Following up on its Notice of Proposed Rulemaking (“NPR”), which we discussed back in March, the Financial Crimes Enforcement Network (FinCEN) released on August 28th a final rule extending Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) requirements to certain investment advisers (Final Rule).

The Final Rule adds “investment adviser” to the definition of “financial institution” at 31 C.F.R. 1010.100(t). The Final Rule applies to registered investment advisers (RIAs), and investment advisers (IAs) that report information to the Securities and Exchange Commission (SEC) as exempt reporting advisers (ERAs), subject to certain exceptions. IAs generally must register with the SEC if they have over $110 million in assets under management (AUM). ERAs are investment advisers that (1) advise only private funds and have less than $150 million in AUM in the United States or (2) advise only venture capital funds.

The Final Rule requires certain IAs to: (1) develop and maintain an AML/CFT compliance program; (2) file Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs); (3) comply with the Recordkeeping and Travel Rules; (4) respond to Section 314(a) requests; and (5) implement special due diligence measures for correspondent and private banking accounts.

FinCEN released a Fact Sheet in conjunction with the Final Rule, which becomes effective January 1, 2026.  

Continue Reading  FinCEN Finalizes Rule Subjecting Investment Advisers to AML/CFT Regulations

On August 27, 2024, the New York State Department of Financial Services (“NYDFS”) announced a consent order involving a $35 million settlement with Nordea Bank Abp (“Nordea”) for alleged significant failures related to anti-money laundering (“AML”) compliance. Nordea, headquartered in Helsinki, Finland, operates globally, including through a licensed branch in New York, which has its own AML and transaction monitoring requirements.

The enforcement action, which followed revelations from the Panama Papers leak, found that Nordea allegedly failed to conduct proper due diligence on high-risk correspondent banking relationships and maintained inadequate AML controls.  According to the NYDFS, the Panama Papers implicated Nordea in aiding clients in establishing offshore shell companies in order to facilitate illicit activities.

The consent order alleges that Nordea violated New York law by allowing compliance failures in its AML program and procedures to persist. Meanwhile, Danish officials recently charged Nordea with repeatedly violating Denmark’s anti-money laundering act between 2012 and 2015, thereby exposing Nordea, potentially, to extremely significant fines. As we will discuss, although the consent order implicates many different issues, the NYDFS enforcement action represents, in part, the latest chapter in the continued fall-out from the massive AML scandal involving Danske Bank. The consent order also highlights, once again, the particular risks posed by correspondent banking relationships, on which we repeatedly have blogged (for example, here, here, and here).

Continue Reading  NYDFS Imposes $35 Million Fine on Nordea Bank for Alleged AML Failures Following Panama Papers Revelations

With Guest Speaker Nick St. John

We are very fortunate to have Nick St. John, Director of Federal Compliance at America’s Credit Unions, as our guest speaker in this podcast on the Notice of Proposed Rulemaking issued by the Financial Crimes Enforcement Network and federal banking regulators regarding the enhancement and modernization of anti-money

The Federal Reserve Bank of Philadelphia (the “Philly Fed”) recently executed an agreement (the “Agreement”) with Pennsylvania-based Customers Bank (and its Customers Bancorp, Inc. holding entity) (collectively, “Customers”).  According to the Agreement, “the most recent examinations and inspections” of Customers by the Philly Fed identified “significant deficiencies” related to the bank’s risk management practices, Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) compliance, and regulations issued by the Office of Foreign Assets Control (“OFAC”).  

The source of these alleged deficiencies is alluded to by the Agreement, which immediately highlights two “digital assets-friendly” elements of Customers’ business model:

  • Customers’ “digital asset strategy”, i.e., “offering banking services to digital asset customers”; and, relatedly,
  • Customers’ facilitation of “dollar token activities,” which refers to the bank’s operation of an “instant payments platform” that allows the bank’s commercial clients “to make tokenized payments over a distributed ledger technology system” – though only to other Customers’ commercial clients.

The Agreement calls for Customers to submit a number of plans to the Philly Fed by October 5, 2024, several of which explicitly require the Philly Fed’s approval.

Continue Reading  Bank’s Digital Assets Business Strategy Draws Federal Reserve Scrutiny

As we previously blogged, a Florida law (Fla. Stat. § 655.0323, entitled “Unsafe and unsound practices”), which became effective July 1, 2024, prohibits federal and state depository institutions conducting business in the state from denying services based on religion or political beliefs and activities. Every year, financial institutions must attest to their compliance with the Florida law. When he signed the bill into law, Governor Ron DeSantis said, “We are not going to allow big banks to discriminate based on someone’s political or religious beliefs, and we will continue to fight back against indoctrination in education and the workplace.”

As we will discuss, the Florida law also prohibits a financial institution from acting on the basis of “any factor if it is not a quantitative, impartial, and risk-based standard, including any such factor related to the person’s business sector[.]” This prohibition in particular creates a clear challenge for implementing an anti-money laundering/countering the financing of terrorism (“AML/CFT”) compliance program, which inherently involves subjective judgments and an assessment of the risk presented by a customer based on its line of business. The problematic implications of the Florida law did not go unnoticed by the U.S. Congress or the U.S. Department of the Treasury (“Treasury”).

Continue Reading  Three Members of Congress and U.S. Treasury Express Concerns that Florida Law Prohibiting Banks from Considering Customers’ Business Sectors or Political or Religious Beliefs Conflicts with Federal AML/CFT Requirements

The federal banking agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency (collectively the “Agencies”), issued a notice of proposed rulemaking (“Agencies’ NPRM”) to modernize financial institutions’ anti-money laundering and countering terrorist financing (“AML/CFT”) programs. The Agencies’ NPRM is consistent with FinCEN’s recent AML/CFT modernization proposal (“FinCEN’s NPRM”), on which we blogged here.

The Agencies’ NPRM does not substantively depart from FinCEN’s NPRM and imposes the same program requirements. Although the Anti-Money Laundering Act (“AML Act”) did not require the Agencies to amend their regulations, the Agencies’ goal is to maintain consistent program requirements. The NPRM states that financial institutions will not be subject to any additional burdens in complying with differing standards between FinCEN and the Agencies.

Continue Reading  Federal Banking Agencies Issue NPRM Consistent with FinCEN’s AML/CFT Modernization Proposal

On July 3, the Financial Crimes Enforcement Network (FinCEN) published a notice of proposed rulemaking (NPRM) as part of a broader initiative to “strengthen, modernize, and improve” financial institutions’ anti-money laundering and countering the financing of terrorism (AML/CFT) programs. In addition, the NPRM seeks to promote effectiveness, efficiency, innovation, and flexibility with respect to AML/CFT programs; support the establishment, implementation, and maintenance of risk-based AML/CFT programs; and strengthen the cooperation between financial institutions (“FIs”) and the government.

This NPRM implements Section 6101 of the Anti-Money Laundering Act of 2020 (the “AML Act”).  It also follows up on FinCEN’s September 2020 advanced notice of proposed rulemaking soliciting public comment on what it described then as “a wide range of questions pertaining to potential regulatory amendments under the Bank Secrecy Act (‘BSA’) . . . . to re-examine the BSA regulatory framework and the broader AML regime[,]” to which FinCEN received 111 comments.

As we will discuss, the NPRM focuses on the need for all FIs to implement a risk assessment as part of an effective, risk-based, and reasonably designed AML/CFT program. The NPRM also focuses on how consideration of FinCEN’s AML/CFT Priorities must be a part of any risk assessment. However, with regard to certain important issues, such as providing comfort to FIs to pursue technological innovation, reducing the “de-risking” of certain FI customers, and meaningful government feedback on BSA reporting, the NPRM provides nothing concrete.

FinCEN has published a five-page FAQ sheet which summarizes the NPRM.  We have created a 35-page PDF, here, which sets forth the proposed regulations themselves for all covered FIs.

The NPRM has a 60-day comment period, closing on September 3, 2024.  Particularly in light of the Supreme Court’s recent overruling of Chevron deference, giving the courts the power to interpret statutes without deferring to the agency’s interpretation, this rulemaking, once finalized, presumably will be the target of litigation challenging FinCEN’s interpretation of the AML Act. 

Continue Reading  FinCEN Issues Proposed Rulemaking Aimed at Strengthening and Modernizing AML Programs Across Multiple Industries

Enforcement Trends, Gaming, Crypto — and More

I am very pleased to co-chair again the Practicing Law Institute’s 2024 Anti-Money Laundering Conference on May 23, 2024, starting at 9 a.m. in New York City (the event also will be virtual). 

I am also really fortunate to be working with my fabulous co-chair Elizabeth (Liz) Boison

On May 3, 2024, the Board of Governors of the Federal Reserve System (the “Federal Reserve”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller of the Currency (“OCC”) jointly released the “Third-Party Risk Management: A Guide for Community Banks” (the “Guide”), presenting it as a resource for community banks to bolster their third-party risk management programs, policies, and practices.

The Guide serves as a companion to the Interagency Guidance on Third-Party Relationships: Risk Management issued in June 2023 (on which we blogged, here). It also relates to the OCC’s Fall 2023 Semiannual Risk Perspective, which emphasizes the need for banks to maintain prudent risk management practices – including practices tailored to address Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) compliance risks with respect to fintech relationships.

The Guide acknowledges the widespread collaborations between community banks and third-party entities, and recognizes the strategic importance for such partnerships to improve competitiveness and adaptability. These collaborations provide community banks with access to a diverse array of resources, such as new technologies, risk management tools, skilled personnel, delivery channels, products, services, and market opportunities.

However, the Guide underscores that reliance on third parties entails a loss of direct operational control, thereby exposing community banks to a spectrum of risks.  Banks are still accountable for executing all activities in compliance with applicable laws and regulations.  “These laws and regulations include . . . those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive, or abusive acts or practices) and those addressing financial crimes (such as fraud and money laundering).”  Accordingly, the Guide emphasizes that the engagement of third parties does not absolve a bank of its responsibility to operate in a safe and sound manner and to comply with regulatory requirements, “just as if the bank were to perform the service or activity itself.”  The Guide sets forth this concept in bold, on the first page. 

The Guide’s emphasis on governance practices highlights the critical role of oversight, accountability, and documentation in ensuring regulatory compliance and safeguarding the interests of both banks and their customers. Although the Guide styles itself as offering a framework tailored to the specific needs and challenges faced by community banks, it also offers direction to all financial institutions with regard to effective third-party risk management.

Continue Reading  Federal Banking Agencies Issue Guide to Third-Party Risk Management Practices for Community Banks

In February 2024, the Federal Deposit Insurance Corporation (FDIC) entered into consent orders (here and here) with two banks that partner with fintechs to offer “banking as a service” (BaaS). The orders address safety and soundness concerns relating to compliance with the Bank Secrecy Act (BSA), compliance with applicable laws, and third-party oversight.

BaaS refers to arrangements in which banks integrate their banking products and services into the services of non-bank third-party distributors and the distributors deliver the integrated banking services directly to the customer.  A common example of BaaS is banks’ delivery of lending services through fintech partners’ digital platforms.  BaaS has gained popularity in recent years as the bank partner can generally roll out banking services to customers at a much faster pace and for lower costs than traditional banking products and services.

These two consent orders do not arise in a vacuum.  In June 2023, the FDIC, Federal Reserve Board, and Office of the Comptroller of the Currency released final interagency guidance for their respective supervised banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements.  The guidance explained that supervisory reviews will evaluate risks and the effectiveness of risk management to determine whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.  At that time, we noted that we expected increased regulatory attention to bank/fintech partnership programs like the BaaS relationships addressed here.  Although these FDIC consent orders did not specifically cite to the interagency guidance, the guidance presumably was used to support the third-party oversight criticisms in the supervisory examinations of the two banks.

Continue Reading  Recent FDIC Consent Orders Reflect Ongoing Scrutiny of Bank Relationships with Fintechs