Cybersecurity

Subscribe to Cybersecurity

OFAC Updates Advisory on Enforcement Risks Relating to Agreeing to Pay Ransomware

First Post in a Two-Part Series on Recent OFAC Designations

On September 21, 2021 OFAC issued its first sanctions designation against a virtual currency exchange by designating the virtual currency exchange, SUEX OTC, S.R.O. (SUEX) “for its part in facilitating financial transactions for ransomware variants.”  Although this is a unique development, the broader and more important issue for any financial institution or company facing a ransomware attack is the continuing problem encapsulated in OFAC’s six-page Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, which OFAC released in conjunction with the announcement of the SUEX designation.  The Updated Advisory illustrates a “Catch 22” scenario, in which a victim that halts a ransomware attack by making the demanded payment then may find itself under scrutiny from OFAC on a strict-liability basis if it turns out that the attackers were sanctioned or otherwise had a sanctions nexus.  The Updated Advisory states that OFAC will consider self-reporting, cooperation with the government and strong cybersecurity measures to be mitigating factors in any contemplated enforcement action.

OFAC has been busy.  Tomorrow, we will blog on a more traditional action announced by OFAC right before the SUEX designation:  OFAC’s designation of members of a network of financial conduits funding Hizballah and Iran’s Islamic Revolutionary Guard Corps-Qods Force.  This designation is notable for the targets’ alleged use of gold as a vehicle to launder illicit funds through front companies.
Continue Reading  OFAC Targets Virtual Currency Exchange For Ransomware Attack

Breadth of List Undermines Usefulness to Industry

As required by the Anti-Money Laundering Act (“AML Act”), the Financial Crimes Enforcement Network (“FinCEN”) issued on June 30, 2021 the first government-wide list of priorities for anti-money laundering and countering the financing of terrorism (“AML/CFT”) (the “Priorities”).  The Priorities purport to identify and describe the most significant AML/CFT threats facing the United States.  The Priorities have been much-anticipated because, under the AML Act, regulators will review and examine financial institutions in part according to how their AML/CFT compliance programs incorporate and further the Priorities, “as appropriate.”

Unfortunately, and as we will discuss, there is a strong argument that FinCEN has prioritized almost everything, and therefore nothing.
Continue Reading  FinCEN Identifies AML/CFT “Priorities” For Financial Institutions

Last week, the law enforcement agencies across the globe executed a historic two-day takedown of hundreds of alleged criminals who used securely encrypted communication devices to further their criminal enterprises.  The operation, dubbed “Operation Trojan Shield,” involved over 9,000 law enforcement officers deployed worldwide to search more than 700 locations, which resulted in more than 800 arrests.  Their secret weapon? The encrypted communication devices used by these criminal organizations were manufactured and distributed by a company called ANOM, which just happens to be owned and operated by the Federal Bureau of Investigation (“FBI”).

To date, government press releases throughout the world have focused on the arrests and the seizures of contraband:  more than eight tons of cocaine; 22 tons of marijuana; two tons of methamphetamine/amphetamine; six tons of precursor chemicals; 250 firearms; and more than $48 million in various worldwide currencies and cryptocurrencies.  However, law enforcement agencies also have been clear that, of course, spin-off investigations are in the works.  As we discuss, money laundering already is a focus, and presumably numerous money laundering charges will be forthcoming over the years as a result of this operation, including as to any third parties or professionals knowingly involved in helping to move the massive amount of illicit proceeds.
Continue Reading  The Ultimate Inside Job: FBI-Owned Encrypted Communication Devices Take Down Criminal Syndicates Worldwide – With Money Laundering Cases Across the Globe to Follow

Action Highlights that Even Sophisticated Companies Serious about Compliance are not Immune from AML Enforcement – and the Importance of Cooperation When Cutting a Deal

On May 12, 2021, the Securities and Exchange Commission (“SEC”) issued an Order instituting a cease-and-desist proceeding under Sections 15(b) and 21C of the Securities and Exchange Act of 1934 (the “Exchange Act”), and imposed a $1.5 million monetary penalty against broker-dealer, GWFS Equities, Inc. (“GWFS”) for its alleged violations of the Bank Secrecy Act (“BSA”) due to its claimed failure to file Suspicious Activity Reports (“SARs”) when it was required to do so, and because certain filed SARs were inadequate.  The suspicious activity at issue involved primarily so-called “account takeovers” by cyber criminals, which is of course a growing and pernicious threat.

What is particularly notable about the case is that the SEC targeted GWFS for enforcement for allegedly filing 297 deficient SARs between September 2015 through October 2018 (the “Relevant Period”), despite GWFS having a seemingly otherwise robust  anti-money laundering (“AML”) program, a designated and capable BSA/AML Officer, a SAR review committee, written supervisory procedures that stressed the importance of providing “clear, complete, and concise descriptions of” suspicious activity, including the five essential elements of the suspicious activity—who, what, when, where and why (the “five essential elements”)—and GWFS providing formal and informal training to combat and report suspicious activity.  Stated otherwise, this AML enforcement action involves an actor clearly serious in general about compliance, rather than a compliance “outlier” representing an easy enforcement target. Crucially, cetain filed SARs allegedly omitted the “five essential elements” required in a SAR, even though GWFS allegedly knew the information and also knew that it was obligated to include the information in its SARs.  Instead, GWFS utilized a generic format for its SARs that did not contain much useful information.

The lesson here is clear: in regards to the allegedly inadequate filed SARs, the SEC is sending a message that a perceived cookie-cutter, cut-and-paste approach to fulfilling one’s obligations under the BSA will not be enough to stave off scrutiny and potential costly liability from government regulators.  With incidences of identity theft and other cybercrimes showing no signs of abating, and the government’s interest in ensuring that financial institutions are playing their role to guard against and to combat cybercrime, additional regulatory actions for deficient compliance are likely to follow.  It is not enough to just have a compliance program in place.  Broker-dealers should ensure that their compliance staff is well-trained and reports suspicious activity through the issuance of SARs that, at a minimum, contain the five essential elements.
Continue Reading  SEC Extracts AML Settlement From Broker-Dealer Based on Alleged Failure to Comply with “Five Essential Elements” of SAR Filings Regarding Cyber Crime

As we recently blogged, the Financial Crimes Enforcement Network (“FinCEN”) issued an advance notice of proposed rulemaking (“ANPRM”) on April 5, 2021 to solicit public comment on the implementation of the Corporate Transparency Act (“CTA”). In response, FinCEN received over 200 letters from industry stakeholders. This post will focus on one such letter, from the American Bankers Association (“ABA”), which highlights the industry perspective of large financial institutions.

The CTA, passed as part of the Anti-Money Laundering Act of 2020 (“AMLA”), requires certain legal entities to report their beneficial owners to a database accessible by U.S. and foreign law enforcement and regulators, and to U.S. financial institutions seeking to comply with their own Anti-Money Laundering (“AML”) compliance obligations, particularly FinCEN’s existing BO regulation which is part of the Customer Due Diligence Rule (“CDD Rule”) implemented in 2018. The beneficial ownership database is one of the most important and long-awaited changes to the AML legal framework in the United States.

To understand the paradigm shift, it is useful to recall the CDD rule currently in existence. Under FinCEN’s existing regulations, covered financial institutions have the requirement to collect and verify beneficial ownership information from their customers, and maintain records of such information. But until now their customers, which may include individuals and companies of all sizes, did not have to report such information to the government. The CTA makes companies (like LLCs and corporations) subject to such beneficial ownership reporting requirements. The CTA also requires FinCEN to revise the CDD Rule to try to make it consistent with the CTA and remove any unnecessary or duplicative burdens on financial institutions and legal entity customers.

In anticipation of these significant changes, industry groups have submitted comments to FinCEN on topics ranging from who will be covered to the logistics of implementation. The ABA, representing large banks, submitted a lengthy comment letter showcasing a strong interest in how these regulations shake out. The ABA first makes clear its support for Congress and FinCEN in ramping up efforts to combat money laundering and terrorism financing. It then lays out its recommendations for filling in gaps left by the CTA, largely tracking the questions that FinCEN solicited in its ANPRM. We summarize the most salient points below.
Continue Reading  American Bankers Association Weighs in on the Corporate Transparency Act

Seventh Post in an Extended Series on Legislative Changes to BSA/AML Regulatory Regime

On April 5, 2021, the Financial Crimes Enforcement Network (“FinCEN”) issued an advance notice of proposed rulemaking (“ANPRM”) to solicit public comment on questions pertaining to the implementation of the Corporate Transparency Act (“CTA”), passed as part of the Anti-Money Laundering Act of 2020 (“AMLA”).  The CTA requires certain legal entities to report their beneficial owners at the time of their creation to a database accessible by U.S. and foreign law enforcement and regulators, and to U.S. financial institutions seeking to comply with their own Anti-Money Laundering (“AML”) and Customer Due Diligence (“CDD”) compliance obligations.

According to the ANPRM, the ability to operate through legal entities without requiring the identification of beneficial owners is a key risk for the U.S. financial system.  The CTA seeks to mitigate the risk by reducing an individual’s ability to use corporate structures to conceal illicit activity such as money laundering, financing of terrorism, proliferation financing, serious tax fraud and human and drug trafficking.  The CTA seeks to set a clear federal standard for incorporation practices, protect vital U.S. national security interests, protect interstate and foreign commerce, better enable various law enforcement agencies to counter illicit activities and bring the U.S. into compliance with international standards.  With the goals of the CTA in mind, the ANPRM seeks public input on procedures and standards for reporting companies to submit information to FinCEN about their beneficial owners, and input on the implementation and maintenance of a database safeguarding disclosed information subject to appropriate protocols.

Written comments on the ANPRM are due soon – by May 5, 2021.  The CTA is a critical development in AML regulation, and FinCEN can expect a considerable response to this important ANPRM, both from the businesses that are covered and the financial institutions that would have access to the beneficial ownership database.  Although the ANPRM is detailed and poses many questions, the ultimate, real-world implementation of the CTA will involve even more questions.
Continue Reading  FinCEN Seeks Comments on Corporate Transparency Act Implementation

Sixth Post in an Extended Series on Legislative Changes to BSA/AML Regulatory Regime

As we have blogged, the Anti-Money Laundering Act of 2020 (“AMLA”) contains major changes to the Bank Secrecy Act (“BSA”), coupled with other changes relating to money laundering, anti-money laundering (“AML”), counter-terrorism financing (“CTF”), and protecting the U.S. financial system against illicit foreign actors.

A recurring theme of the changes offered by AMLA is information sharing. AMLA mandates that the Department of Treasury’s supervision priorities must include “appropriate frameworks for information sharing among financial institutions, their agents and service providers, their regulatory authorities, associations of financial institutions, the Department of the Treasury, and law enforcement authorities.” The increased emphasis on information sharing is accompanied by provisions requiring confidentiality and data security protocols.

The Financial Crimes Enforcement Network (“FinCEN”) is already beginning to address AMLA’s focus on the sharing and protection of information, as it explained in its recent detailed Report on FinCEN’s Innovation Hours Program, which focuses on fostering technological innovation in AML/CTF compliance.  In this post, we explore AMLA’s expansion of information sharing, corresponding privacy and data security protections, and the tensions that lie therein.
Continue Reading  AMLA Information-Sharing and Privacy and Data Security Concerns

The Financial Crimes Enforcement Network (“FinCEN”) issued on February 24, 2021 “an [A]dvisory to alert financial institutions to fraud and other financial crimes related to Economic Impact Payments (EIPs), authorized by the Coronavirus Aid, Relief, and Economic Security (CARES) Act, and the Coronavirus Response and Relief Supplemental Appropriations Act of 2021.” The Advisory describes EIP

Reunification of Korean Peninsula Memorial at the Entrance to Pyongyang

Related Money Laundering Case Relying on ATM Cash-Outs and BEC Schemes Also Unsealed

On February 17, the Department of Justice unsealed a sprawling indictment against three members of North Korea’s military intelligence agency – known as the Reconnaissance General Bureau –

Providing yet more proof that anything positive can be twisted into something negative, the Financial Crimes Enforcement Network (“FinCEN”) released a Notice yesterday “to alert financial institutions about the potential for fraud, ransomware attacks, or similar types of criminal activity related to COVID-19 vaccines and their distribution.”  This Notice comes on the heels of several