InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OFAC sanctions target Russian financial facilitators
On April 12, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), in coordination with the United Kingdom, announced sanctions targeting Russian financial facilitators to curb the country’s access to the international financial system. The sanctions, issued pursuant to Executive Order 14024, target 25 individuals and 29 entities with touchpoints in 20 jurisdictions, and include the facilitation network of one of Russia’s wealthiest billionaires who is subject to sanctions in multiple jurisdictions, OFAC said. The designations also serve to reinforce existing measures and further disrupt Russia’s ability to import critical technologies for use in its war against Ukraine. Concurrently, the State Department designated several entities operating in Russia’s defense sector, as well as entities supporting Russia’s war efforts against Ukraine and entities associated with the country’s energy exports. (See also State Department’s fact sheet here.) The Commerce Department also added 28 entities to its entity list. “Today’s action underscores our dedication to implementing the G7 commitment to impose severe costs on third-country actors who support Russia’s war,” Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said in the announcement.
As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless authorized by a general or specific OFAC license, or otherwise exempt.
In conjunction with the sanctions, OFAC issued several Russia-related general licenses (see GLs 62, 63, 64, and 65), revoked GL 15, and published new FAQ 1122.
OFAC sanctions individuals involved in Syria’s drug production and trafficking
On March 28, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) designated key individuals for supporting the regime of Syrian President Bashar al-Assad and the regime’s billion-dollar illicit drug production and trafficking enterprise. Taken in coordination with the UK, the designations, issued pursuant to Executive Orders 13572, 13582, and 13224, “also highlight the important role of Lebanese drug traffickers—some of whom maintain ties to Hizballah—in facilitating the export of Captagon[,]” the dangerous amphetamine at issue. As a result of the sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the designated individuals or entities may themselves be exposed to sanctions or subject to an enforcement action, OFAC warned.
OFAC, UK announce joint sanctions on Russia-based cybercrime gang
On February 9, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), in coordination with the UK, announced sanctions against seven individuals who allegedly are involved in a Russia-based cybercrime gang and are associated with the development or deployment of a range of ransomware strains designed to steal financial data. (See also UK’s announcement here.) The sanctions, taken pursuant to Executive Order (E.O.) 13694 as amended by E.O. 13757, represent the first sanctions of their kind for the UK, and come as a result of a partnership between OFAC and the U.K.’s Foreign, Commonwealth, and Development Office, the UK National Crime Agency, and His Majesty’s Treasury—all of which serve to disrupt Russian cybercrime and ransomware. “Cyber criminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses, and exploit the international financial system,” Treasury Under Secretary Brian E. Nelson said in the announcement, stressing that “international cooperation is key to addressing Russian cybercrime.” Referring to an action taken by FinCEN last month, which identified a Russia-based virtual currency exchange “as a ‘primary money laundering concern’ in connection with Russian illicit finance” (covered by InfoBytes here), OFAC reiterated that the U.S. and UK are “committed to using all available authorities and tools to defend against cyber threats.” The designations follow other joint sanctions actions taken by the two countries and reflect findings that sanctions are most effective in coordination with international partners, OFAC said.
As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the designated individuals may themselves be exposed to sanctions, and “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today could be subject to U.S. correspondent or payable-through account sanctions.”
FCA fines UK bank £108 million over AML controls
On December 9, the Financial Conduct Authority (FCA) fined a UK bank more than £107.7 million for allegedly maintaining inadequate anti-money laundering (AML) controls at its business banking division. The bank’s AML controls and attempts to correct the problems were inadequate according to the FCA and “created a prolonged and severe risk of money laundering and financial crime.” The FCA further claimed that these alleged “serious and persistent gaps” prevented the bank from adequately overseeing more than 560,000 business customers between December 2012 and October 2017. According to the FCA, due to the alleged deficiencies, the bank was purportedly unable to verify information provided by customers about their business intentions and was unable to properly monitor the money that customers claimed would be going through their accounts compared with what was actually being deposited. The FCA’s investigation also identified several other mismanaged accounts that left the bank vulnerable to money laundering risk and found examples where the bank failed to promptly address “red flags” associated with suspicious activity. As a result, more than £298 million was routed through the bank before the accounts were closed.
The FCA noted, however, that the fine was reduced from nearly £154 million (a 30 percent discount) due to the bank not disputing the findings. The bank, which has fully cooperated with the FCA’s investigation, released a statement emphasizing that while it took action to address the AML issues once they were identified, it accepts that its “AML framework at the time should have been stronger.” The bank has since implemented significant changes to address these issues by overhauling its financial crime technology, systems, and processes.
Chopra says CFPB is examining industry standard settings
On November 2, CFPB Director Rohit Chopra delivered prepared remarks before a public meeting of the Bureau’s Consumer Advisory Board briefly touching upon on several topics related to the Buy Now Pay Later market, big tech and data collection, peer-to-peer payment platforms, and Section 1033 rulemaking concerning consumers’ rights to their personal financial data. Notably, Chopra raised an area of discussion concerning industry standard-setting organizations and providers of critical infrastructure. Recognizing that private organizations play a major role in setting standards across sectors of the economy, Chopra emphasized that “[d]ecentralized, open banking will likely rely on fair standard-setting, through an amalgam of legally binding rules and industry developed standards.” He warned though that it “can be difficult to achieve fair standard-setting, since incumbents will have a strong economic interest when it comes to protecting their turf.” Chopra pointed to the telecommunications and health care industries as areas where private organizations “are not neutral, but are instead owned or governed by certain market participants” and where other players may also integrate a function akin to a lobbying or trade association. Explaining that the Bureau has been devoting a lot of time to this space, Chopra said the agency is gathering insights into other countries’ experiences, such as the UK’s Open Banking Implementation Entity (which was established to provide critical services and infrastructure), as well as domestic developments. He stated the Bureau will develop rulemaking with a practical mindset of how requirements would be operationalized in the market.
UK Information Commissioner fines company £4.4 million for data breach
On October 24, the UK Information Commissioner fined a construction company £4.4 million for a data breach that allegedly allowed hackers to access thousands of employees’ personal data. According to the monetary penalty notice, the company failed to process personal data in a manner that ensured the appropriate security of individuals’ personal data as required by Article 5(1)(f) and Article 32 of the EU’s General Data Protection Regulation. This includes protecting against unauthorized or unlawful processing, against accidental loss, destruction, or damage, and using appropriate technical and organizational measures, the regulator said. As a result of insufficient security measures, the company was exposed to a cyber-attack that affected the personal data of up to 113,000 company employees, including personal information such as phone numbers, email addresses, national insurance numbers, and bank account details, among others. An investigation found that the company allegedly failed to follow-up on a suspicious activity alert, used outdated software systems and protocols, and lacked adequate staff training and insufficient risk assessments. The regulator warned companies that “[t]he biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company.” The regulator further stressed that failure to regularly monitor for suspicious activity, act on warnings, update software, or provide training may expose other companies to a similar fine.
U.S.-UK sanctions partnership to exchange best practices
On October 17, Andrea Gacki, Director of the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), and Giles Thomson, Director of the Office of Financial Sanctions Implementation (OFSI), HM Treasury, announced that in the upcoming months, officials will exchange best practices for enhancing and strengthening the U.S.-UK sanctions partnership. Among other things, OFAC and OFSI officials plan to identify opportunities for pooling expertise, and will explore ways to align the way sanctions are implemented and develop joint products and collaborative guidance to assist stakeholders. Gacki and Thomson noted that work is already underway on developing approaches for addressing shared priorities related to cyber threats, virtual asset misuse, information sharing, and making sure sanctions do not impede humanitarian trade and assistance. Recognizing that financial sanctions are most effective when implemented multilaterally, Gacki and Thomson discussed efforts taken by their respective countries to coordinate and implement sanctions programs, including measures designed to tackle corruption, kleptocracy, and other forms of economic crime. They recognized, however, “that the growing scale of sanctions has increased the complexities of their implementation,” and reiterated their commitment to engage with stakeholders and provide useful sanctions-related information and guidance.
U.S.-UK Data Access Agreement now in effect
On October 3, the DOJ announced that the U.S.-UK Data Access Agreement (Agreement) is now in effect. According to the DOJ, the Agreement, authorized by the Clarifying Lawful Overseas Use of Data (CLOUD) Act, is the first of its kind and will allow investigators from each country to gain better access to vital data to combat serious crime in a manner “consistent with privacy and civil liberties standards.” Under the Agreement, “service providers in one country may respond to qualifying, lawful orders for electronic data issued by the other country, without fear of running afoul of restrictions on cross-border disclosures,” the DOJ said. The Agreement is intended to foster “more timely and efficient access to electronic data required in fast-moving investigations through the use of orders covered by the Agreement,” and will greatly improve the two countries’ ability “to prevent, detect, investigate, and prosecute serious crime, including terrorism, transnational organized crime, and child exploitation, among others.” U.S. and UK officials are required to meet numerous requirements in order to invoke the Agreement, such as orders must relate to a serious crime and may not target persons located in the country for which the order is submitted. Authorities in both countries must also follow agreed upon requirements, limitations, and conditions when obtaining and using data obtained under the Agreement. The DOJ’s Office of International Affairs has been selected as the designated authority responsible for implementing the Agreement in the U.S. and “has created a CLOUD team to review and certify orders that comply with the Agreement on behalf of federal, state, local, and territorial authorities located in the United States, transmit certified orders directly to UK service providers, and arrange for the return of responsive data to the requesting authorities.”
U.S.-UK financial regulators discuss bilateral issues
On July 26, the U.S. Treasury Department issued a joint statement covering the recently held sixth meeting of the U.S.-UK Financial Regulatory Working Group. Participants included officials and senior staff from both countries’ treasury departments, as well as regulatory agencies including the Federal Reserve Board, CFTC, FDIC, OCC, SEC, the Bank of England, and the UK’s Financial Conduct Authority. The Working Group discussed, among other things, (i) market developments since the Russian invasion of Ukraine; (ii) continuing international and bilateral cooperation; (iii) the international financial sector priorities at the G7, the G20, the Financial Stability Board (FSB), and the International Organisation of Securities Commissions (IOSCO); (iv) the risks associated with the Non-Bank Financial Intermediation (NBFI) sector and interconnectedness with other financial and non-financial actors; and (v) “the mutual desire to promote multilateral cooperation around risk management in global derivatives and banking markets.” The Working Group participants will continue to engage bilaterally on these issues and others ahead of the next meeting, planned for later this year.
U.S.-UK partnership exchanges views on crypto, digital assets
On July 1, the U.S. Treasury Department issued a joint statement providing an overview of recent meetings of the U.S.-UK Financial Innovation Partnership (FIP) where Regulatory and Commercial Pillar participants exchanged views “on topics of mutual interest in the U.S. and UK regarding crypto and digital asset ecosystems.” Participants also discussed options for deepening ties between U.S. and UK financial authorities on financial innovation. As previously covered by InfoBytes, the FIP was created in 2019 as a way to expand bilateral financial services collaborative efforts, study emerging fintech innovation trends, and share information and expertise on regulatory practices. The first meeting of the FIP took place in August 2020 (covered by InfoBytes here). Topics discussed in the most recent meeting included, among other things, crypto-asset regulation and market developments, including recent developments related to stablecoins and the exploration of central bank digital currencies, and other recent market developments on digital assets. Participants acknowledged “the continued importance of the ongoing partnership on global financial innovation as an integral component of U.S.-UK financial services cooperation.”