InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OFAC sanctions nine Nicaraguan officials and one entity
On November 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13851 against nine officials of the Nicaraguan government and one entity for allegedly engaging in actions or policies that undermine democratic processes or institutions in Nicaragua. According to OFAC, the designations “target[ed] those who are repressing Nicaraguans for exercising their human rights and fundamental freedoms.” As a result, all property and interests in property of the sanctioned individuals and entities, and any entities that own, directly or indirectly, 50 percent or more of such persons subject to U.S. jurisdiction, are blocked and must be reported to OFAC. U.S. persons are also generally prohibited from entering into transactions with the sanctioned persons.
U.S. and Israel form partnership to combat ransomware; U.S. enters cybersecurity initiative with France
On November 14, the U.S. Treasury Department announced the establishment of a bilateral partnership with the Israeli Ministry of Finance as part of the Biden Administration’s efforts to crackdown on ransomware. The partnership is part of the U.S.-Israeli Task Force on Fintech Innovation and Cybersecurity, which was launched the same day. During the launch of the partnership, Treasury Department Deputy Secretary Wally Adeyemo and Israeli counterparts affirmed their commitment for encouraging robust fintech innovation and reinforced the importance of working together to combat cyber threats posed by nation-state and criminal actors to the global economy. The Task Force will take several measures, including immediately developing a Memorandum of Understanding that will support “(1) permissible information sharing related to the financial sector, including cybersecurity regulations and guidance, cybersecurity incidents, and cybersecurity threat intelligence; (2) staff training and study visits to promote cooperation in the area of cybersecurity and the financial system; and, (3) competency-building activities such as the conduct of cross-border cybersecurity exercises linked to global financial institutions financial and investment flows.” The Task Force also plans to launch a series of expert technical exchanges to support fintech innovation and examine ways cyber-analytics firms and fintech/regtech innovations are developing new measures to combat illicit finance risk and enhance public sector analytical and enforcement activities. According to Adeyemo, international cooperation is vital for addressing virtual currency abuses and disrupting the ransomware business model.
Separately, on November 10, Vice President Kamala Harris announced, among other initiatives, an international cybersecurity initiative with France to combat cyber threats. Harris stated that the U.S. will support the Paris Call for Trust and Security in Cyberspace, which the White House described as “a voluntary commitment to work with the international community to advance cybersecurity and preserve the open, interoperable, secure, and reliable internet.” According to the announcement, the U.S. “looks forward to continued partnership with France and other governments, private sector, and civil society around the world to advance and promote norms of responsible behavior in cyberspace.” Harris’ announcement builds on recent counter-ransomware actions taken to increase international cooperation to combat cybercrime. (Covered previously by InfoBytes here.)
OFAC designates entities and individuals, issues general license and related Ethiopian FAQs
On November 12, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order (E.O.) 14046 against four entities and two individuals associated with the military conflict and human rights crisis in Ethiopia. OFAC noted that the E.O., which was signed by President Biden on September 17, authorized targeting of actors that contribute to the ongoing crisis in Ethiopia and is not directed at Ethiopian or Eritrean people (covered by InfoBytes here). As a result of the sanctions, all property and interests in property belonging to the sanctioned entities and individuals subject to U.S. jurisdiction are blocked and must be reported to OFAC. OFAC further noted that no entity is to be blocked “pursuant to E.O. 14046 solely because it is owned in whole or in part, directly or indirectly, by one or more sanctioned persons, unless the entity is itself a sanctioned person.”
The same day, OFAC issued Ethiopia General License 4, “Authorizing the Wind Down of Transactions Involving Hidri Trust or Red Sea Trading Corporation,” which are two of the four entities for which sanctions were announced. Ethiopia General License 4 authorizes “all transactions and activities prohibited by Executive Order (E.O.) 14046 that are ordinarily incident and necessary to the wind down of transactions involving Hidri Trust or Red Sea Trading Corporation” through December 14, provided certain criteria are met. OFAC also updated FAQ 927, which provides clarification on non-U.S. persons’ risk exposure to U.S. sanctions for engaging in transactions and activities that would be authorized for U.S. persons pursuant to the prior E.O. of September 17. Additionally, OFAC published two new FAQs (935 and 936), which provide further information on Ethiopia-related sanctions.
FinCEN final rule updates reporting and recordkeeping requirements
On November 15, the Financial Crimes Enforcement Network (FinCEN) published a final rule in the Federal Register, which updates regulation 31 CFR 1010.370 to mirror statutory amendments to Section 5326 of the Bank Security Act (BSA). Specifically, Section 5326 has been amended three times (in 1992, 2001, and 2017) to expand the authority of the Secretary of the Department of the Treasury. The final rule updates the regulation to reflect the subsequent statutory amendments by, among other things, updating the authority of FinCEN to issue orders imposing additional reporting and recordkeeping requirements on financial institutions and nonfinancial trades or businesses in a geographic area. The final rule also notes that since the amendments promulgated by the rule conform the regulation to the statute and reflect no discretionary or substantive determination, no public comment was solicited; therefore, the final rule is effective immediately.
President Biden extends national emergency prohibiting securities investments in Chinese military companies
On November 9, President Biden issued a notice, extending for one year, the national emergency declared pursuant to Executive Order (E.O.) 13959, as expanded by E.O. 14032, involving securities investments related to Chinese military companies. As previously covered by InfoBytes, E.O. 14032 generally prohibits U.S. persons from “the purchase or sale of any publicly traded securities, or any securities that are derivative of such securities, or are designed to provide investment exposure to such securities, of” any listed Chinese military company. The E.O. also establishes deadlines for divestment of investments in companies currently listed as Chinese military companies as well as companies that later may be added to the list of Chinese military. Among other things, E.O. 14032 also prohibits any transactions by U.S. persons or within the U.S. that evade or avoid, have the purpose of evading or avoiding, cause a violation of, or attempt to violate the provisions set forth in the order, as well as any conspiracy to violate any of these prohibitions.
In continuing the national emergency underlying these actions and extending E.O. 14032, Biden stated the “threat from securities investments that finance certain companies of the [People’s Republic of China] and certain uses and development of Chinese surveillance technology continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”
District Court dismisses data breach claims due to lack of jurisdiction
On November 8, the U.S. District Court for the Northern District of California dismissed a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor after determining that the court does not have jurisdiction over the companies. Plaintiffs—customers who purchased hardware wallets through the vendor’s platform between July 2017 and June 2020—alleged violations of state-level consumer protection laws after a 2020 data breach exposed the personal contact information of thousands of vendor customers. Plaintiffs contended that when the breach was announced in 2020, the wallet provider failed to inform them that their data was involved in the breach. Plaintiffs also alleged that an unauthorized third party gained access to the wallet provider’s e-commerce database and obtained the email addresses of one million customers as well as physical contact information for 9,500 customers. According to the plaintiffs, the wallet provider did not disclose that the attack on its website and the vendor’s data theft were connected, and it downplayed the seriousness of the attack. As a result, plaintiffs were allegedly subject to “phishing scams, cyber-attacks, and demands for ransom and threats.” Plaintiffs claimed that the companies failed to implement appropriate security measures to protect customer data, and brought claims against the companies for injunctive relief and other remedies under California’s unfair competition law, Georgia’s Fair Business Practices Act, and New York’s General Business Law. The defendant companies moved to dismiss, arguing that the court lacked personal jurisdiction and that plaintiffs failed to state a claim.
The court determined that it does not have jurisdiction over the French wallet provider, and ruled, among other things, that the plaintiffs did not establish that the wallet provider “expressly aimed” its activities towards California in a way that would establish specific jurisdiction, and “did not cause harm in California that it knew was likely to be suffered there.” The court further held that the fact that the vendor was headquartered in California at the time the breach occurred is not sufficient to establish general jurisdiction because the vendor moved to Canada before the class action was filed. “Courts have uniformly held that general jurisdiction is to be determined no earlier than the time of filing of the complaint,” the court wrote, dismissing the case with prejudice.
OFAC issues Cambodia advisory; sanctions Cambodian officials
On November 10, OFAC published a Cambodia Business Advisory on High-Risk Investments and Interactions, which addresses two primary areas of risk exposure for U.S. companies: (i) illicit finance activities in Cambodia and related risks for certain sectors; and (ii) involvement with Cambodian entities connected to trafficking in persons, wildlife, and narcotics trafficking in Cambodia and associated risks for certain sectors.
The same day, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13818 against two Cambodian government officials under the Global Magnitsky Human Rights Accountability Act. According to OFAC, the sanctioned individuals, among other things, allegedly conspired to inflate the cost of facilities at a Cambodian naval base and personally benefit from the proceeds.
SEC approves PCAOB Rule under the Holding Foreign Companies Accountable Act
On November 5, the SEC announced it approved the Public Company Accounting Oversight Board’s (PCAOB) Rule 6100, Board Determinations Under the Holding Foreign Companies Accountable Act, which establishes a framework for the PCAOB’s determinations under that act “that the PCAOB is unable to inspect or investigate completely registered public accounting firms located in a foreign jurisdiction because of a position taken by an authority in that jurisdiction.” According to the Commission order, PCAOB Rule 6100 establishes, among other things: (i) the factors the PCAOB will evaluate and the information the PCAOB will consider when assessing if a determination is warranted; (ii) the form, public availability, effective date, and duration of such determinations; and (iii) the process by which the board will reaffirm, modify, or vacate any such determinations. According to a statement released by SEC Chair Gary Gensler, the rule is an “important step to protect U.S. investors,“ and it is “critical that the Commission and the PCAOB work together to ensure that the auditors of foreign companies accessing U.S. capital markets play by the same rules.”
UK Supreme Court rules claimant cannot bring privacy claims against U.S. tech company
On November 10, the UK Supreme Court issued a judgment in an appeal addressing whether a claimant can bring data privacy claims in a representative capacity against a global technology company in a class action suit. The claimant sought compensation on behalf of a class under section 13 of the Data Protection Act 1998 (DPA 1998) for damages suffered when the tech company allegedly tracked millions of iPhone users’ internet activity in England and Wales over a period of several months between 2011 and 2012, and used the collected data without users’ knowledge or consent for commercial purposes. The DPA 1998 was replaced by the UK General Data Protection Regulation and the Data Protection Act 2018 but was in force at the time of the alleged breaches and is applicable to this claim, the Court explained in a press summary. The Court also noted that, except in antitrust cases, UK legislation does not allow class actions and Parliament has not yet legislated to establish a class action regime related to data protection claims. The Court noted that the claimant sought to use “same interest” precedent, which allows a claim to be brought “by or against one or more persons who have the same interest as representatives of any other persons who have that interest.”
The Court reasoned that the case was “doomed to fail” because “the claimant seeks damages under section 13 of the DPA 1998 for each individual member of the represented class without attempting to show that any wrongful use was made by [the tech company] of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach of the requirements of the Act by [the tech company].” The Court added that users’ “loss of control” over personal data did not constitute “damage” under section 13 of the DPA 1998 because the users were not shown to have lost money or suffer distress. If the case had been allowed to proceed, the tech company could have faced a £3 billion damages award.
UAE bank fined $100 million for Sudanese sanctions violations
On November 9, NYDFS announced that a United Arab Emirates bank will pay a $100 million penalty to resolve an investigation into payments it allegedly processed through financial institutions in the state, including one of the bank’s New York branches. These transactions, NYDFS stated, were in violation of Sudan-related U.S. sanctions. According to NYDFS’ investigation, the bank instructed employees to avoid including certain details in messages sent between banks that would have linked the transactions to Sudan. By concealing these details, the transactions bypassed other banks’ sanctions filters, which otherwise might have triggered alerts or transaction freezes, NYDFS said. As a result, between 2005 and 2009, the bank illegally processed more than $4 billion of payments tied to Sudan. Following an announcement in 2009 that a Swiss bank used by the bank to process these transactions was being investigated by the New York County District Attorney’s Office for violating economic sanctions rules, the bank closed all U.S. dollar accounts held by Sudanese banks, but failed to disclose the prohibited transactions to NYDFS as required until 2015. NYDFS asserted that “despite having ample notice of the prohibited nature of the Sudan-related [transactions] by 2009,” the bank’s New York branch processed an additional $2.5 million in Sudan-related payments. Under the terms of the consent order, the bank—which was previously cited by NYDFS for anti-money laundering and sanctions compliance deficiencies in a 2018 consent order that included a $40 million fine—is also required to provide a status report on its U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) compliance program, in addition to paying the $100 million penalty. NYDFS acknowledged the bank’s substantial cooperation and ongoing remedial efforts.
NYDFS coordinated its investigation with the Federal Reserve Board and OFAC, both of which announced separate settlements with the UAE bank the same day. The Fed’s announcement of its order to cease and desist cites the bank for having insufficient policies and procedures in place to ensure that activities involving branches outside the U.S. were in compliance with U.S. sanctions laws. Under the terms of the order, the bank is required, among other things, to implement an enhanced compliance program to ensure global compliance with U.S. sanctions, and must also conduct annual reviews, including a “risk-focused sampling” of its U.S. dollar payments, led by an independent external party. The order did not include any additional monetary penalties for the bank.
OFAC also issued a finding of violation (FOV) for violations of the now-repealed Sudanese Sanctions Regulations related to the bank’s actions. These violations included 1,760 transactions that involved USD transfers from Sudanese banks that were processed by the bank’s London branch and routed through U.S. banks. In determining that the appropriate administrative action was an FOV rather than a civil monetary penalty, OFAC stated the bank “voluntarily entered into a retroactive statute of limitations waiver agreement, without which OFAC would have been time-barred from charging the violations.” Because the payment messages did not include the originating Sudanese bank, U.S. correspondent banking partners “could not interdict the payments, and the payments were successfully processed through the U.S. financial system,” OFAC stated. However, OFAC credited the bank with providing substantial cooperation during the investigation, and noted that the bank had taken “extensive remediation” efforts before the investigation began in 2015, and has spent more than $122 million on compliance enhancements.