InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Congress overrides veto of NDAA with significant BSA/AML provisions
On January 1, the U.S. Senate voted to override President Trump’s veto of the National Defense Authorization Act (NDAA) for Fiscal Year 2021, following a similar vote in the House a few days prior. As previously covered by InfoBytes, the NDAA includes significant changes to the Bank Secrecy Act (BSA) and anti-money laundering (AML) laws under the Anti-Money Laundering Act of 2020, such as:
- Establishing federal disclosure requirements of beneficial ownership information, including a requirement that reporting companies submit, at the time of formation and within a year of any change, their beneficial owner(s) to a “secure, nonpublic database at FinCEN”;
- Expanding the declaration of purpose of the BSA and establishing national examinations and supervision priorities;
- Requiring streamlined, real-time reporting of Suspicious Activity Reports;
- Establishing a Subcommittee on Innovation and Technology within the Bank Secrecy Act Advisory Group to encourage and support technological innovation in the area of AML and countering the financing of terrorism and proliferation (CFT);
- Expanding the definition of financial institution under the BSA to include dealers in antiquities;
- Requiring federal agencies to study the facilitation of money laundering and the financing of terrorism through the trade of works of art; and
- Including digital currency in AML-CFT enforcement by, among other things, expanding the definition of financial institution under the BSA to include businesses engaged in the transmission of “currency, funds or value that substitutes for currency or funds.”
OFAC amends Venezuela and Ukraine-related general licenses
On December 23, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued General License (GL) 5F, “Authorizing Certain Transactions Related to the Petróleos de Venezuela, S.A. 2020 8.5 Percent Bond on or After July 21, 2021,” which replaces and supersedes GL 5E. OFAC also amended related FAQ 595, which reminds parties that, until July 21, 2021, transactions related to the sale or transfer of CITGO shares in connection with the PdVSA 2020 8.5 percent bond are prohibited, unless specifically authorized by OFAC.
Additionally, OFAC concurrently announced the issuance of Ukraine-related GLs 13P and 15J. GL 13P, “Authorizing Certain Transactions Necessary to Divest or Transfer Debt, Equity, or Other Holdings in GAZ Group,” is effective December 23 and replaces and supersedes GL 13O. Additionally, GL 15J, “Authorizing Certain Activities Involving GAZ Group,” is also effective on December 23 and replaces and supersedes GL 15I.
OFAC issues FAQs on E.O. prohibiting investments supporting Chinese military companies
On December 28, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published FAQs covering Executive Order (E.O.) 13959, “Addressing the Threat from Securities Investments that Finance Communist Chinese Military Companies.” As previously covered by InfoBytes, the E.O. generally prohibits “any transaction in publicly traded securities, or any securities that are derivative of, or are designed to provide investment exposure to such securities, of any Chinese military company. . .by any US person.” The E.O. establishes the deadlines for divestment of investments in companies currently listed as Chinese military companies as well as companies that later may be added to the list of Chinese military companies pursuant to Section 1237, or those that the Secretary of the Treasury publicly lists as meeting the criteria set forth in Section 1237(b). In addition to the FAQs, OFAC published a list of the entities identified pursuant to the E.O. as Communist Chinese military companies, along with additional identifying information.
OFAC sanctions additional actors in Iranian steel sector
On January 5, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against a Chinese supplier of graphite electrodes, 12 Iranian producers of steel and other metal products, and a major Iranian metals and mining holding company’s three foreign-based sales agents. OFAC’s actions are taken pursuant to Executive Order 13871 (covered by InfoBytes here), which authorizes the imposition of sanctions on persons determined to operate in Iran’s iron, steel, aluminum, and copper sectors, which OFAC identified as providing “funding and support for the proliferation of weapons of mass destruction, terrorist groups and networks, campaigns of regional aggression, and military expansion.” As a result of the sanctions, “all property and interests in property of these persons that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC.” OFAC further noted that its regulations “generally prohibit all dealings by U.S. persons or within (or transiting) the United States that involve any property or interests in property of blocked or designated persons,” and warned foreign financial institutions that knowingly conducting or facilitating significant transactions for or on behalf of the designated persons could subject them to U.S. correspondent account or payable-through sanctions.
OFAC settles with digital asset company over multiple sanctions violations
On December 30, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a nearly $100,000 settlement with a California-based digital asset security company for 183 apparent violations of multiple sanctions programs. According to OFAC, between March 2015 and December 2019, the company processed 183 digital currency transactions, totaling over $9,000, on behalf of individuals who were located in sanctioned jurisdictions, such as the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria. OFAC notes that, prior to April 2018, the company allowed users to open accounts by providing only a name and email address, and while it then amended its policies to require all new accountholders to verify the country in which they were located, it did not perform additional verification or diligence on their actual location.
In arriving at the settlement amount, OFAC considered various aggravating factors, including that the company (i) failed to implement appropriate, risk-based sanctions compliance controls; and (ii) had reason to know that some of its users were located in sanctioned jurisdictions based on users’ IP address data.
OFAC also considered various mitigating factors, such as (i) the company not having received a penalty notice from OFAC in the proceeding five years; (ii) the company cooperating with the investigation; and (iii) the company having undertaken remedial measures, including hiring a Chief Compliance Officer and implementing a new OFAC policy.
SBA issues notice detailing remittance of EIDL advances
On January 8, the Small Business Administration (SBA) issued a procedural notice discussing the repeal of Section 1110(e)(6) of the CARES Act, which required the SBA to deduct the amount of any Economic Injury Disaster Loan (EIDL) advance received by a Paycheck Protection Program (PPP) borrower from the PPP forgiveness payment from the SBA to the PPP lender. According to the notice, effective immediately, the SBA will no longer deduct EIDL advances from PPP forgiveness payments and will apply this change to any SBA forgiveness payments that were confirmed by December 29, 2020 or later.
Additionally, for any forgiveness payments that were already reduced by an EIDL advance, the SBA will automatically remit a reconciliation payment to the PPP lender that will include the advance amount, plus interest through the remittance date. The SBA notes that the PPP lender does not need to request the reconciliation payment, but must notify the borrower of the payment, re-amortize the loan, and notify the borrower of the next payment amount or whether the loan has been paid in full.
SEC issues whistleblower awards totaling over $5.2 million
On December 22, the SEC announced a more than $1.6 million award to a whistleblower whose critical information and assistance led to a successful SEC enforcement action. According to the redacted order, the whistleblower provided ongoing assistance to SEC staff as well as “original information that solidified their suspicions about certain defendants’ fraudulent” actions despite concerns about personal safety.
Earlier, on December 18, the SEC announced whistleblower awards totaling over $3.6 million in three separate enforcement actions. According to the first redacted order, the SEC awarded a whistleblower more than $1.8 million for voluntarily providing significant information and substantial assistance to SEC staff in a successful enforcement action. The whistleblower provided information—which “revealed a hard to detect fraudulent scheme” leading to the return of millions of dollars to harmed investors—and also “took immediate steps to mitigate the harm to investors and suffered hardships for doing so.”
In the second redacted order, the SEC awarded a whistleblower over $1.2 million for providing information leading to a successful enforcement action, although the Commission noted that the award amount was impacted after it determined the whistleblower “was culpable for actively participating in and financially benefiting from the fraudulent scheme” and “unreasonably delayed reporting” the scheme to the SEC.
In the third redacted order, a whistleblower was awarded more than $500,000 for providing significant information and ongoing assistance to SEC staff in a successful enforcement action. However, the SEC rejected the whistleblower’s claim that a higher award amount was warranted after it determined, among other things, that the whistleblower “unreasonably delayed reporting the misconduct for several years while investors were being harmed.”
The SEC has now paid approximately $736 million to 128 individuals since the inception of the program.
State AGs reach $2 million settlement to resolve data breach
On December 18, state attorneys general from Connecticut, Indiana, Kentucky, Michigan, New Jersey, New York and Oregon announced a $2 million settlement with an online retailer concerning allegations that the retailer failed to promptly and adequately respond to a 2019 data breach that compromised more than 22 million consumers’ personal information. According to the Assurance of Voluntary Compliance, the retailer failed to detect a data breach that allowed an unidentified attacker to obtain information including Social Security numbers and tax identification numbers. After learning about the vulnerability from a third-party security researcher, the retailer issued a patch to remediate the vulnerability and required users to reset passwords on their customer accounts. However, the AGs claim that the retailer took nearly six months to conduct a full investigation into whether its user database had been breached, and, after determining that users’ personal information was for sale on the dark web, later began notifying affected users of the breach.
In addition to paying $2 million to the AGs, which is partially suspended due to the retailer’s financial condition, the retailer—who has not admitted to the alleged violations—has agreed to (i) develop and implement a comprehensive information security program; (ii) design an incident response and data breach notification plan to encompass preparation, detection and analysis, containment, eradication, and recovery; (iii) ensure personal information safeguards and controls are in place, such as encryption, segmentation, penetration testing, risk assessment, password management, logging and monitoring, personal information deletion, and account closure notification; and (iv) ensure third-party security assessments occur biennially for the next five years.
CSBS challenges OCC’s pending fintech charter
On December 22, the Conference of State Bank Supervisors (CSBS) filed a complaint in the U.S. District Court for the District of Columbia opposing the OCC’s impending approval of a national bank charter for a financial services provider (company), arguing that the OCC is exceeding its chartering authority. According to the complaint, the company’s charter is close to being formally approved by the OCC after being “solicited, vetted and in November 2020 accepted as complete” by the agency. The complaint asserts the company will continue its lending and payment activities (which are currently state-regulated) without obtaining deposit insurance from the FDIC. The complaint alleges that the company is applying for the OCC’s nonbank charter, which was invalidated by the U.S. District Court for the Southern District of New York in October 2019 (which concluded that the OCC’s Special Purpose National Bank Charter (SPNB) should be “set aside with respect to all fintech applicants seeking a national bank charter that do not accept deposits,” covered by InfoBytes here). CSBS argues that “by accepting and imminently approving” the company’s application, the “OCC has gone far beyond the limited chartering authority granted to it by Congress under the National Bank Act (the “NBA”) and other federal banking laws,” as the company is not engaged in the “business of banking.” CSBS seeks to, among other things, have the court declare the agency’s nonbank charter program unlawful and prohibit the approval of the company’s charter under the NBA without obtaining FDIC insurance.
Court grants preliminary approval of CCPA class action settlement
On December 29, the U.S. District Court for the Northern District of California granted preliminary approval of a proposed settlement in a class action alleging a children’s clothing company and cloud technology service provider (collectively, “defendants”) violated, among other things, the California Consumer Privacy Act (CCPA) after suffering a data breach and potentially exposing customers’ personal information (PII) used to purchase products from the company’s website. After the company issued a notice of the security incident in January 2020, the plaintiffs filed the class action alleging the company failed to (i) “adequately protect its users’ PII”; (ii) “warn users of its inadequate information security practices”; and (iii) “effectively monitor [the company]’s website and ecommerce platform for security vulnerabilities and incidents.”
After mediation, the plaintiffs filed an unopposed motion for preliminary approval of class action settlement, which provides for a $400,000 settlement fund to cover approximately 200,000 class members who made purchases through the company’s website from September 16, 2019 to November 11, 2019. Class members have the option of claiming a cash payment of up to $500 for a Basic Award or of up to $5,000 for a Reimbursement Award, with amounts increasing or decreasing pro rata based on the number of claimants. Additionally, the company agreed to certain business practice changes, including conducting a risk assessment of its data assets and environment and enabling multi-factor authentication for all cloud services accounts. When granting preliminary approval, the court concluded that the agreement does “not improperly grant preferential treatment to any individual or segment of the Settlement Class and fall[s] within the range of possible approval as fair, reasonable, and adequate.”