As anticipated, the Office of the Comptroller of the Currency, the Federal Reserve Board, and the FDIC recently approved and released the Final Rule Requiring Computer-Security Incident Notification (“Final Rule”). The Final Rule is designed to promote early awareness and stop computer security incidents before they become systemic. It places new reporting requirements on both
On October 15, 2021, the Financial Crimes Enforcement Network (“FinCEN”) issued a financial trend analysis on ransomware relating to Suspicious Activity Reports (“SARs”) filed in the first half of this year (“Analysis”). According to the Analysis, U.S. banks and financial institutions reported $590 million in suspected ransomware payments in SARs filed between January and June 2021, more than the total for all of 2020. FinCEN found that ransomware payments are often made using virtual currency, such as Bitcoin (“BTC”). The Office of Foreign Assets Control (“OFAC”) also released guidance in tandem with the FinCEN Analysis, addressing how the virtual currency industry can address sanctions-related risks.
Ransomware appears to be top-of-mind at the U.S. Treasury, as we have blogged. FinCEN’s Analysis and OFAC’s guidance came quickly on the heels of OFAC issuing on September 21 a six-page Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, which states that OFAC will consider self-reporting, cooperation with the government and strong cybersecurity measures to be mitigating factors in any contemplated enforcement action against a ransomware victim that halts an attack by making the demanded payment to attackers who were sanctioned or otherwise had a sanctions nexus. Also on September 21, 2021, OFAC issued its first sanctions designation against a virtual currency exchange by designating the virtual currency exchange “for its part in facilitating financial transactions for ransomware variants.”
Continue Reading FinCEN Reports Spiraling SARs Relating to Ransomware
On October 6, the Department of Justice (“DOJ”) announced the creation of a National Cryptocurrency Enforcement Team (“NCET”). The DOJ press release is set forth in part below, without further commentary, other than to observe that the NCET’s stated goals are to address issues on which we repeatedly have blogged: crypto exchangers and their AML
OFAC Updates Advisory on Enforcement Risks Relating to Agreeing to Pay RansomwareOn September 21, 2021 OFAC issued its first sanctions designation against a virtual currency exchange by designating the virtual currency exchange, SUEX OTC, S.R.O. (SUEX) “for its part in facilitating financial transactions for ransomware variants.” Although this is a unique development, the broader and more important issue for any financial institution or company facing a ransomware attack is the continuing problem encapsulated in OFAC’s six-page Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, which OFAC released in conjunction with the announcement of the SUEX designation. The Updated Advisory illustrates a “Catch 22” scenario, in which a victim that halts a ransomware attack by making the demanded payment then may find itself under scrutiny from OFAC on a strict-liability basis if it turns out that the attackers were sanctioned or otherwise had a sanctions nexus. The Updated Advisory states that OFAC will consider self-reporting, cooperation with the government and strong cybersecurity measures to be mitigating factors in any contemplated enforcement action.
OFAC has been busy. Tomorrow, we will blog on a more traditional action announced by OFAC right before the SUEX designation: OFAC’s designation of members of a network of financial conduits funding Hizballah and Iran’s Islamic Revolutionary Guard Corps-Qods Force. This designation is notable for the targets’ alleged use of gold as a vehicle to launder illicit funds through front companies.
Continue Reading OFAC Targets Virtual Currency Exchange For Ransomware Attack
Breadth of List Undermines Usefulness to IndustryAs required by the Anti-Money Laundering Act (“AML Act”), the Financial Crimes Enforcement Network (“FinCEN”) issued on June 30, 2021 the first government-wide list of priorities for anti-money laundering and countering the financing of terrorism (“AML/CFT”) (the “Priorities”). The Priorities purport to identify and describe the most significant AML/CFT threats facing the United States. The Priorities have been much-anticipated because, under the AML Act, regulators will review and examine financial institutions in part according to how their AML/CFT compliance programs incorporate and further the Priorities, “as appropriate.”
Unfortunately, and as we will discuss, there is a strong argument that FinCEN has prioritized almost everything, and therefore nothing.
Continue Reading FinCEN Identifies AML/CFT “Priorities” For Financial Institutions
Last week, the law enforcement agencies across the globe executed a historic two-day takedown of hundreds of alleged criminals who used securely encrypted communication devices to further their criminal enterprises. The operation, dubbed “Operation Trojan Shield,” involved over 9,000 law enforcement officers deployed worldwide to search more than 700 locations, which resulted in more than 800 arrests. Their secret weapon? The encrypted communication devices used by these criminal organizations were manufactured and distributed by a company called ANOM, which just happens to be owned and operated by the Federal Bureau of Investigation (“FBI”).
To date, government press releases throughout the world have focused on the arrests and the seizures of contraband: more than eight tons of cocaine; 22 tons of marijuana; two tons of methamphetamine/amphetamine; six tons of precursor chemicals; 250 firearms; and more than $48 million in various worldwide currencies and cryptocurrencies. However, law enforcement agencies also have been clear that, of course, spin-off investigations are in the works. As we discuss, money laundering already is a focus, and presumably numerous money laundering charges will be forthcoming over the years as a result of this operation, including as to any third parties or professionals knowingly involved in helping to move the massive amount of illicit proceeds.
Continue Reading The Ultimate Inside Job: FBI-Owned Encrypted Communication Devices Take Down Criminal Syndicates Worldwide – With Money Laundering Cases Across the Globe to Follow
On May 12, 2021, the Securities and Exchange Commission (“SEC”) issued an Order instituting a cease-and-desist proceeding under Sections 15(b) and 21C of the Securities and Exchange Act of 1934 (the “Exchange Act”), and imposed a $1.5 million monetary penalty against broker-dealer, GWFS Equities, Inc. (“GWFS”) for its alleged violations of the Bank Secrecy Act (“BSA”) due to its claimed failure to file Suspicious Activity Reports (“SARs”) when it was required to do so, and because certain filed SARs were inadequate. The suspicious activity at issue involved primarily so-called “account takeovers” by cyber criminals, which is of course a growing and pernicious threat.
What is particularly notable about the case is that the SEC targeted GWFS for enforcement for allegedly filing 297 deficient SARs between September 2015 through October 2018 (the “Relevant Period”), despite GWFS having a seemingly otherwise robust anti-money laundering (“AML”) program, a designated and capable BSA/AML Officer, a SAR review committee, written supervisory procedures that stressed the importance of providing “clear, complete, and concise descriptions of” suspicious activity, including the five essential elements of the suspicious activity—who, what, when, where and why (the “five essential elements”)—and GWFS providing formal and informal training to combat and report suspicious activity. Stated otherwise, this AML enforcement action involves an actor clearly serious in general about compliance, rather than a compliance “outlier” representing an easy enforcement target. Crucially, cetain filed SARs allegedly omitted the “five essential elements” required in a SAR, even though GWFS allegedly knew the information and also knew that it was obligated to include the information in its SARs. Instead, GWFS utilized a generic format for its SARs that did not contain much useful information.
The lesson here is clear: in regards to the allegedly inadequate filed SARs, the SEC is sending a message that a perceived cookie-cutter, cut-and-paste approach to fulfilling one’s obligations under the BSA will not be enough to stave off scrutiny and potential costly liability from government regulators. With incidences of identity theft and other cybercrimes showing no signs of abating, and the government’s interest in ensuring that financial institutions are playing their role to guard against and to combat cybercrime, additional regulatory actions for deficient compliance are likely to follow. It is not enough to just have a compliance program in place. Broker-dealers should ensure that their compliance staff is well-trained and reports suspicious activity through the issuance of SARs that, at a minimum, contain the five essential elements.
Continue Reading SEC Extracts AML Settlement From Broker-Dealer Based on Alleged Failure to Comply with “Five Essential Elements” of SAR Filings Regarding Cyber Crime
As we recently blogged, the Financial Crimes Enforcement Network (“FinCEN”) issued an advance notice of proposed rulemaking (“ANPRM”) on April 5, 2021 to solicit public comment on the implementation of the Corporate Transparency Act (“CTA”). In response, FinCEN received over 200 letters from industry stakeholders. This post will focus on one such letter, from the American Bankers Association (“ABA”), which highlights the industry perspective of large financial institutions.
The CTA, passed as part of the Anti-Money Laundering Act of 2020 (“AMLA”), requires certain legal entities to report their beneficial owners to a database accessible by U.S. and foreign law enforcement and regulators, and to U.S. financial institutions seeking to comply with their own Anti-Money Laundering (“AML”) compliance obligations, particularly FinCEN’s existing BO regulation which is part of the Customer Due Diligence Rule (“CDD Rule”) implemented in 2018. The beneficial ownership database is one of the most important and long-awaited changes to the AML legal framework in the United States.
To understand the paradigm shift, it is useful to recall the CDD rule currently in existence. Under FinCEN’s existing regulations, covered financial institutions have the requirement to collect and verify beneficial ownership information from their customers, and maintain records of such information. But until now their customers, which may include individuals and companies of all sizes, did not have to report such information to the government. The CTA makes companies (like LLCs and corporations) subject to such beneficial ownership reporting requirements. The CTA also requires FinCEN to revise the CDD Rule to try to make it consistent with the CTA and remove any unnecessary or duplicative burdens on financial institutions and legal entity customers.
In anticipation of these significant changes, industry groups have submitted comments to FinCEN on topics ranging from who will be covered to the logistics of implementation. The ABA, representing large banks, submitted a lengthy comment letter showcasing a strong interest in how these regulations shake out. The ABA first makes clear its support for Congress and FinCEN in ramping up efforts to combat money laundering and terrorism financing. It then lays out its recommendations for filling in gaps left by the CTA, largely tracking the questions that FinCEN solicited in its ANPRM. We summarize the most salient points below.
Continue Reading American Bankers Association Weighs in on the Corporate Transparency Act
Seventh Post in an Extended Series on Legislative Changes to BSA/AML Regulatory RegimeOn April 5, 2021, the Financial Crimes Enforcement Network (“FinCEN”) issued an advance notice of proposed rulemaking (“ANPRM”) to solicit public comment on questions pertaining to the implementation of the Corporate Transparency Act (“CTA”), passed as part of the Anti-Money Laundering Act of 2020 (“AMLA”). The CTA requires certain legal entities to report their beneficial owners at the time of their creation to a database accessible by U.S. and foreign law enforcement and regulators, and to U.S. financial institutions seeking to comply with their own Anti-Money Laundering (“AML”) and Customer Due Diligence (“CDD”) compliance obligations.
According to the ANPRM, the ability to operate through legal entities without requiring the identification of beneficial owners is a key risk for the U.S. financial system. The CTA seeks to mitigate the risk by reducing an individual’s ability to use corporate structures to conceal illicit activity such as money laundering, financing of terrorism, proliferation financing, serious tax fraud and human and drug trafficking. The CTA seeks to set a clear federal standard for incorporation practices, protect vital U.S. national security interests, protect interstate and foreign commerce, better enable various law enforcement agencies to counter illicit activities and bring the U.S. into compliance with international standards. With the goals of the CTA in mind, the ANPRM seeks public input on procedures and standards for reporting companies to submit information to FinCEN about their beneficial owners, and input on the implementation and maintenance of a database safeguarding disclosed information subject to appropriate protocols.
Written comments on the ANPRM are due soon – by May 5, 2021. The CTA is a critical development in AML regulation, and FinCEN can expect a considerable response to this important ANPRM, both from the businesses that are covered and the financial institutions that would have access to the beneficial ownership database. Although the ANPRM is detailed and poses many questions, the ultimate, real-world implementation of the CTA will involve even more questions.
Continue Reading FinCEN Seeks Comments on Corporate Transparency Act Implementation
Sixth Post in an Extended Series on Legislative Changes to BSA/AML Regulatory RegimeAs we have blogged, the Anti-Money Laundering Act of 2020 (“AMLA”) contains major changes to the Bank Secrecy Act (“BSA”), coupled with other changes relating to money laundering, anti-money laundering (“AML”), counter-terrorism financing (“CTF”), and protecting the U.S. financial system against illicit foreign actors.
A recurring theme of the changes offered by AMLA is information sharing. AMLA mandates that the Department of Treasury’s supervision priorities must include “appropriate frameworks for information sharing among financial institutions, their agents and service providers, their regulatory authorities, associations of financial institutions, the Department of the Treasury, and law enforcement authorities.” The increased emphasis on information sharing is accompanied by provisions requiring confidentiality and data security protocols.
The Financial Crimes Enforcement Network (“FinCEN”) is already beginning to address AMLA’s focus on the sharing and protection of information, as it explained in its recent detailed Report on FinCEN’s Innovation Hours Program, which focuses on fostering technological innovation in AML/CTF compliance. In this post, we explore AMLA’s expansion of information sharing, corresponding privacy and data security protections, and the tensions that lie therein.
Continue Reading AMLA Information-Sharing and Privacy and Data Security Concerns