FDIC releases January enforcement actions
On February 28, the FDIC released a list of administrative enforcement actions taken against banks and individuals in January. The FDIC issued 18 orders, which “consisted of two consent orders; one civil money penalty; three removal and prohibition orders; eight section 19 orders; three terminations of consent orders and cease and desist orders; and one order terminating prompt corrective action.” Among the actions was a civil money penalty assessed against a Montana-based bank for allegedly violating the Flood Disaster Protection Act by failing to obtain adequate flood insurance coverage on certain loans and failing to provide borrowers with notice of the availability of federal disaster relief assistance. Separately, in a joint action with the California Department of Business Oversight, the agency issued a consent order against a California-based bank related to alleged weaknesses in its Bank Secrecy Act and anti-money laundering (BSA/AML) compliance program. Among other things, the bank was ordered to (i) retain qualified management to ensure compliance with applicable laws and regulations; (ii) “correct all violations of law to the extent possible”; (iii) implement a revised, written BSA compliance program to address BSA/AML deficiencies; (iv) establish a written Customer Due Diligence Program to ensure the reasonable detection of suspicious activity and the identification of higher-risk customers; (v) adopt a process for reviewing transaction monitoring alerts; and (vi) “ensure that suspicious activity monitoring system is independently validated.”
OCC releases January enforcement actions
On February 20, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. The new enforcement actions include four civil money penalty orders, three cease and desist orders, five removal/prohibition orders, and a termination of an existing enforcement action. Included among the actions is a January 30 Consent Order to resolve the OCC’s claims that a New York-based bank engaged in Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program violations. According to the consent order, an OCC examination identified alleged deficiencies in the bank’s BSA/AML compliance program, including (i) failure to “assess and monitor high risk customer activity flowing to or from high risk jurisdictions”; (ii) deficient BSA/AML policies, procedures, systems and controls; (iii) inadequate suspicious activity monitoring and suspicious activity reporting (SAR) to FinCEN; (iv) deficient Customer Due Diligence processes, including failure to appoint a BSA officer; and (v) failure to sufficiently monitor or provide controls for increased wire and ACH transactions. The consent order requires the bank to, among other things, (i) appoint a compliance committee within 30 days; (ii) submit a written strategic plan to the OCC covering at least the next three years; (iii) appoint a “permanent, qualified, and experienced BSA Officer” with sufficient staff; (iv) create and adopt a “written program of internal control policies and procedures to provide for the compliance with the BSA”; and (v) adopt and deploy a “written system of internal controls and processes to ensure compliance with the requirements to file SARs.”
FinCEN focuses on securities industry BSA/AML information sharing
On February 6, Financial Crimes Enforcement Network (FinCEN) Deputy Director Jamal El-Hindi delivered remarks at the Securities Industry and Financial Markets Association’s 20th Anti-Money Laundering (AML) and Financial Crimes Conference discussing, among other things, the agency’s focus on the Bank Secrecy Act (BSA). Specifically, El-Hindi stressed the importance of information sharing in the BSA context, remarking that the financial sector is “in an evolutionary state” dealing with “new technologies and new payment systems, such as those that involve virtual currency.” He asserted that innovators in the development of cryptocurrencies and messaging systems “cannot turn a blind eye to illicit transactions that they may be fostering,” and noted that FinCEN will regulate these emerging systems in accordance with existing principles that underlie the BSA and AML rules and regulations for the financial sector. El-Hindi encouraged the securities industry to share information, observing that only 14 percent of eligible securities companies are registered to take part in the 314(b) business-to-business information sharing program. He suggested that the industry needs better communication and cooperation to increase the effectiveness of BSA information collection. El-Hindi also discussed how cooperation has helped FinCEN’s cross-agency coordination and enhanced the agency’s rulemaking and guidance, specifically in the establishment of the Customer Due Diligence and Beneficial Ownership rule, but recognized that the lack of information collected regarding the formation of new corporations can frustrate the agency’s risk assessment abilities.
To motivate information sharing, El-Hindi emphasized the importance of the BSA information that financial companies collect, noting that SAR filings by securities companies have “increased roughly eight-fold” from 2003 to 2019, and that data from BSA filings is used frequently by law enforcement and regulators to inform their investigations and examinations and to “identify trends and focus resources.”
SEC announces 2020 OCIE exam priorities
On January 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced the release of its 2020 Examination Priorities. The annual release of exam priorities provides transparency into the risk-based examination process and lists areas that pose current and potential risks to investors. OCIE’s 2020 examination priorities include:
- Retail investors, including seniors and those saving for retirement. OCIE places particular emphasis on disclosures and recommendations provided to investors.
- Information security. In addition to cybersecurity, top areas of focus include: risk management, vendor management, online and mobile account access controls, data loss prevention, appropriate training, and incident response.
- Fintech and innovation, digital assets and electronic investment advice. OCIE notes that the rapid pace of technology development, as well as new uses of alternative data, presents new risks and will focus attention on the effectiveness of compliance programs.
- Investment advisers, investment companies, broker-dealers, and municipal advisers. Risk-based exams will continue for each of these types of entities, with an emphasis on new registered investment advisers (RIA) and RIAs that have not been examined. Other themes in exams of these entities include board oversight, trading practices, advice to investors, RIA activities, disclosures of conflicts of interest, and fiduciary obligations.
- Anti-money laundering. Importance will be placed on beneficial ownership, customer identification and due diligence, and policies and procedures to identify suspicious activity.
- Market infrastructure. Particular attention will be directed to clearing agencies, national securities exchanges and alternative trading systems, and transfer agents.
- FINRA and MSRB. OCIE exams will emphasize regulatory programs, exams of broker-dealers and municipal advisers, as well as policies, procedures and controls.
Fed issues enforcement order for BSA/AML compliance
On January 9, the Federal Reserve Board announced that it entered into a cease and desist order on December 30 with a Texas state-chartered bank due to “significant deficiencies” in the bank’s Bank Secrecy Act (BSA) and anti-money laundering (AML) compliance program that were discovered in its latest examination of the bank. The requirements set out for the bank in the order include:
- Board oversight. The bank must submit a board-approved, written plan to improve oversight of BSA/AML requirements.
- BSA/AML compliance program. The bank must submit a written BSA/AML compliance program that includes BSA/AML training; independent testing of the compliance program; management of the program by a qualified compliance officer with adequate staffing support; BSA/AML compliance internal controls; and a BSA/AML risk assessment of the bank, its products and services, and its customers.
- Customer due diligence. The bank must submit a revised customer due diligence program that includes policies and procedures to ensure accurate client account information; a plan to bring existing accounts into compliance with due diligence requirements; a method to assign risk ratings to account holders; policies and procedures to ensure proper customer information is obtained according to the risk of the account holder; and risk-based monitoring procedures and updates to accounts.
- Suspicious activity monitoring and reporting. The bank must submit a written suspicious activity monitoring and reporting program that includes a documented process for establishing monitoring rules; policies and procedures for review of monitoring rules; customer and transaction monitoring; and policies and procedures for the review of suspicious activity.
FDIC releases November enforcement actions
On December 27, the FDIC announced a list of administrative enforcement actions taken against banks and individuals in November. The 14 orders include “two consent orders; one civil money penalty; one order terminating consent order; one supervisory prompt corrective directive action; five section 19 orders (prohibiting persons who have been convicted of any criminal offense involving dishonesty, breach of trust, or money laundering from serving as institution-affiliated parties with respect to an insured depository institution); two removal and prohibition orders; and two orders terminating prompt supervisory corrective action directives.” In one action, the FDIC issued a consent order against an Illinois-based bank related to alleged weaknesses in its Bank Secrecy Act (BSA) compliance program. Among other things, the bank is ordered to (i) implement a revised, written BSA compliance program to address BSA and FinCEN regulation provisions, such as suspicious activity reporting, customer due diligence, and beneficial ownership; (ii) update its Customer Due Diligence Program to assure the reasonable detection of suspicious activity; (iii) implement a process for account transaction monitoring; (iv) retain qualified BSA management to ensure compliance with applicable laws and regulations; (v) implement a comprehensive BSA training program for appropriate personnel; (vi) address automated clearing house (ACH) activity and update policies and procedures to monitor credit risk associated with ACH transactions; and (vii) refrain from entering into any new lines of business prior to conducting appropriate due diligence.
FinCEN issues an advisory on FATF-identified jurisdictions with AML/CFT deficiencies
On November 12, the Financial Crimes Enforcement Network (FinCEN) issued an advisory on the Financial Action Task Force (FATF)-identified jurisdictions with “strategic deficiencies” in their anti-money laundering and combating the financing of terrorism (AML/CFT) regimes. As previously covered by InfoBytes, in October, FATF updated the list of jurisdictions to include the Bahamas, Botswana, Cambodia, Ghana, Iceland, Mongolia, Pakistan, Panama, Syria, Trinidad and Tobago, Yemen, and Zimbabwe. At the time, FATF noted that several jurisdictions had not yet been reviewed, and that it “continues to identify additional jurisdictions, on an ongoing basis, that pose a risk to the international financial system.”
The FinCEN advisory reminds financial institutions of the FATF October updates and emphasizes that financial institutions should consider both the FATF Public Statement and the Improving Global AML/CFT Compliance: On-going Process documents when reviewing due diligence obligations and risk-based policies, procedures, and practices. Moreover, the advisory includes public statements on the status of, and obligations involving, the Democratic People’s Republic of Korea (DPRK) and Iran, in particular. The advisory reminds jurisdictions of the actions the United Nations and the U.S. have taken with respect to sanctioning the DPRK and Iran and emphasizes that financial institutions must comply “with the extensive U.S. restrictions and prohibitions against opening or maintaining any correspondent accounts, directly or indirectly, with foreign banks licensed by the DPRK or Iran.”
FATF updates jurisdictions with AML/CFT deficiencies
On October 18, the Financial Action Task Force (FATF) published its updated list of jurisdictions identified as having “strategic deficiencies” in their anti-money laundering and combating the financing of terrorism (AML/CFT) regimes that have also developed action plans with the FATF to address the deficiencies. The list of jurisdictions includes the Bahamas, Botswana, Cambodia, Ghana, Iceland, Mongolia, Pakistan, Panama, Syria, Trinidad and Tobago, Yemen, and Zimbabwe. Notably, Ethiopia, Sri Lanka, and Tunisia have been removed from the list and are no longer subject to the FATF’s AML/CFT compliance process due to making “significant progress” in their regimes, while Iceland, Mongolia, and Zimbabwe have been added since the last update in June (covered by InfoBytes here). The FATF further notes that several jurisdictions have not yet been reviewed, and that it “continues to identify additional jurisdictions, on an ongoing basis, that pose a risk to the international financial system.” While the FATF does not instruct members to apply enhanced due diligence to these jurisdictions, it encourages members to take this information into account when conducting money laundering risk assessments and due diligence.
FATF updates standards to prevent misuse of virtual assets; reviews progress on jurisdictions with AML/CFT deficiencies
On October 19, the Financial Action Task Force (FATF) issued a statement urging all countries to take measures to prevent virtual assets and cryptocurrencies from being used to finance crime and terrorism. FATF updated The FATF Recommendations to add new definitions for “virtual assets” and “virtual asset service providers” and to clarify how the recommendations apply to financial activities involving virtual assets and cryptocurrencies. FATF also stated that virtual asset service providers are subject to Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) regulations, which require conducting customer due diligence, such as ongoing monitoring, record-keeping, and suspicious transaction reporting, and commented that virtual asset service providers should be licensed or registered and will be subject to compliance monitoring. However, FATF noted that its recommendations “require monitoring or supervision only for purposes of AML/CFT, and do not imply that virtual asset service providers are (or should be) subject to stability or consumer/investor protection safeguards.”
The same day, FATF announced that several countries made “high-level political commitment[s]” to address AML/CFT strategic deficiencies through action plans developed to strengthen compliance with FATF standards. These jurisdictions are the Bahamas, Botswana, Ethiopia, Ghana, Pakistan, Serbia, Sri Lanka, Syria, Trinidad and Tobago, Tunisia, and Yemen. FATF also issued a public statement calling for continued counter-measures against the Democratic People's Republic of Korea due to significant AML/CFT deficiencies and the threats posed to the integrity of the international financial system, and enhanced due diligence measures with respect to Iran. However, FATF will continue its suspension of counter-measures due to Iran’s political commitment to address its strategic AML/CFT deficiencies.
OCC issues guidance regarding implied sovereign support and credit risk ratings
On August 28, the OCC issued Bulletin 2018-25, which provides guidance regarding the role of informal or implied expressions of support from foreign governments (implied sovereign support) in determining a borrower’s obligor and facility credit risk ratings. The Bulletin expands on Appendix E of the “Rating Credit Risk” booklet of the Comptroller’s Handbook and encourages banks to analyze, among other things, the sovereign’s legal and financial obligations and the relationship between the obligor and the sovereign. The OCC notes that the obligor’s importance to the sovereign’s local economy does not necessarily demonstrate “willingness to provide an obligor with financial support.” Additionally, the Bulletin provides guidance on bank policies governing the use and application of implied sovereign support to determine a final regulatory risk rating. The OCC states that a sound policy would incorporate the following three elements: (i) defined criteria on how a risk rating may be changed for an obligor due to recognition of implied sovereign support; (ii) methods for determining whether implied sovereign support will be considered in the risk rating decision, including periodic reevaluations of the assessment; and (iii) appropriate documentation standards, including a tracking process that promotes “consistent and appropriate” application of the defined criteria.