On August 18, FINRA announced a complaint against a financial services and investment firm, alleging that the firm was responsible for systematic supervisory and AML violations in connection with providing direct market access and sponsored access to broker-dealers and non-registered market participants. Specifically, FINRA claims that from January 2008 through August 2013, the firm failed to “ensure appropriate risk management controls and supervisory systems and procedures,” thereby allowing its market access customers to “self-monitor and self-report” possibly manipulative trades. Moreover, FINRA asserts that during the relevant time period, the firm was made aware of these potential regulatory and compliance risks though numerous industrywide notices, disciplinary decisions taken against other industry participants, and multiple self-regulatory organization inquiries and examinations. The firm may request a hearing before the FINRA disciplinary committee. If FINRA’s charges stand, the firm could face suspension, censure, and/or monetary penalties.
On August 20, FinCEN announced an action against a casino employee who admitted to violating the Bank Secrecy Act by willfully causing the casino to fail to file certain reports. FinCEN asserted based in part on information obtained from an undercover investigation that the employee helped high-end gamblers avoid detection of large cash transactions by agreeing not to file either Currency Transaction Reports or Suspicious Activity Reports as required under the BSA. FinCEN ordered the employee to pay a $5,000 civil money penalty, and immediately and permanently barred him from participating in the conduct of the affairs of any financial institution located in the U.S. or that does business within the U.S.
On August 20, the OCC issued Bulletin 2014-41, which announces a new “Merchant Processing” booklet of the Comptroller’s Handbook. This booklet replaces the booklet of the same name issued in December 2001 and provides updated guidance to examiners and bankers on assessing and managing the risks associated with merchant processing activities. Specific updates address: (i) the selection of third-party organizations and due diligence; (ii) technology service providers; (iii) on-site inspections, audits, and attestation engagements, including the “Statement on Standards for Attestation Engagement” (SSAE 16) and the “International Standard on Assurance Engagements” (ISAE 3402); (iv) data security standards in the payment card industry for merchants and processors; (v) the Member Alert to Control High-Risk Merchants (MATCH) list; (vi) BSA/AML compliance programs and appropriate policies, procedures, and processes to monitor and identify unusual activity; and (vii) appropriate capital for merchant processing activities.
On August 19, the New York DFS announced a consent order with a British bank to resolve claims that the bank and its U.S. subsidiary failed to remediate AML compliance deficiencies as required by a prior settlement with the DFS that required the bank to, among other things, implement a transaction monitoring program. The DFS states that the compliance monitor appointed as part of the prior agreement determined that the procedures adopted by the bank to detect high-risk transactions contained errors and other problems that prevented the bank from identifying high-risk transactions for further review. The DFS asserts that the bank failed to detect these problems because of a lack of adequate testing both before and after implementation of the monitoring system. The DFS also claims the bank failed to properly audit its monitoring system. Under the latest consent order, the bank must: (i) suspend its dollar clearing operations for high-risk retail business clients of the bank’s Hong Kong subsidiary; (ii) obtain prior DFS approval to open a U.S. Dollar demand deposit account for any customer who does not already have such an account with the U.S. entity; and (iii) pay a $300 million penalty. The bank also must implement additional compliance enhancements, including enhanced due diligence and know-your customer requirements.
On August 11, FinCEN issued Advisory FIN-2014-A007 to provide guidance regarding BSA/AML compliance programs. Specifically, the guidance recommends that institutions create a “culture of compliance” by ensuring that: (i) leadership actively supports and understands compliance efforts; (ii) efforts to manage and mitigate BSA/AML deficiencies and risks are not compromised by revenue interests; (iii) relevant information from the various departments within the organization is shared with compliance staff to further BSA/AML efforts; (iv) the institution devotes adequate resources to its compliance function; (v) the compliance program is effective by, among other things, ensuring that it is tested by an independent and competent party; and (vi) leadership and staff understand the purpose of the institution’s BSA/AML efforts. The guidance follows numerous public remarks by FinCEN Director Jennifer Shasky Calvery and other financial regulators and enforcement authorities calling for stronger compliance cultures, particularly with regard to BSA/AML compliance. Director Shasky Calvery reinforced that message in an August 12, 2014 speech in which she asserted that, in the enforcement matters she has seen, a culture of compliance “could have made all the difference.” In the same speech, Ms. Shasky Calvery criticized—as Comptroller of the Currency Thomas Curry also did earlier this year—financial institutions which may be “de-risking” by preventing certain categories of businesses from accessing banking services. She stressed that “just because a particular customer may be considered high risk does not mean that it is ‘unbankable’,” and called on banks to develop programs to manage high risk customer relationships.
On August 14, Freddie Mac issued Bulletin 2014-15, which reminds seller/servicers subject to the AML requirements of the BSA that they are expected to maintain an AML compliance program and are required to report to Freddie Mac any instances of AML program noncompliance. Effective October 1, 2014, Freddie Mac is also requiring seller/servicers not subject to the AML provisions of the BSA to develop internal controls and policies and procedures to detect and report Suspicious Activity to Freddie Mac (but without the requirement to file SARs). Additionally, the Bulletin notifies seller/servicers that, effective October 15, 2014, Freddie Mac will require wholly-owned subsidiaries of seller/servicers that are federally-regulated depository institutions to obtain separate Freddie Mac seller/servicer approvals. The Bulletin also: (i) provides that seller/servicers can waive the requirement for flood insurance for non-residential detached structures located on the Mortgaged Premises; (ii) clarifies ULDD data points; (iii) updates Freddie Mac’s certificate of incumbency for sellers and warehouse lenders (effective October 1, 2014); and (iv) updates miscellaneous manufactured home requirements.
On August 5, FinCEN issued an advisory, FIN-2014-A006, which provides guidance to financial institutions for reviewing their obligations and risk-based approaches with respect to certain jurisdictions. The Financial Action Task Force (FATF) recently updated its lists of jurisdictions that appear in two documents: (i) jurisdictions that are subject to the FATF’s call for countermeasures or Enhanced Due Diligence as a result of the jurisdictions’ Anti-Money Laundering/Counter-Terrorist Financing (AML/CFT) deficiencies; and (ii) jurisdictions identified by the FATF as having AML/CFT deficiencies. The advisory notice (i) summarizes the changes made by the FATF; (ii) provides specific guidance regarding jurisdictions listed in each category including when Enhanced Due Diligence is required; and (iii) reiterates that if a financial institution knows, suspects, or has reason to suspect that a transaction involves funds derived from illegal activity or that a customer has otherwise engaged in activities indicative of money laundering, terrorist financing, or other violation of federal law or regulation, the financial institution must file a Suspicious Activity Report.
On August 1, FinCEN and its Mexican counterpart announced a series of reporting initiatives designed to improve the transparency of cross-border cash movements. To address U.S. and Mexican law enforcement’s concerns about potential misuse of exemptions and incomplete or inaccurate reports filed by armored car services (ACS) and other common carriers of currency, FinCEN issued a Geographic Targeting Order (GTO) that requires enhanced cash reporting by these businesses at the San Ysidro and Otay Mesa Ports of Entry in California. FinCEN also issued updated guidance concerning detailed and proper filing of Currency and Monetary Instruments Reports (CMIRs), which are filed when $10,000 or more in currency is moved across the U.S. border.
On July 30, FinCEN released a proposed rule that would amend BSA regulations to clarify and add customer due diligence (CDD) obligations for banks and other financial institutions, including brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities. The rule would not cover other entities subject to FinCEN regulations that are not already required to have a customer identification program (CIP)—e.g money services businesses—but FinCEN may extend CDD requirements in the future to these, and potentially other types of financial institutions. The proposed rule states that as part of the existing regulatory requirement to have a CIP, covered institutions are already obligated to identify and verify the identity of their customers. The proposed rule would add to that base CDD requirement, new requirements to: (i) understand the nature and purpose of customer relationships; and (ii) conduct ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions. The proposed rule also would add a so-called beneficial ownership requirement, which would require institutions to know and verify the identities of any individual who owns at least 25% of a legal entity, or who controls the legal entity.
FinCEN emphasizes that nothing in the proposal is intended to limit the due diligence expectations of the federal functional regulators or in any way limit their existing regulatory discretion. To that end, the rule would incorporate the CDD elements on nature and purpose and ongoing monitoring into FinCEN’s existing AML program requirements, which generally provide that an AML program is adequate if, among other things, the program complies with the regulation of its federal functional regulator governing such programs. FinCEN does not believe that the new CDD requirements will require covered institutions to perform any additional activities or operations, but acknowledges the rule may necessitate revisions to written policies and procedures. FinCEN also recognizes that financial institutions will be required to modify existing customer onboarding processes to incorporate the beneficial ownership requirement. As such, FinCEN proposes an effective date of one year from the date the final rule is issued. Comments on the proposal are due 60 days from publication of the proposal in the Federal Register.
On July 17, FinCEN named FBME Bank Ltd., formerly known as the Federal Bank of the Middle East, as a foreign financial institution of primary money laundering concern pursuant to Section 311 of the USA PATRIOT Act. As detailed in a notice of finding, FinCEN asserts that the bank attracts illicit finance businesses by soliciting high-risk customers and promoting its weak AML controls. FinCEN explains that the bank changed its country of incorporation numerous times, partly due to its inability to adhere to regulatory requirements, and has established itself with a nominal headquarters in Tanzania. However, according to FinCEN, it transacts over 90 percent of its global banking business through branches in Cyprus and has taken active steps to evade oversight by the Cypriot regulatory authorities in the recent past. FinCEN is proposing a rule that, once final, will prohibit covered U.S. financial institutions from opening or maintaining correspondent or payable-through accounts for FBME, and for other foreign banks being used to process transactions involving FBME. The proposal also would require covered financial institutions to apply special due diligence to their correspondent accounts maintained on behalf of foreign banks to guard against processing any transactions involving FBME. Comments on the proposed rule are due 60 days after publication in the Federal Register.
On June 20, Fannie Mae issued Servicing Guide Announcement SVC-2014-11, which reminds servicers that under a recent FinCEN rule, Fannie Mae is considered a financial institution subject to BSA requirements. The announcement advises servicers subject to the AML provisions of the BSA that they are obligated to be in compliance with the BSA, and to report to Fannie Mae: (i) all instances of noncompliance, compliance failures, or sanctions related to BSA/AML requirements; (ii) suspicious activity related to Fannie Mae loans or business activities; and (iii) changes in ownership interest. Servicers may implement these requirements immediately, but are required to do so no later than August 25, 2014.
On June 25, the OCC published its semiannual risk report, which provides an overview of the agency’s supervisory concerns for national banks and federal savings associations, including operational and compliance risks. As in prior reports and as Comptroller Curry has done in speeches over the past year, the report highlights cyber-threats and BSA/AML risks. The OCC believes cyber-threats continue to evolve and require heightened awareness and appropriate resources to identify and mitigate the associated risks. Specifically, the OCC is concerned that cyber-criminals will transition from disruptive attacks to attacks that are intended to cause destruction and corruption. Extending another recent OCC theme, the report notes that the number, nature, and complexity of both foreign and domestic third-party relationships continue to expand, resulting in increased system and process interconnectedness and additional vulnerability to cyber-threats. The report also states that BSA/AML risks “remain prevalent given changing methods of money laundering and growth in the volume and sophistication of electronic banking fraud.” The OCC adds that “BSA programs at some banks have failed to evolve or incorporate appropriate controls into new products and services,” and again cautions that a lack of resources and expertise devoted to BSA/AML risk management can compound these concerns. Finally, the OCC expressed concern that competitive pressures in the indirect auto market are leading to an erosion of underwriting standards. The OCC’s supervisory staff plans to review retail credit underwriting practices at banks, especially for indirect auto.
On June 5, the FDIC and a Delaware bank entered a consent order that prohibits the bank from entering into any new relationships with third-party prepaid card processors or prepaid card program managers until the FDIC approves a written report from the bank that details the steps taken by the bank to (i) implement new BSA compliance policies and procedures; (ii) improve staff training; (iii) implement controls sufficient to mitigate BSA and safety and soundness risk associated with prepaid card, credit card merchant acquiring, and ACH activities; and (iv) perform a BSA risk assessment. The order similarly restricts the bank’s activities related to credit card merchant acquiring and ACH merchant payment processing. The order does not prohibit the bank from issuing prepaid cards through existing distribution channels under existing contracts with third-parties, but does restrict certain activities related to existing credit card and ACH processing activities. In addition, the bank must (i) retain and designate BSA and OFAC officers; (ii) conduct a suspicious activity reporting look-back review; and (iii) submit periodic progress reports. Finally, the order requires increased board supervision of the bank’s BSA compliance program and mandates the creation of a board-level BSA committee.
On June 18, the U.S. Attorney for the District of Maryland announced that a federal judge ordered a bank to forfeit $560,000 in drug proceeds laundered through the bank on which the bank failed to file currency transaction reports. The DOJ claimed that a member of a drug trafficking organization asked a teller at a Maryland bank branch to convert the proceeds from the sale of illegal drugs from small denomination bills to $100 bills, and paid the teller a one percent fee for each transaction for making the exchange without filing a currency transaction report. The government filed a civil action in February 2014 seeking forfeiture and alleging that the money was subject to forfeiture because the bank failed to file currency transactions reports on bank transactions in amounts in excess of $10,000, as required by law. The teller admitted that on each occasion she converted the bills without filing or causing anyone else at the bank to file a currency transaction report. She was sentenced to a month in prison followed by eight months of home detention for failing to file currency transaction reports on suspected drug proceeds, and must perform community service and forfeit the $5,000 she was paid in the scheme.
On May 28, FinCEN published Advisory FIN-2014-A005, which updates advice related to trade-based money laundering (TBML) to address the increased use of “funnel accounts.” FinCEN explains that individuals or businesses may establish an account in one geographic area that receives multiple cash deposits, and from which the funds are withdrawn in a different geographic area with little time elapsing between the deposits and withdrawals. FinCEN states that criminal organizations may use wires and checks issued from those accounts to move illicit narcotics proceeds to the accounts of businesses offering trade goods and services. The Advisory details this TBML scheme and offers a number of red flags that could indicate a funnel account is being used as part of such a scheme. FinCEN cautions that because some red flag activities may be legitimate financial activities in appropriate circumstances, financial institutions should evaluate indicators of potential TBML activity in combination with other red flags and the expected transaction activity for the customer before making determinations of suspiciousness. The Advisory reminds institutions of their SAR reporting obligations in the event activities are determined to be suspicious.