InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Treasury discusses combating corruption
On September 7, U.S. Treasury Department Assistant Secretary for Terrorist Financing and Financial Crimes Elizabeth Rosenberg spoke at the Brookings Institution as part of a series of discussions regarding corruption and the Department’s efforts to strengthen global beneficial ownership standards against corruption. During her remarks, she discussed Treasury’s focus on three efforts to counter corruption: (i) analyzing the risks associated with corruption; (ii) putting in place an effective legal framework to prevent corruption in our financial system; and (iii) implementing targeted measures, such as sanctions, to expose and hold accountable corrupt individuals and their facilitators. She noted that her office’s 2022 Money Laundering Risk Assessment “described the persistent themes of corrupt individuals engaging in fraud, embezzlement, bribery, extortion, and the misuse of companies and other legal entities.” (Covered by InfoBytes here.) Rosenberg also discussed strengthening global beneficial ownership standards at the intergovernmental Financial Action Task Force “to focus the body’s efforts on the effective implementation of the UN Convention on Corruption, on the misuse of citizenship-by-investment programs by corrupt individuals and their families, and on financial gatekeepers that get rich helping senior officials steal from their citizens.” She further described Treasury efforts, both public and non-public, to expose corrupt officials. She closed her prepared remarks by committing to continue both defensive and offensive strategies to counter corruption and to advance rules that are designed to “make our financial system more resilient and bring forward new analysis on vulnerabilities to corruption in our economy.”
SEC warns Chinese companies against switching auditors to avoid compliance
On September 6, SEC acting Chief Accountant Paul Munter issued a warning to Chinese companies that they may face enforcement actions if they switch auditing firms to remain listed in the U.S. that do not follow applicable standards. Munter pointed to instances of foreign issuers, especially those located in China or Hong Kong, “changing their lead auditor from a local registered public accounting firm to a registered public accounting firm located either in the U.S. or elsewhere, generally within the same network.” According to Munter, these types of arrangements create “special challenges that raise questions about whether the newly engaged registered public accounting firms—whether located in the U.S. or elsewhere—will be able to satisfy their responsibilities to serve as the lead auditor.” Munter noted that the U.S. Public Company Accounting Oversight Board (PCAOB), the China Securities Regulatory Commission, and the Ministry of Finance of the People’s Republic of China, recently signed a Statement of Protocol governing inspections and investigations of audit firms based in China or Hong Kong. He said, however, that certain issuers based in China and Hong Kong have started structuring audits with registered public accounting firms located either in the U.S. or elsewhere “to avoid the potential of consecutive PCAOB [Holding Foreign Companies Accountable Act] determinations and a potential resultant trading prohibition.” Issuers and firms looking to avoid compliance could result in investigations and enforcement actions by the PCAOB, the SEC, or both.
OFAC amends cyber-related sanctions regulations
On September 2, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) announced that it is amending, and reissuing in their entirety, the Cyber-Related Sanctions Regulations. OFAC noted that this administrative action replaces regulations that were published in abbreviated form on December 31, 2015, with a more comprehensive set of regulations that includes additional interpretive and definitional guidance, general licenses, and other regulatory provisions that will provide further guidance to the public. As previously covered by InfoBytes, the regulations prohibited all transactions described in Executive Order (E.O.) 13694, including dealing in the property or interests in property, that come within the United States, of blocked persons. Among other things, under E.O. 13694, a party may be blocked if the U.S. government finds the party “to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the U.S. that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States” and that have one of the purposes or effects enumerated in the order. The sanctions became effective September 6.
Additionally, OFAC noted that “the publication of this final rule has triggered an automatic administrative update to a number of sanctions entries.” OFAC listed unique identifier numbers (UIDs) for the affected entries as part of the administrative update and provided FAQs to clarify UIDs.
OCC orders bank to improve oversight of fintech partnerships
Recently, a national bank disclosed an agreement reached with the OCC that requires the bank to improve its oversight and management of third-party fintech partnerships. According to an SEC filing, the OCC found unsafe or unsound practices related to the bank’s third-party risk management, Bank Secrecy Act (BSA)/anti-money laundering risk management, suspicious activity reporting, and information technology control and risk governance. Under the terms of the agreement, the bank must, within 10 days of the agreement, appoint a compliance committee comprised mostly of members from outside the bank to meet at least quarterly and provide progress reports outlining the results and status of the mandated corrective actions. Within 60 days of the agreement, the bank must also adopt and implement guidelines for assessing risks posed by third-party fintech partnerships and address how the bank “identifies and assesses the inherent risks of the products, services, and activities performed by the third-parties, including but not limited to BSA, compliance, operational, liquidity, counterparty and credit risk as applicable.” Additionally, the bank must establish criteria for their board of directors' review and approval of third-party fintech relationship partners, as well as how it will assess “BSA risk for each third-party fintech relationship partner, including risk associated with money laundering, terrorist financing, and sanctions risk as well as the third-party’s processes for mitigating such risks and complying with applicable laws and regulations.” The agreement also requires due diligence, monitoring, and contingency plan measures.
The agreement further stipulates that the bank’s board and management shall, within 90 days, (i) set up written BSA risk assessment guidelines; (ii) adopt an independent audit program; (iii) implement expanded risk-based policies, procedures, and processes to obtain and analyze appropriate customer due diligence, enhanced due diligence, and beneficial ownership information, including for fintech businesses; (iv) develop and adhere to a set of standards to ensure timely suspicious activity monitoring and reporting; and (v) establish a program to assess and manage the bank’s information technology activities, including those conducted by third-party partners. The bank must also conduct a suspicious activity review lookback within 30 days.
Treasury caps Russian oil sales; OFAC guidance coming soon
On September 2, the U.S. Treasury Department announced that G7 Finance Ministers confirmed their joint intention to implement a price cap on Russian-origin crude oil and petroleum products. According to the statement, G7 countries, along with other allies and partners, “plan to prohibit the provision of services that enable maritime transportation of such oil and products unless purchased at or below a price level determined by the coalition of countries adhering to and implementing the price cap.” Secretary of the Treasury Janet L. Yellen issued a statement commending the action. She noted that the price cap will “help deliver a major blow for Russian finances and will both hinder Russia’s ability to fight its unprovoked war in Ukraine and hasten the deterioration of the Russian economy,” while also maintaining supplies to global energy markets by keeping Russian oil flowing at lower prices.
In conjunction with the announcement, OFAC said it plans to publish preliminary guidance on implementing the price cap later this month. The guidance will provide a high-level overview of the mechanism, including how U.S. persons can comply in advance of formal guidance and legal implementation which will be issued at a later date.
OFAC issues updated Iran general license and related FAQ
On August 25, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued Iran General License (GL) M-2, “Authorizing the Exportation of Certain Graduate Level Educational Services and Software,” which authorizes accredited graduate and undergraduate degree-granting academic institutions in the U.S. to engage with Iranian students in online educational services and exploration of software through September 1, 2023, provided certain criteria are met. OFAC also published an updated FAQ related to GL M-2. Effective August 25, GL M-2 supersedes and replaces GL M-1.
House Republican concerned about Treasury sanctions on virtual currency mixer
On August 23, Representative Tom Emmer (R-MN) sent a letter to Treasury Secretary Janet Yellen raising privacy and due process concerns related to recent “first-of-their-kind” sanctions issued against a virtual currency mixer accused of allegedly laundering more than $7 billion in virtual currency, including more than $455 million stolen by a Democratic People’s Republic of Korea state-sponsored hacking group that is separately subject to U.S. sanctions (covered by InfoBytes here). The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) said the sanctions resulted from the company “having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a cyber-enabled activity originating from, or directed by persons located, in whole or in substantial part, outside the United States that is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that has the purpose or effect of causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.” (Covered by InfoBytes here.)
Emmer stressed, however, that adding the company to OFAC’s Specially Designated Nationals and Blocked Persons (SDN) List seemed to diverge from previous OFAC precedent since several of the company’s designated “smart contract addresses” do not appear to be a person, entity, or property, but rather are distributed technological tools that are not controlled by any entity or natural person. “OFAC has a long, commendable history of utilizing financial sanctions to enhance the national security of the United States,” the letter said. “Nonetheless, the sanctioning of neutral, open-source, decentralized technology presents a series of new questions, which impact not only our national security but the right to privacy of every American citizen.” Emmer referenced May 2019 guidance issued by FinCEN (covered by InfoBytes here), which he said drew “a distinction between ‘providers of anonymizing services’ (including ‘mixers’)” which are subject to Bank Secrecy Act obligations and “‘anonymizing software providers’” which are not. Emmer recognized that OFAC is not bound by FinCEN regulations, but said it is his understanding that the sanctioned company is “simply the anonymizing software deployed on the blockchain.”
Emmer requested clarification from Treasury on several questions, including the factors OFAC considers when designating technology to the SDN List and how OFAC plans to “uphold the appeals process for the sanctioned addresses that have no ability to appeal the sanction to OFAC” because they “are smart contracts with no agency, corporate or personal, and as such cannot speak for themselves or those whose funds they hold.”
OFAC issues new Russia-related general licenses
On August 19, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued Russia-related General License (GL) 38A and GL 50. GL 38A authorizes transactions related to pension payments to U.S. persons or non-U.S. persons not located in the Russian Federation that are normally prohibited by Executive Order (E.O.) 14024 “provided that the only involvement of blocked persons is the processing of funds by financial institutions blocked pursuant to E.O. 14024.” GL 50 authorizes “the closing of an account of an individual, wherever located, who is not a blocked person” held at financial institutions blocked pursuant to E.O. 14024. GL 50 also permits “the unblocking and lump sum transfer of all remaining funds and other assets in the account to the account holder, including to an account of the account holder held at a non-blocked financial institution.”
Fed urges banks to assess legality of crypto activities
On August 16, the Federal Reserve Board issued supervisory letter SR 22-6 recommending steps that Fed-supervised banking organizations engaging or seeking to engage in crypto-asset-related activities should take. The Fed stressed that organizations must assess whether such activities are legally permissible and determine whether any regulatory filings are required under the federal banking laws. Organizations should also notify the regulator and “have in place adequate systems, risk management, and controls to conduct such activities in a safe and sound manner” prior to commencing such activities. Risk management controls should cover, among other things, “operational risk (for example, the risks of new, evolving technologies; the risk of hacking, fraud, and theft; and the risk of third-party relationships), financial risk, legal risk, compliance risk (including, but not limited to, compliance with the Bank Secrecy Act, anti-money laundering requirements, and sanctions requirements), and any other risk necessary to ensure the activities are conducted in a manner that is consistent with safe and sound banking and in compliance with applicable laws, including applicable consumer protection statutes and regulations,” the supervisory letter explained, adding that state member banks are also encouraged to contact their state regulator before engaging in any crypto-asset-related activity. Organizations already engaged in crypto activities should contact the Fed “promptly” if they have not already done so, the agency said, noting that supervisory staff will provide any relevant supervisory feedback in a timely manner.
The supervisory letter follows an interagency statement released last November by the Fed, OCC, and FDIC (covered by InfoBytes here), which announced the regulators’ intention to provide greater clarity on whether certain crypto-asset-related activities conducted by banking organizations are legally permissible.
2nd Circuit affirms acquittal of former transportation and energy industry executive
On August 12, the U.S. Court of Appeals for the Second Circuit upheld a lower court’s decision to partially acquit a former executive of a French multinational transportation and energy company after a federal jury found him guilty of seven counts related to the Foreign Corrupt Practices Act (FCPA) and four counts of money laundering. The former executive, a British national, was employed by the company’s U.K. subsidiary and involved in a bribery scheme to secure public contracts in Indonesia for the company’s U.S. subsidiary. The 2nd Circuit agreed that the government failed to prove that the former executive was covered by the FCPA as an agent of a domestic concern, but left the money laundering convictions intact.
In 2019, a jury in the U.S. District Court for the District of Connecticut found the defendant guilty of one count of conspiracy to violate the FCPA, six counts of substantive FCPA violations, and four counts of money laundering, for his involvement in a scheme to bribe Indonesian officials in exchange for granting his company’s U.S. subsidiary, a power generation equipment manufacturer, a power plant construction contract. After the guilty verdict, he filed a Rule 29(a) motion for a judgment of acquittal, arguing as to the FCPA counts that the government “failed to prove that he was an agent of [the subsidiary], the relevant domestic concern.” The 2nd Circuit had previously held that accomplice and co-conspirator liability was not available in the case, leaving agency liability. (Covered by InfoBytes here.)
As previously covered by InfoBytes, in 2020, the district court agreed that the evidence at trial did not establish that the subsidiary exercised “control over [the former executive’s] actions sufficient to demonstrate agency” and acquitted him of the FCPA-related counts after determining that the government failed to prove at trial that the defendant was an “agent” of a domestic concern.
On appeal, a divided three-judge panel affirmed the lower court’s decision, concluding that “[t]here was no explicit or implied agency or employee relationship between [the defendant and the company’s U.S. subsidiary] such that the elements of an agency relationship were proven beyond a reasonable doubt.” The majority held that lack of control held by the subsidiary over the defendant was fundamental in determining whether he was acting as an agent of the subsidiary. A principal’s accountability for the actions of an agent depends on its ability to select and control the agent and terminate the agency relationship, as well as an agent’s agreement to act on the principal’s behalf, the majority wrote. “[T]he fact that [the defendant] collaborated with and supported [the subsidiary and a co-defendant] does not mean he was under their control within the meaning of the FCPA,” the majority explained.