InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Treasury announces task force with South Africa on wildlife trafficking
On January 25, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced that Treasury and South Africa’s National Treasury recently formed the U.S. – South Africa Task Force on Combating the Financing of Wildlife Trafficking. According to the announcement, the Task Force will combat illicit finance connected to illegal wildlife trade in three key areas:
- Prioritizing the sharing of financial red flags and indicators connected to wildlife trafficking cases. Specifically, the South African Anti-Money Laundering Integrated Task Force, a public private partnership, will play a key role working in coordination with FinCEN.
- Increasing information sharing between financial intelligence units to support key law enforcement agencies from South Africa and the U.S. This is intended to “bolster law enforcement efforts to use financial investigations to pursue and recover the illicit proceeds of wildlife criminals, especially transnational criminal organizations (TCOs) fueling and benefiting from corruption and the trafficking of, among other things, abalone, rhino horns, pangolins, and elephant ivory.”
- Bringing together government authorities, regulators, law enforcement, and the private sector to enhance controls to combat money laundering and the illicit proceeds connected to drug and wildlife trafficking.
Treasury Secretary Janet L. Yellen emphasized that in order “[t]o protect wildlife populations from further poaching and disrupt the associated illicit trade, we must ‘follow the money’ in the same way we do with other serious crimes.”
FinCEN prohibits engagement with virtual currency exchange connected to Russian finance
On January 18, the Financial Crimes Enforcement Network (FinCEN) issued its first order pursuant to section 9714(a) of the Combating Russian Money Laundering Act to identify a Hong Kong-registered global virtual currency exchange operating outside of the U.S. as a “primary money laundering concern” in connection with Russian illicit finance. FinCEN announced that the virtual currency exchange offers exchange and peer-to-peer services and “plays a critical role in laundering Convertible Virtual Currency (CVC) by facilitating illicit transactions for ransomware actors operating in Russia.” A FinCEN investigation revealed that the virtual currency exchange facilitated deposits and funds transfers to Russia-affiliated ransomware groups or affiliates, as well as transactions with Russia-connected darknet markets, one of which is currently sanctioned and subject to enforcement actions that have shuttered its operations. The investigation also found that the virtual currency exchange failed to meaningfully implement steps to identify and disrupt the illicit use and abuse of its services, and lacked adequate policies, procedures, or internal controls to combat money laundering and illicit finance.
Recognizing that the virtual currency exchange “poses a global threat by allowing Russian cybercriminals and ransomware actors to launder the proceeds of their theft,” FinCEN acting Director Himamauli Das emphasized that “[a]s criminals and criminal facilitators evolve, so too does our ability to disrupt these networks.” He warned that FinCEN will continue to leverage the full range of its authorities to prohibit these institutions from gaining access to and using the U.S. financial system to support Russian illicit finance. Effective February 1, covered financial institutions are prohibited from engaging in the transmittal of funds from or to the virtual currency exchange, or from or to any account or CVC address administered by or on behalf of the virtual currency exchange. Frequently asked questions on the action are available here.
Concurrently, the DOJ announced that the founder and majority owner of the virtual currency exchange was arrested for his alleged involvement in the transmission of illicit funds. Charged with conducting an unlicensed money transmitting business and processing more than $700 million of illicit funds, the DOJ said the individual allegedly “knowingly allowed [the virtual currency exchange] to become a perceived safe haven for funds used for and resulting from a variety of criminal activities,” and was aware that the virtual currency exchange’s accounts “were rife with illicit activity and that many of its users were registered under others’ identities.” While the virtual currency exchange claimed it did not accept users from the U.S., it allegedly conducted substantial business with U.S.-based customers and advised users that they could transfer funds from U.S. financial institutions.
Deputy Secretary of the Treasury Wally Adeyemo issued a statement following the announcement, noting that the action “is a unique step that has only been taken a handful of times in Treasury’s history for some of the most egregious money laundering cases, and is the first of its kind specifically under new authorities to combat Russian illicit finance.” He reiterated that the action “sends a clear message that we are prepared to take action against any financial institution—including virtual asset service providers—with lax controls against money laundering, terrorist financing, or other illicit finance.”
Crypto platform reaches $100 million settlement to resolve alleged compliance failures
On January 4, NYDFS issued a consent order against a cryptocurrency trading platform for engaging in alleged violations of New York virtual currency, anti-money laundering, transaction monitoring, and cybersecurity regulations. According to the consent order, in 2020, NYDFS found significant deficiencies across the respondent’s compliance program, including its Know-Your Customer/Customer Due Diligence (KYC/CDD) procedures, Transaction Monitoring System (TMS), OFAC screening program, and AML risk assessments. As a result of these findings, the respondent agreed to improve its BSA/AML and OFAC compliance programs, including engaging an independent consultant to develop a remediation plan and improve its compliance program.
In 2021, NYDFS launched an investigation to determine whether the respondent’s compliance deficiencies had resulted in any legal violations. The investigation found “substantial lapses in [the respondent’s] KYC/CDD program, its TMS, and in its AML and OFAC sanctions controls systems, as well as issues concerning [the respondent’s] retention of books and records, and with respect to meeting certain of its reporting obligations to the Department.” NYDFS noted that in late 2020 and 2021, the respondent took steps to remediate the issues identified by the Department and the independent consultant; however, substantial weaknesses remained, and its compliance system was inadequate to handle the growing volume of the respondent’s business.
Under the terms of the consent order, the respondent must pay a $50 million civil penalty to NYDFS and invest $50 million in its compliance program. Additionally, an independent third party will continue to work with the respondent for another year, which may be extended at the Department’s sole discretion. NYDFS noted that the respondent has already taken steps to build a more effective and robust compliance program under the supervision of NYDFS and the NYDFS-appointed independent monitor. According to the respondent’s press release, the company “has taken substantial measures to address these historical shortcomings” and “remains committed to being a leader and role model in the crypto space, including partnering with regulators when it comes to compliance and other areas.”
CFTC orders respondent to pay $6.5 million for CEA violations
On December 20, the CFTC announced a settlement with a registered futures commission merchant (respondent) for allegedly violating the Commodity Exchange Act, Commission regulations, and Bank Secrecy Act compliance requirements. According to the CFTC, the respondent allegedly “failed to implement an adequate anti-money laundering [] program, particularly as applied to a futures and options trading account controlled by [a customer],” and “failed to implement risk-based limits concerning trading by [a customer].” The CFTC also alleged supervisory and recordkeeping failures stemming from the inadequate anti-money laundering program. The respondent is ordered to pay a $6.5 million civil money penalty and undertake certain remedial measures relating to the violations.
FCA fines UK bank £108 million over AML controls
On December 9, the Financial Conduct Authority (FCA) fined a UK bank more than £107.7 million for allegedly maintaining inadequate anti-money laundering (AML) controls at its business banking division. The bank’s AML controls and attempts to correct the problems were inadequate according to the FCA and “created a prolonged and severe risk of money laundering and financial crime.” The FCA further claimed that these alleged “serious and persistent gaps” prevented the bank from adequately overseeing more than 560,000 business customers between December 2012 and October 2017. According to the FCA, due to the alleged deficiencies, the bank was purportedly unable to verify information provided by customers about their business intentions and was unable to properly monitor the money that customers claimed would be going through their accounts compared with what was actually being deposited. The FCA’s investigation also identified several other mismanaged accounts that left the bank vulnerable to money laundering risk and found examples where the bank failed to promptly address “red flags” associated with suspicious activity. As a result, more than £298 million was routed through the bank before the accounts were closed.
The FCA noted, however, that the fine was reduced from nearly £154 million (a 30 percent discount) due to the bank not disputing the findings. The bank, which has fully cooperated with the FCA’s investigation, released a statement emphasizing that while it took action to address the AML issues once they were identified, it accepts that its “AML framework at the time should have been stronger.” The bank has since implemented significant changes to address these issues by overhauling its financial crime technology, systems, and processes.
Danish financial institution fined $2 billion for anti-money-laundering compliance failures
On December 13, a Danish global financial institution pled guilty to conspiring to commit bank fraud and agreed to forfeit approximately $2 billion. According to court documents, the financial institution defrauded U.S. banks at which it held correspondent accounts by misrepresenting the state of its AML controls and transaction monitoring capabilities. According to the Department of Justice, between 2008 and 2016, the financial institution offered banking services through its Estonia branch, including a business line serving non-resident customers (known as “NRP”). The Estonia branch allowed NRP customers to transfer large amounts of money with little to no oversight, and branch employees conspired with NRP customers to hide the true nature of the transactions, including through the use of shell companies that obscured the actual owners of the funds. During this period, the Estonia branch processed $160 billion through U.S. banks on behalf of NRP customers.
The financial institution and its Estonia branch were required to provide information to U.S. banks in order to open and maintain correspondent accounts. This included information related to AML controls, transaction monitoring, and customers. By at least February 2014, the financial institution became aware of some NRP customers who were engaged in highly suspicious and potentially criminal transactions, including through U.S. banks. The DOJ noted that the financial institution was also aware that the Estonia branch’s AML program and procedures were not appropriate to meet the risks associated with NRP customers, but instead of providing truthful information, the financial institution lied about the state of the Estonia branch’s AML compliance program.
Under the terms of the plea agreement, the bank has agreed to a criminal forfeiture of $2.059 billion. The bank will also enter into separate criminal or civil resolutions with domestic and foreign authorities. The DOJ will credit approximately $850 million in payments made by the financial institution to resolve related parallel investigations by other domestic and foreign authorities. The DOJ noted that the financial institution “received full credit for cooperation and remediation because it provided full cooperation with the investigation and demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct.”
The same day, the SEC announced fraud charges against the financial institution in connection with a related, parallel proceeding. The financial institution agreed to pay roughly $413 million, including a $178.6 million civil monetary penalty, as well as $178.6 million in disgorgement and $55.8 million in prejudgment interest. The SEC said it will deem the disgorgement and prejudgment interest satisfied by forfeiture and confiscation ordered in parallel criminal cases with the DOJ, the United States Attorney’s Office for the Southern District of New York, and Denmark’s Special Crime Unit.
FinCEN’s Das discusses agency’s priorities
On December 6, FinCEN acting Director Himamauli Das spoke before the ABA/ABA Financial Crimes Enforcement Conference about how FinCEN is addressing new threats, new innovations, and new partnerships, in addition to its efforts to implement the AML Act. Das first began by speaking about beneficial ownership requirements of the Corporate Transparency Act (CTA). He noted that a final rule was issued in September, which implemented the beneficial ownership information reporting requirements (covered by InfoBytes here). He also stated that a second rulemaking, concerning access protocols to the beneficial ownership database by law enforcement and financial institutions, may be released before the end of the year, and that work is currently underway on a third rulemaking concerning revisions to the customer due diligence rule. With regard to anti-corruption, Das noted that the agency has been working with the Biden administration, and highlighted three alerts issued by FinCEN in 2022 that highlight “the risks of sanctions and export controls evasion by Russian actors, including through real estate, luxury goods, and other high-value assets.” Das explained that the alerts “complement ongoing U.S. government efforts to isolate sanctioned Russians from the international financial system.”
Transitioning into discussing effective AML/CFT programs, Das said that the “AML Act’s goal of a strengthened, modernized, and streamlined AML/CFT framework will ultimately play out over a series of steps as we implement all of the provisions of the AML Act.” He then described how the AML Act requires FinCEN to work with the FFIEC and law enforcement agencies to establish training for federal examiners in order to better align the examination process. He further noted that the AML/CFT priorities and their incorporation into risk-based programs as part of the AML Program Rule are “crucial” for providing direction to examiners on approaches that improve outcomes for law enforcement and national security.
Das also highlighted the digital asset ecosystem as a key priority area for FinCEN and acknowledged that the area has seen “continuing evolution” since 2013 and 2019, when the agency released its latest related guidance documents on the topic. Das explained that FinCEN is taking a “close look” at the elements of its AML/CFT framework applicable to virtual currency and digital assets to determine whether additional regulations or guidance are necessary, which “includes looking carefully at decentralized finance and its potential to reduce or eliminate the role of financial intermediaries that play a critical role in our AML/CFT efforts.”
FDIC releases October enforcement actions
On November 25, the FDIC released a list of administrative enforcement actions taken against banks and individuals in October. During the month, the FDIC made public ten orders consisting of “one consent order; one amended and restated consent order; one personal cease and desist order; three orders to pay civil money penalties; two Section 19 orders; and two orders terminating consent orders.” Among the orders is an order to pay a civil money penalty imposed against a Mississippi-based bank related to 128 alleged violations of the Flood Disaster Protection Act. Among other things, the FDIC claimed that the bank failed to obtain the required flood insurance or obtain an adequate amount of insurance coverage, at or before loan origination, for all structures in a flood zone. The order requires the payment of a $320,500 civil money penalty.
The FDIC also issued a consent order to a New York-based bank, which alleged that the bank had unsafe or unsound banking practices relating to weaknesses in the Bank’s Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) Program. The bank neither admitted nor denied the alleged violations but agreed to, among other things, increase its supervision, direction, and oversight of AML/CFT personnel and its AML/CFT program.
OFAC settles with virtual currency exchange to resolve IP address screening deficiencies
On November 28, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $362,158 settlement with a global virtual currency exchange for allegedly exporting services to users who appeared to be located in Iran when they engaged in virtual currency transactions on the exchange’s platform. According to OFAC’s web notice, the exchange’s platform allows users to buy, sell, hold, or exchange cryptocurrencies. Users can also trade fiat currency for cryptocurrency on the platform. The exchange’s anti-money laundering and sanctions compliance program screens customers at onboarding and daily thereafter, and reviews information about IP addresses generated at the time of onboarding to prevent users in sanctioned jurisdictions from opening accounts and conducting transactions. OFAC stated, however, that between October 2015 and June 2019, the exchange allegedly processed 826 transactions totaling roughly $1.6 million on behalf of individuals who appeared to be in Iran when the transactions happened. OFAC maintained that because the exchange failed to implement IP address blocking on transactional activity across its platform, “account holders who established their accounts outside of sanctioned jurisdictions appear to have accessed their accounts and transacted on Kraken’s platform from a sanctioned jurisdiction.” As a result, the exchange allegedly violated the Iranian Transactions and Sanctions Regulations.
In arriving at the settlement amount, OFAC determined that the exchange failed to exercise due caution or care for its sanctions compliance obligations by only applying its geolocation controls at the time of onboarding and not with respect to subsequent transactional activity even though it knew customers were located worldwide.
OFAC also considered various mitigating factors, including that the exchange has not received a penalty notice from OFAC in the preceding five years, the exchange voluntarily self-disclosed the alleged violations and undertook significant remedial measures, such as (i) “adding geolocation blocking to prevent clients in prohibited locations from accessing their accounts” on the exchange’s platform; (ii) implementing blockchain analysis tools to assist with sanctions monitoring; (iii) expanding staff and providing compliance training; (iv) adding “additional screening capabilities to ensure compliance with OFAC’s ‘50 Percent Rule,’ including detailed reports on beneficial ownership; (v) contracting a vendor to assist with the identification and nationality verification through the use of artificial intelligence tools; and (vi) implementing automated controls designed to block certain accounts. In addition, the exchange agreed to invest an additional $100,000 in certain sanctions compliance controls as part of the settlement.
Providing context for the settlement, OFAC stated that this action “highlights the importance of using geolocation tools, including IP blocking and other location verification tools, to identify and prevent users located in sanctioned jurisdictions from engaging in prohibited virtual currency-related transactions”—both at the time of onboarding and throughout the lifetime of the account.
ECJ invalidates AML directive granting public access to beneficial ownership information
On November 22, the European Court of Justice (ECJ) announced a ruling invalidating a provision of the 2018 amended EU anti-money laundering directive that guaranteed public access to the beneficial ownership information of legal entities incorporated within member states. The case was referred to the ECJ by a Luxembourg court following two actions that disputed the compatibility of this directive with the beneficial owners’ fundamental right to privacy. The ECJ was asked to issue a preliminary ruling on a series of questions concerning the interpretation of “exceptional circumstances” and “disproportionate risk,” as well as the directive’s compatibility with the Charter of Fundamental Rights of the European Union (Charter) and the GDPR. Under the directive, member states are required to enter and maintain beneficial ownership information in registers that are accessible to the general public. The directive is intended to prevent the financial system from being exploited for the purposes of money laundering or terrorist financing, and requires, with limited exemptions, that member states provide information on “the beneficial owner’s name, month and year of birth, nationality and country of residence, as well as the nature and extent of his or her beneficial interests.”
In its announcement, the ECJ said that public access to beneficial ownership information “constitutes a serious interference with the fundamental rights to respect for private life and the protection of personal data” provided in Articles 7 and 8 of the Charter. “[T]he potential consequences for the data subjects resulting from possible abuse of their personal data are exacerbated by the fact that, once those data have been made available to the general public, they can not only be freely consulted, but also retained and disseminated,” the ECJ wrote in the judgment, adding that “in the event of such successive processing, it becomes increasingly difficult, or even illusory, for those data subjects to defend themselves effectively against abuse.”
While the ECJ found that, by the measure at issue, the EU legislature is pursuing “an objective of general interest capable of justifying even serious interferences with the fundamental rights enshrined in Articles 7 and 8 of the Charter, and that the general public’s access to information on beneficial ownership is appropriate for contributing to the attainment of that objective,” the “interference entailed by that measure is neither limited to what is strictly necessary nor proportionate to the objective pursued.” Additionally, the ECJ held that the amended “directive amounts to a considerably more serious interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter” without being offset by any benefits that may result from the amended directive as compared to the previous version in terms of combating money laundering and terrorist financing. However, the ECJ did recognize that civil society and the press have a legitimate interest in accessing such information, given their role in the fight against money laundering.