On October 3, FinCEN assessed a $12 million civil money penalty against a Nevada-based casino for willfully violating the anti-money laundering (AML) provisions of the Bank Secrecy Act (BSA). According to the Statement of Facts, from March 2009 through September 28, 2015, the casino allegedly failed to (i) develop and implement an effective AML program reasonably designed to ensure compliance with the BSA; (ii) exercise due diligence in its monitoring of suspicious activity; and (iii) maintain sufficient AML compliance controls, procedures, training, and audits, which resulted in multiple filing and recordkeeping control violations. As part of FinCEN’s Assessment and the Non-Prosecution Agreement filed by the U.S. Attorney’s Office, the casino must (i) perform a series of required Remedial Measures to ensure compliance going forward; and (ii) conduct a look-back review to ensure that suspicious transactions and attempted transactions were appropriately reported for transactions that occurred between 2010 and 2013.
On October 25, FinCEN issued advisory bulletin FIN-2016-A005 reminding financial institutions of their Bank Secrecy Act (BSA) obligations to report certain cyber-events and cyber-enabled crime. The advisory highlights the importance of (i) reporting cyber-events and cyber-enabled crime through Suspicious Activity Reports (SARs); (ii) including cyber-related information such as IP addresses with timestamps, virtual-wallet information, device identifiers, and cyber-event information, in SAR reporting; (iii) collaborating with BSA/AML, cybersecurity, and other in-house units to facilitate “a more comprehensive threat assessment and develop appropriate risk management strategies to identify, report, and mitigate cyber-events and cyber-enabled crime”; and (iv) sharing cyber-related information – including specific malware signatures, IP addresses and device identifiers, and virtual currency addresses that seem anonymous – amongst financial institutions for the “purpose of identifying and, where appropriate, reporting money laundering or terrorist activities.” Importantly, the advisory distinguishes between mandatory SAR reporting of cyber-events, providing three specific examples, and voluntary reporting of cyber-events. Per the advisory, “[c]yber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.”
FinCEN simultaneously issued FAQs to supplement advisory bulletin FIN-2016-A005. The FAQs, which supersede 2001 FAQs regarding computer intrusion, provide answers to a set of nine questions. The FAQs address, among other things, (i) when cyber-related SAR reports should be filed; (ii) the type of information that should be included in cyber-related SARs; and (iii) cyber-event and cyber-enabled crime information sharing, pursuant to Section 314(b) of the USA PATRIOT Act, between financial institutions.
On September 28, OCC Comptroller Thomas J. Curry announced during a speech at the Association of Certified Anti-Money Laundering Specialists (ACAMS) conference that the OCC is developing guidance for banks to manage AML/BSA risks in their foreign correspondent banking relationships.
On September 14, the OCC released its bank supervision operating plan for fiscal year 2017. The plan identifies the OCC’s priority objectives, which include: (i) commercial and retail loan underwriting; (ii) business model sustainability and viability; (iii) operational resiliency; (iv) BSA/AML compliance; and (v) processes to address regulatory changes. Moreover, the plan affirms that the OCC will look at each individual bank’s key risks, and will continue the process of stress testing, both for large banks and for midsize and community banks.
On September 7, FinCEN issued advisory bulletin FIN-2016-A004 notifying financial institutions of updates to the Financial Action Task Force’s (FATF) list of jurisdictions containing anti-money laundering/counter-terrorist financing (AML/CFT) deficiencies. The FATF updated two documents categorizing certain jurisdictions: (i) the FATF Public Statement, identifying jurisdictions that are subject to the FATF’s call for countermeasures or are subject to Enhanced Due Diligence (EDD) due to AML/CFT deficiencies; and (ii) “Improving Global AML/CFT Compliance: on-going process,” identifying jurisdictions which have developed an action plan with the FATF to address strategic AML/CFT deficiencies. Revisions to the FATF Public Statement include the 12-month suspension of the FATF’s call for countermeasures against Iran; in turn, Iran was added to the EDD category based on the continued risk posed by Iran to the international financial system. North Korea remains the sole country subject to countermeasures. Jurisdictions currently on the “Improving Global AML/CFT Compliance: on-going process” list include Afghanistan, Bosnia and Herzegovina, Guyana, Iraq, Lao PDR, Syria, Uganda, Vanuatu, and Yemen. Myanmar (Burma) and Papua New Guinea were removed from the list. FinCEN reminded financial institutions that they are subject to a broad range of restrictions on dealing with North Korea and Iran, in spite of the 12-month suspension of the FATF’s call for countermeasures against Iran.