Recently, FinCEN announced a $1 million civil money penalty against the former Chief Compliance Officer (CCO) of a large financial services company for allegedly violating the Bank Secrecy Act (BSA) and its implementing regulations. In its complaint, FinCEN alleges that the CCO, from 2003 through 2008, failed to implement and maintain an effective AML program and file timely Suspicious Activity Reports as required by the BSA. As a result, the company’s money transfer system was used to carry out fraudulent activities causing customers to incur substantial losses. In addition to the penalty, FinCEN is seeking to prohibit the former CCO from participating, directly or indirectly, in the affairs of any financial institution.
On March 23, Department of the Treasury’s OFAC announced a settlement agreement with a large money services business (MSB) for failing to implement an effective compliance program “to identify, interdict, and prevent transactions in apparent violation of the sanctions programs administered by OFAC.” According to the settlement, prior to the MSB’s 2013 “long term solution” to screen its transactions in real time against OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”), deficiencies in the company’s transaction monitoring compliance procedures allowed for the processing of hundreds of transactions with OFAC-sanctioned individuals and countries. Specifically, OFAC alleged that from October 20, 2009 to April 1, 2013, the MSB processed over 100 transactions to or from an account registered to an individual on the SDN List because its “automated interdiction filter” did not initially identify the account holder as a potential match to the SDN List, and when it did, the MSB Operations Agents dismissed alerts on six separate occasions after failing to obtain or review documentation corroborating the identity of the SDN. Under the terms of the agreement, the MSB will (i) pay over $7 million to the Department of the Treasury and (ii) within six months, provide OFAC a summary of the company’s current policies and procedures as they relate to screening transactions and/or customers” to ensure compliance with OFAC regulations.
Special Alert: CSBS Issues Policy, Draft Model Regulatory Framework, and Request for Comment Regarding State Regulation of Virtual Currency
On December 16, 2014, the Conference of State Bank Supervisors (“CSBS”) issued a Policy on State Regulation of Virtual Currency (the “Policy”), Draft Model Regulatory Framework, and a request for public comment regarding the regulation of virtual currency. The Policy and Draft Model Regulatory Framework were issued through the work of the CSBS Emerging Payments Task Force (the “Task Force”). The Task Force was established to explore the nexus between state supervision and the development of payment systems and is seeking to identify where there are consistent regulatory approaches among states.
As a result of its work to date, the Policy recommends that “activities involving third party control of virtual currency, including for the purposes of transmitting, exchanging, holding, or otherwise controlling virtual currency, should be subject to state licensure and supervision.” The Policy states that state regulators have determined certain activities involving virtual currency raise concerns in three areas: consumer protection, marketplace stability, and law enforcement. Read more…
While 2014 is closing out with worldwide cyber-threats, at BuckleySandler, we’re going to close out our first year publishing Digital Insights & Trends on an optimistic note. Looking forward, we welcome a mobile payments development that could be cause for cyber-celebration in 2015 and the years to follow.
As financial services lawyers, we usually navigate the regulatory concerns of e-commerce providers in the financial sector for a clientele of banks, other financial institutions and technology companies. But we are keenly aware that access to financial services is vital even for those without access to traditional banks. This reality, referred to as the “unbanked” problem, has preoccupied financial service providers (and consumer advocates, and policymakers) for decades. Mobile payment technology may be the solution. Read more…
On December 18, Superintendent Lawsky delivered remarks regarding New York’s revised proposal for regulating virtual currency companies. The new proposal stems from the original July 17 proposal and includes certain revisions previously alluded to on October 17. Lawsky noted that the revisions will provide flexibility to virtual currency startups, while simultaneously allowing the New York Department of Financial Services to remain committed to protecting consumers. Most notably, the revised regulation “will offer a two-year transitional BitLicense, which may be issued to those firms who are unable to satisfy all of the requirements of a full license, and will be tailored to startups and small businesses.” According to Lawsky, while the companies will still have to abide by anti-money laundering and consumer protection requirements, the revisions are intended to “strike an appropriate balance between permitting innovation to proceed, while at the same time strongly protecting consumers and helping root out illicit activity.”
On November 13, the CFPB held a field hearing in Delaware to discuss its proposed rule regarding prepaid products. The proposal, which would amend Regulation E and Regulation Z, requires prepaid companies to provide certain protections under federal law.
In his opening remarks, Director Cordray noted that the many prepaid card consumers are some of the most economically vulnerable among us and that such cards have few, if any, protections under federal consumer financial law. Cordray outlined the reasons the Bureau’s proposed rule would “fill key gaps” for consumers. First, the proposed rule would provide consumers free and easy access to account information. Second, the proposed rule would mandate that financial institutions work with consumers to investigate any errors on registered cards. Third, the proposed rule would protect consumers against fraud and theft. Fourth, the rule includes “Know Before You Owe” prepaid disclosures, which would highlight key costs associated with the cards. Fifth, where prepaid card providers also extend credit to consumers such offers would be treated the same as credit cards under the law.
On November 10, FinCEN released a statement to reiterate that banking organizations can serve Money Services Businesses (MSB) while meeting obligations under the Bank Secrecy Act. FinCEN noted that there is concern that banks may be terminating the accounts of MSBs on a wholesale basis because of potential regulatory scrutiny and that as a result MSBs are losing access to banking services. FinCEN stated that they do “not support the wholesale termination of MSB accounts without regard to the risks presented or the bank’s ability to manage the risk.” Rather, the risks presented by a given MSB can vary and, therefore, financial institutions should assess the risks on a case-by-case basis. FinCEN expects that banking organizations will manage the risks associated with MSB accounts and are committed to addressing the “wholesale de-banking of an important part of the financial system.”
On November 2, New York Superintendent Lawsky delivered remarks at the Money 20/20 Conference on the state’s virtual currency and Bitcoin regulation. In October, Lawsky publicly stated that, as a result of the comments received on New York’s proposed BitLicense framework, there would be important changes made to the July 17 proposal. This week, on behalf of the NYDFS, Lawsky announced that additional changes are being considered to address “concern about the compliance costs of regulation on new or fledging virtual currency enterprises.” Specifically, Lawsky introduced the concept of a Transitional BitLicense, which would allow certain small, money transmitting startups to begin operating without huge compliance costs. Lawsky noted four main factors the NYDFS would consider when deciding whether or not to grant a Transitional BitLicense: (i) the nature and scope of the business and the associated risks for consumers; (ii) projected transactional and business volume; (iii) registration status as a Money Services Business with FinCEN; and (iv) previously established mitigating risk controls.
Recently, the Payment Card Industry (PCI) Security Standards Council published guidance to help organizations strengthen their security awareness. The guidance, developed by retailers, banks, and technology providers, details three recommendations for implementing a security awareness program: (i) Assembling a security awareness team, (ii) Developing appropriate security awareness content for your organization, and (iii) Creating a security awareness checklist. The PCI Security Standards Council is an open global forum comprised of more than 650 organizations, including banks, merchants, processors, and vendors, responsible for the development, management, education, awareness, and standards to increase payment data security.
On November 3, a large financial services company announced the rollout of its Token Service (Service) for online, mobile app, and in-store mobile purchases. The Service is designed to increase security and reduce magnetic-stripe card fraud. Based on EMVCo’s Payment Tokenization Specification and Technical Framework, the Service offers four main features: (i) token vault to store and designate tokens; (ii) ability to issue tokens; (iii) lifestyle management services to manage tokens; and (iv) anti-fraud and risk management services for institutions issuing the cards. The Service is currently available in the U.S. and is scheduled to launch internationally in 2015.
On October 28, the Federal Reserve announced its final rule to amend Regulation HH, standards for financial market utilities (FMUs) that have been designated as systemically important by the FSOC. The new rule will implement a common set of risk-management standards for all designated FMUs and revise certain definitions. Further, the Fed also announced final revisions to part 1 of its Federal Reserve Policy on Payment System Risk. The final rule and revisions to the policy are based on the Principles for Financial Market Infrastructures, which were developed jointly by the Committee on Payment and Settlement Systems and the International Organization of Securities Commissions. Specifically, the amendments and revisions will establish (i) separate standards to address credit risk and liquidity risk; (ii) new plans for recovery and orderly wind-down; (iii) new standards on general business risk and on tiered participation arrangements; and (iv) increased requirements on transparency and disclosure. The final rule will be effective on December 31, 2014. FMUs have until December 31, 2015 to comply with specific additional requirements set forth in the rule.
On October 14, Superintendent Lawsky delivered remarks on virtual currency and Bitcoin regulation in New York City. Specifically, Lawsky addressed the comments received in connection with the DFS’s July 17 proposal to establish a licensing regime for virtual currency businesses. Lawsky clarified the following five areas of concern: (i) who will be required to obtain a BitLicense; (ii) which type of license, money transmitter and/or virtual currency, a business will be required to obtain, confirming that, if both are required, the application process will be streamlined; (iii) the requirements that banks providing virtual currency services will need to comply with; (iv) the regulation of mining when a miner engages in virtual currency services; and (v) the “compliance costs of regulation on new or fledging virtual currency enterprises.” Noting that the DFS hopes that companies will work with the DFS as opposed to “run[ning] from regulation,” Lawsky emphasized the significance of appropriate regulation as it pertains to safeguarding customers’ money at financial companies.
Eastern District Court Of Texas Enjoins Bitcoin Investment Scheme And Orders Founder To Pay Civil Penalty
On September 18, the U.S. District Court for the Eastern District of Texas held that the defendant’s bitcoin investment program was a Ponzi scheme, and enjoined the founder and the investment program from violating Section 10(b) of the Securities Exchange Act of 1934 and Sections 5 and 17(a) of the Securities Act of 1933. S.E.C. v. Shavers, No. 4:13-CV-416 (E.D. Tex. Sep. 18, 2014). The court ruled that the founder knowingly and intentionally operated the bitcoin investment program as a sham and Ponzi scheme by repeatedly making misrepresentations, both to investors and potential investors alike, concerning: (i) the use of their bitcoins; (ii) how he planned to generate the promised returns; and (iii) the safety of the investments. The founder used new bitcoins received from investors to make payments on outstanding bitcoin investments, and diverted investors’ bitcoins for his own personal use. The court granted Plaintiff’s uncontested motion for summary judgment or, in the alternative, for default judgment, and, in addition to the injunctions, ordered Defendants jointly and severally liable for disgorgement of approximately $40 million in profits, and ordered each Defendant to pay civil penalties in the amount of $150,000.
FinCEN Rules Regulations on Money Services Businesses Do Not Apply to ISOs and Exempt Payment Processors
On August 27, FinCEN issued FIN-2014-R009, an administrative ruling clarifying that Independent Sales Organizations (“ISOs”) and exempt payment processors are not money transmitters subject to Bank Secrecy Act (“BSA”) regulations applicable to Money Services Businesses (“MSBs”). Under BSA MSB regulations, the term “money transmitter” applies to any person that provides money transmission services or otherwise engages in the transfer of funds. The term “money transmission services” includes the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means. Applying these standards, FinCEN determined that BSA MSB regulations do not apply to an ISO, so long as it: (i) merely solicits merchants to offer them the credit and debit card processing services of two counterparties; and (ii) does not take possession or control of merchant funds at any point. However, FinCEN concluded that BSA MSB regulations will apply to a payment processor unless the payment processor qualifies for the payment processor exemption established by 31 CFR § 1010.100(ff)(5)(ii)(B) and clarified by FIN-2013-R002. Under this exemption, BSA MSB regulations do not apply to a payment processor, so long as it: (i) facilitates the purchase of goods or services, or the payment of bills for goods or services (other than money transmission itself); (ii) operates through clearance and settlement systems that admit only BSA-regulated financial institutions; (iii) provides its services pursuant to a formal agreement; and (iv) the agreement itself is at a minimum with the seller or creditor that provides the goods or services and receives the funds. For a copy of the ruling, please see: Application of Money Services Business Regulations to a Company Acting as an Independent Sales Organization and Payment Processor.
This week, the New York DFS announced the extension of the comment period on its proposal to create a regulatory licensing framework for virtual currency companies, including a so-called BitLicense. Given the “significant amount of public interest in and commentary on” the proposal, the DFS doubled the length of the comment period from 45 to 90 days. Comments are now due by October 21, 2014. Further information about the proposal and related issues is available here.