On December 28, FINRA entered into an acceptance, waiver, and consent (AWC) agreement with a Puerto Rico-based brokerage firm based upon allegations that the firm’s anti-money laundering (AML) program “was not reasonably designed to achieve and monitor compliance with the requirements of the Bank Secrecy Act.” In deciding to levy a $5.75 million fine, FINRA noted, among other things, that the firm improperly “relied on manual supervisory review of securities transactions” that was “not sufficiently focused on AML risks.” The firm neither admitted nor denied the findings set forth in the AWC agreement, but agreed to address deficiencies in its AML program within 180 days. According to a firm spokeswoman, the firm is “pleased to have this matter from 2013 resolved and we continue to improve, manage and monitor our AML efforts.”
On December 30, the FDIC announced new regulatory actions against a Florida-based bank. Along with the Florida Office of Financial Regulation, the FDIC issued a new Consent Order against the $121.5 million-asset bank, based on allegations that the bank had engaged in “unsafe or unsound” banking practices, or practices which constituted a violation of law or regulation in the following areas: (i) weakness in asset quality, (ii) capital adequacy, earnings, (iii) management effectiveness, (iv) liquidity, (v) sensitivity to market risk, and (vi) compliance with the Bank Secrecy Act (BSA).
Among other things, the Order notes that the bank currently falls short of FDIC requirements for qualifying as “well capitalized,” qualifying merely as “adequately capitalized,” and therefore must boost its capital levels or face continued restrictions on its operations. The Order also states that the bank—which consented to the Order without admitting or denying the charges—now has 120 days to meet its capital requirements and 60 days to submit a capital plan to both: (i) achieve and maintain the capital requirements; and (ii) provide for a contingency plan to sell or merge the bank.
FinCEN Issues Guidance on Sharing Suspicious Activity Reports with U.S. Parents and Affiliates of Casinos
On January 4, the Financial Crimes Enforcement Network (FinCEN) issued guidance to “confirm that, under the Bank Secrecy Act (BSA) and its implementing regulations, a casino that has filed a Suspicious Activity Report (SAR) may share the SAR, or any information that would reveal the existence of the SAR, with each office or other place of business located within the United States of either the casino itself or a parent or affiliate of the casino.” As explained in the guidance, FinCEN expects that the anti-money laundering efforts of the casino’s affiliates could be enhanced by virtue of their access to a clearer and more comprehensive picture of the activities the casino has identified as suspicious. The guidance also specified that casinos may not share SARs or information that would reveal the existence of a SAR with non-U.S. offices or affiliates, individuals or entities within the casino’s corporate family that perform functions unrelated to gaming, a financial institution without an independent SAR obligation, or unaffiliated money services businesses located within the casino. Finally, the guidance specified that a domestic affiliate that receives a SAR or revealing information from a casino may not further share that SAR with an affiliate of its own.
On December 14, the New York State Department of Financial Services (NYDFS) announced the imposition of a $235 million fine against an Italian bank and its New York branch as part of a consent order addressing “significant violations of New York anti-money laundering and Bank Secrecy Act (AML/BSA) laws.” According to the consent order, a NYDFS investigation identified “compliance failures . . . arising from deficiencies in the implementation and oversight of the transaction monitoring system located at the New York Branch,” as well as “non-transparent practices to process payments on behalf of Iranian clients” and “shell company activity indicative of potentially suspicious transactions” and a general “breakdown in audit and management oversight.” The consent order findings stipulate that the wrongdoing dated back to 2002, but also acknowledge that the Bank made the decision to discontinue certain of its non-transparent practices in 2006. In addition to a civil monetary penalty, the consent order also requires that the bank continue to engage an independent consultant to help “remediate the identified shortcomings,” “audit the Bank’s transaction review efforts,” and submit a report of its findings, conclusions and recommendations within 60 days. Thereafter, the Bank must submit, in writing for NYDFS review, across-the-board enhancements to its internal control policies and procedures.
On October 25, FinCEN issued advisory bulletin FIN-2016-A005 reminding financial institutions of their Bank Secrecy Act (BSA) obligations to report certain cyber-events and cyber-enabled crime. The advisory highlights the importance of (i) reporting cyber-events and cyber-enabled crime through Suspicious Activity Reports (SARs); (ii) including cyber-related information such as IP addresses with timestamps, virtual-wallet information, device identifiers, and cyber-event information, in SAR reporting; (iii) collaborating with BSA/AML, cybersecurity, and other in-house units to facilitate “a more comprehensive threat assessment and develop appropriate risk management strategies to identify, report, and mitigate cyber-events and cyber-enabled crime”; and (iv) sharing cyber-related information – including specific malware signatures, IP addresses and device identifiers, and virtual currency addresses that seem anonymous – amongst financial institutions for the “purpose of identifying and, where appropriate, reporting money laundering or terrorist activities.” Importantly, the advisory distinguishes between mandatory SAR reporting of cyber-events, providing three specific examples, and voluntary reporting of cyber-events. Per the advisory, “[c]yber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.”
FinCEN simultaneously issued FAQs to supplement advisory bulletin FIN-2016-A005. The FAQs, which supersede 2001 FAQs regarding computer intrusion, provide answers to a set of nine questions. The FAQs address, among other things, (i) when cyber-related SAR reports should be filed; (ii) the type of information that should be included in cyber-related SARs; and (iii) cyber-event and cyber-enabled crime information sharing, pursuant to Section 314(b) of the USA PATRIOT Act, between financial institutions.