In its first use of Section 9714(a) of the Combating Russian Money Laundering Act, the Financial Crimes Enforcement Network (“FinCEN”) issued a notice of enforcement order (the “Order”) on January 18, 2023 against the cryptocurrency exchange Bitzlato Limited (“Bitzlato”), which has operated globally and is registered in Hong Kong.  The Order was issued in conjunction with the Department of Justice’s (“DOJ”) arrest of Bitzlato’s founder, Russian national Anatoly Legkodymov.  Bitzlato has processed over four billion dollars in cryptocurrency transactions since 2018.  According to the government, a substantial portion of those transactions involved criminal proceeds.

Legkodymov, who resided in China until his arrest in the United States, has been charged initially, via complaint and warrant, with conducting an unlicensed money-transmitting business under 18 U.S.C. § 1960, although the allegations against Bitzlato appear to extend far beyond mere unlicensed money transmission. Both the Order and the lengthy affidavit in support of the complaint stress that Bitzlato openly touted its intentional lack of any sort of real anti-money laundering (“AML”) program.  For example, “Bitzlato’s website advertised for years (and as recently as March 31, 2022) that the site offered ‘Simple Registration without KYC.  Neither selfies nor passports required.  Only your email needed.’  Similarly, a blog post on Bitzlato’s website stated:  ‘On Bitzlato no KYC is required for you to trade.’”

This post will focus on FinCEN’s Order, which identifies Bitzlato as a “primary money laundering concern,” and prohibits certain money transmission involving Bitzlato by covered financial institutions.  The Order also highlights the threats posed to U.S. national security and the integrity of the U.S. financial sector by Bitzlato’s active facilitation of laundering of Russian illicit finance. However, FinCEN’s press release makes clear that Bitzlato is just one part of a larger ecosystem of Russian cybercriminals, including ransomware attackers, operating with impunity in Russia.

Continue Reading FinCEN Issues Enforcement Order Against Crypto Exchange Bitzlato in First-Time Use of Section 9714(a)

The Financial Crimes Enforcement Network (FinCEN) issued on January 13, 2023 an alert (the “Alert”) to financial institutions regarding the detection of financial activity related to human smuggling along the U.S. southwest border (“SW border”). The Alert builds upon FinCEN’s prior 2020 and 2014 human smuggling and human trafficking advisories in order to provide trends and typologies specifically related to human smuggling along the SW border. It also provides red flag indicators regarding transactions potentially related to human smuggling.

The Alert effectively lays out the breadth of the problem.  Effectively detecting and reporting human smuggling and trafficking, however, can be difficult, given the extensive use of cash.

Continue Reading FinCEN Issues Alert on Human Smuggling and Trafficking Along the Southwest Border:  Methodologies, Typologies and Red Flags

Factual Statement Is a Tale of Whistleblowing, High-Risk Customers, and Misleading U.S. Banks

Earlier this month, Danske Bank was sentenced in the Southern District of New York to three years of probation and forfeiture of $2.059 billion.  The sentencing capped a tumultuous and global scandal that became public several years ago, as the enormous scope of the bank’s anti-money laundering (“AML”) compliance problems emerged:  several hundred billion in suspicious transactions allegedly were processed over time at the bank’s former Estonian branch.  As a result of the sentencing, Danske Bank was ordered to make an actual payment of $1,209,062,646; the bank received credit for the rest of the forfeiture amount on the basis of a $178.6 million payment to the Securities and Exchange Commission and a $672.3 million payment to Denmark authorities.

Danske Bank was charged not with violating the Bank Secrecy Act (“BSA”), but rather with bank fraud.  According to the press release issued in December 2022  by the Department of Justice (“DOJ”) at the time of the bank’s plea, the bank had “defrauded U.S. banks regarding Danske Bank Estonia’s customers and [AML] controls to facilitate access to the U.S. financial system for Danske Bank Estonia’s high-risk customers, who resided outside of Estonia – including in Russia.”  The DOJ’s choice to charge bank fraud presumably was predicated upon issues relating to U.S. jurisdiction and the actual applicability of the BSA to Danske Bank and activities in Estonia – but the heart of the criminal case is that Danske Bank allegedly hid its own AML failures from three U.S. banks, thereby thwarting the U.S. banks’ own AML programs and compliance with the BSA.

The plea agreement contains a lengthy statement of facts full of eye-catching allegations.  As we describe, it sets forth a tale of intentional and sometimes brazen misconduct by Estonian branch employees, coupled with lax oversight and implicit approval, or at least tolerance, of such conduct by some people in upper management.  Further, it involves another example of a financial institution, in the eyes of law enforcement and regulators, over-valuing profit and under-valuing compliance systems.  The case also highlights, again, the potential risks associated with correspondent bank accounts held by non-U.S. banks, the importance of having fully integrated and coordinated monitoring systems, and the potential role of whistleblowers.

Finally, this saga is not necessarily over entirely.  Danske Bank is subject to three years of probation.  The plea agreement requires numerous compliance commitments by the bank, including signed certificates of compliance and self-reporting of potential AML failures.  Danske Bank’s troubles also have involved lawsuits brought by investors claiming to have been defrauded, although the bank has had success in fending off these actions (see here, here and here).

Continue Reading SDNY Sentences Danske Bank in Massive AML Scandal

Form Repeatedly Invites Response of “Unknown” As to Critical Information

The Financial Crimes Enforcement Network (“FinCEN”) has issued a notice and request for comment (“Notice”) on the proposed form to collect and report to FinCEN the beneficial ownership information (“BOI”) for entities covered by the Corporate Transparency Act (“CTA”).  We have blogged extensively on the CTA and FinCEN’s final and proposed regulations (here, here and here), and will not repeat our analysis of these regulations – other than to note that the stated primary goal of the CTA was to enable law enforcement and regulators to obtain information on the “real” beneficial owners of so-called “shell companies,” including foreign entities registered in the United States, in order to “crack down” on the misuse of such companies for potential money laundering, tax evasion and other offenses.

The Notice dutifully references the Paperwork Reduction Act and walks the reader through FinCEN’s various (very) detailed estimates of hours to be spent on compliance by filers.  But, the Notice then sets forth – without any comment or analysis – the actual proposed reporting form (“Form”), on which we focus here.  Because the Federal Register is not always user friendly, we have created this separate document clearly setting forth the Form and its questions.

As other commentators have observed (for example, see the comment by Jim Richards to FinCEN regarding the Form, here), the Form seemingly provides its filers with opportunities to avoid the statutory dictates of the CTA by not actually answering any of the core questions for beneficial owners and company applicants, and instead simply stating that required information is “unknown” or not available.  This includes basic information under the CTA regarding names, addresses and other identifying information.  This problem appears to be an oversight by FinCEN.  Perhaps, it is a function of the fact that the CTA did not address the issue of good-faith filers encountering difficulty in obtaining complete information – which is a legitimate and real-world issue.  Although this situation is arguably analogous to sections of the Suspicious Activity Report form where a filer can put “N/A” for some “critical” fields, this situation seems distinguishable, because the filer of the CTA Form presumably should have direct access to BOI information, as opposed to a financial institution filling out a SAR regarding a third party.

Thus, the Form appears to invite, unwittingly, widespread game-playing by bad actors, both in the U.S. and abroad, who may claim that key BOI, unfortunately, just could not be attained.  Nor does the Form ask filers to describe the efforts made to obtain purportedly non-obtainable BOI.  Further, the Notice – just like other final and pending CTA regulations – does not discuss how to address filers who simply respond, “I don’t know” or “I can’t figure it out.” 

Given the fact that FinCEN estimates that over 30 million Forms will be filed in the first effective year of the CTA, it is easy to imagine that obfuscation by bad actors will be lost within the data haystack – a phenomenon on which bad actors can rely.  The Form also appears to not appreciate the practical problems that financial institutions (“FIs”) will face when they attempt to access the BOI database to verify information already provided to FIs by entity customers under the CDD Rule, and the entity customer has told FinCEN “I don’t know” on the Form.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch.  Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

As we have blogged (here, here, here, here and here), the Anti-Money Laundering Act of 2020 (“the AMLA”) amended the Bank Secrecy Act (“BSA”) to expand whistleblower incentives and strengthen whistleblower protections.  At a high level, the AMLA amended 31 U.S.C. § 5323 to provide that if the government recovers more than $1 million through an AML enforcement action, any qualifying whistleblower will receive a mandatory reward of up to 30% of the collected amount.  Although this amendment was heralded as a major change, whistleblower attorneys and watchdog groups bemoaned the fact that there was no guaranteed monetary floor for an award (i.e., it could be zero to 30%), and that Congress had not actually provided for funding of awards.

Congress addressed these perceived deficiencies by passing the “Anti-Money Laundering Whistleblower Improvement Act” (“the Act”), which was signed into law on December 29, 2022.  The Act presumably will motivate both would-be whistleblowers and the plaintiffs’ bar to pursue AML-related claims more vigorously, now that Congress has sweetened the pot.

First, the Act entitles whistleblowers to an award of between 10 and 30 percent of the value of “monetary sanctions” above $1 million collected as a result of an enforcement action (importantly, “monetary sanctions” do not include forfeiture).  For “related actions” in which the whistleblower may be paid by another whistleblower award program for his or her information, awards can dip below these percentages.

Second, the Act creates a “Financial Integrity Fund” to pay for whistleblower awards, which can hold up to $300 million.  The Department of Treasury can administer this fund independently of Congress, without the need for legislative appropriation.  The Fund will receive monetary sanctions collected by the Secretary of the Treasury or the Attorney General through BSA enforcement, or through enforcement of certain provisions of the International Emergency Economic Powers Act, the Trading with the Enemy Act, and the Foreign Narcotics Kingpin Designation Act.

As we have blogged, the Acting Director of the Financial Crimes Enforcement Network (“FinCEN”) has emphasized the fact that FinCEN recently created an “Office of the Whistleblower,” hired “key personnel” to build and supervise the whistleblower program, and now accepts whistleblower tips while FinCEN develops a “more formal” system.  Moreover, FinCEN is drafting proposed regulations to implement the AMLA’s whistleblower provisions.

The potential importance of AML whistleblowers is highlighted by the recent guilty plea entered by Danske Bank in the Southern District of New York to bank fraud, based on alleged AML failures.  This massive case arose because of concerns raised by former Danske Bank employee and whistleblower Howard Wilkinson.  Danske Bank was sentenced yesterday to forfeiture of $2 billion and three years of probation, with the bank to receive credit for $851 million in combined prior monetary penalties paid to the SEC and Danish criminal authorities.  Ironically, the Act would not provide for a whistleblower award based on the forfeiture payment by Danske Bank.


The Federal Reserve Board, Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency have issued a joint statement on crypto-asset risks to banking organizations.  The term “crypto-asset” refers to any digital asset implemented using cryptographic techniques.

The statement begins with the agencies’ observations that “[t]he events of the past year have been marked by significant volatility and the exposure of vulnerabilities in the crypto-asset sector” and that “[t]hese events highlight a number of key risks associated with crypto-assets and crypto-asset sector participants that banking organizations should be aware of.”  These observations are followed by descriptions of key risks associated with crypto-assets and the crypto-asset sector.

Highlighting the importance of insulating the banking system from risks related to the crypto-asset sector that cannot be mitigated or controlled, the agencies state that they “continue to take a careful and cautious approach related to current or proposed crypto-asset-related activities and exposures at each banking organization.”  While affirming that “[b]anking organizations are neither prohibited nor discouraged from providing banking services to customers of any specific class or type, as permitted by law or regulation,” the agencies also state that they “are continuing to assess whether or how current and proposed crypto-asset-related activities by banking organizations can be conducted in a manner that adequately addresses safety and soundness, consumer protection, legal permissibility, and compliance with applicable laws and regulations, including anti-money laundering and illicit finance statutes and rules.”  They identify “issuing or holding as principal crypto-assets that are issued, stored, or transferred on an open, public, and/or decentralized network, or similar system” as “highly likely” to be inconsistent with safe and sound banking practices and indicate that they also have “significant” safety and soundness concerns “with business models that are concentrated in crypto-asset-related activities or have concentrated exposures to the crypto-asset sector.”

The agencies note that each of them has developed a process for banking organizations to “engage in robust supervisory discussions regarding proposed and existing crypto-asset-related activities.”  Banks are advised to “ensure that crypto-asset-related activities can be performed in a safe and sound manner, are legally permissible, and comply with applicable laws and regulations, including those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive, or abusive acts or practices).”  They are also advised to “ensure appropriate risk management, including board oversight, policies, procedures, risk assessments, controls, gates and guardrails, and monitoring, to effectively identify and manage risks.”


The Financial Crimes Enforcement Network (“FinCEN”) issued on December 22 a Financial Trend Analysis regarding Bank Secrecy Act (“BSA”) filings during the period of March to October 2022 (the “Report”) reflecting financial activity by Russian oligarchs around the time of Russia’s unprovoked military invasion of Ukraine. This publication also refers to three prior alerts issued by FinCEN highlighting red flags on Russian oligarchs, high-ranking officials, and sanctioned individuals, on which we blogged here, here, and here.  FinCEN published the Report pursuant to the Anti-Money Laundering Act’s requirement that FinCEN periodically publish threat pattern and trend information derived from BSA filings.

Overall, FinCEN found that BSA data filed on financial transactions of Russian oligarchs, high-ranking officials, sanctioned individuals, and their family members in 2022 showed transactional patterns indicative of corruption and sanctions evasion, including:

  • the movement or transfer of funds or ownership of assets and trusts;
  • the purchase of high-value goods or property; and
  • changes in financial flows with links to property or companies in the United States.
Continue Reading Russian Oligarchs and Suspicious Financial Flows: A FinCEN Analysis

Farewell to 2022, and welcome 2023.  As we do every year, let’s look back.

We highlight 12 of our most-read blog posts from 2022, which address many of the key issues we’ve examined during the past year: the Corporate Transparency Act (“CTA”) and beneficial ownership reporting; sanctions — particularly sanctions involving Russia; cryptocurrency and digital assets; BSA/AML compliance and its tension with de-risking; and implementation of the AML Act:

We now move on to 2023.  This year also will be an important and interesting year for BSA/AML and money laundering issues: criminal and civil enforcement cases continue to unfold across industries, crypto is undergoing intense scrutiny, and FinCEN must issue final regulations under the CTA and AML Act — and, possibly, as to the real estate industry.  We look forward to keeping you informed throughout 2023 on these and other developments.

We also want to thank our many readers around the world who continue to make this blog such a success. The feedback we receive from financial industry professionals, compliance officers, in-house and external lawyers, BSA/AML consultants, government personnel, journalists, and others interested in this field is invaluable, and we hope you will continue to share your perspectives with us.  We pride ourselves on providing in-depth discussions of the important developments in this ever-evolving area.


A Deep Dive Into FinCEN’s Latest Proposals Under the CTA

On December 16, the Financial Crimes Enforcement Network (“FinCEN”) issued a 54-page notice of proposed rulemaking (“NPRM”) regarding access by authorized recipients to beneficial ownership information (“BOI”) that will be reported to FinCEN under the Corporate Transparency Act (“CTA”).  The CTA requires covered entities – including most domestic corporations and foreign entities registered to do business in the U.S. – to report BOI and company applicant information to a database created and run by FinCEN upon the entities’ creation or registration within the U.S.  This database will be accessible by U.S. and foreign law enforcement and regulators, and to U.S. financial institutions (“FIs”) seeking to comply with their own Customer Due Diligence (“CDD”) compliance obligations, which require covered FIs to obtain BOI from many entity customers when they open up new accounts.

In regards to this NPRM, FinCEN’s declared goal is to ensure that

(1) only authorized recipients have access to BOI; (2) authorized recipients use that access only for purposes permitted by the CTA; and (3) authorized recipients only redisclose BOI in ways that balance protection of the security and confidentiality of the BOI with furtherance of the CTA’s objective of making BOI available to a range of users for purposes specified in the CTA.

Further, FinCEN has indicated that, “[c]oincident with the protocols described in this NPRM, FinCEN is working to develop a secure, non-public database in which to store BOI, using rigorous information security methods and controls typically used in the Federal government to protect non-classified yet sensitive information systems at the highest security levels.”

The comment period for the NPRM is 60 days.  The NPRM proposes an effective date of January 1, 2024, consistent with when the final BOI reporting rule at 31 C.F.R. § 1010.380 becomes effective.  The proposed BOI access regulations will be set forth separately at 31 C.F.R. § 1010.955, rather than existing 31 C.F.R. § 1010.950, which governs the disclosure of other Bank Secrecy Act (“BSA”) information.

This NPRM relates to the second of three sets of regulations which FinCEN ultimately will issue under the CTA.  As we have blogged (here and here), FinCEN already has issued regulations regarding the BOI reporting obligation itself.  FinCEN still must issue proposed regulations on “reconciling” the new BOI reporting regulations and the existing CDD regulations applicable to covered FIs for obtaining BOI from their own entity customers.

As we discuss, the lengthy NPRM suggests answers to some questions, but it of course also raises other questions.  Although domestic and even foreign government agencies will have generally broad access to the BOI database, assuming that they satisfy various requirements, the NPRM’s proposed access for FIs to the BOI database is relatively limited.

Continue Reading Privacy, Cybersecurity and Access to Beneficial Ownership Information:  FinCEN Issues Notice of Proposed Regulations Under the Corporate Transparency Act

On December 15, 2022, the New York Department of Financial Services (“NYDFS”) published an Industry Letter detailing the Department’s guidance regarding banking organizations that wish to engage in virtual currency-related activities. Specifically, while the guidance reminds New York banking organizations, branches, and agencies of foreign banking organizations licensed by the Department (together, “Covered Institutions”) of the preexisting obligation to seek approval from the Department before engaging in new or significantly different virtual currency-related activity, the guidance describes the process and types of information that the Department considers relevant to its approval process.  The guidance is effective as of December 15, 2022, and was accompanied by a press release from NYDFS’ Superintendent Adrienne A. Harris.

For the purposes of the Industry Letter, “virtual currency-related activity” includes “all ‘virtual currency business activity,’ as that term is defined in 23 NYCRR § 200.2(q), as well as the direct or indirect offering or performance of any other product, service, or activity involving virtual currency that may raise safety and soundness concerns for the Covered Institution or that may expose New York customers of the Covered Institution or other users of the product or service to risk of harm.”  As we will discuss, any Covered Institution seeking NYDFS approval should focus in part on addressing the Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) and Office of Foreign Assets Control (“OFAC”)-related risks posed by the virtual currency-related activity.

Continue Reading NYDFS Releases Virtual Currency Guidance for Banking Organizations