Cybersecurity

Subscribe to Cybersecurity

A Deep Dive Into FinCEN’s Latest Proposals Under the CTA

On December 16, the Financial Crimes Enforcement Network (“FinCEN”) issued a 54-page notice of proposed rulemaking (“NPRM”) regarding access by authorized recipients to beneficial ownership information (“BOI”) that will be reported to FinCEN under the Corporate Transparency Act (“CTA”).  The CTA requires covered entities – including most domestic corporations and foreign entities registered to do business in the U.S. – to report BOI and company applicant information to a database created and run by FinCEN upon the entities’ creation or registration within the U.S.  This database will be accessible by U.S. and foreign law enforcement and regulators, and to U.S. financial institutions (“FIs”) seeking to comply with their own Customer Due Diligence (“CDD”) compliance obligations, which requires covered FIs to obtain BOI from many entity customers when they open up new accounts.

In regards to this NPRM, FinCEN’s declared goal is to ensure that

(1) only authorized recipients have access to BOI; (2) authorized recipients use that access only for purposes permitted by the CTA; and (3) authorized recipients only redisclose BOI in ways that balance protection of the security and confidentiality of the BOI with furtherance of the CTA’s objective of making BOI available to a range of users for purposes specified in the CTA.

Further, FinCEN has indicated that, “[c]oincident with the protocols described in this NPRM, FinCEN is working to develop a secure, non-public database in which to store BOI, using rigorous information security methods and controls typically used in the Federal government to protect non-classified yet sensitive information systems at the highest security levels.”

The comment period for the NPRM is 60 days.  The NPRM proposes an effective date of January 1, 2024, consistent with when the final BOI reporting rule at 31 C.F.R. § 1010.380 becomes effective.  The proposed BOI access regulations will be set forth separately at 31 C.F.R. § 1010.955, rather than existing 31 C.F.R. § 1010.950, which governs the disclosure of other Bank Secrecy Act (“BSA”) information.

This NPRM relates to the second of three sets of regulations which FinCEN ultimately will issue under the CTA.  As we have blogged (here and here), FinCEN already has issued regulations regarding the BOI reporting obligation itself.  FinCEN still must issue proposed regulations on “reconciling” the new BOI reporting regulations and the existing CDD regulations applicable to covered FIs for obtaining BOI from their own entity customers.

As we discuss, the lengthy NPRM suggests answers to some questions, but it of course also raises other questions.  Although domestic and even foreign government agencies will have generally broad access to the BOI database, assuming that they satisfy various requirements, the NPRM’s proposed access for FIs to the BOI database is relatively limited.

Continue Reading  Privacy, Cybersecurity and Access to Beneficial Ownership Information:  FinCEN Issues Notice of Proposed Regulations Under the Corporate Transparency Act

On December 15, 2022, the New York Department of Financial Services (“NYDFS”) published an Industry Letter detailing the Department’s guidance regarding banking organizations that wish to engage in virtual currency-related activities. Specifically, while the guidance reminds New York banking organizations, branches, and agencies of foreign banking organizations licensed by the Department (together, “Covered Institutions”) of the preexisting obligation to seek approval from the Department before engaging in new or significantly different virtual currency-related activity, the guidance describes the process and types of information that the Department considers relevant to its approval process.  The guidance is effective as of December 15, 2022, and was accompanied by a press release from NYDFS’ Superintendent Adrienne A. Harris.

For the purposes of the Industry Letter, “virtual currency-related activity” includes “all ‘virtual currency business activity,’ as that term is defined in 23 NYCRR § 200.2(q), as well as the direct or indirect offering or performance of any other product, service, or activity involving virtual currency that may raise safety and soundness concerns for the Covered Institution or that may expose New York customers of the Covered Institution or other users of the product or service to risk of harm.”  As we will discuss, any Covered Institution seeking NYDFS approval should focus in part on addressing the Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) and Office of Foreign Asset Control (“OFAC”)-related risks posed by the virtual currency-related activity.

Continue Reading  NYDFS Releases Virtual Currency Guidance for Banking Organizations

Ruling Could Influence FinCEN in Forthcoming Regulations Under the CTA

On November 22nd, an appeals court in Luxembourg issued a decision that highlights the tensions between anti-money laundering (“AML”) goals and privacy concerns, and could impact impending beneficial ownership regulations to be issued under the U.S. Corporate Transparency Act (“CTA”).  Specifically, the appeals court decided that the general public’s access to beneficial ownership information (“BOI”) interfered with the fundamental right of privacy granted under the Charter of Fundamental Rights of the European Union (“EU”).

Continue Reading  European Court Puts the Brakes on AML Directive:  Public Access to Beneficial Ownership Database Violates European Privacy Laws

The “Highlights” — To Russia, With Crypto

The Financial Crimes Enforcement Network (“FinCEN”) issued on November 1 a Financial Trend Analysis regarding ransomware-related Bank Secrecy Act (“BSA”) filings during the second half of 2021 (the “Report”).  This publication follows up on a similar ransomware trend analysis issued by FinCEN regarding the first half of 2021, on which we blogged here.  

In the most recent analysis, FinCEN found that both the number of ransomware-related Suspicious Activity Reports (“SAR”) filed, and the dollar amounts at issue, nearly tripled from 2020 to 2021.  The notable takeaways from the Report include:

  • Ransomware-related SARs were the highest ever in 2021 (both in number of SARs and in dollar amounts of activity reported).
  • Ransomware-related SARs reported amounts totaling almost $1.2 billion in 2021.
  • Approximately 75% of ransomware-related incidents between June 2021 and December 2021 were connected to Russia-related ransomware variants.

The Report, which stated that the majority of these ransomware payments were made in Bitcoin, serves as a particular reminder to cryptocurrency exchanges of their role in both identifying and reporting ransomware-related transactions facilitated through their platforms.  The Report stresses that SAR filings play an essential role in helping FinCEN identify ransomware trends.

Continue Reading  FinCEN Reports Staggering Increase in Reported Ransomware Attacks

On June 23, 2022, the Office of the Comptroller of the Currency (OCC) released its Semiannual Risk Perspective (SRP) for spring 2022.  In the SRP, the OCC opines on its current safety and soundness concerns for banks under its regulatory umbrella, focusing on Russia sanctions, climate-related risk, and rising inflation.  Despite these challenges, the OCC believes that “[b]anks’ financial condition remains strong and positioned to deal with the economic headwinds.”

Of special note, the OCC also believes compliance risk is “heightened” for Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) compliance because of world events and compliance staffing concerns.  In addition, the OCC warns that banks face an “elevated” risk of cyber attacks and fraud or cybersecurity risks related to digital assets.

Continue Reading  OCC Highlights Risks Associated with Compliance Staffing Concerns, Russia Sanctions, Environmental Crimes, Cyber Attacks and Digital Assets

On June 15, FinCEN issued an Advisory on Elder Financial Exploitation (“Advisory”) to warn financial institutions about the rising trend of elder financial exploitation (“EFE”), which FinCEN defines as “the illegal or improper use of an older adult’s funds, property, or assets, and is often perpetrated either through theft or scams.”  The Advisory is detailed.  It highlights new EFE typologies and potential red flags and builds upon a related advisory issued in 2011.  It also offers tips on Suspicious Activity Report (“SAR”) filings and describes other resources available to fight EFE.

Continue Reading  FinCEN Warns Against Elder Financial Exploitation

On May 19, 2022, the Associate Director of the Enforcement and Compliance Division of the Financial Crimes Enforcement Network (“FinCEN”), Alessio Evangelista, spoke at the Chainalysis Links Conference in New York City on the topic of “The Intersection of Cryptocurrencies and National Security.”  Associate Director Evangelista stressed “responsible innovation” by the cryptocurrency industry, in order to protect consumers and national security interests, as well as to combat cybercrime and other illicit financial activity.  Associate Director Evangelista also denied that FinCEN’s enforcement efforts represent a “gotcha” enterprise.

Shortly after Associate Director Evangelista’s speech, Acting Comptroller of the Currency Michael J. Hsu discussed vulnerabilities in the cryptocurrency framework and recent volatility with stablecoins in pointed remarks at the DC Blockchain Summit 2022.  Describing himself as a “crypto skeptic,” Acting Comptroller Hsu acknowledged the potential value of innovation presented by crypto, but repeatedly bemoaned a “hyped-based” crypto economy, and stressed that “hype is not harmless.”

Combined, these speeches leave no doubt that regulators are exceedingly focused on digital assets and cryptocurrencies, and in particular are increasingly focused on consumer protection concerns, beyond the usual illicit finance and terrorist financing concerns.

Continue Reading  FinCEN and OCC Address Cryptocurrency:  Responsible Innovation and Pervasive Hype

Enforcement Trends, Crypto, the AML Act — and More

We are very pleased to be moderating, once again, the Practising Law Institute’s 2022 Anti-Money Laundering Conference on May 17, 2022, starting at 9 a.m. This year’s conference will be both live and virtual — and it will be as informative, interesting and timely as always. 

On April 5, 2022 the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced sanctions against “the world’s largest and most prominent darknet market, Hydra Market” and Garantex, a virtual currency exchange registered in Estonia but operating in Moscow and St. Petersburg, Russia.  The sanctions are part of a larger initiative targeting Russian cybercrime that spans across multiple federal departments—including the U.S. Department of Justice, Federal Bureau of Investigations, Drug Enforcement Administration, Internal Revenue Service Criminal Investigation, and Homeland Security Investigations—and across the globe—including international partners like the German Federal Criminal Police and Estonia’s Financial Intelligence Unit.  The sanctions follow September and November sanctions of SUEX OTC, S.R.O. and CHATEX, two virtual currency exchanges operated out of Moscow that allegedly facilitated transactions for ransomware actors.  SUEX was the first virtual currency exchange subject to OFAC sanctions (and the subject of a previous post).

While ostensibly focused on closing another avenue for ransomware purveyors to profit off of their wares, the sanctions may also cut off all types of cybercriminals who allegedly find “a haven” in Russia and used Hydra or Garantex.
Continue Reading  OFAC Designates “Hydra” –  the Largest Darknet Market – and Third Russian Virtual Currency Exchange

On March 1, 2022, the U.S. Department of the Treasury (“Treasury”) published its National Risk Assessment for Money Laundering, Terrorist Financing, and Proliferation Financing (the “NMLRA”), identifying the national threats, vulnerabilities, and risks facing the U.S. financial system.  The NMLRA is 74 pages long and comprehensively covers many different perceived threats and vulnerabilities, including the misuse of legal entities, virtual assets, real estate, investment advisors, and casinos.  This post therefore selects three key issues for closer analyses.

First, cybercrime (a topic we cover frequently) in the form of ransomware received the dubious honor of representing “a larger and growing share of the overall money laundering threat in the United States.”  Second, professional money laundering organizations (“PMLOs”) continue to peddle their illicit services internationally to launder the proceeds of cybercrime, narcotics trafficking, and other schemes on behalf of organized criminal enterprises.  Third, merchants and professionals, such as lawyers, real estate professionals, and financial services employees, continue to perform – knowingly or unknowingly – critical functions in support of money laundering schemes and obfuscating the source of ill-gotten gains.
Continue Reading  U.S. Treasury Identifies Ongoing and Emergent Money Laundering Risks and Vulnerabilities