FinCEN Issues Advisory and Supplemental FAQs on Cyber-Events and Cyber-Enabled Crime

On October 25, FinCEN issued advisory bulletin FIN-2016-A005 reminding financial institutions of their Bank Secrecy Act (BSA) obligations to report certain cyber-events and cyber-enabled crime. The advisory highlights the importance of (i) reporting cyber-events and cyber-enabled crime through Suspicious Activity Reports (SARs); (ii) including cyber-related information such as IP addresses with timestamps, virtual-wallet information, device identifiers, and cyber-event information, in SAR reporting; (iii) collaborating with BSA/AML, cybersecurity, and other in-house units to facilitate “a more comprehensive threat assessment and develop appropriate risk management strategies to identify, report, and mitigate cyber-events and cyber-enabled crime”; and (iv) sharing cyber-related information – including specific malware signatures, IP addresses and device identifiers, and virtual currency addresses that seem anonymous – amongst financial institutions for the “purpose of identifying and, where appropriate, reporting money laundering or terrorist activities.” Importantly, the advisory distinguishes between mandatory SAR reporting of cyber-events, providing three specific examples, and voluntary reporting of cyber-events. Per the advisory, “[c]yber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.”

FinCEN simultaneously issued FAQs to supplement advisory bulletin FIN-2016-A005. The FAQs, which supersede 2001 FAQs regarding computer intrusion, provide answers to a set of nine questions. The FAQs address, among other things, (i) when cyber-related SAR reports should be filed; (ii) the type of information that should be included in cyber-related SARs; and (iii) cyber-event and cyber-enabled crime information sharing, pursuant to Section 314(b) of the USA PATRIOT Act, between financial institutions.

LinkedInFacebookTwitterGoogle+Share

FinCEN Assesses Civil Money Penalty Against Nevada-Based Casino for AML/BSA Violations

On October 3, FinCEN assessed a $12 million civil money penalty against a Nevada-based casino for willfully violating the anti-money laundering (AML) provisions of the Bank Secrecy Act (BSA). Pursuant to the Statement of Facts, from March 2009 through September 28, 2015, the casino allegedly failed to (i) develop and implement an effective AML program reasonably designed to ensure compliance with the BSA; (ii) exercise due diligence in its monitoring of suspicious activity; and (iii) maintain sufficient AML compliance controls, procedures, training, and audits, which resulted in multiple filing and recordkeeping control violations. As part of the FinCEN’s Assessment and the Non-Prosecution Agreement filed by the U.S. Attorney’s Officers, the casino must (i) perform a series of required Remedial Measures to ensure compliance going forward; and (ii) conduct a look-back review to ensure that suspicious transactions and attempted transactions were appropriately reported for transactions that occurred between 2010 and 2013.

LinkedInFacebookTwitterGoogle+Share

FinCEN Acting Director Comments on Recent Casino Actions and Culture of Compliance

On October 3, FinCEN Acting Director Jamal El-Hindi issued a statement regarding anti-money laundering and countering the financing of terrorism compliance. According to Acting Director El-Hindi, two recent actions against casinos represent failure to (i) adequately train staff at every level in the organization; and (ii) properly file – or file at all – Suspicious Activity Reports and Currency Transaction Reports. Still, Acting Director El-Hindi acknowledged that casinos in general have improved their AML compliance efforts. Acting Director El-Hindi stated that FinCEN will continue to work with casinos on their compliance efforts, and cautioned that “[a] good compliance culture is one where doing the right thing is rewarded, and where ‘looking the other way’ has consequences.”

LinkedInFacebookTwitterGoogle+Share

DOJ Teams Up With OFAC to Bring Enforcement against Chinese Front Company

On September 26, the DOJ announced charges against a Chinese trading company and its executives for conspiracy to violate the International Emergency Economic Powers Act (IEEPA), and to defraud the United States; as well as for conspiracy to launder monetary instruments through U.S. financial institutions. The criminal complaint alleges that the company served as a third-party payer, using an illicit network of front companies, financial facilitators, and trade representatives to purchase sugar and fertilizer for a banking entity based in North Korea that OFAC had designated as a Specially Designated National (SDN) in 2009. The civil forfeiture complaint seeks forfeiture of funds spread out across 25 different bank accounts located in China and connected to the affairs of the company. In addition, OFAC imposed sanctions on the company, which is located near the North Korean border and openly worked with the SDN banking entity after 2009.

LinkedInFacebookTwitterGoogle+Share

Federal Court Denies FinCEN’s Second Attempt to Ban Foreign Bank

On September 21, the U.S. District Court for the District of Columbia stayed enforcement of FinCEN’s second attempt to cut off a Tanzania-based bank’s access to the U.S. banking system. The dispute originated from FinCEN’s attempt to prohibit domestic financial institutions from opening or maintaining correspondent accounts on behalf of the foreign bank under the authority of Section 311 of the USA PATRIOT ACT, which authorizes FinCEN take special measures against banks of primary money laundering concern. FinCEN first promulgated a final rule imposing the prohibition in July 2015, which was enjoined by the court in August, 2015. FinCEN agreed to a voluntary remand to correct deficiencies in its rulemaking process, such as providing the bank access to declassified information and considering the use of less drastic measures to address its concerns. In March 2016, FinCEN promulgated a revised final rule in which it indicated that the bank’s AML compliance remained inadequate and that the bank continued to engage in “illicit financial activity.” Upon a second review, the court again found that FinCEN had failed to adequately disclose declassified information to the bank prior to releasing the revised final rule, and did not properly respond to other of the bank’s concerns. In addition, the court was not satisfied that FinCEN had made the required consultations with other executive-branch agencies as required by statute.

LinkedInFacebookTwitterGoogle+Share