Compliance Program

Subscribe to Compliance Program

The Office of the Comptroller of the Currency (“OCC”) entered into a Consent Order (available here) with Anchorage Digital Bank (“Anchorage”), which requires Anchorage to create a compliance committee and take steps to remediate alleged shortcomings with respect to the implementation and effectiveness of Anchorage’s Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) program.  Notably, Anchorage will pay no civil penalty.

Anchorage is not any regular entity overseen by the OCC:  it is a cryptocurrency custodian.  As we will discuss, the timing of the Consent Order indicates that even when regulators permit crypto activities by financial institutions, they remain cautious, particularly as to BSA/AML compliance.  The OCC’s actions send a clear message that regulated entities offering emerging technology financial services must adhere to the same BSA/AML monitoring and reporting requirements as more traditionally regulated entities.
Continue Reading  OCC Targets BSA/AML Compliance by Anchorage Digital Bank – Only 15 Months After Granting National Trust Bank Charter to the Crypto Custodian

Consent Order Stresses that Only Three AML Analysts Struggled to Review 100 “Alerts” Per Day, Each – and Notes in Passing that “Outside Examiners” Blessed the Bank’s AML Program for the Same Five Years that the Bank Allegedly Maintained a Willfully Deficient Program

On December 16, 2021, the Financial Crimes Enforcement Network (“FinCEN”) entered into a Consent Order with CommunityBank of Texas, N.A. (“CBOT”), in which CBOT admitted to major shortcomings with respect to the implementation and effectiveness of its anti-money laundering (“AML”) program. The monetary penalties imposed on CBOT are substantial: FinCEN assessed an $8 million penalty, although CBOT will receive credit for a separate $1 million penalty to be paid to the Office of the Comptroller of the Currency (“OCC”).

The Consent Order, available here, offers valuable insight into FinCEN’s reasoning for its enforcement actions.  According to the Consent Order, CBOT has a regional footprint and operates several branches in Texas.  It serves small and medium-sized businesses and professionals.  And, in the “back of the house,” CBOT established a typical AML system designed to detect and escalate alerts for suspicious activity for investigation and potential filing of Suspicious Activity Reports (“SARs”). However, FinCEN alleged that over a period of at least four years, CBOT “willfully” failed to effectively implement its AML, program, leading to a failure to file SARs and otherwise detect specific suspicious activity.  As detailed below, many of the alleged shortcomings of CBOT’s AML program flowed from a lack of compliance resources and personnel between 2015 and 2019: too few analysts were assigned to review and investigate potentially suspicious transactions, and as a result, downstream investigations and due diligence suffered, including an alleged failure to file at least 17 specific SARs.

Because the detailed Consent Order offers a somewhat rare opportunity to glean FinCEN’s reasoning behind its enforcement actions generally, we explore the alleged failures in some detail below.  Then, we summarize key details of the Consent Order, offer key takeaways, and note several questions that the Consent Order still leaves unresolved.
Continue Reading  FinCEN Assesses Civil Penalty Against CommunityBank of Texas for AML Program Weaknesses

On December 1, 2021, the Federal Financial Institutions Examination Council (“FFIEC”) released updates to its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (the “Manual”), which provides guidance to examiners for evaluating a financial institution’s BSA/AML compliance program and its compliance with related regulatory requirements.  This update is the third of 2021: the FFIEC also released updates to the Manual on February 25, 2021 and June 21, 2021.

This most recent update to the Manual adds a new introductory section, Introduction – Customers.  The updated Manual also includes changes to sections pertaining to Charities and Nonprofit Organizations, Independent Automated Teller Machine Owners or Operators, and Politically Exposed Persons (“PEP”).  The breadth of this most recent Manual update is consistent with the previous 2021 updates.  In February, FFIEC released an introductory section and updates to three sections pertaining to Customer Identification Programs (“CIP”), Currency Transaction Reporting (“CTR”), and Transactions of Exempt Persons.  In June, the FFIEC released updates to four sections pertaining to International Transportation of Currency or Monetary Instruments Reporting, Purchase and Sale of Monetary Instruments Recordkeeping, Reports of Foreign Financial, and Special Measures.

Consistent with prior FFIEC Interagency press releases associated with Manual updates, the FFIEC explained that “[t]he updates should not be interpreted as new requirements or as a new or increased focus on certain areas,” but rather “provide information and considerations related to certain customers that may indicate the need for bank policies, procedures, and processes to address potential money laundering, terrorist financing, and other illicit financial activity risks.”  Despite this disclaimer, the updates provide helpful insight into what examiners prioritize with regard to BSA/AML compliance.
Continue Reading  The FFIEC’S Third 2021 Update to the BSA/AML Examination Manual

Meaningful Overlap or Superficial Similarities?

On October 3, the release of the Pandora Papers flooded the global media, as millions of documents detailed incidents of wealthy and powerful people allegedly using so-called offshore accounts and other structures to shield wealth from taxation and other asset reporting. Data gathered by the International Consortium of Investigative Journalists, the architect of the Pandora Papers release, suggests that governments collectively lose $427 billion each year to tax evasion and tax avoidance. These figures and the identification of high-profile politicians and oligarchs involved in the scandal (Tony Blair, Vladimir Putin, and King Abdullah II of Jordan, to name a few) have grabbed headlines and spurred conversations about fairness in the international financial system – particularly as COVID-19 has highlighted and exacerbated economic disparities.

Much of the conduct revealed by the Pandora Papers appears to involve entirely legal structures used by the wealthy to – not surprisingly – maintain or enhance wealth.  Thus, the core debate implicated by the Pandora Papers is arguably one of social equity and related reputational risk for financial institutions (“FIs”), rather than “just” crime and anti-money laundering (“AML”). Media treatment of the Pandora Papers often blurs the distinction between AML and social concerns – and traditionally, there has been a distinction.

This focus on social concerns made us consider the current interest by the U.S. government, corporations and investors in ESG, and how ESG might begin to inform – perhaps only implicitly – aspects of AML compliance and examination.  ESG, which stands for Environmental, Social, and Governance, are criteria that set the foundation for socially-conscious investing that attempts to identify related business risks.  At first blush, the two are separate fields.  But as we discuss, there are ESG-related issues that link concretely to discrete AML issues: for example, transaction monitoring by FIs of potential environmental crime by customers for the purposes of filing a Suspicious Activity Report, or SAR, under the Bank Secrecy Act (“BSA”).  Moreover, there is a bigger picture consideration regarding BSA/AML relating to ESG:  will regulators and examiners of FIs covered by the BSA now consider – consciously or unconsciously – whether FIs are providing financial services to customers that are not necessarily breaking the law or engaging in suspicious activity, but whose conduct is inconsistent with ESG principles?

If so, then ESG concerns may fuel the phenomenon of de-risking, which is when FIs limit, restrict or close the accounts of clients perceived as being a high risk for money laundering or terrorist financing.  Arguably, and as we discuss, there also would be a historical and controversial analog – Operation Chokepoint, which involved a push by the government (not investors) for FIs to de-risk certain types of customers.  Regardless, interest in ESG means that FIs have to be even more aware of potential reputational risk with certain clients.  Even if the money in the accounts is perfectly legal, the next data breach can mean unwanted publicity for servicing certain clients.

These concepts are slippery, involve emerging trends that have yet to play out fully, and the similarities between AML and ESG can be overstated.  Nonetheless, it is possible that these two fields, both of which are subject to increasing global interest, may converge in important respects.  A preliminary discussion seems merited, however caveated or subject to debate.
Continue Reading  ESG, AML Compliance and the Convergence of Social Concerns

OFAC Updates Advisory on Enforcement Risks Relating to Agreeing to Pay Ransomware

First Post in a Two-Part Series on Recent OFAC Designations

On September 21, 2021 OFAC issued its first sanctions designation against a virtual currency exchange by designating the virtual currency exchange, SUEX OTC, S.R.O. (SUEX) “for its part in facilitating financial transactions for ransomware variants.”  Although this is a unique development, the broader and more important issue for any financial institution or company facing a ransomware attack is the continuing problem encapsulated in OFAC’s six-page Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, which OFAC released in conjunction with the announcement of the SUEX designation.  The Updated Advisory illustrates a “Catch 22” scenario, in which a victim that halts a ransomware attack by making the demanded payment then may find itself under scrutiny from OFAC on a strict-liability basis if it turns out that the attackers were sanctioned or otherwise had a sanctions nexus.  The Updated Advisory states that OFAC will consider self-reporting, cooperation with the government and strong cybersecurity measures to be mitigating factors in any contemplated enforcement action.

OFAC has been busy.  Tomorrow, we will blog on a more traditional action announced by OFAC right before the SUEX designation:  OFAC’s designation of members of a network of financial conduits funding Hizballah and Iran’s Islamic Revolutionary Guard Corps-Qods Force.  This designation is notable for the targets’ alleged use of gold as a vehicle to launder illicit funds through front companies.
Continue Reading  OFAC Targets Virtual Currency Exchange For Ransomware Attack

European Commission Proposes EU-Level Supervisory Authority and Cryptocurrency Travel Rule

European Banking Authority Offers New Guidelines on AML Compliance Officers

Just as the United States has expanded significantly its anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) regulatory and enforcement regime through recent passage of the AML Act of 2020, the European Union (“EU”) has taken significant steps this summer towards implementing a rigorous new transnational AML enforcement framework.  Recent legislative proposals by the European Commission (the EU’s executive branch) aim to combat cross-border crime by ensuring uniform implementation and enforcement of AML/CFT principles, rules, and regulations, and by creating new recordkeeping requirement for certain cryptocurrency transactions.  Following the announcement of these legislative proposals, the European Banking Authority proposed in late July new EU-wide guidelines for AML/CFT compliance officers.  We examine each of these in turn.
Continue Reading  European Union Round-Up:  A Summer of AML Enforcement and Compliance Proposals

A Guest Blog by Angelena Bradfield

Today we are very pleased to welcome guest blogger Angelena Bradfield, who is the Senior Vice President of AML/BSA, Sanctions & Privacy for the Bank Policy Institute. BPI is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks. Its members include universal banks, regional banks and the major foreign banks doing business in the United States.  BPI has been engaged in efforts to modernize the U.S. anti-money laundering/ countering the financing of terrorism (AML/CFT) regime for almost half a decade and worked closely with Senate and House leadership throughout the introduction and final passage of the Anti-Money Laundering Act of 2020 (AML Act). Angelena previously was a Vice President at The Clearing House Association, where she supported its regulatory affairs department in similar policy areas. Before that, she supported comprehensive immigration reform efforts at ImmigrationWorks USA and worked on various domestic policy issues at the White House where she served as a staff assistant in both the Domestic Policy Council and Presidential Correspondence offices.

We reached out to Angelena regarding BPI’s recent letter to the Financial Crimes Enforcement Network (FinCEN) commenting on its implementation of the Corporate Transparency Act (CTA).  Congress passed the CTA on January 1, 2021, as part of the AML Act.  The CTA requires certain legal entities to report their beneficial owners to a directory accessible by U.S. and foreign law enforcement and regulators.  This directory also will be accessible to U.S. financial institutions seeking to comply with their own AML obligations, particularly the beneficial ownership regulation, otherwise known as the Customer Due Diligence Rule (CDD Rule), already applicable to banks and other financial institutions. The CTA’s beneficial ownership directory is one of the most important and long-awaited changes to the BSA/AML regulatory regime, but it presents many challenges, both legal and logistical.  On April 5, 2021, FinCEN issued an advance notice of proposed rulemaking to solicit public comment on the CTA’s implementation.  In response, FinCEN received over 200 letters from industry stakeholders – including the letter from BPI.

This blog post again takes the form of a Q&A session, in which Angelena responds to questions posed by Money Laundering Watch about the CTA and how it should be implemented.  We hope you enjoy this discussion on this important topic. – Peter Hardy and Shauna Pierson
Continue Reading  Implementing the Corporate Transparency Act:  A Guest Blog

Breadth of List Undermines Usefulness to Industry

As required by the Anti-Money Laundering Act (“AML Act”), the Financial Crimes Enforcement Network (“FinCEN”) issued on June 30, 2021 the first government-wide list of priorities for anti-money laundering and countering the financing of terrorism (“AML/CFT”) (the “Priorities”).  The Priorities purport to identify and describe the most significant AML/CFT threats facing the United States.  The Priorities have been much-anticipated because, under the AML Act, regulators will review and examine financial institutions in part according to how their AML/CFT compliance programs incorporate and further the Priorities, “as appropriate.”

Unfortunately, and as we will discuss, there is a strong argument that FinCEN has prioritized almost everything, and therefore nothing.
Continue Reading  FinCEN Identifies AML/CFT “Priorities” For Financial Institutions

On April 12, 2021, the Office of the Comptroller of the Currency (“OCC”), the Board of Governors of the Federal Reserve System (“Board”), the Federal Deposit Insurance Corporation (“FDIC”), the National Credit Union Administration (“NCUA”) and the Financial Crimes Enforcement Network (“FinCEN”) issued a Request for Information (“RFI”) requesting comment on the extent to which the agencies’ previous guidance on model risk management supports banks’ compliance with Bank Secrecy Act (“BSA) and Anti-Money Laundering (“AML”) regulations and Office of Foreign Asset Control (“OFAC”) requirements.

The RFI asks for comments from interested parties on suggested changes to guidance or regulations, and whether aspects of the agencies’ approaches to BSA/AML and OFAC compliance are either working well, or could be improved.  The agencies explained that the reason for the RFI is to further understand current bank practices, and determine whether additional explanation or clarification of their guidance may be helpful.  Although the genesis of the RFI is not entirely clear, it appears that it was issued in response to certain financial institution inquiries or comments regarding how the maintenance of their BSA/AML compliance programs should incorporate principles set forth in earlier, more general regulatory guidance on model risk management for banks, which we describe below.  Further, the RFI has not occurred in a vacuum, but rather has appeared in the midst of a major, ongoing overhaul of the BSA/AML legislative, regulatory and enforcement regime.  Comments to the RFI must be received by June 11, 2021.
Continue Reading  Risk Management: Agencies Issue Request for Information on Intersection of Model Risk Management Guidance and BSA/AML Compliance

On February 25, 2021, the Federal Financial Institutions Examination Council (“FFIEC”) released updates to the Bank Secretary Act/Anti-Money Laundering (“BSA/AML”) Examination Manual (the “Manual”), which provides guidance to examiners for evaluating a financial institution’s BSA/AML compliance program and its compliance with related regulatory requirements.

First, the Manual adds a new introductory section, Assessing Compliance with [BSA] Regulatory Requirements.  Second, the Manual updates the sections pertaining to Customer Identification Program (“CIP”), Currency Transaction Reporting (“CTR”), and Transactions of Exempt Persons. The Manual explains that, consistent with prior updates, that the “updates should not be interpreted as new instructions or as a new or increased focus on certain areas,” but are intended to “offer further transparency into the examination process and support risk-focused examination work.”

The 2021 updates are not quite as substantial as the 2020 updates to the Manual, which pertained to scoping and planning of examinations; the review of a financial institution’s BSA/AML risk assessment; the assessment of an institution’s BSA/AML compliance program; and guidance for examiners on developing conclusions and finalizing the examination.  Nonetheless, the updates provide useful insight into what examiners regard as important for BSA/AML compliance.
Continue Reading  The FFIEC Updates the BSA/AML Examination Manual