article 83 of the GDPR, and ordered the company “to stop collecting and processing data of individuals residing in France without a legal basis and to delete the data of these persons that it has already collected, within a period of two months.” Failure to comply within this time frame will result in a €100,000 penalty per day of delay. The restricted committee also cited the company for breaching its obligation to cooperate with CNIL.
OFAC sanctions Nicaraguan mining authority; Biden issues new E.O. expanding Treasury’s authority to hold Nicaraguan regime accountable
On October 24, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order (E.O.) 13851 against the Nicaraguan mining authority General Directorate of Mines and a Government of Nicaragua official. OFAC stated that the mining authority is “being designated for being owned or controlled by, or having acted or purported to act for or on behalf of, directly or indirectly,” the Nicaraguan Minister of Energy and Mines whose property and interests in property were blocked in 2021. As a result of the sanctions, all property and interests in property belonging to the sanctioned persons in the U.S. are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more in the aggregate by one or more of such persons are also blocked.” U.S. persons are prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless exempt or authorized by a general or specific OFAC license.
The same day, President Biden signed a new E.O., Taking Additional Steps to Address the National Emergency With Respect to the Situation in Nicaragua, to amend E.O. 13851 and, according to the announcement, expand Treasury’s “authority to hold the Ortega-Murillo regime accountable for its continued attacks on Nicaraguans’ freedom of expression and assembly.” The new E.O. grants Treasury authority to target certain persons operating or that have operated in Nicaragua’s gold sector, as well as other sectors identified by Treasury in consultation with the State Department. According to OFAC’s announcement, the E.O. “provides expanded sanctions authorities that could be used to prohibit new U.S. investment in certain identified sectors in Nicaragua, the importation of certain products of Nicaraguan origin into the United States, or the exportation, from the United States, or by a United States person, wherever located, of certain items to Nicaragua.” In conjunction with the E.O., OFAC issued Nicaragua-related General License 4, which authorizes the wind down of transactions involving the Directorate General of Mines of the Nicaraguan Ministry of Energy and Mines that are otherwise normally prohibited by the Nicaragua Sanctions Regulations, and issued one related frequently asked question regarding that General License.
UK Information Commissioner fines company £4.4 million for data breach
On October 24, the UK Information Commissioner fined a construction company £4.4 million for a data breach that allegedly allowed hackers to access thousands of employees’ personal data. According to the monetary penalty notice, the company failed to process personal data in a manner that ensured the appropriate security of individuals’ personal data as required by Article 5(1)(f) and Article 32 of the EU’s General Data Protection Regulation. This includes protecting against unauthorized or unlawful processing, against accidental loss, destruction, or damage, and using appropriate technical and organizational measures, the regulator said. As a result of insufficient security measures, the company was exposed to a cyber-attack that affected the personal data of up to 113,000 company employees, including personal information such as phone numbers, email addresses, national insurance numbers, and bank account details, among others. An investigation found that the company allegedly failed to follow-up on a suspicious activity alert, used outdated software systems and protocols, and lacked adequate staff training and insufficient risk assessments. The regulator warned companies that “[t]he biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company.” The regulator further stressed that failure to regularly monitor for suspicious activity, act on warnings, update software, or provide training may expose other companies to a similar fine.
OCC releases enforcement actions
On October 20, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included among the actions is a cease and desist order against an New York branch of an India-based bank for allegedly engaging in Bank Secrecy Act/anti-money laundering (BSA/AML) program violations. The bank allegedly “failed to establish and maintain a reasonably designed BSA/AML compliance program ('BSA/AML Program') that adequately covers the required BSA/AML Program components. Deficiencies include (i) a weak system of internal controls; (ii) a weak BSA Officer function; and (iii) an insufficient training program.” The order requires the bank to, among other things, submit a BSA/AML action plan and develop a written suspicious activity monitoring and reporting program.
OFAC sanctions drug network
On October 19, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 14059 against an individual and a drug trafficking organization, two Mexican nationals and members of the designated drug trafficking organization, and three Mexico-based transportation companies. According to OFAC, the designated network evolved into a sophisticated network that is involved in the importation and transport of multi-ton quantities of illicit drugs from Mexico to the U.S. OFAC noted that the designations are the result of OFAC’s ongoing collaboration with Homeland Security Investigations San Diego Strike Force Group, U.S. Customs and Border Protection’s National Targeting Center, and the Government of Mexico. As a result of the sanctions, all property and interests in property belonging to the sanctioned entities in the U.S. are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” OFAC also noted that “persons that engage in certain transactions with the individuals and entities designated today may themselves be exposed to sanctions or subject to an enforcement action.”
OFAC sanctions Russian military technology procurement network
On October 19, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 14024 against a Russian military technology procurement network for allegedly procuring military and sensitive dual-use technologies from U.S. manufacturers and supplying them to Russian end-users. The individual and his two companies are designated as part of a joint action with the DOJ and FBI and highlights the U.S. government’s on-going “efforts to hinder Russia’s ability to wage its war of aggression in Ukraine, including by holding accountable those who support Russia’s military by disrupting its illicit defense and technology procurement networks around the world.” The action builds upon an October 14 alert issued by OFAC and the Department of Commerce’s Bureau of Industry and Security and the Department of State, which details the impact of international sanctions and export controls (covered by InfoBytes here). The alert followed the convergence of top officials representing ministries of finance and other government agencies from 33 countries who met to discuss the effects of international sanctions and export controls on Russia’s military-industrial complex and critical defense supply chains.
As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Further, “any entities that are owned, directly or indirectly, 50 percent or more in the aggregate by one or more of such persons are also blocked.” U.S. persons are prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless exempt or authorized by a general or specific OFAC license.
The same day, the DOJ (with the support of the Department’s Task Force KleptoCapture) unsealed indictments against nearly a dozen individuals and several entities, including the sanctioned Russian national and his two companies, accused of scheming to export military technologies to Russia.
Treasury releases CFIUS Enforcement and Penalty Guidelines
On October 20, the U.S. Treasury Department released CFIUS Enforcement and Penalty Guidelines to provide the public with information on how the Committee on Foreign Investments in the United States (CFIUS) assesses violations of laws and regulations on transaction parties. The guidelines inform the public about how CFIUS—which is tasked with identifying and mitigating certain national security risks related to foreign investments—assesses whether to impose a penalty or take other enforcement action for a violation of a party’s obligation, as well as factors that CFIUS considers when making such a determination. “The vast majority of those who come before CFIUS abide by their legal obligations and work collaboratively with the Committee to mitigate any national security risks arising from the transaction; however, those who fail to comply with CFIUS mitigation agreements or other legal obligations will be held accountable,” Assistant Secretary of the Treasury for Investment Security Paul Rosen stressed. “Today’s announcement sends a clear message: Compliance with CFIUS mitigation agreements is not optional, and the Committee will not hesitate to use all of its tools and take enforcement action to ensure prompt compliance and remediation, including through the use of civil monetary penalties and other remedies.”
New Jersey reaches $495 million RMBS settlement with Swiss bank
On October 17, the New Jersey attorney general’s office announced it had reached a $495 million agreement in principle with a Swiss bank to resolve allegations related to its residential mortgage-backed securities (RMBS) practices leading up to the 2008 financial crisis. The AG stated that if finalized, the settlement will be one of the state’s largest civil monetary recoveries in history. According to the AG, the bank violated New Jersey’s securities laws by making material misrepresentations about the risks of the RMBS in offering documents, including by purportedly failing to disclose to investors material defects about the underlying mortgages. The announcement further stated that the bank allegedly sold the RMBS through registration statements, prospectuses, and other offering materials that contained fraudulent representations about the quality of the underlying loans, and allegedly “failed to disclose to investors the wholesale abandonment of underwriting guidelines designed to ensure that the mortgage loans underlying its securities trusts were made in accordance with appropriate lending guidelines; that numerous loan originators had poor track records of defaults and delinquencies; and that some loan originators had even been suspended from doing business with [the bank].” While neither admitting nor denying the allegations, the bank agreed to pay a $100 million civil monetary penalty and will provide approximately $300 million in restitution for affected investors. The bank is also permanently enjoined from future violations of state securities laws.