Transaction Monitoring

On August 27, 2024, the New York State Department of Financial Services (“NYDFS”) announced a consent order involving a $35 million settlement with Nordea Bank Abp (“Nordea”) for alleged significant failures related to anti-money laundering (“AML”) compliance. Nordea, headquartered in Helsinki, Finland, operates globally, including through a licensed branch in New York, which has its own AML and transaction monitoring requirements.

The enforcement action, which followed revelations from the Panama Papers leak, found that Nordea allegedly failed to conduct proper due diligence on high-risk correspondent banking relationships and maintained inadequate AML controls.  According to the NYDFS, the Panama Papers implicated Nordea in aiding clients in establishing offshore shell companies in order to facilitate illicit activities.

The consent order alleges that Nordea violated New York law by allowing compliance failures in its AML program and procedures to persist.  Meanwhile, Danish officials recently charged Nordea with repeatedly violating Denmark’s anti-money laundering act between 2012 and 2015, thereby exposing Nordea, potentially, to extremely significant fines.  As we will discuss, although the consent order implicates many different issues, the NYDFS enforcement action represents, in part, the latest chapter in the continued fall-out from the massive AML scandal involving Dankse Bank.  The consent order also highlights, once again, the particular risks posed by correspondent banking relationships, on which we repeatedly have blogged (for example, here, here, and here).

Continue Reading  NYDFS Imposes $35 Million Fine on Nordea Bank for Alleged AML Failures Following Panama Papers Revelations

Second in a Two-Part Series on the Utility of BSA Filings

In this post, we will once again consider the issue of the utility of Bank Secrecy Act (BSA) filings to the global anti-money laundering/countering the financing of terrorism (AML/CFT) compliance regime. 

In our first blog post in this series, we invited Don Fort, a former Chief of the Internal Revenue Service’s Criminal Investigation (CI) Division, to answer questions on utility of BSA filings from the perspective of law enforcement.  Here, we will discuss two recent publications by industry groups:  one by the Bank Policy Institute, the Financial Technology Association, the Independent Community Bankers of America, the American Gaming Association, and the Securities Industry and Financial Markets Association (collectively, the Associations), and another by the Wolfsberg Group, which is an association of 12 global banks which aims to develop frameworks and guidance for the management of financial crime risks.

The Associations respond to an estimate by the Financial Crime Enforcement Network (FinCEN) concerning the time required to complete a Suspicious Activity Report (SAR).  The Associations’ observations on SAR filing compliance costs are targeted and precise and serve as a good segue into the broader critiques and recommendations made by the Wolfsberg Group regarding overall AML/CFT reporting and how it might be more effective.

Continue Reading  BSA Filings and Their Utility to Law Enforcement:  An Industry Viewpoint

On July 31, 2023, the United States Securities and Exchange Commission (“SEC”) published an alert outlining deficiencies the Division of Examinations has observed in broker-dealers’ (“BD”) compliance with anti-money laundering (“AML”) and countering terrorism financing (“CTF”) requirements.  While the alert addresses overarching compliance requirements for BDs, it focuses on deficiencies the Division of Examinations has observed with regard to independent testing of BDs’ AML programs, personnel training and identification and verification of customers and their beneficial owners.

The alert makes two over-arching observations.  First, BDs “did not appear to devote sufficient resources, including staffing, to AML compliance given the volume and risks of their business.”  Second, the “effectiveness of policies, procedures, and internal controls was reduced when firms did not implement those measures consistently.”  Emphasizing the key elements of an adequate AML program BDs must implement, the Alert then shifts its focus to independent testing and training and customer identification and customer due diligence.

Continue Reading  SEC Issues Alert Outlining Deficiencies in Broker-Dealers’ AML Compliance

On June 16, 2023, Michael J. Hsu, Acting Comptroller of the Currency made remarks to the American Bankers Association (“ABA”) Risk and Compliance Conference in San Antonio, Texas. In his remarks, Hsu discussed both the benefits and risks of artificial intelligence (“AI”) and tokenization. The core of Hsu’s remarks is that, given the rapid innovation of AI and tokenization in banking, banks should closely work with regulators to manage technological risks.

Hsu’s remarks came at the right time. Five days later, and as we discuss below, Google Cloud announced the launch of an AI anti-money laundering program. Early results seem promising, but only time will tell whether Hsu’s remarks concerning AI’s risks prove prophetic.

Continue Reading  Building the Engine Alongside the Brakes: Acting Comptroller Hsu’s Remarks Discuss Impact of Artificial Intelligence and Tokenization in Banking

Enforcement Trends, Crypto, Regulatory Developments — and More

I am very pleased to co-chair again the Practicing Law Institute’s 2023 Anti-Money Laundering Conference on May 16, 2023, starting at 9 a.m. in New York City (the event also will be virtual). 

I am also really fortunate to be working with co-chair Elizabeth (Liz) Boison

On April 13, the State of Wyoming took the extraordinary step of filing a request for permission to intervene in the ongoing dispute between Custodia Bank, Inc. (“Custodia”) and the Board of Governors of the Federal Reserve System (“the Fed”) and the Federal Reserve Bank of Kansas City.  This dispute involves a complaint (now amended) filed by Custodia – a state-chartered special purpose depository institution (“SPDI”) based in Cheyenne, Wyoming – against the Fed and the Federal Reserve Bank of Kansas City, alleging that the defendants improperly denied Custodia’s application for a “master account” with the Fed. Generalizing greatly, having a master account allows financial institutions to operate in the normal course as a custodial bank in the U.S.  Having a Fed master account is therefore critical to any institution looking to operate in the U.S. financial system.

In a nutshell, Wyoming’s request to intervene critiques the defendants because of their “view of perceived inadequacies in Wyoming’s laws and regulations for SPDIs, [which are] partially responsible” for the denial of Custodia’s master account application.  More specifically, Wyoming accuses the defendants of seeking to treat Wyoming SPDIs in an inequitable manner, thereby “treating state-chartered non-federally regulated banks as second-class banks ineligible to compete with federally-regulated ones.”

This blog post focuses on an important issue referenced seemingly in passing in Wyoming’s request for permission to intervene, which is clearly motivating in part the filing by Wyoming:  on March 24, 2023, the Fed made public its January 27, 2023  Order Denying Application for Membership (the “Order”) by Custodia, which had requested the Fed’s approval under Section 9 of the Federal Reserve Act to become a member of the Federal Reserve System.  According to Wyoming, the Fed’s decision to deny Custodia’s application has the effect of preventing Custodia and other Wyoming SPDIs from ever being able to attain the status of federal regulation.  We focus here on the Order because of its much broader anti-money laundering (“AML”) and sanctions implications for any banks which are contemplating targeted services for the digital asset industry.  The 86-page Order is very detailed, and often also discusses safety and soundness concerns, as well as other issues.

As we discuss, the Order suggests that any bank will have a hard time convincing the Fed that crypto-heavy banking services can comply with the requirements of the Bank Secrecy Act (“BSA”) and U.S. sanctions law.  Likewise, the Fed has expressed its skepticism in the Order that blockchain analytics services, even when applied skillfully and with the best of intentions, actually can satisfy the BSA and U.S. sanctions law due to limitations inherent in crypto transactions relating to knowing with confidence who is actually conducting the transactions.  This same issue was also noted by the recent report by the U.S. Treasury regarding perceived AML and sanctions vulnerabilities in decentralized finance providers.

Continue Reading  State of Wyoming Wades Into Custodia Bank Dispute with Federal Reserve — In Wake of Fed’s Rejection of Bank Due to Crypto-Related AML and OFAC Concerns

On December 15, 2022, the New York Department of Financial Services (“NYDFS”) published an Industry Letter detailing the Department’s guidance regarding banking organizations that wish to engage in virtual currency-related activities. Specifically, while the guidance reminds New York banking organizations, branches, and agencies of foreign banking organizations licensed by the Department (together, “Covered Institutions”) of the preexisting obligation to seek approval from the Department before engaging in new or significantly different virtual currency-related activity, the guidance describes the process and types of information that the Department considers relevant to its approval process.  The guidance is effective as of December 15, 2022, and was accompanied by a press release from NYDFS’ Superintendent Adrienne A. Harris.

For the purposes of the Industry Letter, “virtual currency-related activity” includes “all ‘virtual currency business activity,’ as that term is defined in 23 NYCRR § 200.2(q), as well as the direct or indirect offering or performance of any other product, service, or activity involving virtual currency that may raise safety and soundness concerns for the Covered Institution or that may expose New York customers of the Covered Institution or other users of the product or service to risk of harm.”  As we will discuss, any Covered Institution seeking NYDFS approval should focus in part on addressing the Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) and Office of Foreign Asset Control (“OFAC”)-related risks posed by the virtual currency-related activity.

Continue Reading  NYDFS Releases Virtual Currency Guidance for Banking Organizations

The Office of Foreign Assets Control (“OFAC”) announced (here and here) yesterday that virtual currency exchange Payward, Inc. – better known as Kraken – has agreed to pay $362,158.70 in order to settle its potential civil liability for apparent violations of the sanctions against Iran. Kraken also has agreed to invest an additional $100,000 in certain sanctions compliance controls.  According to OFAC, “[d]ue to Kraken’s failure to timely implement appropriate geolocation tools, including an automated internet protocol (IP) address blocking system, Kraken exported services to users who appeared to be in Iran when they engaged in virtual currency transactions on Kraken’s platform.” 

Compared to OFAC’s recent settlement with Bittrex, which agreed to pay a total of $29,280,829.20 to OFAC and the Financial Crimes Enforcement Network (“FinCEN”) in order to resolve allegations of sanctions and Bank Secrecy Act violations, the settlement amount is relatively low – and, as OFAC noted in its announcement, Kraken faced an astronomical statutory maximum civil monetary penalty of $272,228,964.  OFAC has stated that “[t]he settlement amount reflects OFAC’s determination that Kraken’s apparent violations were non-egregious and voluntarily self-disclosed.”

Continue Reading  Kraken Settlement Demonstrates Importance of Sanctions Monitoring for Transactions — Not Just When Onboarding Customers

Actions Highlight Risky Mix of Sanctions Law, Inadequate Transaction Monitoring and Dealing with Anonymity-Enhanced Cryptocurrencies

The Office of Foreign Assets Control (“OFAC”) and the Financial Crimes Enforcement Network (“FinCEN”) announced on October 11 simultaneous settlements with Bittrex, Inc. (“Bittrex”), a virtual currency exchange and hosted wallet provider. Under the OFAC settlement, Bittrex has agreed to pay $24,280,829.20 to settle its potential civil liability for 116,421 alleged violations of multiple sanctions programs. Under the FinCEN consent order, Bittrex agreed to pay a civil penalty of $29,280,829.20 for alleged anti-money laundering (“AML”) violations under the Bank Secrecy Act (“BSA”). FinCEN has agreed to credit Bittrex’s payment to OFAC against its penalty because it found that the alleged BSA violations “stem from some of the same underlying conduct”; thus, Bittrex’s total payments to the two regulators come to $29,280,829.20. 

According to the Department of the Treasury dual press release, the two settlements represent the first parallel enforcement actions by FinCEN and OFAC in the virtual currency and sanctions space. Also, it is OFAC’s largest virtual currency enforcement action to date. To further highlight the importance of the settlements, the press release quotes the OFAC Director Andrea Gacki and FinCEN Acting Director Himamauli Das, both sternly warning operators in the same environment as Bittrex to implement effective AML compliance and sanction screening programs.

It is conceivable that Bittrex, for years now, has been on notice that federal and state regulators are closely watching and expecting more comprehensive risk assessment programs and procedures from businesses transacting with virtual currency. As we previously blogged here, in 2019 the New York Department of Financial Services (“NYDFS”) denied Bittrex’s application for a Bitlicense, citing: “deficiencies in Bittrex’s BSA/AML/OFAC compliance program; a deficiency in meeting the Department’s capital requirement; and deficient due diligence and control over Bittrex’s token and product launches.”  In its letter denying Bittrex’s application, NYDFS set forth in detail the deficiencies it found in Bittrex’s BSA/AML/OFAC compliance program, noting that Bittrex’s compliance policies and procedures “are either non-existent or inadequate.”

As we will discuss, the FinCEN consent order highlights Bittrex’s alleged failure to address adequately the overall risk environment in which it operated, including transactions involving anonymity-enhanced cryptocurrencies, or AECs.  The consent order also highlights two repeated themes in enforcement actions: lack of adequate compliance staff, and a seemingly robust written compliance policy that was not matched by an effective day-to-day transaction monitoring system.

Continue Reading  OFAC and FinCEN Settle with Bittrex in Parallel Virtual Currency Enforcements

With Guest Speaker Matthew Haslinger of M&T Bank

We are extremely pleased to offer a podcast (here) on the legal and logistical issues facing financial institutions as they implement the regulations issued by the Financial Crimes Enforcement Network (FinCEN) pursuant to the Anti-Money Laundering Act of 2020 (AMLA) and the Corporate Transparency Act