InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FinCEN renews real estate GTOs
On April 17, FinCEN renewed its Geographic Targeting Orders (GTOs) which require title insurance companies to identify the real owners of shell companies involved in cash real estate purchases. This renewal is effective from April 19, through October 15, and applies to specified counties and cities across various states, including California, Florida, New York, and the District of Columbia. The GTOs aim to gather data on potential illicit activities in the housing market and support regulatory initiatives. The minimum property purchase price for reporting remains at $300,000, except in Baltimore, where it is $50,000. FinCEN is also processing feedback from a February proposed rulemaking on anti-money laundering measures for the residential real estate sector.
FinCEN FAQs regarding the GTOs are available here.
FinCEN releases notice on U.S. passport card’s counterfeit use in finance
On April 15, FinCEN, along with the Department of State, released its notice on the apparent rise of counterfeit use of U.S. passport cards at financial institutions. FinCEN urged financial institutions to be “vigilant” in the fight against identity theft and fraud schemes, especially under their BSA practices. Since 2018, the Department of State has identified a “concerning increase” in counterfeit use of U.S. passport cards with apparently over 4,000 victims. FinCEN released this notice to help financial institutions identify and report suspicious activity by promoting three areas: (i) providing an overview of common scenarios and typologies; (ii) highlighting several red flags in areas of concern; and (iii) reminding financial institutions of their BSA obligations.
The notice discussed suspicious behavior, namely how individuals and fraud rings are falsely “making, selling, and using” counterfeit U.S. passport cards to access accounts at financial institutions. FinCEN noted actors prefer using U.S. passport cards since they are a less familiar form of identification and cheaper to counterfeit (compared to passport books). On fraudulent activity, FinCEN stated actors will use counterfeit U.S. passport cards to impersonate the victim at the victim’s “known financial institution branch.” After accessing the account successfully, the Department of State highlighted three types of attempted transactions: (1) asking questions on account balance and withdrawal limits and withdrawing large amounts of cash below the Currency Transaction Reporting (CTR) threshold; (2) cashing stolen or forged checks to obtain funds; and (3) establishing a new joint account with a second illicit actor as a joint owner. FinCEN outlined technical, behavioral, and financial red flags to help financial institutions detect and report suspicious activity. Red flags may include technical issues with a U.S. passport card’s photo, such as lack of raised text, and discrepancies in its holographic seal, among others. Last, FinCEN reminded financial institutions of BSA obligations, including, but not limited to, filing Suspicious Activity Reports (SARs) and CTRs.
FinCEN seeks public comment for changing SSN requirements during customer identification
On March 29, FinCEN published a request for information (RFI) and comment in the Federal Register, in consultation with the OCC, FDIC, NCUA, and the Fed, to receive more information on the Customer Identification Program (CIP) Rule requirement. This announcement extended the comment period as the regulators explored how banks can better collect a customer’s social security number (SSN). Specifically, FinCEN sought information on the “potential risks and benefits” if banks were to be allowed to collect partial SSNs from customers, and then used a “reputable” third-party source to obtain the full SSN. FinCEN noted there has been “expressed interest” in permitting this practice. Written comments must be received on or before May 28.
Alabama judge finds the Corporate Transparency Act unconstitutional, DOJ quickly appeals
On March 1, the federal district court in the Northern District of Alabama entered a final declaratory judgment concluding that the Corporate Transparency Act (CTA) is unconstitutional. The plaintiffs, including a non-profit small business association consisting of more than 60,000 small business members as well as an individual small business owner, sued the Treasury Department, Secretary Janet Yellen, and FinCEN Acting Director Himamauli Das in their official capacities, alleging that the CTA’s mandatory disclosure requirements violate the First, Fourth, Fifth, Ninth, and Tenth Amendments and exceed Congress’s authority under Article I of the Constitution.
Corporations, LLCs, or other similar entities that are either “(i) created by the filing of a document with a secretary of state… or (ii) formed under the law of a foreign country and registered to do business in the United States” are required to provide certain beneficial ownership information, as well as disclose any related changes to FinCEN under the CTA, excluding exempt entities. The CTA was passed in 2021 as part of the National Defense Authorization Act and required most entities incorporated under state law to disclose beneficial ownership information to FinCEN to prevent financial crimes often committed through shell corporations. In September 2022, FinCEN issued a final rule implementing the CTA, which went into effect on January 1 of this year, and required currently existing entities and five million new entities formed each year from 2025 to 2034 to disclose the identity and information of any “beneficial owner” to FinCEN (see Orrick Insight here).
According to the court, the CTA exceeds the Constitution’s limits on Congress’s power and does not have a strong enough connection to any of Congress’s listed powers to be considered a necessary or appropriate way to reach Congress’s policy objectives. The court rejected the government’s claims that the CTA is covered by various constitutional provisions, including the Commerce Clause, Taxing Clause, Necessary and Proper Clause, and Congress’s powers related to foreign affairs and national security.
The judgment permanently enjoined the Department of the Treasury and FinCEN from enforcing the CTA against the plaintiffs and as a result they are not required to report beneficial ownership information to FinCEN at this time. The order does not ban enforcement of the CTA and its beneficial ownership disclosure requirements to FinCEN generally.
On March 11, the U.S. Department of Justice filed a notice of appeal to the U.S. Court of Appeals for the Eleventh Circuit after U.S. District Judge Liles C. Burke’s March 1 ruling.
Fed finds CEO engaged in crypto “pig butchering” scam which led to bank failure
On February 7, the Federal Reserve issued an evaluation report, as required by the Federal Deposit Insurance Act (where a loss to the deposit insurance fund is considered material), on a recently failed bank; the Fed concluded the bank failed due to alleged fraudulent activity by the bank’s CEO. In particular, the Fed found that the CEO initiated a series of wire transfers over the course of three months totaling about $47.1 million of the bank’s money as part of a cryptocurrency scam known as “pig butchering.” According to a FinCEN alert, “pig butchering” occurs when a scammer convinces its victims to invest in purportedly legitimate cryptocurrency investments but then steals the victim’s money.
The Fed found that the bank’s employees neglected to follow proper internal controls and policies that could have “prevented or detected” the alleged fraudulent activity, attributing the failure to a reluctance to challenge the CEO given the CEO’s “dominant role in the bank and prominent role in the community.” Specifically, the employees did not comply with the bank’s BSA/AML policy or file suspicious activity reports as outlined under the policy. As a result, the Fed recommended (i) increasing the awareness among state member banks of cryptocurrency scams; and (ii) providing training to examiners on cryptocurrency scams.
FinCEN issues FAQs on PPP
On January 12, FinCEN and the SBA issued FAQs on the Paycheck Protection Program (“PPP”), established under the CARES Act, to assist borrowers and lenders in interpreting the CARES act and the PPP Interim Final Rule. Among the issues addressed in the FAQs, FinCEN and the SBA provided guidance regarding whether under the CDD Rule, lenders are required to collect, certify, or verify beneficial ownership information for existing customers, stating that it is not necessary to re-verify “[i]f the PPP loan is being made to an existing customer, and the existing customer and the necessary information was previously verified. Additionally, FinCEN and the SBA addressed the question of whether a lender’s collection of the information required with respect to owners of 20% or greater interest in PPP applicants is sufficient to satisfy a lender’s obligation to collect beneficial ownership information under the Bank Secrecy Act. FinCEN and the SBA stated that for lenders with existing customers the lender does not need to reverify beneficial ownership information for owners that hold ownership interests of at least 20 percent, and with respect to new customers with the same ownership interest, all natural persons will need to provide the same information in order to satisfy BSA requirements. FinCEN also answered more FAQs on its April 2020 FAQs regarding the PPP on Second Draw PPP Loans, on BSA/AML compliances, and on SBA Procedural Notice 5000-835955, the last stating that a “PPP lender may reveal the existence of a SAR to the SBA when requesting a guaranty purchase (without charge-off) from the SBA.”
The Corporate Transparency Act: FinCEN Finalizes Beneficial Ownership Information Access Rule as Reporting Rule Takes Effect
The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has issued a final rule (the Access Rule) regarding access to and use of beneficial ownership information (BOI) maintained by FinCEN.
The Access Rule details the circumstances under which FinCEN can disclose BOI to authorized recipients. It also spells out how FinCEN will protect that information and outlines data protection protocols and oversight mechanisms for those who receive beneficial ownership information. The rule takes effect February 20, 2024. It is the second of three FinCEN rulemakings to implement the Corporate Transparency Act (CTA).
The first rule, the Beneficial Ownership Reporting Rule, took effect January 1, 2024. As covered previously, it requires certain domestic and foreign companies created, or registered to conduct business, in the United States to report information to FinCEN regarding their beneficial owners – individuals who directly or indirectly own or control 25 percent or more of the ownership interests of a reporting company or who exercise substantial control over such an entity.
FinCEN report on identity fraud in 2021 outlines statistics and processes
On January 9, FinCEN published a report titled “Identity-Related Suspicious Activity: 2021 Threats and Trends” which focuses on patterns in reported Bank Secrecy Act (BSA) data linked to suspicious activity from 2021. The report is part of a broader set of financial trend analyses conducted by FinCEN under section 6206 of the Anti-Money Laundering Act of 2020. During 2021, about 1.6 million of all BSA reports (or 42 percent) on suspicious activity were related to identity, equaling $212 billion in suspicious activity.
Key findings in the report included: (i) 69 percent of identity-related BSA reports indicate attackers have impersonated others; (ii) depository institutions have filed the most BSA reports at 54 percent, with the next highest being money services businesses at 21 percent; (iii) general fraud was the most reported typology with 1.2 million BSA reports totaling $149 billion in suspicious amounts, with the next two being false records and identity theft, respectively; and (iv) there were a significant number of identity-related exploitations based on BSA report volumes and dollar values. FinCEN reported three identity-related exploitations, including how attackers (a) impersonate others; (b) dodge or exploit verification processes; and (c) use compromised credentials. A model on page six of the report provides further clarity on how attackers undermine identity processes, such as through bust out schemes (attackers open credit card accounts then max out the cards), check fraud, credit and debit card fraud, and Covid-19 fraud.
FinCEN, IRS issue alert on Covid-19 employee retention credit fraud schemes
On November 22, FinCEN and the IRS issued an alert to financial institutions regarding Covid-19 Employee Retention Credit (ERC)-related fraud schemes. Authorized by the CARES Act, the ERC is a tax credit aimed at incentivizing businesses to retain employees on payroll during the Covid-19 pandemic, through which fraud and scams have been carried out, FinCEN explained. The alert offers insights into typologies linked to ERC fraud and scams, emphasizes specific warning signs to aid financial institutions in detecting and reporting suspicious activities, and reinforces these institutions' obligations to report under the Bank Secrecy Act (BSA).
According to the alert, “[d]uring the 2023 tax season, the IRS noted various scammers appeared throughout the [U.S.] using the false pretense of being tax credit experts to convince businesses to file for the ERC.” Third-party ERC promoters misled taxpayers about eligibility, aiming to profit from filing ERC claims without verifying qualifications, FinCEN added. As a result, the alert mentioned that victims risk claim denial or repayment, while scammers profit regardless of the claim's outcome, involving both willing and unaware businesses in these schemes. FinCEN added that businesses must meet specific ERC requirements, and those who received PPP loans cannot use the same wages counted in the PPP loan for the ERC application. Despite this, some may file amended tax returns misrepresenting their eligibility for the ERC by falsifying staff wages or claiming their operations were partially or fully suspended during the pandemic. FinCEN listed “red flags” indicative of ERC fraud that financial institutions should be cognizant of, including, among others, (i) a business account that receives multiple ERC check deposits over several days; (ii) small business accounts that receive ERC check deposits disproportionate to their size, employee count, and transaction volume; and (iii) a new account for an established business that only receives ERC deposits, suggesting possible identity theft using the business as a front for fraudulent claims. The alert also reminds financial institutions of their obligation to file suspicious activity reports and to keep a copy of the reports for five years from the date of the filing.
FinCEN announces NPRM for new regulation to combat CVC mixing
On October 19, FinCEN announced a notice of proposed rulemaking (NPRM) that identifies international Convertible Virtual Currency mixing (CVC) as a primary money laundering concern. In its NPRM, FinCEN highlighted the prevalence of illicit actors, including Hamas and Palestinian Islamic Jihad, who use CVC mixing to fund their illegal activity, and how increased transparency can combat their efforts. According to FinCEN, CVC mixing is used to conceal the source, destination, or amount involved in transactions. The proposed rule would require covered financial institutions to collect records of, and report suspicious CVC mixing transactions, as defined, to FinCEN within 30 days of initial detection. The proposed rule would not require covered financial institutions to source additional report information from the transactional counterparty, adding that the information required for the report is similar to information already collected by financial institutions. FinCEN also noted this is its first ever use of its authority under Section 311 of the USA PATRIOT Act.
FinCEN invites comments for the proposed rule, including responses to questions addressing the impact of the proposed rule, definitions, reporting, and recordkeeping. Comments must be received by January 22, 2024, and they can be submitted via instructions found in the announcement.