InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Treasury discusses combating corruption
On September 7, U.S. Treasury Department Assistant Secretary for Terrorist Financing and Financial Crimes Elizabeth Rosenberg spoke at the Brookings Institution as part of a series of discussions regarding corruption and the Department’s efforts to strengthen global beneficial ownership standards against corruption. During her remarks, she discussed Treasury’s focus on three efforts to counter corruption: (i) analyzing the risks associated with corruption; (ii) putting in place an effective legal framework to prevent corruption in our financial system; and (iii) implementing targeted measures, such as sanctions, to expose and hold accountable corrupt individuals and their facilitators. She noted that her office’s 2022 Money Laundering Risk Assessment “described the persistent themes of corrupt individuals engaging in fraud, embezzlement, bribery, extortion, and the misuse of companies and other legal entities.” (Covered by InfoBytes here.) Rosenberg also discussed strengthening global beneficial ownership standards at the intergovernmental Financial Action Task Force “to focus the body’s efforts on the effective implementation of the UN Convention on Corruption, on the misuse of citizenship-by-investment programs by corrupt individuals and their families, and on financial gatekeepers that get rich helping senior officials steal from their citizens.” She further described Treasury efforts, both public and non-public, to expose corrupt officials. She closed her prepared remarks by committing to continue both defensive and offensive strategies to counter corruption and to advance rules that are designed to “make our financial system more resilient and bring forward new analysis on vulnerabilities to corruption in our economy.”
OCC orders bank to improve oversight of fintech partnerships
Recently, a national bank disclosed an agreement reached with the OCC that requires the bank to improve its oversight and management of third-party fintech partnerships. According to an SEC filing, the OCC found unsafe or unsound practices related to the bank’s third-party risk management, Bank Secrecy Act (BSA)/anti-money laundering risk management, suspicious activity reporting, and information technology control and risk governance. Under the terms of the agreement, the bank must, within 10 days of the agreement, appoint a compliance committee comprised mostly of members from outside the bank to meet at least quarterly and provide progress reports outlining the results and status of the mandated corrective actions. Within 60 days of the agreement, the bank must also adopt and implement guidelines for assessing risks posed by third-party fintech partnerships and address how the bank “identifies and assesses the inherent risks of the products, services, and activities performed by the third-parties, including but not limited to BSA, compliance, operational, liquidity, counterparty and credit risk as applicable.” Additionally, the bank must establish criteria for their board of directors' review and approval of third-party fintech relationship partners, as well as how it will assess “BSA risk for each third-party fintech relationship partner, including risk associated with money laundering, terrorist financing, and sanctions risk as well as the third-party’s processes for mitigating such risks and complying with applicable laws and regulations.” The agreement also requires due diligence, monitoring, and contingency plan measures.
The agreement further stipulates that the bank’s board and management shall, within 90 days, (i) set up written BSA risk assessment guidelines; (ii) adopt an independent audit program; (iii) implement expanded risk-based policies, procedures, and processes to obtain and analyze appropriate customer due diligence, enhanced due diligence, and beneficial ownership information, including for fintech businesses; (iv) develop and adhere to a set of standards to ensure timely suspicious activity monitoring and reporting; and (v) establish a program to assess and manage the bank’s information technology activities, including those conducted by third-party partners. The bank must also conduct a suspicious activity review lookback within 30 days.
OFAC sanctions “mixer” for laundering over $7 billion in virtual currency
On August 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13694 against a virtual currency mixer accused of allegedly laundering more than $7 billion in virtual currency since 2019. According to OFAC, this amount includes more than $455 million stolen by a previously sanctioned Democratic People’s Republic of Korea state-sponsored hacking group (covered by InfoBytes here). OFAC stated that the designations resulted from the company “having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a cyber-enabled activity originating from, or directed by persons located, in whole or in substantial part, outside the United States that is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that has the purpose or effect of causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.” Under Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson, added that the company “repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis,” and stressed that Treasury “will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.” As previously covered by InfoBytes, in 2020, Treasury’s FinCEN penalized a bitcoin mixer $60 million for violating the Bank Secrecy Act.
As a result of the sanctions, all property and interests in property of the sanctioned entity that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC, as well as “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons.” OFAC noted that its regulations prohibit U.S. persons from participating in transactions with designated persons unless authorized by a general or specific license issued by OFAC or exempt.
Treasury further stressed that players in the virtual currency industry should take a risk-based approach for assessing risks associated with different virtual currency services, implementing measures to mitigate risks, and addressing the challenges anonymizing features can present to anti-money laundering/countering the financing of terrorism sanctions obligations. “[M]ixers should in general be considered as high-risk by virtual currency firms, which should only process transactions if they have appropriate controls in place to prevent mixers from being used to launder illicit proceeds,” Treasury said.
Special Alert: NYDFS fines trading platform for BSA/AML, transaction monitoring, and cybersecurity lapses
The New York Department of Financial Services and a trading platform on Aug. 1 entered into a consent order to resolve deficiencies identified during a 2019 examination and a subsequent investigation by the department’s enforcement section. The consent order focused on deficiencies related to Bank Secrecy Act and anti-money-laundering compliance, transaction monitoring, cybersecurity, and related New York certifications of compliance. The company will pay a $30 million civil monetary penalty and retain an independent consultant that will assist with remediating the issues highlighted in the order and report to NYDFS on remediation progress.
The consent order has far-reaching implications for all financial services companies that come under the jurisdiction of the NYDFS.
The trading platform is a wholly owned subsidiary of a financial services company that offers U.S.-based retail investors the ability to trade stocks, options, and crypto currency on a commission-free basis through its broker-dealer subsidiary. The trading platform is licensed by the NYDFS to engage in virtual currency and money transmitter businesses in New York. Of primary concern for the NYDFS was the platform’s alleged reliance on its parent company’s compliance and cybersecurity programs through enterprisewide systems that the NYDFS found to be inadequate. Additionally, according to NYDFS, the platform allegedly had few to no qualified personnel or management involved in overseeing those programs, which NYDFS has implicitly indicated cannot be outsourced.
NYDFS imposes $30 million fine against trading platform for cybersecurity, BSA/AML violations
On August 2, NYDFS announced a consent order imposing a $30 million fine against a trading platform for alleged violations of the Department’s Virtual Currency Regulation (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), Transaction Monitoring Regulation (3 NYCRR Part 504), Cybersecurity Regulation (23 NYCRR Part 500), and for failing to maintain adequate Bank Secrecy Act/anti-money laundering (BSA/AML) obligations. According to a Department investigation, the platform’s BSA/AML compliance program contained significant deficiencies, including an inadequate transaction monitoring system. Among other things, the platform failed to timely transition its manual system to an automated transaction monitoring system, which was unacceptable for a program of its size, customer profiles, and transaction volumes, and did not devote sufficient resources to adequately address risks. The Department also found “critical failures” in the platform’s cybersecurity program, which failed to address operational risks, and that specific policies within the program did not fully comply with several provisions of the Department’s cybersecurity and virtual currency regulations. According to the press release, pursuant to NYDFS’s Transaction Monitoring Regulation and Cybersecurity Regulation, companies should only file a Certificate of Compliance with the Department if their programs are fully compliant with the applicable regulation.
In light of the program’s deficiencies, NYDFS stated that the platform’s 2019 certifications to the Department attesting to compliance with these regulations should not have been made and thus violated the law. The platform also “failed to comply with the Supervisory Agreement by failing to promptly notify the Department of (a) actual or material potential actions, proceedings, or similar process that were or may have been instituted against [the platform] or any affiliated entity by any regulatory body or governmental agency; and (b) of the receipt by [the platform], or any affiliated entity, of any subpoena from any regulatory body or governmental agency in which [the platform], or any affiliated entity, was the target of the investigation.” NYDFS determined that in addition to the penalty, the platform will be required to retain an independent consultant that will perform a comprehensive evaluation of its compliance with the Department’s regulations and the platform’s remediation efforts with respect to the identified deficiencies and violations.
A Buckley Special Alert is forthcoming.
FDIC releases June enforcement actions
On July 29, the FDIC released a list of administrative enforcement actions taken against banks and individuals in June. During the month, the FDIC made public twelve orders consisting of “three consent orders, one order to pay civil money penalty, four orders of prohibition, one section 19 order, one order terminating consent order, two orders of termination of insurance, one Notice of Intention to Prohibit from Further Participation, Notice of Assessment of Civil Money Penalties, Findings of Fact and Conclusions of Law, Order to Pay, Notice of Hearing, and Prayer for Relief.” The FDIC imposed a civil money penalty against a Missouri-based bank for alleged violations of the Flood Disaster Protection Act. Among other things, the FDIC claimed that the bank “made, increased, extended or renewed a loan secured by a building or mobile home located or to be located in a special flood hazard area without providing timely notice to the borrower and/or the servicer as to whether flood insurance was available for the collateral.” The bank must pay a $7,000 civil money penalty.
The actions also include a consent order with a Georgia-based bank, which alleged that the bank violated “law or regulation related to weaknesses in the Bank’s compliance with the Bank Secrecy Act.” According to the consent order, the bank must, among other things: (i) “enhance its oversight of the Bank’s BSA/AML Compliance Program and assume full responsibility for the approval of sound BSA/AML policies, procedures, and processes”; (ii) “revise, adopt, and implement a written BSA/AML Compliance Program, including policies and procedures”; and (iii) “review and revise as appropriate its written policies, procedures, and processes for assessing the money laundering, terrorist financing, and other illicit financial activities risk profile of the Bank.”
U.S.-EU release statement on Joint Financial Regulatory Forum
On July 20, EU and U.S. participants, including officials from the Treasury Department, Federal Reserve Board, CFTC, FDIC, SEC, and OCC, participated in the U.S. – EU Joint Financial Regulatory Forum to continue their ongoing financial regulatory dialogue. Matters discussed focused on six themes: “(1) market developments and financial stability risks, (2) sustainable finance and climate-related financial risks, (3) regulatory developments in banking and insurance, (4) regulatory and supervisory cooperation in capital markets, (5) operational resilience and digital finance, and (6) anti-money laundering and countering the financing of terrorism (AML/CFT).”
The statement acknowledged that the Russia/Ukraine conflict, as well as “inflationary pressures”, exposes “a series of downside risks to financial markets both in the EU and in the U.S.” The statement notes that financial markets have so far proven to be “resilient” and stressed that “[i]nternational cooperation in monitoring and mitigating financial stability risks remains essential in the current global environment in light of the negative impacts on global energy and commodities markets.” During the Forum, participants also discussed recent developments related to digital finance and crypto-assets, including so-called stablecoins, as well as potential central bank digital currencies. Additionally, participants discussed various issues related to third-party providers; climate-related financial risks and challenges, including sustainability reporting standards; the transition away from LIBOR; and progress made in strengthening their respective AML/CFT frameworks.
House passes bill to expand AML regulation
On July 20, the U.S. House passed H.R. 7900 with a 329-101 vote. Section 5401 of the bill, if passed, would amend the Bank Secrecy Act to require that professional service providers who “serve as key gatekeepers to the U.S. financial system adopt anti-money laundering procedures that can help detect and prevent the laundering of corrupt and other criminal funds into the United States.” Section 5401 calls for the imposition of anti-money laundering requirements on any person, excluding any governmental entity, employee, or agent, who engages in any activity which the Secretary determines by regulation to be the provision, with or without compensation, of (i) corporate or other legal entity arrangement, association, or formation services; (ii) trust services; or (iii) third party payment services, among other things. The strategy is intended to combat money laundering through shell companies by imposing anti-money laundering requirements on persons who act as gatekeepers for legal entities to enter the United States.
OFAC settles with bank for alleged Foreign Narcotics Kingpin Sanctions Regulations violations
On July 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $430,500 settlement with a subsidiary of a national bank for allegedly processing transactions in violation of the Foreign Narcotics Kingpin Sanctions Regulations. According to OFAC’s web notice, between May 2018 and July 2018, the bank allegedly processed 214 transactions totaling $155,189, in violation of OFAC’s Kingpin sanctions. Specifically, OFAC noted that the processed transactions were for an account whose supplemental card holder was designated in connection with illegal drug distribution and money laundering.
In arriving at the settlement amount of $430,500, OFAC considered various aggravating factors, including that the bank “is a large and sophisticated financial institution with a global presence,” and “conferred $155,189.42 in economic benefit to an account associated with a [person] who was designated for involvement in illegal drug distribution and money laundering.” OFAC also considered various mitigating factors, including that the bank cooperated with OFAC throughout the investigation, and has undertaken remedial measures intended to minimize the risk of recurrence of similar conduct.
FDIC releases May enforcement actions
On June 24, the FDIC released a list of 14 public enforcement actions taken against banks and individuals in May. These orders consist of “two consent orders, one modification of an 8(e) prohibition order, three orders to pay civil money penalty, three orders of prohibition, two section 19 orders, and one order of prohibition from further participation and order to pay, one order terminating amended supervisory prompt corrective action directive, and one order of termination of insurance.” Included is an order to pay a civil money penalty imposed against a Texas-based bank related to alleged violations of the Flood Disaster Protection Act. Among other things, the FDIC claimed that the bank failed “to obtain flood insurance or obtain an adequate amount of insurance coverage, at or before loan origination, for all structures in a flood zone, including multiple structures,” and failed “to force-place flood insurance, after loan origination, when the insurance on buildings securing the loan” was insufficient or nonexistent. The order assessed a $2,000 civil money penalty.
The FDIC also issued a consent order against a Utah-based bank based on alleged unsafe or unsound banking practices relating to the Bank Secrecy Act. The bank neither admitted nor denied the alleged violations but agreed to, among other things, “increase its oversight of the Bank's compliance with the BSA” and “conduct a comprehensive assessment of BSA/AML staffing needs.”