On July 23, FinCEN issued a final rule pursuant to Section 311 of the USA PATRIOT Act to impose “special measure five” against FBME Bank Ltd. (“FBME”), formerly known as the Federal Bank of the Middle East. Special measure five prohibits U.S. financial institutions from opening or maintaining correspondent accounts or payable through accounts for or on behalf of FBME. The action follows a July 17, 2014 notice of proposed rulemaking in which FinCEN stated that it had found FBME to be of primary money laundering concern under Section 311 and issued a related notice of proposed rulemaking (NPRM) proposing the imposition of special measure five against FBME. Supporting the proposed rule were the following factors: (i) FBME is used by its customers to facilitate money laundering, terrorist financing, transnational organized crime, fraud, sanctions evasion, and other illicit activity internationally and through the U.S. financial system; (ii) FBME has systemic failures in its anti-money laundering controls that attract high-risk shell companies, that is, companies formed for the sole purpose of holding property or funds and that do not engage in any legitimate business activity; and (iii) FBME performs a significant volume of transactions and activities that have little or no transparency and often no apparent legitimate business purpose. The final rule will be effective 30 days after its publication date in the Federal Register.
On July 24, OCC Comptroller Curry delivered remarks before the New England Council in Boston, MA regarding the risks that financial institutions face today. Rising interest rates and regulatory compliance were two of the three risks discussed. Curry emphasized that the inevitable rise in interest rates could greatly affect loan quality, particularly loans that were not carefully underwritten to begin with, and that ”[l]oans that are typically refinanced, such as leveraged loans,” would be particularly severely affected. Recognizing the impact that Dodd-Frank continues to have on banks, Curry said that financial institutions face two categories of risk from new regulations: (i) “banks run afoul of the new regulations, possibly damaging their reputations and subjecting themselves to regulatory penalties”; and (ii) banks devote their time and money to regulatory compliance, rather than putting those resources toward serving their customers and communities. The final and “perhaps the foremost risk facing banks today,” according to Curry, is cyber threats. Curry outlined the agency’s efforts to curtail cyber intrusion in the banking industry, highlighting the June 30 release of its Semiannual Risk Assessment and the creation of a Cybersecurity and Critical Infrastructure Working Group, which was designed to (i) increase cybersecurity awareness; (ii) promote best practices; and (iii) strengthen regulatory oversight of cybersecurity readiness. Curry noted, however, that information-sharing is just as important as self-assessment and supervisory oversight: “We strongly recommend … that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center, a non-profit information-sharing forum established by financial services industry participants to facilitate the sharing of physical and cyber threat and vulnerability information.” Collaboration among banks of all sizes and non-bank providers, Curry stated, can be a “game-changer” in more ways than one: “By promoting the discovery of common interests and common responses to the risks that you face in your businesses and we all face together, you provide an invaluable service to New England and to the United States.”
On July 21, a leading China-based bank agreed to address deficiencies in connection with the BSA/AML risk management and compliance program of its New York branch office. The Agreement, entered into with the Federal Reserve Bank of New York and the New York State Department of Financial Services, requires the bank and its New York branch to (i) enhance the branch’s written BSA/AML compliance program and customer due diligence program; and (ii) develop a written program for the branch that is capable of identifying and reporting suspected violations of law and suspicious transactions to law enforcement and supervisory authorities. In addition, the bank must hire an independent third-party to review the Branch’s U.S. dollar clearing transaction activity “to determine whether suspicious activity involving high-risk customers or transactions at, by, or through the branch was properly identified and reported” to the appropriate federal banking authorities. No civil money penalty was imposed on the bank.
FDIC and California Department of Business Oversight Levy $140 Million Penalty Against California Bank for Ongoing BSA/AML Deficiencies
On July 22, the FDIC, along with the Commissioner of the California Department of Business Oversight (“DBO”), announced the assessment of a $140 million civil money penalty against a California state-chartered bank to resolve allegations that it failed to implement and maintain an adequate BSA/AML Compliance Program over an extended period of time. In 2012, the bank entered a consent order with the FDIC and the DBO (fka California Department of Financial Institutions), requiring that it “address the weaknesses and correct deficiencies” in its BSA and AML programs. According to the DBO, the bank has since failed to implement the corrective actions stipulated in the consent order, which required the bank to, among other things, (i) establish internal controls to “detect and report illicit financial transactions and other suspicious activities”; (ii) hire a qualified BSA officer and sufficient staff; (iii) provide adequate BSA training; and (iv) conduct effective independent testing. Additionally, since the 2012 consent order, the DBO and FDIC have discovered “new, substantial violations of the BSA and anti-money laundering mandates over an extended period of time.” Under terms of the joint order, the bank will pay $40 million to the DBO and $100 million to the Department of the Treasury to satisfy the full $140 million penalty.
On July 15, the Wage and Hour Division of the Department of Labor (DOL) issued guidance to employers in determining whether a worker should be classified as an employee or independent contractor under the Fair Labor Standards Act (FLSA). The Guidance first noted the “problematic trend” in misclassifying workers as independent contractors and the potential adverse effects of such misclassification, including the loss of workplace protections such as minimum wage, overtime compensation, unemployment insurance, and workers’ compensation, as well as the loss of tax revenues and the creation of an uneven playing field for employers. Beginning with the expansive FLSA definition of “employ” and applying a detailed six factor “economic realities” test, rather than a narrower common law control test, the Guidance concludes that most workers are employees under the FLSA’s broad definitions.
On July 14, Deputy Secretary of the Treasury Sarah Bloom Raskin delivered remarks at the American Bankers Association Summer Leadership meeting in Baltimore. Speaking on cybersecurity and cyber-resiliency in banking and the financial sector generally, Raskin’s remarks continued her December 2014 remarks in Austin at the Executive Leadership Cybersecurity Conference regarding three main areas, including (i) baseline protections, (ii) information sharing, and (iii) response recovery. According to Raskin, since December the growing number of cyberattacks – including against health insurers and the federal government’s Office of Personnel Management – has made the government and public more mindful of the serious threat posed by cyberattacks. Accordingly, cybersecurity has seen a “profoundly positive cultural change,” moving beyond just the purview of IT specialists. Deputy Secretary Raskin’s most recent remarks added 10 follow-up questions for banks and financial entities to consider, including whether cybersecurity is incorporated into the bank’s governance systems, security controls are tailored to specific cyber risks presented (as opposed to a “one-size fits all” approach), enhanced controls are implemented and adequate training provided, and basic “cyber hygiene” practices (including multi-factor authentication) are followed. Raskin also emphasized the need to appropriately tailor cyber risk insurance.
On July 13, CFPB Director Richard Cordray delivered remarks at the White House Conference on Aging, expressing the need to protect older consumers in light of recent studies that have found that financial exploitation is the most prevalent form of elder abuse. Accordingly, Cordray revealed that the Bureau intends to issue an advisory “later this year” to assist financial institutions with preventing, recognizing, and reporting elder financial abuse, adding that “[f]inancial institutions are especially well-positioned” to prevent fraud, scams, or theft that victimize seniors.
Update: OFAC Releases Guidance on the Continuation of Certain Temporary Sanctions Relief Under the JPOA
On July 10, the P5 + 1, and Iran agreed to extend the JPOA for three days to further negotiations in reaching a comprehensive solution surrounding Iran’s nuclear program. As a result, OFAC issued updated guidance informing that all JPOA sanctions relief detailed in the Guidance, FAQs, and Statement of License Policy issued in November 2014 has been extended through July 13, 2015. This updated guidance replaces guidance previously issued by OFAC on July 7, 2015.
Update: OFAC Releases Guidance on the Continuation of Certain Temporary Sanctions Relief Under the JPOA
On July 7, the P5 + 1, EU, and Iran agreed to extend the JPOA for three days to further negotiations in reaching a comprehensive solution surrounding Iran’s nuclear program. As a result, OFAC issued updated guidance informing that all JPOA sanctions relief detailed in the Guidance, FAQs, and Statement of License Policy issued in November 2014 has been extended through July 10, 2015. This updated guidance replaces guidance previously issued by OFAC on June 30, 2015.
Federal Reserve Orders Bank Holding Company to Strengthen its Firmwide Risk Management, Cites Capital Planning and Liquidity Risk Deficiencies
On July 7, the Board of Governors announced the execution of an enforcement action against a Boston-based bank holding company over deficiencies identified by the Federal Reserve Bank of Boston concerning the company’s governance, risk management, capital planning, and liquidity risk management operations. Pursuant to the Agreement, within 60 days of its execution the company must submit written plans detailing their efforts to strengthen board oversight of the company’s management and operations, bolster the risk management program, improve capital planning to match the company’s size and complexity, and strengthen liquidity risk management. No civil money penalty was imposed on the company.
Federal Banking Agencies Reveal Location For Latest EGRPRA Outreach Meeting Highlighting Rural Banking Issues
On July 6, federal banking agencies – the Board of Governors, FDIC, and OCC – announced the date and location of the latest outreach meeting under the Economic Growth and Regulatory Paperwork Reduction Act (EGRPRA). Scheduled for August 4 at the Federal Reserve Bank of Kansas, the upcoming meeting will examine rural banking issues and will feature remarks from agency officials. This is the fourth of six scheduled outreach meetings around the country focused on identifying newly issued, outdated, or burdensome regulatory requirements imposed on financial institutions.
Financial Action Task Force Issues Guidance Urging Risk-Based Approach to Virtual Currencies and Services
On June 29, the Financial Action Task Force (FATF) issued a report, Guidance for a Risk-Based Approach to Virtual Currencies,part of a staged approach focusing on the points of intersection that provide gateways to the regulated financial system, in particular, convertible virtual currency exchangers. The Guidance explains the application of the risk-based approach to AML/CFT measures in the virtual currency context, identify the entities involved in virtual currency payment products and services (VCPPS), and clarify the application of the relevant FATF Recommendations to convertible virtual currency exchangers. The guidance provides, among other things, recommendations and encourages member nations to adopt regulations and guidelines similar to those applicable to traditional financial institutions to reduce risk exposure to the banking system.
As previously covered in InfoBytes, on June 30, the FFIEC released a Cybersecurity Assessment Tool (Assessment) to provide a “repeatable and measurable process” for financial institutions to measure their cybersecurity readiness. The Assessment aims to help financial institutions determine their cybersecurity preparedness and make informed decisions regarding their risk management practices. In addition to the Assessment, the FFIEC also released an executive overview, a user’s guide, a pre-recorded webinar, a glossary of terms, and appendices to assist financial institutions in understanding supervisory expectations, increasing awareness of cybersecurity risks, and assessing and mitigating the threats facing their institutions. As an interagency body representing the Fed, FDIC, OCC, CFPB, and the NCUA, the FFIEC prescribes uniform principles, standards, and reporting forms for the federal examination of financial institutions, and makes recommendations to promote uniformity in the supervision of financial institutions.
On June 30, the P5 + 1, European Union, and Iran agreed to extend the Joint Plan of Action for seven days, furthering negotiations to reach a solution to reduce Iran’s nuclear program. In conjunction with the announcement of the seven day extension, OFAC published Guidance on the Continuation of Certain Temporary Sanctions Relief Implementing the Joint Plan of Action, as Extended. The guidance continues the JPOA sanctions relief period, provided in November 2014 as implemented via Guidance, FAQs, and Statement of Licensing Policy, from June 30 through July 7, 2015.
On June 22, the federal banking agencies issued a joint final rule that modifies the mandatory purchase of flood insurance regulations to implement some provisions of the Biggert-Waters and Homeowner Flood Insurance Affordability Acts. Notable highlights include that the final rule, among other things: (i) expands escrow requirements for lenders who do not qualify for a small lender exception, (ii) clarifies the detached structure exemption, (iii) introduces new and revised sample notice forms and clauses relating to the escrow requirement and the availability of private flood insurance, and (iv) clarifies the circumstances under which lenders and servicers may charge borrowers for lender-placed flood insurance coverage. The escrow provisions and sample notice forms will become effective on January 1, 2016, and all other provisions will become effective October 1, 2015. The agencies reminded that the escrow provisions in effect on July 5, 2012, the day before Biggert-Waters was enacted, will remain in effect and be enforced through December 31, 2015.
The agencies also indicated that they plan to address Biggert-Waters’ private flood insurance provisions through a separate rulemaking.