Ruling Could Influence FinCEN in Forthcoming Regulations Under the CTA

On November 22nd, an appeals court in Luxembourg issued a decision that highlights the tensions between anti-money laundering (“AML”) goals and privacy concerns, and could impact impending beneficial ownership regulations to be issued under the U.S. Corporate Transparency Act (“CTA”).  Specifically, the appeals court decided that the general public’s access to beneficial ownership information (“BOI”) interfered with the fundamental right of privacy granted under the Charter of Fundamental Rights of the European Union (“EU”).

Luxembourg Court Strikes Down Public Access to BO Database

In 2019, pursuant to an AML Directive to Member States of the EU, Luxembourg established a Register of Beneficial Ownership (“Register”) for information on beneficial owners of corporate entities. BOI provided by a corporate entity is generally available to regulators, law enforcement and financial institutions conducting due diligence on the corporate entity.  Further, some BOI from the Register is available publicly, including through the internet – but upon request from a beneficial owner, the administrator of the Register could place restrictions on the broad access of certain information of that beneficial owner.  To restrict public access, the beneficial owner must show that “access to [BOI] would expose the beneficial owner to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or otherwise legally incapable.”

A case was brought by two companies and their beneficial owners after the beneficial owners unsuccessfully requested that the administrator of the Register prevent public access to information concerning them. The Luxembourg district court found that the beneficial owners’ claims of privacy violations raised issues of fundamental rights under European law and sent questions to the appeals court for a preliminary ruling. As noted, the appeals court ruled that the general public’s access to BOI through the Register constituted a “serious interference” with the fundamental right of privacy granted under the Charter of Fundamental Rights of the European Union:

[I]n so far as the information made available to the general public relates to the identity of the beneficial owner as well as to the nature and extent of the beneficial interest held in corporate or other legal entities, that information is capable of enabling a profile to be drawn up concerning certain personal identifying data more or less extensive in nature depending on the configuration of national law, the state of the person’s wealth and the economic sectors, countries and specific undertakings in which he or she has invested.

In addition, it is inherent in making that information available to the general public in such a manner that it is then accessible to a potentially unlimited number of persons, with the result that such processing of personal data is liable to enable that information to be freely accessed also by persons who, for reasons unrelated to the [AML] objective pursued by that measure, seek to find out about, inter alia, the material and financial situation of a beneficial owner . . . . That possibility is all the easier when, as is the case in Luxembourg, the data in question can be consulted on the internet.

Furthermore, the potential consequences for the data subjects resulting from possible abuse of their personal data are exacerbated by the fact that, once those data have been made available to the general public, they can not only be freely consulted, but also retained and disseminated and that, in the event of such successive processing, it becomes increasingly difficult, or even illusory, for those data subjects to defend themselves effectively against abuse.

Importantly, when the appeals court balanced the right of privacy against the AML objectives of the Directive, it found that the AML objectives were critical enough to justify “even serious interferences with the fundamental rights enshrined in Articles 7 and 8 of the Charter.” Nonetheless, the appeals court found the public nature of the Register to reach beyond the AML objectives and tip the scale in favor of privacy rights. Luxembourg’s method of storing BOI, which required a person or entity to be able to demonstrate a legitimate interest in the information before it was disclosed, did not run afoul of European privacy rights. However, the appeals court found that there was insufficient AML benefit derived from allowing public access to the Register to justify such access.  Specifically, the appeals court noted that although “the general public’s access to information on beneficial ownership ‘can contribute’ to combating the misuse of corporate and other legal entities and [public access] ‘would also help’ criminal investigations, it must be found that such considerations are also not such as to demonstrate that [public access] is strictly necessary to prevent money laundering and terrorist financing.”

Privacy Implications for FinCEN and the CTA

As we have blogged, the Financial Crimes Enforcement Network (“FinCEN”) has issued a final rule regarding the BOI reporting requirements pursuant to the CTA. The Final Rule will require millions of corporate entities registered to do business in the United States to report their BOI to FinCEN. While FinCEN and AML watchdog groups view this development as a “historic step in support of U.S. government efforts to crack down on illicit finance and enhance transparency,” there are also those who are concerned with the privacy risks involved in housing BOI in a government database.  FinCEN still needs to issue further regulations under the CTA, including as to how the BOI data base will be maintained and accessed.

The CTA itself addresses privacy concerns in several ways, and does so in a manner that is dramatically different than the AML Directive.  For example, BOI is only available to government agencies that send a written request, including a basis for the request, and is not generally available to the public. Within the Department of the Treasury specifically, access to beneficial ownership information is limited to officers and employees whose official duties require them to inspect the information and who have been appropriately trained and authorized. Overall, the CTA requires that FinCEN “maintain information security protections, including encryption, for information reported to FinCEN . . . . and ensure that the protections . . . prevent the loss of confidentiality, integrity, or availability of information that may have a severe or catastrophic adverse effect.”

One of the most telling aspects of the CTA’s intent to protect privacy are the penalties for unauthorized disclosure of information: up to $500 per day for each day the violation continues, and/or imprisonment for up to five years. These penalties actually outweigh the penalties under the CTA for not registering as a beneficial owner, or for providing false BOI: up to $500 per day for each day the violation continues, and/or imprisonment for up to two years.

As noted, FinCEN still must issue regulations on the creation and mechanics of the BOI database. Given the privacy protections baked into the CTA by Congress, FinCEN already will be required to craft regulations that strongly protect BOI and restrict access.  Even so, the recent decision in Luxembourg should put even more pressure on FinCEN to be careful.  Certainly, the decision will provide industry commentators to the forthcoming regulations with more ammunition.

New York Considers an Alternative Approach

In March 2022, New York proposed legislation that would require limited liability companies registered in the state to disclose the names and addresses of their beneficial owners to the New York Department of State. Contra the CTA, and more akin to the EU AML Directive, the proposed legislation contemplates a public database to house BOI – although the information available to the greater public would be limited to which LLCs share common ownership. The public database would not contain names or addresses of beneficial owners; rather, if someone wanted to request that information, they would need to submit a formal request to law enforcement, similar to the federal Freedom of Information Act (FOIA).

New York is the only state to propose this type of BOI database at the state level, and the legislative intent offers insight into why New York has a particular focus on BOI. One of the Democratic Senators who proposed the bill said that “[m]oney laundering, tax avoidance, evasion of sanctions, and systemic code violations have been protected for too long in New York by the veil of LLC anonymity. Sometimes tenants don’t even know who their landlord actually is.” Thus, while AML objectives are certainly relevant at the state level, the New York legislation also seeks to address non-AML concerns, such as providing information to tenants and watchdog groups on otherwise unknown landlords who may be contributing to the deterioration of neighborhoods.


In the three approaches reflected by the EU AML Directive, the CTA and the proposed New York legislation, there is a balancing act between collecting and allowing access to BOI in order to fight money laundering and terrorist financing, and protecting privacy rights enshrined in our foundational legal texts like the EU Charter or U.S. Constitution. Beyond those considerations, this spectrum of privacy approaches raises the question of how global AML programs and requirements can be implemented with maximum consistency.  Finally, looming over all of the government-maintained BOI databases is the specter of data breaches and cyber attacks, which threaten not only the individuals whose BOI is affected, but the government agencies themselves.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

The Office of Foreign Assets Control (“OFAC”) announced (here and here) yesterday that virtual currency exchange Payward, Inc. – better known as Kraken – has agreed to pay $362,158.70 in order to settle its potential civil liability for apparent violations of the sanctions against Iran. Kraken also has agreed to invest an additional $100,000 in certain sanctions compliance controls.  According to OFAC, “[d]ue to Kraken’s failure to timely implement appropriate geolocation tools, including an automated internet protocol (IP) address blocking system, Kraken exported services to users who appeared to be in Iran when they engaged in virtual currency transactions on Kraken’s platform.” 

Compared to OFAC’s recent settlement with Bittrex, which agreed to pay a total of $29,280,829.20 to OFAC and the Financial Crimes Enforcement Network (“FinCEN”) in order to resolve allegations of sanctions and Bank Secrecy Act violations, the settlement amount is relatively low – and, as OFAC noted in its announcement, Kraken faced an astronomical statutory maximum civil monetary penalty of $272,228,964.  OFAC has stated that “[t]he settlement amount reflects OFAC’s determination that Kraken’s apparent violations were non-egregious and voluntarily self-disclosed.”

Continue Reading Kraken Settlement Demonstrates Importance of Sanctions Monitoring for Transactions — Not Just When Onboarding Customers

In our last post discussing the new regulations issued under the Corporate Transparency Act (“CTA”), we suggested that “time will tell whether industry groups will launch lawsuits challenging the Final Rule.”  That time has apparently come: on November 15, 2022, the National Small Business Association (“NSBA”) filed a complaint (“Complaint”) challenging the reporting requirements set forth in the CTA and the accompanying regulations issued by the Financial Crimes Enforcement Network (“FinCEN”). 

The Complaint names Treasury Secretary Janet Yellen, the U.S. Treasury Department, and FinCEN Acting Director Himamauli Das as defendants. 

This post describes the allegations made in the Complaint and offers some commentary on its merits. Spoiler: while the Complaint’s allegations that the CTA will impose significant burdens on reporting entities are well-taken, its constitutional claims largely face an uphill battle.  Rather than attacking the potential, narrow legal grounds suggested in our last blog post – did the CTA really authorize FinCEN to require covered businesses to report as a beneficial owner more than just one person with “substantial authority” – the NSBA instead has launched a constitutional broad side.

Continue Reading Small Business Interest Group Challenges CTA’s Constitutionality

Today we are very pleased to welcome, once again, guest blogger Dr. Kateryna Boguslavska of the Basel Institute on Governance (“Basel Institute”), who will discuss the Basel Institute’s recent release of the Basel AML Index for 2022 (the “Index”). The data-rich annual Index is a research-based ranking that assesses countries’ risk exposure to money laundering and terrorist financing. It is one of several excellent online tools developed by the Basel Institute to help both public- and private-sector practitioners tackle financial crime.  We are excited to continue this annual dialogue between the Basel Institute and Money Laundering Watch.

Established in 2003, the Basel Institute, an Associated Institute of the University of Basel, is a not-for-profit Swiss foundation dedicated to working with public and private partners around the world to prevent and combat corruption. The Institute’s work involves action, advice and research on issues including anti-corruption collective action, asset recovery, corporate governance and compliance, and more.

Dr. Kateryna Boguslavska is Project Manager for the Basel AML Index at the Basel Institute. A political scientist, she holds a PhD in Political Science from the National Academy of Science in Ukraine, a master’s degree in Comparative and International Studies from ETH Zurich as well as a master’s degree in Political Science from the National University of Kyiv-Mohyla Academy in Ukraine. Before joining the Basel Institute, Dr. Boguslavska worked at Chatham House in London as an Academy Fellow for the Russia and Eurasia program.

This blog post again takes the form of a Q & A session, in which Dr. Boguslavska responds to several questions posed by Money Laundering Watch about the Basel AML Index 2022. We hope you enjoy this discussion of global money laundering risks — which addresses enforcement, virtual assets, environmental crime, AML for lawyers, how the U.S. is performing, and more.  –Peter Hardy

Continue Reading The Basel AML Index 2022: One Step Forward, Four Steps Back. A Guest Blog.

Report Previews Potential Implications for the United States

The European Commission (“Commission”) recently released its 2022 Supranational Risk Assessment Report (“SNRA Report”) to the European Parliament and Counsel regarding the “risk of money laundering and terrorist financing affecting the internal market and relating to cross-border activities.”  The SNRA Report analyzes, on a broad scale, money laundering and terrorism financing risks and proposes a plan of action to address them.  The Report also examines more specifically “sectors or products where relevant changes have been detected.” 

The SNRA Report flags the “Gambling Sector” as a “high risk” area of Anti-Money Laundering (“AML”) and Countering the Financing of Terrorism (“CFT”) concern, with a particular focus on online gambling.  According to the Commission, online gambling presents a particularly high AML/CFT risk due to factors such as “the non-face-to face element, [and] huge and complex volumes of transactions and financial flows.”  The potential use of e-money and virtual currencies, as well as the emergence of unlicensed online gambling sites, exacerbates this risk.

As the European Union (“EU”) considers how to tackle the potential risks of online gambling, the United States is simultaneously grappling with the rapid expansion of online gambling and online sports betting in particular.  Before May 2018, when the Supreme Court struck down a 1992 federal law that effectively banned commercial sports betting in most states, Nevada was the only state with legalized sports betting in the United States.  Although California ballot Proposition 27, which would have legalized online and mobile sports betting in California, failed to pass during last week’s national and state elections, more than 30 states still have legalized some form of sports betting, and there is politial pressure to continue to expand online gambling and other forms of gaming.  As Americans jockey for the immense potential receipts that the expansion of online gambling can bring, it may be worth taking a page out of the EU’s book in order to consider the potential money laundering and terrorist financing risks that can accompany it.

Continue Reading European Commission Highlights Online Gambling’s Money Laundering Risks

The “Highlights” — To Russia, With Crypto

The Financial Crimes Enforcement Network (“FinCEN”) issued on November 1 a Financial Trend Analysis regarding ransomware-related Bank Secrecy Act (“BSA”) filings during the second half of 2021 (the “Report”).  This publication follows up on a similar ransomware trend analysis issued by FinCEN regarding the first half of 2021, on which we blogged here.  

In the most recent analysis, FinCEN found that both the number of ransomware-related Suspicious Activity Reports (“SAR”) filed, and the dollar amounts at issue, nearly tripled from 2020 to 2021.  The notable takeaways from the Report include:

  • Ransomware-related SARs were the highest ever in 2021 (both in number of SARs and in dollar amounts of activity reported).
  • Ransomware-related SARs reported amounts totaling almost $1.2 billion in 2021.
  • Approximately 75% of ransomware-related incidents between June 2021 and December 2021 were connected to Russia-related ransomware variants.

The Report, which stated that the majority of these ransomware payments were made in Bitcoin, serves as a particular reminder to cryptocurrency exchanges of their role in both identifying and reporting ransomware-related transactions facilitated through their platforms.  The Report stresses that SAR filings play an essential role in helping FinCEN identify ransomware trends.

Continue Reading FinCEN Reports Staggering Increase in Reported Ransomware Attacks

On October 19, 2022, the U.S. Attorney’s Office for D.C., on behalf of the Financial Crimes Enforcement Network (“FinCEN”), filed a civil complaint against Larry Dean Harmon (“Harmon”), seeking $60 million in civil penalties for alleged violations of the Bank Secrecy Act (“BSA”) in connection with Harmon’s involvement in now-defunct cryptocurrency services Helix and Coin Ninja LLC.  The complaint seeks to obtain a judgment on FinCEN’s 2020 Assessment of Civil Money Penalty against Harmon (“Assessment”), which is attached to the complaint and includes a detailed statement of facts.

As we have blogged, Harmon previously pled guilty to operating an unlicensed money transmitter business.  Harmon’s sentencing hearing in the criminal case has been continued, and he reportedly has been attempting to cooperate with the government.  It appears that the civil complaint may represent something of a formality:  it seeks to reduce the assessment against Harmon to an actual civil judgment, upon which the government can collect in theory, in anticipation of Harmon’s criminal sentencing and any potential additional matters in which he may attempt to cooperate.

According to the complaint, starting in 2014, Harmon operated Helix, a bitcoin “mixing” service, which Harmon allegedly advertised explicitly as a way for customers to conceal their identities from the government.  The statement of facts attached to the Assessment alleged that Harmon “publicly advertised Helix on Reddit forums dedicated to darknet marketplaces, actively seeking out and facilitating high-risk transactions directly through customer service and feedback.”  Such “mixing” services – designed to maximize anonymity – increasingly have drawn the ire of the government, as reflected by the recent and controversial action by the Office of Foreign Assets Control to sanction virtual currency “mixer” – or passive technology – Tornado Cash.  

Continue Reading DOJ Files Lawsuit for $60 Million in Civil Penalties for Alleged BSA Violations by Crypto “Mixer”

FinCEN announced yesterday that, once again, it is extending the Geographic Targeting Order, or GTO, which requires U.S. title insurance companies to identify the natural persons behind so-called “shell companies” used in purchases of residential real estate not involving a mortgage.  FinCEN also has expanded slightly the reach of the GTOs.

The new GTO is here.  FinCEN’s press release is here.  FAQs issued by FinCEN on the GTOs are here.  This is a topic on which we previously have blogged extensively.

The terms of the new GTO are effective beginning October 27, 2022, and ending on April 24, 2023.   The only change is that FinCEN has expanded the coverage of the GTO to counties encompassing the Texas cities of Houston and Laredo.  The effective period of the GTOs for purchases in these newly added areas begins on November 25, 2022.  The GTO will continue to cover certain counties within the following major U.S. metropolitan areas:  Boston; Chicago; Dallas-Fort Worth; Honolulu; Las Vegas; Los Angeles; Miami; New York City; San Antonio; San Diego; San Francisco; Seattle; parts of the District of Columbia, Northern Virginia, and Maryland (DMV) metropolitan area, the Hawaiian islands of Maui, Hawaii, and Kauai, and Fairfield County, Connecticut.  The purchase amount threshold remains $300,000 for each covered metropolitan area, with the exception of the City and County of Baltimore, where the purchase threshold is $50,000.

The GTO continuation and expansion is not occurring in a regulatory vacuum.  FinCEN issued on December 6, 2021 an Advanced Notice of Proposed Rulemaking (“AMPRM”) to solicit public comment on potential requirements under the Bank Secrecy Act for certain persons involved in real estate transactions to collect, report, and retain information.  As we have blogged, the ANPRM envisions imposing nationwide recordkeeping and reporting requirements on specified participants in transactions involving non-financed real estate purchases, with no minimum dollar threshold. 

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.  Please also check out our detailed chapter on these issues, The Intersection of Money Laundering and Real Estate,

Actions Highlight Risky Mix of Sanctions Law, Inadequate Transaction Monitoring and Dealing with Anonymity-Enhanced Cryptocurrencies

The Office of Foreign Assets Control (“OFAC”) and the Financial Crimes Enforcement Network (“FinCEN”) announced on October 11 simultaneous settlements with Bittrex, Inc. (“Bittrex”), a virtual currency exchange and hosted wallet provider. Under the OFAC settlement, Bittrex has agreed to pay $24,280,829.20 to settle its potential civil liability for 116,421 alleged violations of multiple sanctions programs. Under the FinCEN consent order, Bittrex agreed to pay a civil penalty of $29,280,829.20 for alleged anti-money laundering (“AML”) violations under the Bank Secrecy Act (“BSA”). FinCEN has agreed to credit Bittrex’s payment to OFAC against its penalty because it found that the alleged BSA violations “stem from some of the same underlying conduct”; thus, Bittrex’s total payments to the two regulators come to $29,280,829.20. 

According to the Department of the Treasury dual press release, the two settlements represent the first parallel enforcement actions by FinCEN and OFAC in the virtual currency and sanctions space. Also, it is OFAC’s largest virtual currency enforcement action to date. To further highlight the importance of the settlements, the press release quotes the OFAC Director Andrea Gacki and FinCEN Acting Director Himamauli Das, both sternly warning operators in the same environment as Bittrex to implement effective AML compliance and sanction screening programs.

It is conceivable that Bittrex, for years now, has been on notice that federal and state regulators are closely watching and expecting more comprehensive risk assessment programs and procedures from businesses transacting with virtual currency. As we previously blogged here, in 2019 the New York Department of Financial Services (“NYDFS”) denied Bittrex’s application for a Bitlicense, citing: “deficiencies in Bittrex’s BSA/AML/OFAC compliance program; a deficiency in meeting the Department’s capital requirement; and deficient due diligence and control over Bittrex’s token and product launches.”  In its letter denying Bittrex’s application, NYDFS set forth in detail the deficiencies it found in Bittrex’s BSA/AML/OFAC compliance program, noting that Bittrex’s compliance policies and procedures “are either non-existent or inadequate.”

As we will discuss, the FinCEN consent order highlights Bittrex’s alleged failure to address adequately the overall risk environment in which it operated, including transactions involving anonymity-enhanced cryptocurrencies, or AECs.  The consent order also highlights two repeated themes in enforcement actions: lack of adequate compliance staff, and a seemingly robust written compliance policy that was not matched by an effective day-to-day transaction monitoring system.

Continue Reading OFAC and FinCEN Settle with Bittrex in Parallel Virtual Currency Enforcements

With Guest Speaker Matthew Haslinger of M&T Bank

We are extremely pleased to offer a podcast (here) on the legal and logistical issues facing financial institutions as they implement the regulations issued by the Financial Crimes Enforcement Network (FinCEN) pursuant to the Anti-Money Laundering Act of 2020 (AMLA) and the Corporate Transparency Act (CTA), and as they try to anticipate future related regulations.

We are very fortunate to have Matthew Haslinger as our guest speaker.  Mr. Haslinger serves as the Chief BSA/AML/OFAC Officer for M&T Bank.  He began his career as a federal prosecutor in the Bank Integrity Unit of the U.S. Department of Justice’s Money Laundering and Asset Recovery Section, where he investigated and prosecuted complex national and international money laundering and sanctions-related matters.  Mr. Haslinger then moved to M&T Bank, where he initially headed the Financial Investigations Unit and was responsible for day-to-day operations and strategic decision-making relating to enterprise-wide transaction monitoring, customer investigations and suspicious activity report filing for the bank.  In July 2020, he became the Chief BSA/AML Officer.  In this role, Mr. Haslinger is now responsible for oversight, implementation, and strategic direction of the enterprise-wide programs for Bank Secrecy Act (BSA), Anti-Money Laundering (AML) and Governmental Sanctions compliance.

In this podcast, we dive into the historic changes made by the AMLA and the CTA.  After reviewing how the AMLA expands the BSA’s goals, we look at some of the AMLA provisions which have the most impact on BSA compliance, including the AMLA’s emphasis on information sharing, FinCEN’s “national priorities” and the value of threat pattern and trend information to bank compliance efforts, and the AMLA’s expansion of the U.S. government’s authority to subpoena information from foreign financial institutions that maintain correspondent banking relationships with U.S. banks. We also review the CTA’s new beneficial ownership reporting requirements and discuss how they may interact with existing customer due diligence (CDD) requirements and the need to align CTA and CDD regulations.

This podcast is the latest episode in Ballard Spahr’s Consumer Financial Monitor Podcast series — a weekly podcast focusing on the issues that matter most, from new product development and emerging technologies to regulatory compliance and enforcement and the ramifications of private litigation.  We hope that you enjoy the podcast.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. To learn more about Ballard Spahr’s Anti-Money Laundering Team, please click here.  To visit Ballard Spahr’s Consumer Financial Monitor blog, please click here.