Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On March 23, the California Department of Financial Protection and Innovation (DFPI) released a new opinion letter covering aspects of the California Money Transmission Act (MTA) related to a digital asset trading platform. The redacted opinion letter examines whether the inquiring Company (a registered money services business) requires licensure under the MTA. The Company requesting an interpretive opinion operates a software platform that allows retail and institutional investors to buy and sell digital assets, including cryptocurrency, and access related services, within the platform. The letter explains that U.S. customers must fund an account on the Company’s platform prior to purchasing cryptocurrency with either fiat currency (U.S. dollars) or cryptocurrency. The letter also describes, among other things, how customers can buy from and sell to the Company cryptocurrencies on one or more cryptocurrency exchanges using the platform. In these transactions, the Company would sell or buy cryptocurrency from the customer at the selected price and settle the trade using fiat or cryptocurrency held in its own accounts. Simultaneously, the Company would execute a trade for its own benefit on the exchange offering the price selected by the customer. Customer funds would not be used to buy or sell cryptocurrency from or to the exchange. After executing a transaction, a customer may choose to withdraw all or part of the customer’s fiat or cryptocurrency from the platform, or may choose to maintain a balance to execute future transactions.
The DFPI stated that it “has not concluded whether a wallet storing cryptocurrency constitutes a form of monetary value representing a claim against the issuer and accepted for use as a means of redemption for money or monetary value or payment for goods or services.” As such, the DFPI will not require the Company to be licensed under the MTA to provide customers with an account via a proprietary software platform to transfer and store cryptocurrency in order to execute trades directly with the Company.
On March 10, the Financial Crimes Enforcement Network (FinCEN) announced updates to the Financial Action Task Force (FATF) statements concerning jurisdictions with strategic anti-money laundering, countering the financing of terrorism, and combating weapons of mass destruction proliferation financing (AML/CFT/CPF) deficiencies. Specifically, to ensure compliance with international standards, FAFT updated the following two statements: (i) Jurisdictions under Increased Monitoring, which identifies jurisdictions with strategic deficiencies in their AML/CFT/CPF regimes that have committed to, or are actively working with, FATF to address those deficiencies in accordance with an agreed upon timeline and; (ii) High-Risk Jurisdictions subject to a Call for Action, which identifies jurisdictions with significant strategic deficiencies in their AML/CFT/CPF regimes and instructs FATF members to apply enhanced due diligence, and in the most serious cases, apply counter-measures to protect the international financial system from such risks. Among other things, through the announcement, FinCEN reminded covered financial institutions of their obligations to comply with due diligence obligations for foreign financial institutions (in addition to their general obligations) to ensure their due diligence programs “include appropriate, specific, risk-based, and, where necessary, enhanced policies, procedures, and controls that are reasonably designed to detect and report known or suspected money laundering activity conducted through or involving any correspondent account established, maintained, administered, or managed in the United States.” Money service businesses are also required to establish appropriate policies to address money laundering and terrorism financing risks posed by their relationships with foreign agents or foreign counterparties. FinCEN further instructed financial institutions to comply with U.S. prohibitions against the opening or maintaining of any correspondent accounts, whether directly or indirectly, for North Korean or Iranian financial institutions, which are already prohibited under existing U.S. sanctions and FinCEN regulations. As previously covered by InfoBytes, FinCEN last announced updates to the FATF statements in October.
On March 7, FinCEN issued an alert advising financial institutions to be vigilant against potential attempts to evade sanctions levied against Russian individuals, banks, and other entities in response to the situation in Ukraine. FinCEN provided several examples of red flag indicators that could help identify attempted sanctions evasions, including actions by state actors and oligarchs, and reminded financial institutions of their Bank Secrecy Act (BSA) reporting obligations.
The alert stressed that all financial institutions, including those with visibility into convertible virtual currency (CVC) flows identify and promptly report associated suspicious activity, and conduct appropriate, risk-based customer due diligence or enhanced due diligence as required. This includes CVC exchangers and administrators within or outside of Russia (which are generally considered to be money services businesses under the BSA) that retain at least some access to the international financial system. FinCEN noted that “[w]hile large scale sanctions evasion using [CVC] by a government such as the Russian Federation is not necessarily practicable, CVC exchangers and administrators and other financial institutions may observe attempted or completed transactions tied to CVC wallets or other CVC activity associated with sanctioned Russian, Belarusian, and other affiliated persons.”
Financial institutions are instructed to specifically watch for (i) transactions initiated from IP addresses located in Russia, Belarus, FATF-identified jurisdictions with anti-money laundering/countering the financing of terrorism/counter-proliferation deficiencies, or other sanctioned jurisdictions; (ii) transactions connected to CVC addresses listed on OFAC’s Specially Designated Nationals and Blocked Persons List; and (iii) customers’ use of a CVC exchanger or foreign-located money service businesses in high-risk jurisdictions, including those with inadequate “know-your-customer” or customer due diligence measures. FinCEN also warned financial institutions of the dangers posed by Russian-related ransomware campaigns and encouraged financial institutions to refer to FinCEN and OFAC resources to help detect, prevent, and report potential suspicious activity.
Find continuing InfoBytes coverage on the U.S. sanctions response to Russia’s invasion of Ukraine here.
On January 3, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $91,172 settlement against a registered money services business for allegedly processing payment transactions for guests traveling to Cuba "for reasons outside of OFAC’s authorized categories” and failing to maintain certain required records associated with Cuba-related transactions. These actions, OFAC, stated, allegedly violated the Cuban Assets Control Regulations (CACR). According to OFAC’s web notice, as the company scaled up its traveler services in Cuba, its technology platforms were allegedly unable to manage the associated sanctions risks, which led to the alleged violations. Among other things, OFAC maintained that the company used a manual process to screen hosts and guests for potential sanctions issues until it began using a customized IP blocking system. Additionally, the company’s alleged recordkeeping violations were primarily attributed to technical defects involving an older version of the company’s mobile application that could be used for Cuba-related travel without “maintain[ing] complete functionality for [g]uests to make an attestation regarding their reason for travel to Cuba.”
In arriving at the settlement amount, OFAC considered various aggravating factors, including, among other things, that the company is a large, sophisticated U.S.-based technology company, and that its alleged violations followed a 2015 foreign policy change with respect to Cuba, as well as associated changes to the CACR, which maintained certain specified restrictions. OFAC also considered various mitigating factors, including that the company (i) did not receive a penalty notice or finding of violation in the past five years preceding the earliest transaction giving rise to this settlement; (ii) conducted a comprehensive review of its sanctions compliance program, voluntarily reported its findings to OFAC, and substantially cooperated with the investigation; and (iii) undertook significant remedial measures to ensure sanctions compliance.
On October 18, the Conference of State Bank Supervisors (CSBS) issued a request for public comments on behalf of NMLS-participating state regulatory agencies on proposed changes to the NMLS Money Services Businesses Call Report (MSBCR). The MSBCR seeks to create “a nationwide repository of standardized information available to state regulators concerning the financial condition and activities of their Money Services Businesses licensees.” CSBS requests comments on edits to existing virtual currency transaction line items, new virtual currency line items addressing activities not already covered, revisions to the definition of existing permissible investments, and edits to definitions and titles of existing financial condition line items. Comments are due December 17.
On June 10, the U.S. District Court for the Middle District of Pennsylvania granted the DOJ’s unopposed motion to dismiss anti-money laundering charges brought against a money services business, ending an extended deferred prosecution agreement (DPA) related to deficiencies in the company’s anti-fraud and anti-money laundering (AML) programs. As previously covered by InfoBytes, the DOJ filed charges against the company in 2012 for allegedly “willfully failing to maintain an effective AML program and aiding and abetting wire fraud,” including scams targeting the elderly and other vulnerable groups that involved victims sending funds through the company’s money transfer system. In 2018, the DOJ and the company extended and amended the DPA through May 2021 after the DOJ alleged that the company continued to experience significant weaknesses in its AML and anti-fraud programs. At the time, the company agreed to, among other things, comply with additional enhanced anti-fraud and AML compliance obligations. The DOJ noted in its motion to dismiss with prejudice that the company has forfeited $225 million as required and has “satisfied the conditions and obligations imposed under the DPA and the Amendment.” Additionally, the DOJ confirmed that an independent compliance monitor has certified that the company’s “anti-fraud and anti-money laundering compliance program, including its policies and procedures, are reasonably designed and implemented to detect and prevent fraud and money laundering and to comply with the Bank Secrecy Act.”
- Kathryn L. Ryan and Jedd R. Bellman to discuss “Risk and compliance management: Are you covered?” at a Mortgage Bankers Association webinar
- Melissa Klimkiewicz and Daniel A. Bellovin to discuss “Things to know about flood insurance” at a NAFCU webinar
- Hank Asbill to discuss “Ethical issues at sentencing” at the 31st Annual National Seminar on Federal Sentencing
- Max Bonici will moderate a panel on “Enforcement risk and other regulatory and compliance issues related to crypto and digital assets” at the American Bar Association’s 2022 Annual Meeting
- John R. Coleman to provide a “CFPB Update” at MBA’s 2022 Regulatory Compliance Conference
- Amanda R. Lawrence to discuss “The shifting data privacy and data protection landscape” at MBA’s 2022 Regulatory Compliance Conference
- Jeffrey P. Naimon to provide “An update on key fair lending cases and the CRA and UDAAP rules” at MBA’s 2022 Regulatory Compliance Conference
- Benjamin W. Hutten to discuss “Fundamentals of financial crime compliance” at the Practicing Law Institute
- Benjamin W. Hutten to discuss “Ongoing CDD: Operational considerations” at NAFCU’s Regulatory Compliance & BSA Seminar
- James C. Chou to discuss ransomware at NAFCU’s Regulatory Compliance & BSA seminar
- Elizabeth E. McGinn, Benjamin W. Hutten, and James C. Chou to discuss “The Evolving Regulatory Landscape: Third-party and cyber risk management” at the 2022 mWISE Conference
- James T. Parkinson to present a “Global anti-corruption update” at IBA’s annual conference