InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FINRA alerts firms about rising ACATS fraud
On October 6, FINRA issued Regulatory Notice 22-21, alerting member firms to the rising trend of fraudulent account transfers of customer accounts using the Automated Customer Account Transfer Service (ACATS)—an automated system that facilitates the transfer of customer account assets from one member firm to another. FINRA explained that “ACATS fraud is related to the growing threat of new accounts being opened online or through mobile applications using stolen or synthetic identities,” and may occur when the identity of a legitimate customer of a carrying member is stolen by a bad actor to open a brokerage account online or through a mobile app at a receiving member. Bad actors, FINRA warned, may open a new account using stolen information only or through a combination of stolen and false information, and will try to move the ill-gotten assets to an external account at a different financial institution. FINRA reminded members of regulatory obligations that may apply to ACATS fraud, including know-your-customer rules, Bank Secrecy Act/AML requirements, and the Identity Theft Red Flags Rule.
OCC releases bank supervision operating plan for FY 2023
On October 6, the OCC’s Committee on Bank Supervision released its bank supervision operating plan for fiscal year 2023. The plan outlines the agency’s supervision priorities and highlights several supervisory focus areas including: (i) strategic and operational planning; (ii) operational resiliency; (iii) third-party oversight and risk management; (iv) credit risk management with a focus on new products, areas of highest growth, and portfolios representing concentrations; (v) allowances for credit losses (ACL), including instances where ACL processes use third-party modeling techniques; (vi) interest rate risk; (vii) liquidity risk management; (viii) consumer compliance management systems with a focus on how programs are disclosed in relation to UDAP and UDAAP statutes; (ix) Bank Secrecy Act/AML compliance; (x) fair lending risks; (xi) Community Reinvestment Act strategies and the potential for modernization rulemaking; (xii) new products and services in areas such as payments, fintech, and digital assets; and (xiii) climate-change risk management. The plan will be used by OCC staff to guide the development of supervisory strategies for individual national banks, federal savings associations, federal branches and agencies of foreign banking organizations, and certain identified third-party service providers subject to OCC examination.
The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes has previously covered here.
CFTC files charges against operators of unregistered digital asset exchange
On October 3, the CFTC filed a complaint against an individual and the four companies he controlled (collectively, “defendants”) in the U.S. District Court for the Southern District of Florida for allegedly operating a digital asset exchange that offered futures transactions on a platform other than a designated contract market. The defendants are also charged with attempting to manipulate the price of the exchange’s native token. According to the CFTC, the defendants used web-based solicitation to obtain customers even though the individual defendant was aware that such participation subjected the exchange to U.S. regulation. The CFTC also claimed that, in addition to allegedly violating certain registration and regulatory requirements, the defendants attempted to artificially inflate the price of the exchange’s “native currency.” Among other things, the defendants are also accused of failing to implement an effective AML program, know-your-customer procedures, or a customer information program to verify the identifies of the customers who purchased the digital assets. The complaint charges the defendants with violations of the Commodity Exchange Act (CEA), and seeks full restitution, disgorgement of ill-gotten gain, civil penalties, permanent trading and registration bans, and a permanent injunction against further CEA violations.
FINRA revises Sanctions Guidelines
On September 29, FINRA issued Regulatory Notice 22-20, announcing revisions to its Sanctions Guidelines to ensure they align with the levels of sanctions imposed in FINRA disciplinary proceedings and reflect the differences between types of respondents. Among other things, the revised guidelines: (i) differentiate current guidelines for individuals and firms; (ii) establish separate fine ranges for firms based on size; (iii) remove the upper limit of the fine range for mid- and large-size firms “to reflect the settlement amounts that FINRA frequently seeks for these types of violations and the fact that these guidelines address the most serious violations that FINRA pursues”; (iv) create six new AML guidelines (the revisions specify that the guidelines “have no upper limit on the fine range for mid-size and large-size firms for AML violations that involve the failure to reasonably monitor to report suspicious transactions”); (v) include a discussion of non-monetary sanctions for firms; (vi) create “single fine ranges for all actions in the Quality of Markets guidelines and other select guidelines”; (vii) establish a $5,000 minimum fine for all firms regardless of size; and (viii) delete certain infrequently used guidelines.
OCC issues $6 million penalty against national bank, terminates formal agreement
On September 27, the OCC announced a $6 million civil money penalty against a national bank for alleged unsafe or unsound practices related to a low-document mortgage loan program offered by the bank. According to the OCC, from mid-2011 to December 2019, the bank allegedly, among other things: (i) originated numerous loans that had false or fraudulent loan applications; (ii) falsified applicants’ information on supporting loan documents; (iii) failed to make a reasonable and good faith determination of applicants’ ability to repay; (iv) failed to ensure that documents used to verify applicants’ employment, income, and assets obtained from third parties, were reasonably reliable and accurate; (v) failed to properly disclose fees to third-party mortgage brokers on loan estimates and closing disclosures; and (vi) failed to implement an adequate system of Bank Secrecy Act/anti-money laundering internal controls and failed to file Suspicious Activity Reports in a timely manner. The bank must pay a $6 million civil penalty to the U.S. Treasury Department. The OCC also terminated a 2019 formal agreement between the OCC and the bank to remediate unsafe or unsound practices and violations of law. The OCC found that the bank implemented corrective actions required by the agreement and is in compliance with the enforcement action. The OCC also noted that it is continuing “to review the conduct of institution-affiliated parties subject to OCC jurisdiction who were associated with the now-ceased [program],” and that the “work remains ongoing.”
Treasury seeks info on illicit finance, national security risks of digital assets
On September 19, the U.S. Treasury Department issued a request for comment (RFC) seeking feedback on illicit finance and national security risks posed by digital assets. The RFC, issued pursuant to Executive Order 14067 “Ensuring Responsible Development of Digital Assets” (covered by InfoBytes here), requests public input on illicit finance risks, anti-money laundering and combating the financing of terrorism (AML/CFT) regulation and supervision, global implementation of AML/CFT standards, private sector engagement, and central bank digital currencies. The RFC also seeks feedback on actions the U.S. government and Treasury should take to mitigate these risks, in addition to whether public-private collaboration may improve efforts to address risks. Comments on the RFC are due November 3.
“Without appropriate controls and enforcement of existing laws, digital assets can pose a significant risk to national security by facilitating illicit finance, such as money laundering, cybercrime and terrorist actions,” U.S. Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said in the announcement. “As we work to implement the Illicit Finance Action Plan, hold bad actors accountable and identify potential gaps in existing enforcement, we look forward to receiving the public’s input on this urgent work.”
The RFC follows the September 16 release of Treasury’s Action Plan to Address Illicit Financing Risks of Digital Assets (covered by InfoBytes here).
FINRA fines broker dealer for AML failures
On September 9, FINRA settled charges with a broker dealer (respondent) for alleged failures in its anti-money laundering (AML) compliance program. According to the letter of acceptance, waiver, and consent, the respondent allegedly failed to, among other things: (i) establish a reasonably designed AML program; (ii) implement a customer identification program; (iii) reasonably supervise for potentially manipulative trading; and (iv) preserve and maintain certain electronic communications. Additionally, FINRA found that the respondent unreasonably relied on manual reviews of the daily trade blotter to identify market manipulation. FINRA’s order includes alleged violations of FINRA Rule 2010, Rule 3110, Rule 3310(a)-(b) and Rule 4511. FINRA also determined that the respondent violated Securities Exchange Act of 1934 Section 17(a) and Rule 17a-4(b)(4). The respondent agreed to pay a $450,000 civil monetary penalty to FINRA and is prohibited from providing market access for two years.
OFAC publishes additional guidance related to sanctioned virtual currency “mixer”
On September 13, the U.S. Treasury Department’s Office of Foreign Assets Control published new cyber-related frequently asked questions concerning transactions involving a virtual currency mixer sanctioned last month for allegedly laundering more than $7 billion in virtual currency since 2019. As previously covered by InfoBytes, the company “repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis,” and provided financial, material, or technological support for, or in support of, cyber-enabled activity contributing to a significant threat to the national security, foreign policy, or economic health or financial stability of the U.S. The FAQs outline requirements for completing virtual currency transactions without violating U.S. sanctions regulations, discuss whether OFAC reporting obligations apply to transactions involving unsolicited and nominal amounts of virtual currency, and reiterate that transactions involving identified virtual currency wallet addresses are prohibited absent a specific OFAC license. The FAQs noted that as part of the SDN List entry, OFAC included as identifiers certain virtual currency wallet addresses associated with the company as well as the company’s URL address. OFAC provided additional clarification on interactions with open-source code that does not involve a prohibited transaction with the sanctioned company.
FinCEN stresses importance of reliable digital interactions
On September 7, speaking before the 2022 Federal Identity Forum & Exposition in Atlanta, Georgia, acting Deputy Director of FinCEN Jimmy Kirby addressed the importance digital identity plays in FinCEN’s mission as it relates to privacy and cybersecurity, particularly with respect to protecting the U.S. financial system from illicit finance. This includes helping financial institutions comply with various reporting requirements, such as filing suspicious activity reports and currency transaction reports and ensuring that recordkeeping requirements under the Customer Identification Program and Customer Due Diligence rules are met. While Kirby recognized that digital identity frameworks have the potential to “spur innovation in financial products and services across the legacy financial system, as well as digital assets and emerging central bank digital currencies,” he stressed it is vital that digital identity is handled correctly through the implementation of “identity solutions that preserve privacy and security, promote financial inclusion, and protect the integrity of the financial system.” Focusing on topics related to emerging threats and responsible innovation, Kirby emphasized the need for financial institutions to implement measures for knowing who their customers are, both on the front end and throughout the customer relationship, and to take steps to prevent identity theft and fraud. Kirby also discussed the importance of fostering responsible innovation and developing infrastructure, information sharing, and standards that mitigate the risks associated with digital identities.
Fed vice chair for supervision outlines future priorities
On September 7, Federal Reserve Board Vice Chair for Supervision Michael Barr laid out his goals for making the financial system safer and fairer during a speech at the Brookings Institution, highlighting priorities related to risk-focused capital frameworks and bank resiliency, mergers and acquisitions, digital assets and stablecoins, climate-related financial risks, innovation, and Community Reinvestment Act modernization plans. Addressing issues related to resolvability, Barr signaled that the Fed would begin “looking at the resolvability of some of the other largest banks [in addition to globally systemically important banks] as they grow and as their significance in the financial system increases.” With respect to bank mergers, Barr commented that “the advantages that firms seek to gain through mergers must be weighed against the risks that mergers can pose to competition, consumers and financial stability.” He said he plans to work with Fed staff to assess how the agency performs merger analysis and whether there are areas for improvement. Barr also discussed financial stability risks posed by new forms of private money created through stablecoins and stressed that Congress should work quickly to enact legislation for bringing stablecoins (especially those intended to serve as a means of payment) within the prudential regulatory perimeter. He added that the Fed plans to make sure that the crypto activity of supervised banks “is subject to the necessary safeguards that protect the safety of the banking system as well as bank customers,” and said “[b]anks engaged in crypto-related activities need to have appropriate measures in place to manage novel risks associated with those activities and to ensure compliance with all relevant laws, including those related to money laundering.”