InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CISA urges companies to take action to combat malicious cyber activity
On September 14, the Cybersecurity and Infrastructure Security Agency, along with several other federal agencies and international partners, released a joint cybersecurity advisory (CSA) highlighting continued malicious cyber activity taken by advanced persistent threat actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). The CSA recommended that companies continually test their security programs to protect against longstanding online threats that may arise from IRGC-affiliated actors known for exploiting vulnerabilities for ransom operations. “Our unified purpose is to drive timely and prioritized adoption of mitigations and controls that are most effective to reducing risk to all cyber threats,” CISA said in its announcement. Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson added that the U.S. Treasury Department “is dedicated to collaborating with other U.S. government agencies, allies, and partners to combat and deter malicious cyber-enabled actors and their activities, especially ransomware and cybercrime that targets economic infrastructure.” He noted that the CSA provides information on specific tactics, techniques, and procedures used by IRGC-affiliated actors, and advised both the public and private sector to use the information to strengthen cybersecurity resilience and reduce the risk of ransomware incidents. Organizations are encouraged to review a 2021 Treasury advisory, which highlights the sanctions risks associated with ransomware payments and provides steps for companies to take to mitigate the risk of being a victim of ransomware (covered by InfoBytes here).
FINRA fines broker dealer for AML failures
On September 9, FINRA settled charges with a broker dealer (respondent) for alleged failures in its anti-money laundering (AML) compliance program. According to the letter of acceptance, waiver, and consent, the respondent allegedly failed to, among other things: (i) establish a reasonably designed AML program; (ii) implement a customer identification program; (iii) reasonably supervise for potentially manipulative trading; and (iv) preserve and maintain certain electronic communications. Additionally, FINRA found that the respondent unreasonably relied on manual reviews of the daily trade blotter to identify market manipulation. FINRA’s order includes alleged violations of FINRA Rule 2010, Rule 3110, Rule 3310(a)-(b) and Rule 4511. FINRA also determined that the respondent violated Securities Exchange Act of 1934 Section 17(a) and Rule 17a-4(b)(4). The respondent agreed to pay a $450,000 civil monetary penalty to FINRA and is prohibited from providing market access for two years.
OFAC issues Zimbabwe-related sanctions
On September 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13469 against a Zimbabwe individual for his role in undermining Zimbabwe’s democratic processes and institutions. OFAC also removed eleven others from the Specially Designated Nationals List (SDN List) under the Zimbabwe sanctions program. According to OFAC, the sanctioned individual, among other things, undermined political parties that opposed the policies of the ruling Zimbabwe African National Union-Patriotic Front party, and, in 2020, supported Zimbabwe security services’ use of pressure and intimidation on prominent opposition figures. As a result of the sanctions, all property and interests in property belonging to the sanctioned individual that are in the U.S. or in the possession or control of U.S. persons, and “any entities that are owned 50 percent or more by one or more designated persons” are blocked. Additionally, U.S. persons are prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless exempt or authorized by a general or specific OFAC license.
OFAC publishes additional guidance related to sanctioned virtual currency “mixer”
On September 13, the U.S. Treasury Department’s Office of Foreign Assets Control published new cyber-related frequently asked questions concerning transactions involving a virtual currency mixer sanctioned last month for allegedly laundering more than $7 billion in virtual currency since 2019. As previously covered by InfoBytes, the company “repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis,” and provided financial, material, or technological support for, or in support of, cyber-enabled activity contributing to a significant threat to the national security, foreign policy, or economic health or financial stability of the U.S. The FAQs outline requirements for completing virtual currency transactions without violating U.S. sanctions regulations, discuss whether OFAC reporting obligations apply to transactions involving unsolicited and nominal amounts of virtual currency, and reiterate that transactions involving identified virtual currency wallet addresses are prohibited absent a specific OFAC license. The FAQs noted that as part of the SDN List entry, OFAC included as identifiers certain virtual currency wallet addresses associated with the company as well as the company’s URL address. OFAC provided additional clarification on interactions with open-source code that does not involve a prohibited transaction with the sanctioned company.
OFAC sanctions individuals and entities connected to IRGC-QF
On September 14, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions as part of a joint action with the DOJ, Department of State, FBI, U.S. Cyber Command, National Security Agency, and Cybersecurity and Infrastructure Security Agency, against ten individuals and two entities for their roles in conducting malicious cyber acts, including ransomware activity. The individuals and entities designated are affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), which “is known to exploit software vulnerabilities in order to carry out their ransomware activities, as well as engage in unauthorized computer access, data exfiltration, and other malicious cyber activities.” OFAC also noted that a joint cyber security advisory was published to highlight continued malicious cyber activity by advanced persistent threat actors that the authoring agencies assess are affiliated with IRGC. As a result of the sanctions, all property, and interests in property of the designated individuals and entities, “and of any entities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked persons, that are in the United States or in the possession or control of U.S. persons, must be blocked and reported to OFAC.” U.S. persons are generally prohibited from engaging in transactions with the designated persons. OFAC further warned that engaging in certain transactions with the individuals and entities designated today entails risk of additional sanctions.
OFAC sanctions Iranians involved in production of UAVs to Russia
On September 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Orders 13382 and 14024 against an Iran-based air transportation service provider, as well as three companies and one individual involved in the research, development, production, and procurement of Iranian unmanned aerial vehicles (UAVs) and UAV components. Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson reiterated that the U.S. “is committed to strictly enforcing our sanctions against both Russia and Iran and holding accountable Iran and those supporting Russia’s war of aggression against Ukraine,” and stressed that the U.S. will “not hesitate to target producers and procurers who contribute to Iran and its IRGC’s UAV program, further demonstrating [the U.S.’s] resolve to continue going after terrorist proxies that destabilize the Middle East.” The sanctions follow designations implemented by OFAC last year against members of a network of companies and individuals that provided critical support to Iran’s Islamic Revolutionary Guard Corps Qods Force’s use of UAVs (previously covered by InfoBytes here).
As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals and entities subject to U.S. jurisdiction are blocked and must be reported to OFAC. U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Additionally, OFAC warned that “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today could be subject to U.S. correspondent or payable-through account sanctions.”
OFAC sanctions Iran’s MOIS over cyber activities
On September 9, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order (E.O.) 13694 against Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence for conducting malicious cyber-enabled activities targeting government and private-sector organizations and across various critical infrastructure sectors, including the U.S. and its allies. OFAC noted that in July, MOIS and the Iranian government sponsored cyber-threat actors who disrupted the Albanian government computer systems. OFAC previously flagged MOIS pursuant to E.O.s 13224, 13472, and 13553 for supporting multiple terrorist groups, as well as for commissioning serious human rights abuses against the Iranian people.
As a result of the sanctions, all property and interests in property belonging to the sanctioned targets that are in the U.S. or in the possession or control of U.S. persons, and “any entities that are owned 50 percent or more by one or more designated persons” are blocked. Additionally, U.S. persons are prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless exempt or authorized by a general or specific OFAC license. Additionally, OFAC warned that “any foreign financial institution that knowingly conducts or facilitates a significant transaction for or on behalf of the persons designated today could be subject to U.S. correspondent or payable-through account sanctions.”
FinCEN stresses importance of reliable digital interactions
On September 7, speaking before the 2022 Federal Identity Forum & Exposition in Atlanta, Georgia, acting Deputy Director of FinCEN Jimmy Kirby addressed the importance digital identity plays in FinCEN’s mission as it relates to privacy and cybersecurity, particularly with respect to protecting the U.S. financial system from illicit finance. This includes helping financial institutions comply with various reporting requirements, such as filing suspicious activity reports and currency transaction reports and ensuring that recordkeeping requirements under the Customer Identification Program and Customer Due Diligence rules are met. While Kirby recognized that digital identity frameworks have the potential to “spur innovation in financial products and services across the legacy financial system, as well as digital assets and emerging central bank digital currencies,” he stressed it is vital that digital identity is handled correctly through the implementation of “identity solutions that preserve privacy and security, promote financial inclusion, and protect the integrity of the financial system.” Focusing on topics related to emerging threats and responsible innovation, Kirby emphasized the need for financial institutions to implement measures for knowing who their customers are, both on the front end and throughout the customer relationship, and to take steps to prevent identity theft and fraud. Kirby also discussed the importance of fostering responsible innovation and developing infrastructure, information sharing, and standards that mitigate the risks associated with digital identities.
Treasury issues guidance on Russian oil sales cap
On September 9, the U.S. Treasury Department announced preliminary guidance on implementing a maritime services policy and related price exception for seaborne Russian oil. As previously covered by InfoBytes, OFAC recently announced that it planned to publish preliminary guidance on implementing the price cap to provide a high-level overview of the directive, including how U.S. persons can comply in advance of formal guidance and legal implementation. According to the preliminary guidance, the policy is intended to establish a framework for Russian oil to be exported by sea under a capped price, and establish a ban on services for any shipments of seaborne Russian oil above the capped price. Objectives of the guidance include: (i) maintaining a reliable supply of seaborne Russian oil to the global market; (ii) reducing upward pressure on energy prices; and (iii) reducing the revenues the Russian Federation earns from oil after its own war of choice in Ukraine has inflated global energy prices. The policy contains an exception, which applies to “jurisdictions or actors that purchase seaborne Russian oil at or below a price cap to be established by the coalition (the “price exception”).” The policy, which relates to a broad range of services in connection with the maritime transportation of Russian Federation origin crude oil and petroleum products, will become effective December 5, 2022 for the maritime transportation of crude oil and on February 5, 2023 for the maritime transportation of petroleum products.
Fed vice chair for supervision outlines future priorities
On September 7, Federal Reserve Board Vice Chair for Supervision Michael Barr laid out his goals for making the financial system safer and fairer during a speech at the Brookings Institution, highlighting priorities related to risk-focused capital frameworks and bank resiliency, mergers and acquisitions, digital assets and stablecoins, climate-related financial risks, innovation, and Community Reinvestment Act modernization plans. Addressing issues related to resolvability, Barr signaled that the Fed would begin “looking at the resolvability of some of the other largest banks [in addition to globally systemically important banks] as they grow and as their significance in the financial system increases.” With respect to bank mergers, Barr commented that “the advantages that firms seek to gain through mergers must be weighed against the risks that mergers can pose to competition, consumers and financial stability.” He said he plans to work with Fed staff to assess how the agency performs merger analysis and whether there are areas for improvement. Barr also discussed financial stability risks posed by new forms of private money created through stablecoins and stressed that Congress should work quickly to enact legislation for bringing stablecoins (especially those intended to serve as a means of payment) within the prudential regulatory perimeter. He added that the Fed plans to make sure that the crypto activity of supervised banks “is subject to the necessary safeguards that protect the safety of the banking system as well as bank customers,” and said “[b]anks engaged in crypto-related activities need to have appropriate measures in place to manage novel risks associated with those activities and to ensure compliance with all relevant laws, including those related to money laundering.”