On July 23, FinCEN issued a final rule pursuant to Section 311 of the USA PATRIOT Act to impose “special measure five” against FBME Bank Ltd. (“FBME”), formerly known as the Federal Bank of the Middle East. Special measure five prohibits U.S. financial institutions from opening or maintaining correspondent accounts or payable through accounts for or on behalf of FBME. The action follows a July 17, 2014 notice of proposed rulemaking in which FinCEN stated that it had found FBME to be of primary money laundering concern under Section 311 and issued a related notice of proposed rulemaking (NPRM) proposing the imposition of special measure five against FBME. Supporting the proposed rule were the following factors: (i) FBME is used by its customers to facilitate money laundering, terrorist financing, transnational organized crime, fraud, sanctions evasion, and other illicit activity internationally and through the U.S. financial system; (ii) FBME has systemic failures in its anti-money laundering controls that attract high-risk shell companies, that is, companies formed for the sole purpose of holding property or funds and that do not engage in any legitimate business activity; and (iii) FBME performs a significant volume of transactions and activities that have little or no transparency and often no apparent legitimate business purpose. The final rule will be effective August 28, 2015.
On August 25, FinCEN issued a Notice of Proposed Rulemaking (NPRM) seeking to adopt minimum Bank Secrecy Act (BSA) and anti-money laundering (AML) standards that would be applicable to investment advisers. Under the proposal, investment advisers would be required to implement AML programs and report suspicious activity, among other safeguards. The NPRM states that the proposal would cover investment advisers registered or required to register with the SEC. The proposal would also add such investment advisers to the definition of “financial institution.” This would result in investment advisers being required to file currency transaction reports and to comply with recordkeeping and other requirements applicable to financial institutions. With respect to supervisory authority, FinCEN stated that it would delegate its authority to the SEC for purposes of examining investment advisers for compliance with the proposed requirements.
On July 21, a leading China-based bank agreed to address deficiencies in connection with the BSA/AML risk management and compliance program of its New York branch office. The Agreement, entered into with the Federal Reserve Bank of New York and the New York State Department of Financial Services, requires the bank and its New York branch to (i) enhance the branch’s written BSA/AML compliance program and customer due diligence program; and (ii) develop a written program for the branch that is capable of identifying and reporting suspected violations of law and suspicious transactions to law enforcement and supervisory authorities. In addition, the bank must hire an independent third-party to review the Branch’s U.S. dollar clearing transaction activity “to determine whether suspicious activity involving high-risk customers or transactions at, by, or through the branch was properly identified and reported” to the appropriate federal banking authorities. No civil money penalty was imposed on the bank.
FDIC and California Department of Business Oversight Levy $140 Million Penalty Against California Bank for Ongoing BSA/AML Deficiencies
On July 22, the FDIC, along with the Commissioner of the California Department of Business Oversight (“DBO”), announced the assessment of a $140 million civil money penalty against a California state-chartered bank to resolve allegations that it failed to implement and maintain an adequate BSA/AML Compliance Program over an extended period of time. In 2012, the bank entered a consent order with the FDIC and the DBO (fka California Department of Financial Institutions), requiring that it “address the weaknesses and correct deficiencies” in its BSA and AML programs. According to the DBO, the bank has since failed to implement the corrective actions stipulated in the consent order, which required the bank to, among other things, (i) establish internal controls to “detect and report illicit financial transactions and other suspicious activities”; (ii) hire a qualified BSA officer and sufficient staff; (iii) provide adequate BSA training; and (iv) conduct effective independent testing. Additionally, since the 2012 consent order, the DBO and FDIC have discovered “new, substantial violations of the BSA and anti-money laundering mandates over an extended period of time.” Under terms of the joint order, the bank will pay $40 million to the DBO and $100 million to the Department of the Treasury to satisfy the full $140 million penalty.
On July 21, U.S. Attorney for the Southern District of New York Preet Bharara, along with the Assistant Director-in-Charge of the New York Field Office of the FBI and the Special Agent-in-Charge of the New York Field Office of the United States Secret Service, announced the unsealing of criminal complaints filed against Anthony R. Murgio and Yuri Lebedev. According to the complaints, since at least late 2013, the two men and their co-conspirators illegally ran a money transfer operation called Coin.mx, which allowed customers to exchange cash for bitcoins for a fee. Murgio’s and Lebedev’s allegedly illegal money transfer operation involved exchanging cash for people whom they believed may be engaging in criminal activity, as well as allowing victims of “ransomware” attacks to trade cash for bitcoins. During these “ransomware” attacks, cybercriminals would “electronically block access to a victim’s computer system until a sum of ‘ransom’ money, typically in bitcoins, [was] paid to them.” In an attempt to evade detection, Murgio, Lebedev, and their co-conspirators operated through “Collectables Club,” a fake front-company. Also in an attempt to avoid detection, Murgio obtained beneficial control of a New Jersey-based federal credit union, then placed Lebedev and others on the Board of Directors so that Coin.mx’s operations could be transferred to the credit union. The individuals used the credit union as a “captive bank for their unlawful business,” until at least early 2015, at which point, the NCUA discovered the illegal activity and forced the credit union to “cease engaging in such activity,” but Murgio “thereafter found new, overseas payment processing channels for his unlawful business.” Murgio and Lebedev are each being charged with one count of conspiracy to operate an unlicensed money transmitting business, and one count of operating an unlicensed money transmitting business. Each of these charges carries a maximum prison sentence of five years. Murgio also was charged with one count of money laundering and one count of willful failure to file a suspicious activity report. These additional charges carry maximum prison sentences of 20 years and 5 years, respectively.
On July 20, FinCEN issued an advisory to financial institutions with updates to the Financial Action Task Force’s (FATF) list of jurisdictions containing strategic anti-money laundering/counter-terrorist financing (AML/CFT) deficiencies. According to FinCEN’s Advisory, on June 26, FATF updated two documents to reflect changes that have the potential to affect U.S. financial institutions’ due diligence obligations and risk-based policies, procedures, and practices. The first document, the FATF Public Statement, identifies jurisdictions that are subject to Enhanced Due Diligence or countermeasures due to the jurisdiction’s AML/CFT deficiencies. Revisions to the FATF Public Statement include the removal of Ecuador from the Public Statement because of progress in addressing its FATF action plan. Ecuador now appears on the list of jurisdictions requiring general due diligence. The second document to be updated, Improving Global AML/CFT Compliance: On-going Process, identifies new jurisdictions with AML/CFT deficiencies. Bosnia and Herzegovina have been downgraded to the Improving Global AML/CFT Compliance: On-going Process document due to its “strategic deficiencies in its AML/CFT regime.” However, the country has made a “high-level political commitment” to work with FATF and regional authorities to address their deficiencies. Indonesia was removed from the listing and monitoring process, according to the Advisory, for “its significant progress in establishing the legal and regulatory framework to address all or nearly all of its strategic AML/CFT deficiencies.”
Financial Action Task Force Issues Guidance Urging Risk-Based Approach to Virtual Currencies and Services
On June 29, the Financial Action Task Force (FATF) issued a report, Guidance for a Risk-Based Approach to Virtual Currencies,part of a staged approach focusing on the points of intersection that provide gateways to the regulated financial system, in particular, convertible virtual currency exchangers. The Guidance explains the application of the risk-based approach to AML/CFT measures in the virtual currency context, identify the entities involved in virtual currency payment products and services (VCPPS), and clarify the application of the relevant FATF Recommendations to convertible virtual currency exchangers. The guidance provides, among other things, recommendations and encourages member nations to adopt regulations and guidelines similar to those applicable to traditional financial institutions to reduce risk exposure to the banking system.
OCC Releases Semiannual Report Highlighting Key Risks Facing National Banks and Federal Savings Associations
Today, the OCC announced the release of its semiannual report, Semiannual Risk Perspective for Spring 2015, highlighting key risk areas affecting national banks and federal savings associations. Based on 2014 year-end data, the report identifies issues that pose a potential threat to the safety and soundness of banks and thrifts. It also sets forth the OCC’s supervisory priorities for the next 12 months, including, among others, (i) cybersecurity awareness and preventative controls, (ii) Bank Secrecy Act/Anti-Money Laundering compliance, (iii) fair access to credit, and (iv) underwriting practices, particularly with respect to leveraged loans, indirect auto lending, HELOCs, and credit related to the oil and gas sector. The report also notes declining revenues and profitability overall in OCC-supervised institutions.
Today, FinCEN announced the assessment of a civil money penalty against a Los Angeles-based Money Services Business (MSB) and its owner for alleged violations of the Bank Secrecy Act (BSA). During a 2011 examination of the MSB, FinCEN determined that, from October 1, 2010 through the present, the MSB knowingly violated the BSA by failing to (i) establish and ensure ongoing compliance with an adequate AML program; (ii) provide adequate training; and (iii) conduct independent testing of its compliance program. In addition, the MSB violated the BSA’s reporting requirements by failing to “file required currency transaction reports (“CTRs”) on all of its reportable transactions during the examination scope period,” and continued to file untimely CTRs even after the examination scope period ended on March 31, 2011. Finally, FinCEN expressed concern over the MSB owner’s failure to disclose that the MSB “frequently exchanged check for cash with another MSB, an arrangement known as ‘wholesaling’ or ‘bulk check cashing.’” According to the assessment document, the MSB’s owner, who was also the designated AML compliance officer, participated in the BSA violations by failing to accept his responsibility to “ensure that [an] AML program was in place, was effective, and was followed.” To resolve FinCEN’s allegations, the MSB and its owner admitted to violating the BSA program and its reporting requirements and will pay a civil money penalty of $60,000.
On June 23, the Board of Governors announced the execution of an enforcement action against a California-based community bank over BSA/AML deficiencies. According to the Cease and Desist Order, the deficiencies were identified by the Federal Reserve Bank of San Francisco and the California Department of Business Oversight, and directs the Bank to submit written plans outlining their efforts to strengthen their BSA/AML risk management program, including customer due-diligence and suspicious activity monitoring and reporting policies and procedures. In addition, the Bank must retain an independent third party to conduct a review of account and transaction activity affiliated with any high-risk customer and foreign branch accounts conducted at, by, or through the Bank from July 2014 through December 2014. No civil money penalty was imposed on the Bank.
On June 15, FinCEN announced a $4.5 million civil money penalty against a West Virginia-based bank for alleged violations of the BSA from 2008 through 2013. According to the Assessment of Civil Money Penalty, the bank failed to monitor, detect, and report suspicious activity as a result of an inadequate AML and customer due diligence program, ultimately allowing over $9.2 million in structured and otherwise suspicious cash transactions to pass though the financial institution unreported. FinCEN found that the bank failed to establish and maintain an AML program that provided, at a minimum: (i) a system of internal controls to ensure ongoing compliance; (ii) a designated individual or individuals responsible for coordinating and monitoring day-to-day compliance; (iii) independent testing for compliance to be conducted by either an outside party or bank personnel; and (iv) training for appropriate personnel. FinCEN’s enforcement action and $4.5 million civil money penalty against the bank is concurrent with a $3.5 million penalty imposed by the FDIC, of which $2.2 million is concurrent with a forfeiture pursuant to a deferred prosecution agreement with the U.S. Attorney’s Office for the Southern District of West Virginia.
On June 3, FinCEN announced a $75 million civil money penalty against an international casino for alleged “willful and egregious” violations of the BSA. As detailed in the Assessment, the casino (i) failed to develop and implement an AML program; (ii) failed to designate an official BSA officer to oversee compliance requirements of the BSA; and (iii) failed to train employees in adequate recordkeeping, or in identifying, monitoring or reporting suspicious activity – all considered to be critical components of an adequate BSA/AML program. Moreover, FinCen alleges that casino employees “provided detailed instructions” to undercover agents on how to conduct transactions without being properly reported to U.S. authorities. FinCen’s latest action follows a March announcement, when the agency imposed a $10 million civil money penalty against a New Jersey-based casino.
On June 1, a Boston-based international financial services holding company and its banking subsidiary agreed to address deficiencies in how they manage compliance risks with respect to their BSA/AML compliance program. The Agreement, entered into with the Federal Reserve Bank of Boston and the Massachusetts Division of Banks, requires both entities to submit a written plan outlining their efforts to improve their compliance with OFAC and internal controls, customer due-diligence procedures, and suspicious activity monitoring and reporting, among other things. In addition, the banking subsidiary must hire an independent third-party to review account and transaction activity during a specified period to ensure suspicious activity was properly identified and reported.
In a separate enforcement action, the Federal Reserve Bank of Chicago entered into an agreement on May 26 with an Illinois-based financial services company, requiring the parent company and its banking subsidiary to, among other things, submit written plans to (i) strengthen its BSA/AML compliance risk management program; and (ii) “ensure the identification and timely, accurate, and complete reporting” of suspicious transactions to the appropriate law enforcement and supervisory [banking] authorities.” No civil money penalties were imposed in either enforcement action.
FinCEN Fines Michigan MSB For BSA/AML Violations, Bans Owner From Serving at Any U.S. Financial Institution
On May 29, a Michigan-based money service business (MSB), along with its owner, admitted to repeated violations of the BSA and have agreed to pay FinCEN a civil money penalty in the amount of $12,000. The company violated the BSA in numerous ways, including but not limited to: (i) failing to maintain a sufficient anti-money laundering program; (ii) engaging in high-risk transactions, including wire transfers to Yemen, totaling millions of dollars, without keeping proper records of the transfers or performing due diligence; and (iii) conducting suspicious transactions “with no apparent business or lawful purpose.” According to FinCEN, the MSB failed to monitor the suspicious transactions, had no review process in place, and neglected to file a Suspicious Activity Report or a Currency Transaction Report while operating as a business entity. Furthermore, in addition to the aforementioned MSB, the owner opened an additional MSB in October 2010, containing similar BSA deficiencies. The owner has “agreed to immediately and permanently cease serving as an employee, officer, director, or agent of any financial institution located in the United States or that conducts business within the United States.”
BuckleySandler FinCrimes Webinar Series Recap: Best Practices in Customer Due Diligence and Know-Your-Customer
BuckleySandler hosted a webinar, Best Practices in Customer Due Diligence and Know-Your-Customer, on May 21, 2015 as part of their ongoing FinCrimes Webinar Series. Panelists included Eric Arciniega, Senior Manager, BSA/AML Due Diligence Operations at First Republic Bank; Janice Mandac, Global Head of KYC at Goldman Sachs; and Nagib Touma, Director Global AML/KYC at Citi. The following is a summary of the guided conversation moderated by Jamie Parkinson, partner at BuckleySandler LLP, and key take-aways you can implement in your company.
Best Practice Tips and Take-Aways:
- Establishing company-wide/global standards for your company’s customer due diligence and KYC program will help to ensure consistency throughout the organization. But, for global institutions, you must also be able to accommodate jurisdictions with requirements that are more stringent than the global standards.
- Be aware of data privacy standards in the countries where you operate. These standards pose a particular challenge to operating a centralized customer due diligence and KYC program.
- Regulators’ recent focus on model risk management extends to your customer risk rating model. Ensure that your model is being tested and tuned rigorously.