In a closely watched and complicated case, Van Loon et al. v. Dep’t of the Treasury et al., the U.S. Court of Appeals for the Fifth Circuit ruled that the Office of Foreign Assets Control (“OFAC”) cannot sanction Tornado Cash, “an open-source, crypto-transactions software protocol that facilitates anonymous transactions by obfuscating the origins and destinations of digital asset transfers.” The opinion, which reversed the ruling of the District Court, is here.  A recording of the oral argument is here. The opinion is complex but written in a very clear style.

We previously blogged on OFAC’s designation of Tornado Cash (here) and the resulting civil suit (here). We also covered the indictment returned against the alleged developers of Tornado Cash, Roman Storm and Roman Semenov, who were charged with conspiring to commit money laundering, operating an unlicensed money transmitting business, and violating sanctions under the International Emergency Economic Powers Act, or IEEPA (here). The DOJ subsequently obtained a superseding indictment against Storm only (here); Storm’s trial currently is scheduled for April 2025). When the initial indictment was unsealed, Treasury simultaneously sanctioned Semenov, who remains outside the U.S., by adding him to OFAC’s Specially Designated Nationals and Blocked Persons (“SDN”) List. 

These actions are a reminder that, putting aside the complex issues presented by the Fifth Circuit decision regarding OFAC’s (in)ability to sanction a technology, law enforcement and regulators still can pursue people for related alleged conduct. And, invariably, people are involved in a technology.

Continue Reading Fifth Circuit Rejects OFAC Designation of Tornado Cash Immutable Smart Contracts

On November 13, 2024, the Financial Crimes Enforcement Network (FinCEN) issued FIN-2024-Alert004 to help financial institutions identify fraud schemes associated with the use of deepfake media created with generative artificial intelligence (GenAI) in response to increased suspicious activity reporting. “Deepfake media” are a type of synthetic content that use artificial intelligence/machine learning to create realistic but inauthentic videos, pictures, audio, and text to circumvent identity verification and authentication methods.

FinCEN reports that fraudsters are using GenAI as a low cost tool to exploit financial institutions’ identity verification processes.  The SAR filings indicated the fraudsters are using GenAI to open accounts to funnel money and perpetrate fraud schemes, such as check fraud, credit card fraud, authorized push payment fraud, loan fraud, or unemployment fraud.

Deepfake media also may be used in phishing attacks and scams to defraud business and consumers by using GenAI to impersonate trusted individuals.

Red flag indicators to detect deepfake media include the following:

  • A customer’s photo is internally inconsistent (e.g., shows visual tells of being altered) or is inconsistent with their other identifying information (e.g., a customer’s date of birth indicates that they are much older or younger than the photo would suggest).
  • A customer presents multiple identity documents that are inconsistent with each other.
  • A customer uses a third-party webcam plugin during a live verification check. Alternatively, a customer attempts to change communication methods during a live verification check due to excessive or suspicious technological glitches during remote verification of their identity.
  • A customer declines to use multifactor authentication to verify their identity.
  • A reverse-image lookup or open-source search of an identity photo matches an image in an online gallery of GenAI-produced faces.
  • A customer’s photo or video is flagged by commercial or open-source deepfake detection software.
  • GenAI-detection software flags the potential use of GenAI text in a customer’s profile or responses to prompts.
  • A customer’s geographic or device data is inconsistent with the customer’s identity documents.
  • A newly opened account or an account with little prior transaction history has a pattern of rapid transactions; high payment volumes to potentially risky payees, such as gambling websites or digital asset exchanges; or high volumes of chargebacks or rejected payments.

FinCEN has identified the following practices as tools to attempt to reduce a financial institution’s vulnerability to deepfake identity documents:

  • Multifactor authentication (MFA), including phishing-resistant MFA; and
  • Live verification checks in which a customer is prompted to confirm their identity through audio or video.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch.  Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

    As we previously blogged, the Financial Crimes Enforcement Center (“FinCEN”) published Anti-Money Laundering Regulations for Residential Real Estate Transfers (“Final Rule”) regarding residential real estate.  The Final Rule, set to go into effect on December 1, 2025, institutes a new Bank Secrecy Act reporting form – the “Real Estate Report” (“Report”) – which imposes a nation-wide reporting requirement for the details of residential real estate transactions, subject to certain exceptions, in which the buyer is a covered entity or trust.

    FinCEN has now published the proposed Report, which is here, and requested comments within 60 days.  The Reports are to be filed through FinCEN’s electronic online reporting system. 

    Continue Reading FinCEN Issues Proposed Reporting Form for Residential Real Estate Deals

    In the possible final stage of the Alpine Securities saga (as we blogged about here, here and here), Judge Clark Waddopous of the United States District Court for the District of Utah issued an opinion granting the Securities and Exchange Commission’s (“SEC”) motion to dismiss the amended complaint filed by plaintiff brokerage firm Scottsdale Capital Advisors (“SCA”).

    SCA’s suit, distilled greatly, challenged the SEC’s authority to enforce, administer and interpret the Suspicious Activity Report (“SAR”) regulations issued under the Bank Secrecy Act (“BSA”) and incorporated into the securities laws. What makes this case interesting is that the SEC did not impose penalties for failure to comply with the SAR requirements against SCA; rather, the agency sought penalties against SCA’s contractual partner, Alpine Securities Corporation (“Alpine”), a Salt Lake City-based brokerage firm. SCA became involved because it agreed to act as an introducing broker-dealer for transactions cleared through Alpine. SCA’s amended complaint alleged that it had suffered harm as a result of the SEC’s improper enforcement action against Alpine.

    The ultimate reason the Court dismissed the suit is because SCA had to show standing under the Administrative Procedures Act, 5 U.S.C. §§ 550, et seq., (“APA”) and failed to satisfy this requirement because there was neither a “final agency action” nor an “injury” for APA purposes.

    The opinion is important because all types of financial institutions covered by the BSA routinely enter into contracts with third parties (which themselves may or may not be covered by the BSA) involving the fulfillment of anti-money laundering (“AML”) compliance requirements.  These relationships can involve fintech-bank partnerships, third parties tasked with collecting customer information, and much more.  As the opinion reflects, if a regulator goes after an entity’s contractual partner for alleged AML failures, that entity can suffer downstream consequences – including a contract and indemnification dispute – with little to no ability to affect the regulator’s actions through the APA.

    Continue Reading Another Chapter in the Alpine Securities Saga:  District Court Grants Motion to Dismiss Complaint Challenging AML Enforcement Action Against Contractual Partner

    On October 23rd, the Financial Crimes Enforcement Network (“FinCEN”) issued a supplementary alert regarding countering financing of the U.S.-designated foreign terrorist organization Hizballah (the “Alert”). In May 2024, FinCEN published an initial alert that focused on the countering of financing Iran-backed terrorist organizations, including Hizaballah. This Alert focuses solely on Hizballah and indicates that as part of the U.S. Department of the Treasury’s (“Treasury”) campaign against Hizballah for the past two decades, financial institutions (“FIs”) must remain vigilant in identifying suspicious activity of the terrorist organization.

    According to the Alert, is it estimated that Iran has provided $700 million per year in support of Hizballah. Hizballah is known to generate revenue through various illicit activities including oil smuggling, money laundering, black market money exchange, counterfeiting, and illegal weapons procurement. Funds are laundered through businesses in West Africa, Europe, and South America.

    In an accompanying press release, FinCEN Director Gacki noted that the Alert was released in part due to Hizaballah’s recent attacks against Israel. In addition, the Alert is consistent with FinCEN’s National Priorities, which include domestic and foreign terrorism.

    Continue Reading FinCEN Issues Alert on Countering Financing of Hizballah and Terrorist Activities

    New State Laws Create Tension with Federal AML Requirements

    An increasing number of states have either enacted or are considering enacting legislation requiring financial institutions to provide persons (both existing customers and prospective customers) who are not ordinarily protected by the federal anti-discrimination statutes with “fair access” to financial services.

    For example, and as we have blogged, a new Florida law (Fla. Stat. § 655.0323, entitled “Unsafe and unsound practices”) prohibits federal and state depository institutions conducting business in the state from denying services based on religion or political beliefs and activities.  As we also have blogged, this Florida law prohibits a financial institution acting on the basis of “any factor if it is not a quantitative, impartial, and risk-based standard, including any such factor related to the person’s business sector[.]” This prohibition creates a clear challenge for implementing an anti-money laundering/countering the financing of terrorism (“AML/CFT”) compliance program, which inherently involves subjective judgments and an assessment of the risk presented by a customer based on its line of business.

    This podcast provides an in-depth exploration of these state laws and the challenges they present.  Alan Kaplinsky, Senior Counsel and former chair for 25 years of the firm’s Consumer Financial Services Group, moderates this podcast.  We are grateful to be joined by Brian Knight, Senior Research Fellow at the Mercatus Center of George Mason University, and Professor Peter Conti-Brown of the Wharton School of the University of Pennsylvania.

    We hope you enjoy the podcast.

    If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. To learn more about Ballard Spahr’s Anti-Money Laundering Team, please click here.  

    Card Club Will Pay $900,000 and Undertake AML Program Review

    The Financial Crimes Enforcement Network (“FinCEN”) has entered into a Consent Order with the Sahara Dunes Casino, doing business as the Lake Elsinore Hotel and Casino (“Lake Elsinore”).  The Consent Order describes Lake Elsinore, located in California, as a “medium-sized card club” with 22 tables offering card games such as poker.

    In the Consent Order, Lake Elsinore has admitted to willful violations of the Bank Secrecy Act (“BSA”), including failing to implement and maintain an effective Anti-Money Laundering (“AML”) compliance program, failing to file Currency Transaction Reports (“CTRs”) and Suspicious Activity Reports (“SARs”), and recordkeeping failures involving a negotiable instruments log, which is supposed to list each transaction between a casino or card club and its customers involving certain monetary instruments with a face value of $3,000 or more. Lake Elsinore has agreed to pay a $900,000 penalty and be subject to an AML program review. 

    The conduct at issue in the Consent Order is old:  it occurred from about September 2014 through February 2019.  The enforcement action arose from a 2017 examination of Lake Elsinore by the California Bureau of Gambling Control (“CABGC”).  The Consent Order illustrates how a federal enforcement action can flow from a state regulatory agency working with FinCEN – as well as just how long that process can take.  The Consent Order further illustrates that some BSA-covered institutions will operate with little to no day-to-day AML compliance until an exam occurs.

    Continue Reading FinCEN Issues Consent Order Against Card Club for “Fundamentally Unsound” AML Program

    On October 22, 2024, the U.S. Court of Appeals for the Second Circuit ruled that Türkiye Halk Bankası A.Ş. (“Halkbank”), owned by the Republic of Turkey, can be prosecuted for allegedly helping Iran evade U.S. sanctions and committing related money laundering and bank fraud.

    The court rejected Halkbank’s claim of immunity, stating that foreign state-owned companies are not protected from prosecution for commercial, non-governmental activities under U.S. common law. This decision allows U.S. prosecutors to pursue charges against Halkbank for allegedly laundering $20 billion of restricted funds through the use of money services businesses and front companies, coupled with the making of false statements to the U.S. Department of the Treasury regarding transactions with Iran to conceal the scheme.

    The Second Circuit’s ruling underscores a pivotal point: foreign state-owned corporations cannot claim blanket immunity from prosecution in the U.S. for commercial activities under either the common law or the Foreign Sovereign Immunities Act (“FSIA”).  This will be particularly true in cases involving charges of money laundering, which necessarily involve financial transactions.  Further, the alleged involvement of foreign government officials in the charged schemes will not bestow, standing alone, immunity from prosecution.

    Continue Reading Halkbank Faces Prosecution: U.S. Court of Appeals Denies Sovereign Immunity

    The Bank Policy Institute (“BPI”) has issued its comment on the Federal Functional Regulators’ (the OCC, the Board of Governors of the Federal Reserve System, the FDIC, and the National Credit Union Administration) notice of proposed rulemaking (“NPRM”) to modernize financial institutions’ anti-money laundering and countering terrorist financing (“AML/CFT”) programs (“Comment”). The agencies’ NPRM, on which we blogged here, is consistent with FinCEN’s similar and earlier AML/CFT modernization proposal (“FinCEN’s NPRM”), on which we blogged here (please also see our podcast on these regulatory proposals here). 

    The Comment, which generally tracks BPI’s earlier comment on FinCEN’s NPRM, is detailed and 23-pages long.  We only summarize it here.  The Comment is not a positive proponent of the NPRM and suggests significant changes.

    Broadly, the Comment initially asserts that “[t]he proposed rule will neither implement the intent of Congress in enacting the AML Act nor facilitate a risk-based approach to identifying and disrupting financial crime.”  Likewise, the Comment asserts that “[i]n practice, [bank] examiners are exactingly focused on technical compliance . . . rather than effectiveness.  This approach is utterly divorced from a focus on management of true risk.”  According to BPI, “the status quo examination oversight of [the AML/CFT] regime does not expressly instruct institutions to dedicate efforts to detecting suspected crime or engaging in innovation to this end—efforts that are surely foundational to the integrity of the banking and financial system.” 

    The Comment also fires a shot across the bow by suggesting the possibility of future litigation by stating – albeit in a footnote – that “BPI has significant concerns that the proposed rule does not align with the letter and spirit of the AML Act and provides for arbitrary procedural requirements that could render the rule vulnerable to challenge [under the Administrative Procedures Act].”

    The Comment then dives into the details. 

    Continue Reading Bank Policy Institute Critiques Notice of Proposed Rulemaking to Modernize AML/CFT Programs

    A Gesture Providing Limited Solace to a Now-Defunct Bank

    Riga, Latvia

    Six years ago, in early 2018, we blogged about the U.S. Department of the Treasury’s Financial Crimes Enforcement Network’s (“FinCEN’s”) designation of ABLV Bank, AS (“ABLV”), then the second-largest bank in Latvia, as a foreign financial institution “of primary money laundering concern” pursuant to Section 311 of the U.S.A. Patriot Act, on the stated grounds that ABLV had made money laundering a pillar of its business practices, had lax and non-existent risk mitigation and anti-money laundering (“AML”) policies, and facilitated, inter alia, transactions for individuals connected to entities involved in procurement or export of ballistic missiles by the North Korean regime. This designation effectively served to sever ABLV’s access to the U.S. financial system by restricting U.S. financial institutions from opening or maintaining correspondent accounts with or on behalf of ABLV.

    Last month, in an action without recent precedent, FinCEN announced that it had submitted a notice to the Federal Register withdrawing that designation. As laid out in more detail in the Notice of Withdrawal, FinCEN ascribed this reversal to “material subsequent developments” which have served to “mitigate[] the money laundering risks associated with ABLV.” Most significantly, in the wake of FinCEN’s 2018 designation, ABLV had its banking license withdrawn by the European Central Bank (“ECB”) on the basis of the ECB’s determination that the bank was failing. As a result, ABLV no longer functions as a depository institution, thus depriving it of the bulk of its utility in a money laundering scheme. More fundamentally, the bank as it existed in 2018 has been, essentially, dismantled: the Latvian government is supervising its irrevocable liquidation, and the authorities have brought criminal charges against its owners and senior management in connection with the bank’s previous illicit activities.

    This FinCEN action should not be seen as existing in a vacuum; in fact, it may be viewed as another in a series of steps by the U.S. to integrate the former Soviet republics more closely with the West’s financial system by promoting anti-corruption initiatives (a stated “core national security interest” of the Biden Administration) in the face of renewed efforts by Russia to expand its sphere of influence. FinCEN’s press release makes a point of “recogniz[ing] the notable progress made by the Government of Latvia to substantially strengthen its AML/CFT regime through a series of meaningful legal and regulatory reforms of its financial sector.” The message is clear – follow through on these reforms, clean up your problem institutions, and the U.S. will notice and respond accordingly.

    If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.