On August 19, the U.S. District Court for the Southern District of New York found that Bitcoin is “money” in a memorandum order denying a defendant’s motion to dismiss a federal money laundering charge. Faiella et al. v. United States, No. 14-cr-243 (JSR), 2014 WL 4100897 (S.D.N.Y. Aug. 19, 2014). The defendant is a former Bitcoin exchange owner who was charged in 2013 with unlawfully operating an unlicensed money transmitting business. In his motion before the court, the defendant argued that the charge should be dismissed because Bitcoin is not “money” within the meaning of the statute. The court disagreed, relying upon the dictionary definition of “money” to conclude that Bitcoin “clearly qualifies as ‘money’” as it “can be easily purchased in exchange for ordinary currency, acts as a denominator of value, and is used to conduct financial transactions.” The court additionally relied on Congress’ intent that anti-money laundering statutes keep pace with evolving threats, and also cited an opinion from a similar case in the U.S. District Court for the Eastern District of Texas that concluded Bitcoin can be used as money. SEC v. Shavers, No. 4:13-CV-416, 2013 WL 4028182, at *2 (E.D. Tex. Aug. 6, 2013).
On August 4, 2014, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) published a Notice of Proposed Rulemaking (“NPRM”) that would amend existing Bank Secrecy Act (“BSA”) regulations intended to clarify and strengthen customer due diligence (“CDD”) obligations for banks, securities broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities (collectively, “covered financial institutions”).
In drafting the modifications, FinCEN clearly took into consideration comments responding to its February 2012 Advance Notice of Proposed Rulemaking (“ANPRM”), as the current proposal appears narrower and somewhat less burdensome on financial institutions. Comments on the proposed rulemaking are due October 3, 2014.
Overview: Under the NPRM, covered financial institutions would be obligated to collect information on the natural persons behind legal entity customers (beneficial owners) and the proposed rule would make CDD an explicit requirement. If adopted the NPRM would amend FinCEN’s AML program rule (the four pillars) by making CDD a fifth pillar.
On August 20, FinCEN announced an action against a casino employee who admitted to violating the Bank Secrecy Act by willfully causing the casino to fail to file certain reports. FinCEN asserted based in part on information obtained from an undercover investigation that the employee helped high-end gamblers avoid detection of large cash transactions by agreeing not to file either Currency Transaction Reports or Suspicious Activity Reports as required under the BSA. FinCEN ordered the employee to pay a $5,000 civil money penalty, and immediately and permanently barred him from participating in the conduct of the affairs of any financial institution located in the U.S. or that does business within the U.S.
On August 18, FINRA announced a complaint against a financial services and investment firm, alleging that the firm was responsible for systematic supervisory and AML violations in connection with providing direct market access and sponsored access to broker-dealers and non-registered market participants. Specifically, FINRA claims that from January 2008 through August 2013, the firm failed to “ensure appropriate risk management controls and supervisory systems and procedures,” thereby allowing its market access customers to “self-monitor and self-report” possibly manipulative trades. Moreover, FINRA asserts that during the relevant time period, the firm was made aware of these potential regulatory and compliance risks though numerous industrywide notices, disciplinary decisions taken against other industry participants, and multiple self-regulatory organization inquiries and examinations. The firm may request a hearing before the FINRA disciplinary committee. If FINRA’s charges stand, the firm could face suspension, censure, and/or monetary penalties.
On August 20, the OCC issued Bulletin 2014-41, which announces a new “Merchant Processing” booklet of the Comptroller’s Handbook. This booklet replaces the booklet of the same name issued in December 2001 and provides updated guidance to examiners and bankers on assessing and managing the risks associated with merchant processing activities. Specific updates address: (i) the selection of third-party organizations and due diligence; (ii) technology service providers; (iii) on-site inspections, audits, and attestation engagements, including the “Statement on Standards for Attestation Engagement” (SSAE 16) and the “International Standard on Assurance Engagements” (ISAE 3402); (iv) data security standards in the payment card industry for merchants and processors; (v) the Member Alert to Control High-Risk Merchants (MATCH) list; (vi) BSA/AML compliance programs and appropriate policies, procedures, and processes to monitor and identify unusual activity; and (vii) appropriate capital for merchant processing activities.
On August 19, the New York DFS announced a consent order with a British bank to resolve claims that the bank and its U.S. subsidiary failed to remediate AML compliance deficiencies as required by a prior settlement with the DFS that required the bank to, among other things, implement a transaction monitoring program. The DFS states that the compliance monitor appointed as part of the prior agreement determined that the procedures adopted by the bank to detect high-risk transactions contained errors and other problems that prevented the bank from identifying high-risk transactions for further review. The DFS asserts that the bank failed to detect these problems because of a lack of adequate testing both before and after implementation of the monitoring system. The DFS also claims the bank failed to properly audit its monitoring system. Under the latest consent order, the bank must: (i) suspend its dollar clearing operations for high-risk retail business clients of the bank’s Hong Kong subsidiary; (ii) obtain prior DFS approval to open a U.S. Dollar demand deposit account for any customer who does not already have such an account with the U.S. entity; and (iii) pay a $300 million penalty. The bank also must implement additional compliance enhancements, including enhanced due diligence and know-your customer requirements.
On August 11, FinCEN issued Advisory FIN-2014-A007 to provide guidance regarding BSA/AML compliance programs. Specifically, the guidance recommends that institutions create a “culture of compliance” by ensuring that: (i) leadership actively supports and understands compliance efforts; (ii) efforts to manage and mitigate BSA/AML deficiencies and risks are not compromised by revenue interests; (iii) relevant information from the various departments within the organization is shared with compliance staff to further BSA/AML efforts; (iv) the institution devotes adequate resources to its compliance function; (v) the compliance program is effective by, among other things, ensuring that it is tested by an independent and competent party; and (vi) leadership and staff understand the purpose of the institution’s BSA/AML efforts. The guidance follows numerous public remarks by FinCEN Director Jennifer Shasky Calvery and other financial regulators and enforcement authorities calling for stronger compliance cultures, particularly with regard to BSA/AML compliance. Director Shasky Calvery reinforced that message in an August 12, 2014 speech in which she asserted that, in the enforcement matters she has seen, a culture of compliance “could have made all the difference.” In the same speech, Ms. Shasky Calvery criticized—as Comptroller of the Currency Thomas Curry also did earlier this year—financial institutions which may be “de-risking” by preventing certain categories of businesses from accessing banking services. She stressed that “just because a particular customer may be considered high risk does not mean that it is ‘unbankable’,” and called on banks to develop programs to manage high risk customer relationships.
On August 14, Freddie Mac issued Bulletin 2014-15, which reminds seller/servicers subject to the AML requirements of the BSA that they are expected to maintain an AML compliance program and are required to report to Freddie Mac any instances of AML program noncompliance. Effective October 1, 2014, Freddie Mac is also requiring seller/servicers not subject to the AML provisions of the BSA to develop internal controls and policies and procedures to detect and report Suspicious Activity to Freddie Mac (but without the requirement to file SARs). Additionally, the Bulletin notifies seller/servicers that, effective October 15, 2014, Freddie Mac will require wholly-owned subsidiaries of seller/servicers that are federally-regulated depository institutions to obtain separate Freddie Mac seller/servicer approvals. The Bulletin also: (i) provides that seller/servicers can waive the requirement for flood insurance for non-residential detached structures located on the Mortgaged Premises; (ii) clarifies ULDD data points; (iii) updates Freddie Mac’s certificate of incumbency for sellers and warehouse lenders (effective October 1, 2014); and (iv) updates miscellaneous manufactured home requirements.
On August 5, FinCEN issued an advisory, FIN-2014-A006, which provides guidance to financial institutions for reviewing their obligations and risk-based approaches with respect to certain jurisdictions. The Financial Action Task Force (FATF) recently updated its lists of jurisdictions that appear in two documents: (i) jurisdictions that are subject to the FATF’s call for countermeasures or Enhanced Due Diligence as a result of the jurisdictions’ Anti-Money Laundering/Counter-Terrorist Financing (AML/CFT) deficiencies; and (ii) jurisdictions identified by the FATF as having AML/CFT deficiencies. The advisory notice (i) summarizes the changes made by the FATF; (ii) provides specific guidance regarding jurisdictions listed in each category including when Enhanced Due Diligence is required; and (iii) reiterates that if a financial institution knows, suspects, or has reason to suspect that a transaction involves funds derived from illegal activity or that a customer has otherwise engaged in activities indicative of money laundering, terrorist financing, or other violation of federal law or regulation, the financial institution must file a Suspicious Activity Report.
On August 1, FinCEN and its Mexican counterpart announced a series of reporting initiatives designed to improve the transparency of cross-border cash movements. To address U.S. and Mexican law enforcement’s concerns about potential misuse of exemptions and incomplete or inaccurate reports filed by armored car services (ACS) and other common carriers of currency, FinCEN issued a Geographic Targeting Order (GTO) that requires enhanced cash reporting by these businesses at the San Ysidro and Otay Mesa Ports of Entry in California. FinCEN also issued updated guidance concerning detailed and proper filing of Currency and Monetary Instruments Reports (CMIRs), which are filed when $10,000 or more in currency is moved across the U.S. border.
On July 30, FinCEN released a proposed rule that would amend BSA regulations to clarify and add customer due diligence (CDD) obligations for banks and other financial institutions, including brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities. The rule would not cover other entities subject to FinCEN regulations that are not already required to have a customer identification program (CIP)—e.g money services businesses—but FinCEN may extend CDD requirements in the future to these, and potentially other types of financial institutions. The proposed rule states that as part of the existing regulatory requirement to have a CIP, covered institutions are already obligated to identify and verify the identity of their customers. The proposed rule would add to that base CDD requirement, new requirements to: (i) understand the nature and purpose of customer relationships; and (ii) conduct ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions. The proposed rule also would add a so-called beneficial ownership requirement, which would require institutions to know and verify the identities of any individual who owns at least 25% of a legal entity, or who controls the legal entity.
FinCEN emphasizes that nothing in the proposal is intended to limit the due diligence expectations of the federal functional regulators or in any way limit their existing regulatory discretion. To that end, the rule would incorporate the CDD elements on nature and purpose and ongoing monitoring into FinCEN’s existing AML program requirements, which generally provide that an AML program is adequate if, among other things, the program complies with the regulation of its federal functional regulator governing such programs. FinCEN does not believe that the new CDD requirements will require covered institutions to perform any additional activities or operations, but acknowledges the rule may necessitate revisions to written policies and procedures. FinCEN also recognizes that financial institutions will be required to modify existing customer onboarding processes to incorporate the beneficial ownership requirement. As such, FinCEN proposes an effective date of one year from the date the final rule is issued. Comments on the proposal are due 60 days from publication of the proposal in the Federal Register.
On July 17, FinCEN named FBME Bank Ltd., formerly known as the Federal Bank of the Middle East, as a foreign financial institution of primary money laundering concern pursuant to Section 311 of the USA PATRIOT Act. As detailed in a notice of finding, FinCEN asserts that the bank attracts illicit finance businesses by soliciting high-risk customers and promoting its weak AML controls. FinCEN explains that the bank changed its country of incorporation numerous times, partly due to its inability to adhere to regulatory requirements, and has established itself with a nominal headquarters in Tanzania. However, according to FinCEN, it transacts over 90 percent of its global banking business through branches in Cyprus and has taken active steps to evade oversight by the Cypriot regulatory authorities in the recent past. FinCEN is proposing a rule that, once final, will prohibit covered U.S. financial institutions from opening or maintaining correspondent or payable-through accounts for FBME, and for other foreign banks being used to process transactions involving FBME. The proposal also would require covered financial institutions to apply special due diligence to their correspondent accounts maintained on behalf of foreign banks to guard against processing any transactions involving FBME. Comments on the proposed rule are due 60 days after publication in the Federal Register.
On June 20, Fannie Mae issued Servicing Guide Announcement SVC-2014-11, which reminds servicers that under a recent FinCEN rule, Fannie Mae is considered a financial institution subject to BSA requirements. The announcement advises servicers subject to the AML provisions of the BSA that they are obligated to be in compliance with the BSA, and to report to Fannie Mae: (i) all instances of noncompliance, compliance failures, or sanctions related to BSA/AML requirements; (ii) suspicious activity related to Fannie Mae loans or business activities; and (iii) changes in ownership interest. Servicers may implement these requirements immediately, but are required to do so no later than August 25, 2014.
On June 25, the OCC published its semiannual risk report, which provides an overview of the agency’s supervisory concerns for national banks and federal savings associations, including operational and compliance risks. As in prior reports and as Comptroller Curry has done in speeches over the past year, the report highlights cyber-threats and BSA/AML risks. The OCC believes cyber-threats continue to evolve and require heightened awareness and appropriate resources to identify and mitigate the associated risks. Specifically, the OCC is concerned that cyber-criminals will transition from disruptive attacks to attacks that are intended to cause destruction and corruption. Extending another recent OCC theme, the report notes that the number, nature, and complexity of both foreign and domestic third-party relationships continue to expand, resulting in increased system and process interconnectedness and additional vulnerability to cyber-threats. The report also states that BSA/AML risks “remain prevalent given changing methods of money laundering and growth in the volume and sophistication of electronic banking fraud.” The OCC adds that “BSA programs at some banks have failed to evolve or incorporate appropriate controls into new products and services,” and again cautions that a lack of resources and expertise devoted to BSA/AML risk management can compound these concerns. Finally, the OCC expressed concern that competitive pressures in the indirect auto market are leading to an erosion of underwriting standards. The OCC’s supervisory staff plans to review retail credit underwriting practices at banks, especially for indirect auto.
On June 5, the FDIC and a Delaware bank entered a consent order that prohibits the bank from entering into any new relationships with third-party prepaid card processors or prepaid card program managers until the FDIC approves a written report from the bank that details the steps taken by the bank to (i) implement new BSA compliance policies and procedures; (ii) improve staff training; (iii) implement controls sufficient to mitigate BSA and safety and soundness risk associated with prepaid card, credit card merchant acquiring, and ACH activities; and (iv) perform a BSA risk assessment. The order similarly restricts the bank’s activities related to credit card merchant acquiring and ACH merchant payment processing. The order does not prohibit the bank from issuing prepaid cards through existing distribution channels under existing contracts with third-parties, but does restrict certain activities related to existing credit card and ACH processing activities. In addition, the bank must (i) retain and designate BSA and OFAC officers; (ii) conduct a suspicious activity reporting look-back review; and (iii) submit periodic progress reports. Finally, the order requires increased board supervision of the bank’s BSA compliance program and mandates the creation of a board-level BSA committee.