The federal banking regulators (The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation) issued on July 25 a lengthy joint statement outlining the potential risks that financial institutions face in arrangements with third parties to deliver bank deposit products and services.
The U.S. Department of the Treasury has issued its 2024 National Strategy for Combatting Terrorist and Other Illicit Financing (“Strategy”). It is a 55-page document which, according to the government’s press release, “addresses the key risks from the 2024 National Money Laundering, Terrorist Financing, and Proliferation Financing Risk Assessments. . . and details how the United States will build on recent historic efforts to modernize the U.S. anti-money laundering/countering the financing of terrorism (AML/CFT) regime, enhance operational effectiveness in combating illicit actors, and embrace technological innovation to mitigate risks.”
The Strategy discusses an enormous list of topics. Given the breadth of its scope, the Strategy generally makes only very high-level comments regarding any particular topic. This post accordingly is extremely high level as well, and offers only a few select comments.
Continue Reading Treasury Issues Broad National Strategy for Combatting Illicit Financing
In February 2024, the Federal Deposit Insurance Corporation (FDIC) entered into consent orders (here and here) with two banks who partner with fintechs to offer “banking as a service” (BaaS) related to safety and soundness concerns relating to compliance with the Bank Secrecy Act (BSA), compliance with applicable laws, and third-party oversight.
BaaS refers to arrangements in which banks integrate their banking products and services into the services of non-bank third-party distributors and the distributors deliver the integrated banking services directly to the customer. A common example of BaaS is banks’ delivery of lending services through fintech partners’ digital platforms. BaaS has gained popularity in recent years as the bank partner can generally roll out banking services to customers at a much faster pace and for lower costs than traditional banking products and services.
These two consent orders do not arise in a vacuum. In June 2023, the FDIC, Federal Reserve Board, and Office of the Comptroller of the Currency released final interagency guidance for their respective supervised banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements. The guidance explained that supervisory reviews will evaluate risks and the effectiveness of risk management to determine whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations. At that time, we noted that we expected increased regulatory attention to bank/fintech partnership programs like the BaaS relationships addressed here. Although these FDIC consent orders did not specifically cite to the interagency guidance, the guidance presumably was used to support the third-party oversight criticisms in the supervisory examinations of the two banks.
In its Fall 2023 Semiannual Risk Perspective, published on December 7, the Office of the Comptroller of the Currency (“OCC”) reported on key issues facing the federal banking system. In evaluating the overall soundness of the federal banking system, the OCC emphasized the need for banks to maintain prudent risk management practices. The key risk themes that the OCC underscored in the report included credit, market, operational, and compliance risks.
Of particular note was the discussion on the Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) compliance risks with respect to fintech relationships. We also will discuss briefly certain other compliance and operational risks highlighted by the OCC.
Continue Reading OCC Risk Perspective Report Focuses on Third-Party Relationships with Fintechs
The CFPB has issued a proposed rule to supervise nonbank companies that qualify as larger participants in a market for “general-use digital consumer payment applications.” Comments on the proposal are due by January 8, 2024 or by the date that is 30 days after the proposal’s publication in the Federal Register, whichever is later.
The proposal is based on the CFPB’s authority to supervise nonbank entities considered to be “a larger participant of a market for other consumer financial products or services.” It would cover providers of consumer financial products and services that are commonly referred to as “digital wallets,” “payment apps,” “funds transfer apps,” and “person-to-person or P2P payment apps.”
On August 17, 2023, Judge Robert Pitman of the federal district court for the Western District of Texas issued an Order granting summary judgment for the U.S. Treasury Department (“Treasury”) in a lawsuit brought by six individuals, and denying the cross-motion for summary judgment filed by the individuals. The lawsuit alleged that Treasury overstepped its authority by imposing sanctions on the coin mixing service Tornado Cash. Deciding for the government, Judge Pitman determined that Tornado Cash is a “person” that may be designated by OFAC sanctions. Specifically, the regulatory definition of “person” includes an “association,” and Tornado Cash is an “association” within its ordinary meaning.
Shortly thereafter, on August 23, 2023, the U.S. Department of Justice (“DOJ”) unsealed an indictment returned in the Southern District of New York against the alleged developers of Tornado Cash, Roman Storm (“Storm”), a naturalized citizen residing in the U.S., and Roman Semenov (“Semenov”), a Russian citizen. The indictment charges them with conspiring to commit money laundering, operate an unlicensed money transmitting business, and commit sanctions violations involving the International Emergency Economic Powers Act, or IEEPA. When the indictment was unsealed, Storm was arrested and then released pending trial. Treasury simultaneously sanctioned Semenov, who remains outside of the U.S., adding him to OFAC’s Specially Designated Nationals and Blocked Persons (“SDN”) List.
These are very complicated cases raising complicated issues. They are separate but obviously related. As we will discuss, the factual and legal issues tend to blend together, and how a party characterizes an issue says a lot about their desired outcome: has the government taken incoherent action against a technology, or has it pursued a group of people attempting to hide behind tech?
We are pleased to offer the latest episode in Ballard Spahr’s Consumer Finance Monitor podcast series, A Look at the Treasury Department’s April 2023 Report on Decentralized Finance or “DeFi.”
In this episode, we follow up and expand upon our blog post regarding the U.S. Department of the Treasury’s April 6, 2023 report examining vulnerabilities
The Federal Reserve, FDIC, and OCC have released final interagency guidance for their respective supervised banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements. The guidance is intended to provide principles for effective third-party risk management for all types of third-party relationships, regardless of how they may be structured. At the same time, the agencies state that banking organizations have flexibility in their approach to assessing the risks posed by each third- party relationship and deciding the relevance of the considerations discussed in the final guidance
The final guidance rescinds and replaces each agency’s previously-issued guidance on risk management practices for third-party relationships. In their July 2021 proposal, the agencies had included as an appendix FAQs issued by the OCC to supplement the OCC’s existing 2013 third-party risk management guidance. The proposed guidance included the revised FAQs as an exhibit and the agencies sought comment on the extent to which the concepts discussed in the FAQs should be incorporated into the final guidance. In their discussion of the final guidance, the agencies identify which concepts from the FAQs have been incorporated into the final guidance.
I am very pleased to co-chair again the Practicing Law Institute’s 2023 Anti-Money Laundering Conference on May 16, 2023, starting at 9 a.m. in New York City (the event also will be virtual).
I am also really fortunate to be working with co-chair Elizabeth (Liz) Boison
On April 6, 2023, the U.S. Department of the Treasury released a report examining vulnerabilities in decentralized finance (“DeFi”), including potential gaps in the United States’ anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) regulatory, supervisory, and enforcement regimes for DeFi. The report concludes by making a series of recommendations, including the closing of “gaps” in the application of the Bank Secrecy Act (“BSA”) to the extent that certain DeFi services currently fall outside the scope of the BSA’s definition of a “financial institution” covered by the BSA. The report cautions that it does not alter any existing legal obligations, issue any new regulatory interpretations, or establish any new supervisory expectations.