On June 22, FinCEN issued a statement providing clarity to banks on the application of a risk-based approach to conducting customer due diligence (CDD) on independent Automated Teller Machine (ATM) owners or operators, consistent with FinCEN’s 2016 CDD Rule. As previously covered by InfoBytes, FinCEN issued a final rule imposing standardized CDD requirements for banks, broker-dealers, mutual funds, futures commission merchants, and brokers in commodities in May 2016. The rule established that covered institutions must identify any natural person that owns, directly or indirectly, 25 percent or more of a legal entity customer or that exercises control over the entity. The rule also established ongoing monitoring for reporting suspicious transactions and, on a risk basis, updating customer information. The recently released statement explained that the level of money laundering and terrorism financing risk varies with these customers, and that they do not automatically present a higher level of risk. FinCEN pointed to certain customer information that may be useful for banks in making determinations on the risk profile of independent ATM owner or operator customers, including, among other things: (i) organizational structure and management; (ii) operating policies, procedures, and internal controls; (iii) currency servicing arrangements; (iv) source of funds if a bank account is not used to replenish the ATM; and (v) description of expected and actual ATM activity levels.
On December 4, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver, and Consent (AWC), fining a New York-based member firm $55,000 for allegedly failing to implement a reasonable anti-money laundering (AML) program for transactions involving low-priced securities. The firm also allegedly failed to establish a due diligence program for monitoring and reporting “known or suspected money laundering activity conducted through or involving correspondent accounts for foreign financial institutions.” According to FINRA, the firm failed to, among other things, (i) “include reasonable procedures for the surveillance of potentially suspicious trading in low-priced securities,” such as listing “some of the most relevant red flags”; (ii) ensure its surveillance reports and tools were “reasonably designed to detect and cause the reporting of potentially suspicious activity”; and (iii) reasonably respond to red flags received from a clearing firm related to potentially suspicious activity. FINRA also claimed that the firm failed to identify all of its foreign financial institution accounts (FFIs) due to a lack of systems or processes to do so. Specifically, the firm allegedly failed to review 33 correspondent accounts for FFIs and did not identify 15 of these 33 accounts as FFIs. As a result, the firm allegedly violated FINRA Rules 3310(b) and 2010. The firm neither admitted nor denied the findings set forth in the AWC agreement but agreed to pay the fine, address identified deficiencies in its programs to ensure compliance with its AML obligations, and provide a certification of compliance with FINRA Rule 3310.
On August 13, the OCC, the Federal Reserve Board, the FDIC, and the NCUA (collectively, the “agencies”) issued a joint statement, which clarifies how the agencies apply the enforcement provisions of the Bank Secrecy Act (BSA) and related anti-money laundering (AML) laws and regulations. Specifically, the statement discusses the conditions that require the issuance of a mandatory cease and desist order under sections 8(s) and 206(q). According to the agencies, there are no new exceptions or standards created by the document. Among other things, the statement:
- Provides examples of when an agency shall issue a cease and desist order in accordance with sections 8(s)(3) and 206(q)(3) for “[f]ailure to establish and maintain a reasonably designed BSA/AML Compliance Program.” The statement notes that an institution would be subject to a cease and desist order when one component of its compliance program “fails with respect to either a high-risk area or multiple lines of business… even if the other components or pillars are satisfactory.”
- Describes circumstances in which an agency may use its discretion to issue formal or informal enforcement actions related to unsafe or unsound BSA-related practices. The statement notes that the “form and content” of the enforcement action will depend on a variety of factors, including “the capability and cooperation of the institution’s management.”
- Describes how the agencies incorporate customer due diligence regulations and recordkeeping requirements as part of the internal controls pillar of an institution’s BSA/AML compliance program.
- Discusses the treatment of isolated or technical compliance program requirements that are generally not issues resulting in an enforcement action.
On February 28, the FDIC released a list of administrative enforcement actions taken against banks and individuals in January. The FDIC issued 18 orders, which “consisted of two consent orders; one civil money penalty; three removal and prohibition orders; eight section 19 orders; three terminations of consent orders and cease and desist orders; and one order terminating prompt corrective action.” Among the actions was a civil money penalty assessed against a Montana-based bank for allegedly violating the Flood Disaster Protection Act by failing to obtain adequate flood insurance coverage on certain loans and failing to provide borrowers with notice of the availability of federal disaster relief assistance. Separately, in a joint action with the California Department of Business Oversight, the agency issued a consent order against a California-based bank related to alleged weaknesses in its Bank Secrecy Act and anti-money laundering (BSA/AML) compliance program. Among other things, the bank was ordered to (i) retain qualified management to ensure compliance with applicable laws and regulations; (ii) “correct all violations of law to the extent possible”; (iii) implement a revised, written BSA compliance program to address BSA/AML deficiencies; (iv) establish a written Customer Due Diligence Program to ensure the reasonable detection of suspicious activity and the identification of higher-risk customers; (v) adopt a process for reviewing transaction monitoring alerts; and (vi) “ensure that suspicious activity monitoring system is independently validated.”
On February 20, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. The new enforcement actions include four civil money penalty orders, three cease and desist orders, five removal/prohibition orders, and a termination of an existing enforcement action. Included among the actions is a January 30 Consent Order to resolve the OCC’s claims that a New York-based bank engaged in Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program violations. According to the consent order, an OCC examination identified alleged deficiencies in the bank’s BSA/AML compliance program, including (i) failure to “assess and monitor high risk customer activity flowing to or from high risk jurisdictions”; (ii) deficient BSA/AML policies, procedures, systems and controls; (iii) inadequate suspicious activity monitoring and suspicious activity reporting (SAR) to FinCEN; (iv) deficient Customer Due Diligence processes, including failure to appoint a BSA officer; and (v) failure to sufficiently monitor or provide controls for increased wire and ACH transactions. The consent order requires the bank to, among other things, (i) appoint a compliance committee within 30 days; (ii) submit a written strategic plan to the OCC covering at least the next three years; (iii) appoint a “permanent, qualified, and experienced BSA Officer” with sufficient staff; (iv) create and adopt a “written program of internal control policies and procedures to provide for the compliance with the BSA”; and (v) adopt and deploy a “written system of internal controls and processes to ensure compliance with the requirements to file SARs.”
On February 6, Financial Crimes Enforcement Network (FinCEN) Deputy Director Jamal El-Hindi delivered remarks at the Securities Industry and Financial Markets Association’s 20th Anti-Money Laundering (AML) and Financial Crimes Conference discussing, among other things, the agency’s focus on the Bank Secrecy Act (BSA). Specifically, El-Hindi stressed the importance of information sharing in the BSA context, remarking that the financial sector is “in an evolutionary state” dealing with “new technologies and new payment systems, such as those that involve virtual currency.” He asserted that innovators in the development of cryptocurrencies and messaging systems “cannot turn a blind eye to illicit transactions that they may be fostering,” and noted that FinCEN will regulate these emerging systems in accordance with existing principles that underlie the BSA and AML rules and regulations for the financial sector. El-Hindi encouraged the securities industry to share information, observing that only 14 percent of eligible securities companies are registered to take part in the 314(b) business-to-business information sharing program. He suggested that the industry needs better communication and cooperation to increase the effectiveness of BSA information collection. El-Hindi also discussed how cooperation has helped FinCEN’s cross-agency coordination and enhanced the agency’s rulemaking and guidance—specifically in the establishment of the Customer Due Diligence and Beneficial Ownership rule, but recognized that the lack of information collected regarding the formation of new corporations can frustrate the agency’s risk assessment abilities. 
To motivate information sharing, El-Hindi emphasized the importance of the BSA information that financial companies collect, noting that SAR filings by securities companies have “increased roughly eight-fold” from 2003 to 2019, and that data provided from BSA filings is used frequently by law enforcement and regulators to inform their investigations and examinations and to “identify trends and focus resources.”
On January 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced the release of its 2020 Examination Priorities. The annual release of exam priorities provides transparency into the risk-based examination process and lists areas that pose current and potential risks to investors. OCIE’s 2020 examination priorities include:
- Retail investors, including seniors and those saving for retirement. OCIE places particular emphasis on disclosures and recommendations provided to investors.
- Information security. In addition to cybersecurity, top areas of focus include: risk management, vendor management, online and mobile account access controls, data loss prevention, appropriate training, and incident response.
- Fintech and innovation, digital assets and electronic investment advice. OCIE notes that the rapid pace of technology development, as well as new uses of alternative data, presents new risks and will focus attention on the effectiveness of compliance programs.
- Investment advisers, investment companies, broker-dealers, and municipal advisers. Risk-based exams will continue for each of these types of entities, with an emphasis on new registered investment advisers (RIA) and RIAs that have not been examined. Other themes in exams of these entities include board oversight, trading practices, advice to investors, RIA activities, disclosures of conflicts of interest, and fiduciary obligations.
- Anti-money laundering. Importance will be placed on beneficial ownership, customer identification and due diligence, and policies and procedures to identify suspicious activity.
- Market infrastructure. Particular attention will be directed to clearing agencies, national securities exchanges and alternative trading systems, and transfer agents.
- FINRA and MSRB. OCIE exams will emphasize regulatory programs, exams of broker-dealers and municipal advisers, as well as policies, procedures and controls.
On January 9, the Federal Reserve Board announced that it entered into a cease and desist order on December 30 with a Texas state-chartered bank due to “significant deficiencies” in the bank’s Bank Secrecy Act (BSA) and anti-money laundering (AML) compliance program that were discovered in its latest examination of the bank. The requirements set out for the bank in the order include:
- Board oversight. The bank must submit a board-approved, written plan to improve oversight of BSA/AML requirements.
- BSA/AML compliance program. The bank must submit a written BSA/AML compliance program that includes BSA/AML training; independent testing of the compliance program; management of the program by a qualified compliance officer with adequate staffing support; BSA/AML compliance internal controls; and a BSA/AML risk assessment of the bank, its products and services, and its customers.
- Customer due diligence. The bank must submit a revised customer due diligence program that includes policies and procedures to ensure accurate client account information; a plan to bring existing accounts into compliance with due diligence requirements; a method to assign risk ratings to account holders; policies and procedures to ensure proper customer information is obtained according to the risk of the account holder; and risk-based monitoring procedures and updates to accounts.
- Suspicious activity monitoring and reporting. The bank must submit a written suspicious activity monitoring and reporting program that includes a documented process for establishing monitoring rules; policies and procedures for review of monitoring rules; customer and transaction monitoring; and policies and procedures for the review of suspicious activity.
On December 27, the FDIC announced a list of administrative enforcement actions taken against banks and individuals in November. The 14 orders include “two consent orders; one civil money penalty; one order terminating consent order; one supervisory prompt corrective directive action; five section 19 orders (prohibiting persons who have been convicted of any criminal offense involving dishonesty, breach of trust, or money laundering from serving as institution-affiliated parties with respect to an insured depository institution); two removal and prohibition orders; and two orders terminating prompt supervisory corrective action directives.” In one action, the FDIC issued a consent order against an Illinois-based bank related to alleged weaknesses in its Bank Secrecy Act (BSA) compliance program. Among other things, the bank is ordered to (i) implement a revised, written BSA compliance program to address BSA and FinCEN regulation provisions, such as suspicious activity reporting, customer due diligence, and beneficial ownership; (ii) update its Customer Due Diligence Program to assure the reasonable detection of suspicious activity; (iii) implement a process for account transaction monitoring; (iv) retain qualified BSA management to ensure compliance with applicable laws and regulations; (v) implement a comprehensive BSA training program for appropriate personnel; (vi) address automated clearing house (ACH) activity and update policies and procedures to monitor credit risk associated with ACH transactions; and (vii) refrain from entering into any new lines of business prior to conducting appropriate due diligence.
On November 12, the Financial Crimes Enforcement Network (FinCEN) issued an advisory on the Financial Action Task Force (FATF)-identified jurisdictions with “strategic deficiencies” in their anti-money laundering and combating the financing of terrorism (AML/CFT) regimes. As previously covered by InfoBytes, in October, FATF updated the list of jurisdictions to include the Bahamas, Botswana, Cambodia, Ghana, Iceland, Mongolia, Pakistan, Panama, Syria, Trinidad and Tobago, Yemen, and Zimbabwe. At the time, FATF noted that several jurisdictions had not yet been reviewed, and that it “continues to identify additional jurisdictions, on an ongoing basis, that pose a risk to the international financial system.”
The FinCEN advisory reminds financial institutions of the FATF October updates and emphasizes that financial institutions should consider both the FATF Public Statement and the Improving Global AML/CFT Compliance: On-going Process documents when reviewing due diligence obligations and risk-based policies, procedures, and practices. Moreover, the advisory includes public statements on the status of, and obligations involving, the Democratic People’s Republic of Korea (DPRK) and Iran, in particular. The advisory reminds jurisdictions of the actions the United Nations and the U.S. have taken with respect to sanctioning the DPRK and Iran and emphasizes that financial institutions must comply “with the extensive U.S. restrictions and prohibitions against opening or maintaining any correspondent accounts, directly or indirectly, with foreign banks licensed by the DPRK or Iran.”