InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OCC releases enforcement actions
On March 17, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included is a cease and desist order against a New York-based bank for allegedly engaging in unsafe or unsound practices related to its information technology security and controls, as well as its information technology risk governance and board of director/management oversight of its corporate risk governance processes. The OCC also found alleged deficiencies (including unsafe or unsound practices) in the bank’s Bank Secrecy Act (BSA)/anti-money laundering risk management controls in the following areas: “internal controls, BSA officer, customer identification program, customer due diligence, enhanced due diligence, [] beneficial ownership,” and suspicious activity monitoring and reporting. The order requires the bank to, among other things, maintain a compliance committee, develop a corporate governance program to ensure appropriate board oversight, establish a written strategic plan and conduct an internal audit to assess the sufficiency of the bank’s internal controls program, implement information technology governance and security programs, and adopt an automated clearing house risk management program. The bank is also required to appoint a BSA officer to ensure adherence to the bank’s BSA/AML internal controls, conduct a suspicious activity review lookback, implement a customer information program that is reasonably designed to identify and verify beneficial owners of legal entity customers, and develop and adopt a BSA/AML model risk management process.
U.S., German law enforcement disable darknet crypto mixer
On March 15, U.S. law enforcement, along with German criminal authorities, disabled a darknet cryptocurrency “mixing” service used to allegedly launder more than $3 billion in cryptocurrency underlying ransomware, darknet market activities, fraud, cryptocurrency heists, hacking schemes, and other activities. According to the DOJ’s announcement, law enforcement agencies seized two domains and back-end servers, as well as more than $46 million in cryptocurrency. The DOJ claimed the mixing service allowed criminals to obfuscate the source of stolen cryptocurrency by commingling users’ cryptocurrency in a way that made it difficult to trace the transactions. In conjunction with the action taken against the mixing service, a Vietnamese national responsible for creating and operating the online infrastructure was charged with money laundering, operating an unlicensed money transmitting business, and identity theft connected to the mixing service. Separate actions have also been taken by German law enforcement authorities, the DOJ said. “Criminals have long sought to launder the proceeds of their illegal activity through various means,” Special Agent in Charge Jacqueline Maguire of the FBI Philadelphia Field Office said in the announcement. “Technology has changed the game, though[.] In response, the FBI continues to evolve in the ways we ‘follow the money’ of illegal enterprise, employing all the tools and techniques at our disposal and drawing on our strong partnerships at home and around the globe.”
FinCEN comments on Russia’s suspended FATF membership; issues statements on jurisdictions with AML/CFT/CPF deficiencies
On March 9, FinCEN informed U.S. financial institutions that last month the Financial Action Task Force (FATF) suspended the Russian Federation’s membership after determining that the country’s “actions unacceptably run counter to the FATF core principles aiming to promote security, safety, and the integrity of the global financial system.” (Covered by InfoBytes here.) FATF also urged jurisdictions to monitor for and mitigate emerging risks resulting “from the circumvention of measures taken in order to protect the international financial system.”
Additionally, FinCEN noted that at the end of February, FATF issued public statements updating its lists of jurisdictions with strategic deficiencies in anti-money laundering (AML), countering the financing of terrorism (CFT), and countering the financing of proliferation of weapons of mass destructions (CPF) regimes. These include (i) Jurisdictions under Increased Monitoring, “which publicly identifies jurisdictions with strategic deficiencies in their AML/CFT/CPF regimes that have committed to, or are actively working with, the FATF to address those deficiencies in accordance with an agreed upon timeline,” and (ii) High-Risk Jurisdictions Subject to a Call for Action, “which publicly identifies jurisdictions with significant strategic deficiencies in their AML/CFT/CPF regimes and calls on all FATF members to apply enhanced due diligence, and, in the most serious cases, apply counter-measures to protect the international financial system from the money laundering, terrorist financing, and proliferation financing risks emanating from the identified countries.”
With respect to jurisdictions under increased monitoring, FinCEN’s announcement reminded U.S. covered financial institutions of their due diligence obligations for foreign financial institutions (including correspondent accounts maintained for foreign banks), and instructed them to ensure that they implement “appropriate, specific, risk-based, and, where necessary, enhanced policies, procedures, and controls that are reasonably designed to detect and report known or suspected money laundering activity conducted through or involving any correspondent account established, maintained, administered, or managed in the United States.” Money services business are reminded of parallel requirements with respect to foreign agents or counterparties. Members were informed that FATF removed Cambodia and Morocco from its list of Jurisdictions under Increased Monitoring but added Nigeria and South Africa to the list.
FinCEN’s announcement also informed members that Burma remains on the list of High-Risk Jurisdictions Subject to a Call for Action, and advised U.S. financial institutions to apply enhanced due diligence. Moreover, U.S. financial institutions should continue to refer to existing FinCEN and OFAC guidance on engaging in financial transactions with Burma. With respect to the Democratic People’s Republic of Korea and Iran, “financial institutions must comply with the extensive U.S. restrictions and prohibitions against opening or maintaining any correspondent accounts, directly or indirectly, for North Korean or Iranian financial institutions,” FinCEN said, adding that “[e]xisting U.S. sanctions and FinCEN regulations already prohibit any such correspondent account relationships.”
FDIC issues January enforcement actions
On February 24, the FDIC released a list of administrative enforcement actions taken against banks and individuals in January. The FDIC made public 11 orders, including “four combined orders of prohibition and orders to pay civil money penalties, one 8(b) consent order, one order to pay civil money penalty, three orders of prohibition, one order terminating a Section 19 order, and one order terminating consent order.”
The actions include a civil money order against a Pennsylvania-based bank related to alleged violations of the Flood Disaster Protection Act (FDPA). The FDIC determined that the bank had engaged in a pattern or practice of violating the FDPA by failing to provide required notices of lender-placed flood insurance to borrowers in 16 instances.
Additionally, the FDIC issued a consent order against an Iowa-based bank alleging the bank engaged in “unsafe or unsound banking practices and violations of law or regulations” relating to, among other things, its process for testing a proposed debit/prepaid card program. The FDIC stipulated that before starting the testing phase of any new debit card program or similar program, the bank “must develop, adopt, and implement an effective program addressing anti-money laundering (AML) / combating the financing of terrorism (CFT) controls” for the new program and conduct an independent assessment. The bank is also ordered to revise its AML/CFT policy and conduct a review of its information security program to ensure it reflects current risks.
FinCEN warns financial institutions of surge in mail theft-related check fraud
On February 27, FinCEN issued an alert to financial institutions on the nationwide surge in check fraud schemes targeting the U.S. mail. Mail theft-related check fraud, FinCEN explained, generally relates to the fraudulent negotiation of checks stolen from the U.S. postal service, and represents one of the most significant money laundering threats to the U.S. The alert is intended to ensure financial institutions file suspicious activity reports (SARs) that appropriately identify and report suspected check fraud schemes possibly linked to mail theft. The alert highlighted red flags to help financial institutions identify and report suspicious activity, and reminded financial institutions of their Bank Secrecy Act (BSA) reporting requirements. According to FinCEN, BSA reporting for check fraud has increased significantly over the past three years. “In 2021, financial institutions filed over 350,000 [SARs] to FinCEN to report potential check fraud, a 23 percent increase over the number of check fraud-related SARs filed in 2020,” the agency said, adding that in 2022, SARs related to check fraud reached over 680,000. When suspecting this type of fraud, financial institutions are advised to refer customers to the United States Postal Inspection Service in addition to filing a SAR.
CSBS says state regulators need access to FinCEN’s beneficial ownership database
On February 14, the Conference of State Bank Supervisors commented that FinCEN should be more explicit in its inclusion of state regulators as agencies that can request access to FinCEN’s forthcoming secure, non-public beneficial ownership information database. (See comment letter here.) As previously covered by InfoBytes, last December FinCEN issued a notice of proposed rulemaking (NPRM) to implement provisions of the Corporate Transparency Act (CTA) that govern the access to and protection of beneficial ownership information (BOI). The NPRM proposed regulations for establishing who may request beneficial ownership information, how the information must be secured, and non-compliance penalties, and also addressed aspects of the database that are currently in development. Agreeing that the new database would help enhance anti-money laundering and countering the financing of terrorism standards and help prevent the use of privacy to hide illicit activity from law enforcement and government authorities, CSBS asked that the final rule “explicitly define state regulators so that there is no confusion about their ability to access BOI when examining state-chartered banks and non-depository trust companies for compliance with customer due diligence requirements under the Bank Secrecy Act (BSA).” According to CSBS, state regulators conducted over 1,200 BSA exams in 2021. CSBS further pointed out that being able request BOI on an as needed basis would aid investigative and enforcement responsibilities for both state-chartered banks and state-licensed nonbank financial services providers.
U.S.-EU release statement on Joint Financial Regulatory Forum
On February 7-8, EU and U.S. participants, including officials from the Treasury Department, Federal Reserve Board, CFTC, FDIC, SEC, and OCC, participated in the U.S.-EU Joint Financial Regulatory Forum to continue their ongoing financial regulatory dialogue. According to a joint statement issued by the participants, the matters discussed focused on six themes: “(1) market developments and financial stability risks; (2) sustainable finance and climate-related financial risks; (3) regulatory developments in banking and insurance; (4) operational resilience and digital finance; (5) regulatory and supervisory cooperation in capital markets; and (6) anti-money laundering and countering the financing of terrorism (AML/CFT).”
The joint statement acknowledged that the Russia/Ukraine conflict, coupled with global economic uncertainty and inflationary pressures, have exposed “the financial system to downside risk both in the EU and in the U.S,” with participants stressing the importance of international coordination in monitoring vulnerabilities and building resilience against stability risks. During the forum, participants discussed recent developments related to sustainability-related financial disclosures, climate-related financial risks, cross-border bank resolution coordination, the transition away from LIBOR, digital finance operational resilience, and progress made in strengthening their respective AML/CFT frameworks.
Treasury official warns Turkish companies on engaging with Russian entities
On February 3, Under Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson, met with the Banks Association of Turkey to discuss international sanctions actions against Russia for its war against Ukraine. Nelson highlighted global illicit finance challenges and stressed the importance of addressing weaknesses within the financial system “to root out financial crime, shine light on the financial shadows that illicit actors exploit, and work toward a more equitable and inclusive global economy.” Nelson commented on potential areas for cooperation between Turkish banks and the broader international finance community, pointing to opportunities for the U.S. and Turkey to work together to mitigate anti-money laundering vulnerabilities in the real estate sector. He also focused on Russia’s “abuse of the global financial system to fund” its war in Ukraine as a main factor in international cooperation for preventing Russia from circumventing sanctions and financial controls “in dozens of countries, including [Turkey].” While Nelson recognized Turkey’s reliance on Russian energy and agriculture, he said that “the marked rise over the past year in non-essential Turkish exports or re-exports to Russia makes the Turkish private sector particularly vulnerable to reputational and sanctions risks.” Engaging with sanctioned Russian entities puts Turkish banks and businesses “at risk of sanctions and a potential loss of access to G7 markets and correspondent relationships,” Nelson stressed, calling upon Turkish financial institutions to conduct “enhanced due diligence” in all transactions with Russian entities and individuals—especially within vulnerable sectors.
Luetkemeyer accuses DOJ of incomplete BSA/AML data
On February 1, Representative Blaine Luetkemeyer (R-MO) sent a letter to Attorney General Merrick Garland asking for an explanation as to why the DOJ has not complied with a provision in the 2021 National Defense Authorization Act (2021 NDAA), which requires the Department to report metrics on its use of Bank Secrecy Act (BSA) data to the Treasury Department. According to Luetkemeyer, section 6201 of the 2021 NDAA requires the DOJ to also report “on the use of data derived from financial institutions reporting under the [BSA]” in order to increase transparency on the usefulness of BSA data filed with FinCEN from financial institutions and ensure bad actors are not using the U.S. financial system to fund illicit activities.
Specifically, the DOJ is required by the 2021 NDAA to examine how often the reported data contains actionable information, the number of legal entities and individuals identified within the reported data, and information on investigations resulting from the reported data that are conducted by state and federal authorities, the letter said. Citing a Government Accountability Office report (which found that the DOJ’s report failed to “include new statistics on the use and impact of BSA reports, including the summary statistics required under the act”), Luetkemeyer claimed the lack of transparency “begs the question if the burdensome reporting is worthwhile” and prevents “FinCEN and Congress from determining the effectiveness of the U.S. anti-money laundering regime.” Luetkemeyer asked the DOJ for an explanation as to why it failed to provide the required information.
Senators exploring bank’s dealings with collapsed crypto exchange
On January 30, Senators Elizabeth Warren (D-MA), John Kennedy (R-LA), and Roger Marshall (R-KS) sent a follow-up letter to a California-based bank asking for additional responses to questions related to the bank’s relationship with several cryptocurrency firms founded by the CEO of a now-collapsed crypto exchange. As previously covered by InfoBytes, the senators pressed the CEO for an explanation for why the bank failed to monitor for and report suspicious transactions to the Financial Crimes Enforcement Network, and asked for information about how deposits it was holding on behalf of the collapsed exchange and related firm were being handled. The senators stressed that the bank has a legal responsibility under the Bank Secrecy Act to maintain an effective anti-money laundering program that may have flagged suspicious activity.
In the letter, the senators accused the bank of evading their previous questions in its December response, writing that while the bank’s answers confirm the extent of its failure to monitor and report suspicious financial activity, it failed “to provide key information needed by Congress to understand why and how these failures occurred.” The bank’s “repeated reference to ‘confidential supervisory information’” as a justification for its refusal to provide the requested information “is simply not an acceptable rationale,” the senators said. They also noted that the bank’s recent advance from the Federal Home Loan Bank of San Francisco—intended “to ‘stave off a further run on deposits’”—has introduced additional crypto market risks into the traditional banking system, especially should the bank fail. The bank was asked to explain how it plans to use the $4.3 billion it received.
The senators further commented that additional findings have revealed that neither the Federal Reserve nor the bank’s independent auditors were able to identify the “extraordinary gaps” in the bank’s due diligence process. The senators asked the bank to provide responses to questions related to its risk management policies, as well as how many safety and soundness exams were conducted, and whether any of the bank’s executives were “held accountable” for the failures related to the collapsed exchange, among other things.