Today, the Financial Crimes Enforcement Network (“FinCEN”) issued a Notice regarding online child sexual exploitation.  Given its brevity, its text is set forth below in its entirety, without the footnotes.  There is a final section to the Notice, not included below, which provides filing instructions regarding related Suspicious Activity Reports, or SARs.  We offer no commentary, other than to reiterate FinCEN’s claims that child sexual exploitation has increased during COVID-19, and that virtual currency and payment processors play a role in such offenses.

[FinCEN] is issuing this Notice to call attention to an increase in online child sexual exploitation (OCSE). This Notice provides financial institutions with specific suspicious activity report (SAR) filing instructions, and highlights some financial trends related to OCSE.

Crimes related to OCSE, including the funding, production, and distribution of child sexual  abuse materials (CSAM), have increased during the COVID-19 pandemic, according to multiple  law enforcement authorities. This increase in activity is likely due to a confluence of factors, including: (1) increased internet usage by children who are spending more time online, both unsupervised and during traditional school hours; (2) restricted travel during the COVID-19 pandemic resulting in more sex offenders being online; and (3) increased access to and use of technology, including encrypted communications, bulk data transfer, cloud storage, live streaming, and anonymized transactions.

Another trend is the rise in sextortion of minors, who are coerced or exploited into exchanging sexual images via the internet, mobile devices, and social media platforms. OCSE offenders often groom minors to share or post self-generated content online in exchange for money.

FinCEN performed a review of OCSE-related SARs and observed the following trends. Between 2017 and 2020, there was a 147 percent increase in OCSE-related SAR filings, including a 17 percent year-over-year increase in 2020. FinCEN also observed that OCSE offenders are increasingly using convertible virtual currency (CVC) (some of which provide anonymity), peer-to-peer mobile applications, the darknet, and anonymization and encryption services to try to avoid detection. CVC in particular is increasingly the payment method of choice for OCSE offenders who make payments to websites that host CSAM.

Finally, FinCEN found that OCSE facilitators attempt to conceal their illicit file sharing and streaming activities by transferring funds via third-party payment processors.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

Copenhagen, Denmark

Danske Bank (Danske) recently secured a big victory in the United States Court of Appeals for the Second Circuit.  On August 25, 2021, the appellate court unanimously affirmed the Southern District of New York’s dismissal of an investor lawsuit brought by purchasers of DB American Depository Receipts (ADR) against Danske and its former officers and board members over alleged misrepresentations about Danske’s financial condition.  We previously blogged about the lower court’s decision here.  As we have blogged about hereherehere, and here, Danske Bank has been the subject of significant regulatory oversight due to its alleged AML failures of historical proportions, which has resulted in a foreseeable onslaught of investor lawsuits.

Although much of the Second Circuit’s opinion is focused on timing issues relevant to almost any investor lawsuit based on material misstatements and omissions, portions of the opinion are particularly relevant to investor claims resting on alleged AML failures and money laundering by financial institution customers.  Importantly, neither knowledge of potential misconduct by customers gained by an institution from either its AML-related monitoring or whistleblower reporting, nor generalized claims to investors by an institution of robust AML compliance, will – standing alone – result in liability. Continue Reading Danske Bank Secures a Big Victory in Investor Suit Based on Alleged AML Violations

Amicus Briefs Urge that Only FinCEN, Not the SEC, Should Enforce the BSA in Regards to Broker-Dealers

In the next stage of the Alpine Securities saga (as we blogged about here, here and here), a petition for a writ of certiorari is pending before the Supreme Court, asking the Court to decide whether the Southern District of New York and the Second Circuit correctly decided that the Securities Exchange Commission (“SEC”) may bring suit directly to enforce compliance with the Bank Secrecy Act (“BSA”).  Distilled, the Second Circuit and the District Court ruled that by promulgating Rule 17a-8, which states in part that “[e]very registered broker or dealer who is subject to the requirements of the [BSA] shall comply with the reporting, recordkeeping and record retention requirements of [BSA regulations promulgated by FinCEN],” the SEC is properly exercising its own independent authority under Rule 17a-8 and Section 17(a) of the Exchange Act when it regulates broker-dealers for the record-keeping and reporting requirements of the BSA.

Alpine Securities’ petition (the “Petition”) has received support in the form of amicus briefs from former officials of the Financial Crimes Enforcement Network (“FinCEN”) and the Cato Institute (“CATO”), both of which argue the SEC does not have the power to enforce violations of the BSA.  As we will discuss, the amicus briefs argue that only FinCEN may enforce the BSA, and that a contrary system would undermine FinCEN and create unacceptably conflicting interpretations, standards, and penalties for BSA/anti-money laundering (“AML”) compliance. Continue Reading Circular Delegation: Amicus Support By Former FinCEN Officials and the Cato Institute in the Alpine Securities Saga

The OCC, FDIC, and Federal Reserve Board have issued a guide that is intended to assist community banks in conducting due diligence when considering relationships with financial technology (fintech) companies (Guide).

The issuance of the Guide follows the agencies’ July 2021 release of proposed interagency guidance for banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements.  The proposal sets forth principles for managing risk in each stage of a third-party relationship life cycle, including conducting due diligence.  In the introduction to the Guide, the agencies indicate that the Guide draws from their existing guidance and is consistent with the proposed interagency guidance.

The agencies also note in the Guide’s introduction that while the Guide is written from a community bank perspective, the fundamental concepts discussed may be useful for banks of varying sizes and for other types of third-party relationships.  Banks are instructed to reference relevant guidance from the agencies that is listed in a footnote.

In the Guide’s introduction, the agencies indicate that because the Guide does not anticipate all types of third-party relationships and risk, a community bank can tailor how it uses information in the Guide based on its specific circumstances, the risks posed by each third-party relationship, and the related product, service or activity offered by the fintech company.  They also advise community banks that the scope and depth of due diligence will depend on the risk to the bank from the nature and criticality of the prospective activity to be performed by the fintech company.

The Guide discusses a series of topics to be considered by a community bank when conducting due diligence on a fintech company and provides potential sources of information and illustrative examples for each topic.  These topics consist of a fintech’s:

  • Business experience, business strategies and plans, and the qualifications and backgrounds of directors and principals;
  • Financial condition and competitive market environment and client base;
  • Legal and regulatory compliance;
  • Risk management policies, processes, and controls;
  • Information security program and information systems; and
  • Business continuity planning, incident response plan, and reliance on subcontractors.

The publication of the Guide is another indication of the increased attention that regulators seem to be paying of late to the area of third-party relationship risk management.  Whether this increased attention and guidance will translate to a heavier emphasis on such topics in the course of regulatory examinations remains to be seen.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

Government Alleges Systemic and Deliberate AML Failures

Filings Describe Tools for CVC Exchanges to Use for Customer Due Diligence and Transaction Monitoring

The Financial Crimes Enforcement Network (“FinCEN”) and the Commodity Futures Trading Commission (“CFTC”) announced on August 10 (here and here) settlements with the operators of the BitMEX cryptocurrency trading platform for alleged anti-money laundering (“AML”) violations under the Bank Secrecy Act (“BSA”), and for allegedly failing to register with the CFTC.  More specifically, FinCEN’s assessment of a civil monetary penalty and the CFTC’s consent order both involved the five companies operating the BitMEX platform: HDR Global Trading Limited, 100x Holding Limited, ABS Global Trading Limited, Shine Effort Inc Limited, and HDR Global Services (Bermuda) Limited (collectively, “BitMEX”).

BitMEX will pay regulators up to a combined $100 million civil monetary penalty; perform a “lookback” regarding the potential need to file additional Suspicious Activity Reports (“SARs”); and hire an independent consultant to conduct two reviews of BitMEX’s operations, policies, procedures, and controls, in order to confirm that BitMEX is not operating in the U.S., and that no U.S. customers are able to trade with the BitMEX platform.

According to the government filings, BitMEX is one of the oldest cryptocurrency derivative exchanges, with 1.3 million user accounts and a collection of annual fees in excess of $1 billion.  Combined, the government filings allege that for a period of six years between November 2014 and October 1, 2020, BitMEX offered trading of cryptocurrency derivatives to retail and institutional customers in the U.S. and worldwide through BitMEX’s website. Customers in the U.S. placed orders to buy or sell contracts directly through the website and BitMEX was aware that U.S. customers could access the BitMEX platform via virtual private network (“VPN”).

The civil penalty will be split between FinCEN and the CFTC.  However, the settlement involves an interesting “carrot” offered by the regulators:  $20 million of the penalty is suspended pending the successful completion of the SAR lookback and the two independent consultant reviews.

According to the government’s allegations, BitMEX deliberately ignored for years the most basic AML requirements, resulting in multitudinous violations and inviting – and even encouraging – its customers to launder illicit funds.  As we will describe, the government has alleged that BitMEX operated on the announced pretext that it was not subject to the BSA or U.S. commodities laws because it had no U.S. customers or operations, when senior management knew otherwise. Continue Reading FinCEN and CFTC Reach Groundbreaking $100 Million AML Settlement with BitMEX

European Commission Proposes EU-Level Supervisory Authority and Cryptocurrency Travel Rule

European Banking Authority Offers New Guidelines on AML Compliance Officers

Just as the United States has expanded significantly its anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) regulatory and enforcement regime through recent passage of the AML Act of 2020, the European Union (“EU”) has taken significant steps this summer towards implementing a rigorous new transnational AML enforcement framework.  Recent legislative proposals by the European Commission (the EU’s executive branch) aim to combat cross-border crime by ensuring uniform implementation and enforcement of AML/CFT principles, rules, and regulations, and by creating new recordkeeping requirement for certain cryptocurrency transactions.  Following the announcement of these legislative proposals, the European Banking Authority proposed in late July new EU-wide guidelines for AML/CFT compliance officers.  We examine each of these in turn. Continue Reading European Union Round-Up:  A Summer of AML Enforcement and Compliance Proposals

Case Presages Mandatory BSA Obligations for Antiquities Dealers under the AML Act

Exhibit A to the Amended Forfeiture Complaint: The Dream Tablet

In the midst of the invasion of Iraq and the subsequent civil instability, thousands of cultural artifacts were stolen from the National Museum of Iraq.  Among them: the Dream Tablet of Gilgamesh (the “Dream Tablet”), a clay tablet at least 3,000 years old, inscribed with part of the oldest works of narrative poetry in the world, the Epic of Gilgamesh.

The Dream Tablet illegally wound its way to the United States in 2003, and Hobby Lobby purchased it in 2014 for $1.67 million.  Now, it is returning to Iraq.  Per a July 27, 2021 Department of Justice (“DOJ”) press release, the Eastern District of New York ordered Hobby Lobby to forfeit the Dream Tablet because its importation violated the United States’ ban on the importation of Iraqi archaeological and ethnological materials.

Although this is not a pure money laundering case, this forfeiture action implicates the intersection of the antiquities and art trades and anti-money laundering (“AML”) concerns, a subject we cover frequently, including in a recent guest post by on potential AML regulations for the antiquities and art market.  Of course, the Anti-Money Laundering Act of 2020 (“AML Act”) in part imposes Bank Secrecy Act (“BSA”) obligations on antiquities dealers by defining a “person engaged in the trade of antiquities, including an advisor, consultant, or any other person who engages as a business in the solicitation or the sale of antiquities” as a “financial institution” covered by the BSA.  The Dream Tablet case illustrates the issues that antiquities dealers will have to face under a mandatory BSA/AML regime, including the filing of Suspicious Activity Reports (“SARs”). Continue Reading DOJ Obtains Forfeiture of the Dream Tablet of Gilgamesh

Fourth and Final Post in a Series on the FATF Plenary Outcomes

As we have previously blogged (here, here and here), the Financial Action Task Force (“FATF”) held its fourth Plenary on June 21-25, inviting delegates from around the world to meet (virtually) and discuss a wide range of global financial crimes and ongoing risk areas. Following the Plenary, FATF issued reports to detail their findings on specific topics. This post highlights three takeaways from the report entitled Second 12-Month Review of the Revised FATF Standards on Virtual Assets (“Report”).

Background

In June 2019, the FATF issued guidance instructing its 180 international member governments to demand that virtual asset service providers (“VASPs), such as cryptocurrency exchanges and digital wallet providers, collect “accurate originator information and required beneficiary information” on transactions totaling $1,000 or more (see here for our detailed blog post on this subject).

The FATF also agreed to undertake a yearlong review documenting the progress that its member countries have made towards implementing its guidance on regulation of VASPs. It released the findings of that review in July 2020 and committed to a second 12-month review by June 2021. The Report, based on the findings of a self-assessment questionnaire provided to 128 jurisdictions, sets out the findings of the second 12-month review. Continue Reading FATF Continues to Stress AML Risks From Virtual Asset Service Providers

A Guest Blog by Angelena Bradfield

Today we are very pleased to welcome guest blogger Angelena Bradfield, who is the Senior Vice President of AML/BSA, Sanctions & Privacy for the Bank Policy Institute. BPI is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks. Its members include universal banks, regional banks and the major foreign banks doing business in the United States.  BPI has been engaged in efforts to modernize the U.S. anti-money laundering/ countering the financing of terrorism (AML/CFT) regime for almost half a decade and worked closely with Senate and House leadership throughout the introduction and final passage of the Anti-Money Laundering Act of 2020 (AML Act). Angelena previously was a Vice President at The Clearing House Association, where she supported its regulatory affairs department in similar policy areas. Before that, she supported comprehensive immigration reform efforts at ImmigrationWorks USA and worked on various domestic policy issues at the White House where she served as a staff assistant in both the Domestic Policy Council and Presidential Correspondence offices.

We reached out to Angelena regarding BPI’s recent letter to the Financial Crimes Enforcement Network (FinCEN) commenting on its implementation of the Corporate Transparency Act (CTA).  Congress passed the CTA on January 1, 2021, as part of the AML Act.  The CTA requires certain legal entities to report their beneficial owners to a directory accessible by U.S. and foreign law enforcement and regulators.  This directory also will be accessible to U.S. financial institutions seeking to comply with their own AML obligations, particularly the beneficial ownership regulation, otherwise known as the Customer Due Diligence Rule (CDD Rule), already applicable to banks and other financial institutions. The CTA’s beneficial ownership directory is one of the most important and long-awaited changes to the BSA/AML regulatory regime, but it presents many challenges, both legal and logistical.  On April 5, 2021, FinCEN issued an advance notice of proposed rulemaking to solicit public comment on the CTA’s implementation.  In response, FinCEN received over 200 letters from industry stakeholders – including the letter from BPI.

This blog post again takes the form of a Q&A session, in which Angelena responds to questions posed by Money Laundering Watch about the CTA and how it should be implemented.  We hope you enjoy this discussion on this important topic. – Peter Hardy and Shauna Pierson Continue Reading Implementing the Corporate Transparency Act:  A Guest Blog

U.S. Federal Reserve Building

The Federal Reserve, FDIC, and OCC released on July 13, 2021 proposed guidance for banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements.  The proposal is the first time that the three agencies have proposed third-party risk management guidance on an interagency basis.  Comments on the proposal will be due no later than 60 days after the date it is published in the Federal Register.  The proposed guidance covers all types of third-party relationships, including those involving regulatory compliance under the Bank Secrecy Act.

The proposed guidance is based on the OCC’s existing 2013 third-party risk management guidance and includes changes to reflect that the guidance’s applicability would be extended to banking organizations supervised by all three federal banking agencies.  In March 2020, the OCC issued a revised set of FAQs to supplement its 2013 guidance that was intended to clarify the existing guidance and reflect evolving industry trends.  The proposed guidance includes the revised FAQs as an exhibit and the agencies seek comment on the extent to which the concepts discussed in the FAQs should be incorporated into the final guidance and whether there are additional concepts that would be helpful to include.

The proposed guidance states:

A third-party relationship is any business arrangement between a banking organization and another entity, by contract or otherwise.  A third-party relationship may exist despite a lack of contract or remuneration.  Third-party relationships can include relationships with entities such as vendors, financial technology (fintech) companies, affiliates, and the banking organization’s holding company.  While a determination of whether a banking organization’s relationship constitutes a business arrangement may vary depending on the facts and circumstances, third-party business arrangements generally exclude a bank’s customer relationships.

The proposed guidance sets forth principles for managing risk in each stage of a third-party relationship life cycle consisting of:

  • Planning for a relationship
  • Due diligence and third-party selection
  • Contract negotiation
  • Oversight and accountability
  • Ongoing monitoring
  • Termination

The proposed guidance also discusses the process that examiners will typically follow when reviewing a banking organization’s third-party risk management.

The principles provided by the proposed guidance are generalized in nature and there is no discussion in the guidance of how such principles should be applied to specific types of third-party relationships.  The OCC’s 2020 revised FAQs did address specific types of third-party relationships, such as relationships with data aggregators that collect customer-permissioned data from banks (including where aggregators engage in screen scraping activities), cloud computing providers, and relationships involving the use of alternative data.  As noted above, the agencies ask for comment on the extent to which the concepts discussed in the FAQs should be incorporated into the final guidance and whether there are additional concepts that would be helpful to include.  In addition, the series of questions on which the agencies request comment include:

  • Whether there is a need for greater detail in any areas
  • How the proposed description of third-party relationships could be clearer
  • The extent to which the discussion of “business arrangement” in the proposed guidance provides sufficient clarity to permit banking organizations to identify those arrangements for which the guidance is appropriate
  • What additional information the guidance could provide on managing the risks associated with third-party platforms that directly engage with end customers
  • How the guidance could further assist banking organizations in appropriately managing the compliance risks of business arrangements in which a third party engages in activities for which there are regulatory compliance requirements
  • What additional information the proposed guidance could provide for banking organizations to consider when managing risks related to different types of relationships with third parties (e.g. partnerships, joint ventures), including technology companies
  • What revisions would better assist banking organizations in assessing’s third-party risk as technologies evolve

CFPB-supervised banks and CFPB supervised non-banks to which the banking agencies’ guidance would not apply should take note that in 2016, the CFPB began to examine service providers to institutions it supervises on a regular, systematic basis, particularly those supporting the mortgage industry.  In 2016, the CFPB issued a revised bulletin titled “Compliance Bulletin and Policy Guidance 2016-02, Service Providers” setting forth its expectations for managing the risks of service provider relationships.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. To learn more about Ballard Spar’s Anti-Money Laundering Team, please click here.