As previously covered in InfoBytes, on June 30, the FFIEC released a Cybersecurity Assessment Tool (Assessment) to provide a “repeatable and measurable process” for financial institutions to measure their cybersecurity readiness. The Assessment aims to help financial institutions determine their cybersecurity preparedness and make informed decisions regarding their risk management practices. In addition to the Assessment, the FFIEC also released an executive overview, a user’s guide, a pre-recorded webinar, a glossary of terms, and appendices to assist financial institutions in understanding supervisory expectations, increasing awareness of cybersecurity risks, and assessing and mitigating the threats facing their institutions. As an interagency body representing the Fed, FDIC, OCC, CFPB, and the NCUA, the FFIEC prescribes uniform principles, standards, and reporting forms for the federal examination of financial institutions, and makes recommendations to promote uniformity in the supervision of financial institutions.
Financial Action Task Force Issues Guidance Urging Risk-Based Approach to Virtual Currencies and Services
On June 29, the Financial Action Task Force (FATF) issued a report, Guidance for a Risk-Based Approach to Virtual Currencies, part of a staged approach focusing on the points of intersection that provide gateways to the regulated financial system, in particular, convertible virtual currency exchangers. The Guidance explains the application of the risk-based approach to AML/CFT measures in the virtual currency context, identifies the entities involved in virtual currency payment products and services (VCPPS), and clarifies the application of the relevant FATF Recommendations to convertible virtual currency exchangers. The Guidance provides, among other things, recommendations and encourages member nations to adopt regulations and guidelines similar to those applicable to traditional financial institutions to reduce risk exposure to the banking system.
On June 30, the P5 + 1, European Union, and Iran agreed to extend the Joint Plan of Action for seven days, furthering negotiations to reach a solution to reduce Iran’s nuclear program. In conjunction with the announcement of the seven-day extension, OFAC published Guidance on the Continuation of Certain Temporary Sanctions Relief Implementing the Joint Plan of Action, as Extended. The guidance continues the JPOA sanctions relief period, provided in November 2014 as implemented via Guidance, FAQs, and Statement of Licensing Policy, from June 30 through July 7, 2015.
On June 22, the federal banking agencies issued a joint final rule that modifies the mandatory purchase of flood insurance regulations to implement some provisions of the Biggert-Waters and Homeowner Flood Insurance Affordability Acts. Among other things, the final rule: (i) expands escrow requirements for lenders who do not qualify for a small lender exception, (ii) clarifies the detached structure exemption, (iii) introduces new and revised sample notice forms and clauses relating to the escrow requirement and the availability of private flood insurance, and (iv) clarifies the circumstances under which lenders and servicers may charge borrowers for lender-placed flood insurance coverage. The escrow provisions and sample notice forms will become effective on January 1, 2016, and all other provisions will become effective October 1, 2015. The agencies issued a reminder that the escrow provisions in effect on July 5, 2012, the day before Biggert-Waters was enacted, will remain in effect and be enforced through December 31, 2015.
The agencies also indicated that they plan to address Biggert-Waters’ private flood insurance provisions through a separate rulemaking.
OCC Releases Semiannual Report Highlighting Key Risks Facing National Banks and Federal Savings Associations
Today, the OCC announced the release of its semiannual report, Semiannual Risk Perspective for Spring 2015, highlighting key risk areas affecting national banks and federal savings associations. Based on 2014 year-end data, the report identifies issues that pose a potential threat to the safety and soundness of banks and thrifts. It also sets forth the OCC’s supervisory priorities for the next 12 months, including, among others, (i) cybersecurity awareness and preventative controls, (ii) Bank Secrecy Act/Anti-Money Laundering compliance, (iii) fair access to credit, and (iv) underwriting practices, particularly with respect to leveraged loans, indirect auto lending, HELOCs, and credit related to the oil and gas sector. The report also notes declining revenues and profitability overall in OCC-supervised institutions.
Today, FinCEN announced the assessment of a civil money penalty against a Los Angeles-based Money Services Business (MSB) and its owner for alleged violations of the Bank Secrecy Act (BSA). During a 2011 examination of the MSB, FinCEN determined that, from October 1, 2010 through the present, the MSB knowingly violated the BSA by failing to (i) establish and ensure ongoing compliance with an adequate AML program; (ii) provide adequate training; and (iii) conduct independent testing of its compliance program. In addition, the MSB violated the BSA’s reporting requirements by failing to “file required currency transaction reports (“CTRs”) on all of its reportable transactions during the examination scope period,” and continued to file untimely CTRs even after the examination scope period ended on March 31, 2011. Finally, FinCEN expressed concern over the MSB owner’s failure to disclose that the MSB “frequently exchanged check for cash with another MSB, an arrangement known as ‘wholesaling’ or ‘bulk check cashing.’” According to the assessment document, the MSB’s owner, who was also the designated AML compliance officer, participated in the BSA violations by failing to accept his responsibility to “ensure that [an] AML program was in place, was effective, and was followed.” To resolve FinCEN’s allegations, the MSB and its owner admitted to violating the BSA program and its reporting requirements and will pay a civil money penalty of $60,000.
Today, the DOJ unsealed an eighteen-count indictment in Brooklyn, New York charging a Turkish citizen (Defendant) with organizing worldwide cyberattacks against at least three U.S. payment processors’ computer networks. The Defendant’s organization allegedly used “sophisticated intrusion techniques” to hack the computer systems, stealing prepaid debit card data and subsequently using the stolen data to make ATM withdrawals in which standard withdrawal limits were manipulated to allow for greater withdrawals. According to the indictment, the Defendant managed a group of co-conspirators responsible for distributing the stolen card information to “cashing crews” around the world, who then used the information to conduct tens of thousands of fraudulent ATM withdrawals and fraudulent purchases. Within two days – February 27 and 28, 2011 – the DOJ alleges that the “cashing crews withdrew approximately $10 million through approximately 15,000 fraudulent ATM withdrawals in at least 18 countries.” The remaining two operations, occurring in late 2012 and early 2013, resulted in ATM withdrawals of roughly $5 million and $40 million, respectively. The Defendant, along with other high-ranking members of the conspiracy, received the funds from the fraudulent operations via wire transfer, electronic currency, and personal delivery of U.S. and foreign currency. The Defendant was arrested in Germany on December 18, 2013, and was extradited to the United States on June 23, 2015. The charges against the Defendant follow previous charges against members of the conspiracy, including the arrest of a member of the New York cashing crew.
On June 23, the Board of Governors announced the execution of an enforcement action against a California-based community bank over BSA/AML deficiencies. According to the Cease and Desist Order, the deficiencies were identified by the Federal Reserve Bank of San Francisco and the California Department of Business Oversight. The Order directs the Bank to submit written plans outlining its efforts to strengthen its BSA/AML risk management program, including customer due-diligence and suspicious activity monitoring and reporting policies and procedures. In addition, the Bank must retain an independent third party to conduct a review of account and transaction activity affiliated with any high-risk customer and foreign branch accounts conducted at, by, or through the Bank from July 2014 through December 2014. No civil money penalty was imposed on the Bank.
On June 19, the OCC released recent enforcement actions taken against national banks, federal savings associations, and individuals currently or formerly affiliated with national banks and federal savings associations. Among the actions was the issuance of a consent order for a civil money penalty against a national bank for allegedly violating the Federal Trade Commission Act. During its investigation, the OCC discovered deficiencies relating to the bank’s billing and marketing practices, specifically with regard to identity protection and debt cancellation products. According to the consent order, since April 2004, the bank, along with an identity protection product vendor, marketed and sold various types of identity theft protection products to its customers. Before customers could access the credit monitoring service of the identity theft product, they “were required to provide sufficient personal verification information and consent before their credit bureau reports could be accessed.” However, the OCC found that the vendor (i) billed the bank’s customers the full fee for the products, even if they were not receiving all of the credit monitoring services; (ii) billed the customers prior to receiving the customers’ information and consent and establishment of credit monitoring; and (iii) failed to ensure that customers received electronic benefit notifications. The bank retained a portion of the fees that the customers paid. Additionally, the bank’s vendors incorrectly informed customers during telemarketing calls that only one of the products offered had the ability to access identity protection benefits electronically. As a result, some customers purchased the more expensive Enhanced Identity Theft Protection, as opposed to the less expensive Identity Theft Protection, under the mistaken belief that this was the only way they could access the product’s benefits online. 
Finally, the OCC also alleged that, from August 2005 through November 2013, the bank’s debt cancellation product vendor’s billing practices, which posted recurring payments on the same day of the month regardless of the payments’ due dates, resulted in some customers paying recurring late fees. The bank will pay $4,000,000 to resolve the OCC’s allegations.
On June 18, FinCEN’s Associate Director for Enforcement, Stephanie Brooker, delivered remarks at the Bank Secrecy Act Conference, focusing on three main areas: (i) BSA filing trends, the value of BSA data, and compliance development in the casino industry over the past year; (ii) FinCEN’s enforcement approach and recent enforcement developments; and (iii) the significance of establishing and maintaining a culture of compliance throughout the business and compliance sides of casinos and card clubs. In addition, Brooker noted certain principles at the core of FinCEN’s enforcement program: (i) transparency in the agency’s rationale behind its enforcement actions; (ii) accountability, ensuring that financial institutions, and any individual related to the financial institution, take responsibility for violations of the BSA; and (iii) giving credit where credit is due by considering an institution’s “documented improvements in AML compliance over time.” Finally, Brooker stressed that in order for a financial institution to successfully maintain a culture of compliance, its business side and business leaders must take AML controls and BSA compliance seriously, meaning that “every casino employee, from the top down, views AML compliance as part of his or her responsibility.”
On June 15, FinCEN announced a $4.5 million civil money penalty against a West Virginia-based bank for alleged violations of the BSA from 2008 through 2013. According to the Assessment of Civil Money Penalty, the bank failed to monitor, detect, and report suspicious activity as a result of an inadequate AML and customer due diligence program, ultimately allowing over $9.2 million in structured and otherwise suspicious cash transactions to pass through the financial institution unreported. FinCEN found that the bank failed to establish and maintain an AML program that provided, at a minimum: (i) a system of internal controls to ensure ongoing compliance; (ii) a designated individual or individuals responsible for coordinating and monitoring day-to-day compliance; (iii) independent testing for compliance to be conducted by either an outside party or bank personnel; and (iv) training for appropriate personnel. FinCEN’s enforcement action and $4.5 million civil money penalty against the bank are concurrent with a $3.5 million penalty imposed by the FDIC, of which $2.2 million is concurrent with a forfeiture pursuant to a deferred prosecution agreement with the U.S. Attorney’s Office for the Southern District of West Virginia.
On June 12, the OCC announced an improvement to the public’s ability to access information online concerning business combination corporate applications submitted by national banks and federal savings associations. The enhanced online access, which is now accessible via the agency’s homepage and licensing page, allows the public to submit and view comments on business combination applications on a single page. In addition, the single page provides links to a public copy of the corporate application, supplemental material filed by the applicant, and a location for individuals to view and submit comments.
Recently, the Federal Reserve submitted to Congress its 2015 Annual Performance Plan, which sets forth the Board’s planned projects, initiatives, and activities for the upcoming year. The Plan, which complements the Federal Reserve’s Strategic Framework 2012-15, outlines planned activities in the following six areas aimed at assisting the Board in meeting its strategic framework’s long-term objectives: (i) supervision, regulation, and monitoring risks to financial stability; (ii) data governance; (iii) facilities infrastructure; (iv) human capital; (v) management process; and (vi) cost reduction and budgetary growth. Among its initiatives, the Board aims to continue building an interdisciplinary infrastructure for supervision, regulation, and monitoring of risks to financial stability. In addition, the Board’s staff plans to develop “analytical tools” that enhance the Board’s understanding of evolving market structures and practices, including changes in risk-management practices and incentives for financial institutions to appropriately manage risk exposures. With respect to the supervision of individual institutions, the report highlights the Board’s intent to develop supervisory approaches for community and regional banks, as well as for savings and loan holding companies, that “identify and support taking action against early warning indicators of outlier risk.”
On June 9, six federal agencies – the Federal Reserve, CFPB, FDIC, NCUA, OCC, and the SEC – issued a final interagency policy statement creating guidelines for assessing the diversity policies and practices of the entities they regulate. Mandated by Section 342 of the Dodd-Frank Act, the final policy statement requires the establishment of an Office of Minority and Women Inclusion at each of the agencies and includes standards for the agencies to assess an entity’s organizational commitment to diversity, workforce and employment practices, procurement and business practices, and practices to promote transparency of diversity and inclusion within the organization. The final interagency guidance incorporates over 200 comments received from financial institutions, industry trade groups, consumer advocates, and community leaders on the proposed standards issued in October 2013. The final policy statement will be effective upon publication in the Federal Register. The six agencies also are requesting public comment, due within 60 days following publication in the Federal Register, on the information collection aspects of the interagency guidance.
On June 1, a Boston-based international financial services holding company and its banking subsidiary agreed to address deficiencies in how they manage compliance risks with respect to their BSA/AML compliance program. The Agreement, entered into with the Federal Reserve Bank of Boston and the Massachusetts Division of Banks, requires both entities to submit a written plan outlining their efforts to improve their compliance with OFAC and internal controls, customer due-diligence procedures, and suspicious activity monitoring and reporting, among other things. In addition, the banking subsidiary must hire an independent third-party to review account and transaction activity during a specified period to ensure suspicious activity was properly identified and reported.
In a separate enforcement action, the Federal Reserve Bank of Chicago entered into an agreement on May 26 with an Illinois-based financial services company, requiring the parent company and its banking subsidiary to, among other things, submit written plans to (i) strengthen their BSA/AML compliance risk management program; and (ii) “ensure the identification and timely, accurate, and complete reporting of suspicious transactions to the appropriate law enforcement and supervisory [banking] authorities.” No civil money penalties were imposed in either enforcement action.