On September 7, FinCEN issued advisory bulletin FIN-2016-A004 notifying financial institutions of updates to the Financial Action Task Force’s (FATF) list of jurisdictions containing anti-money laundering/counter-terrorist financing (AML/CFT) deficiencies. The FATF updated two documents categorizing certain jurisdictions: (i) the FATF Public Statement, identifying jurisdictions that are subject to the FATF’s call for countermeasures or are subject to Enhanced Due Diligence (EDD) due to AML/CFT deficiencies; and (ii) the Improving Global AML/CFT Compliance: on-going process, identifying jurisdictions that have developed an action plan with the FATF to address strategic AML/CFT deficiencies. Revisions to the FATF Public Statement include the 12-month suspension of FATF’s call for countermeasures against Iran; in turn, Iran was added to the EDD category based on the continued risk posed by Iran to the international financial system. North Korea remains the sole country subject to countermeasures. Jurisdictions currently on the Improving Global AML/CFT Compliance: on-going process list include Afghanistan, Bosnia and Herzegovina, Guyana, Iraq, Lao PDR, Syria, Uganda, Vanuatu, and Yemen. Myanmar (Burma) and Papua New Guinea were removed from the list. FinCEN reminded financial institutions that they are subject to a broad range of restrictions on dealing with North Korea and Iran, in spite of the 12-month suspension of its call for countermeasures against Iran.
On September 21, the U.S. District Court for the District of Columbia stayed enforcement of FinCEN’s second attempt to cut off a Tanzania-based bank’s access to the U.S. banking system. The dispute originated from FinCEN’s attempt to prohibit domestic financial institutions from opening or maintaining correspondent accounts on behalf of the foreign bank under the authority of Section 311 of the USA PATRIOT Act, which authorizes FinCEN to take special measures against banks of primary money laundering concern. FinCEN first promulgated a final rule imposing the prohibition in July 2015, which was enjoined by the court in August 2015. FinCEN agreed to a voluntary remand to correct deficiencies in its rulemaking process, such as providing the bank access to declassified information and considering the use of less drastic measures to address its concerns. In March 2016, FinCEN promulgated a revised final rule in which it indicated that the bank’s AML compliance remained inadequate and that the bank continued to engage in “illicit financial activity.” Upon a second review, the court again found that FinCEN had failed to adequately disclose declassified information to the bank prior to releasing the revised final rule, and did not properly respond to the bank’s other concerns. In addition, the court was not satisfied that FinCEN had made the consultations with other executive-branch agencies that the statute requires.
On September 6, FinCEN issued advisory bulletin FIN-2016-A003 notifying financial institutions of a growing number of e-mail compromise schemes, in which criminals misappropriate funds by deceiving financial institutions and their customers into conducting wire transfers. The advisory summarizes the three main stages of e-mail compromise schemes, which involve impersonating victims to submit seemingly legitimate transaction instructions: (i) compromising victim information and e-mail accounts, whereby criminals access an e-mail account via social engineering or computer intrusion techniques; (ii) transmitting fraudulent transaction instructions, whereby criminals use stolen e-mail account information to send financial institutions fraudulent wire transfer instructions; and (iii) executing unauthorized transactions, whereby the fraudulent wire transfer instructions direct the financial institution to deposit the transfers to the criminals’ domestic or foreign banks. The advisory further warned of two prevalent e-mail compromise schemes: (i) Business E-mail Compromise (BEC), which targets commercial customers of financial institutions; and (ii) E-mail Account Compromise (EAC), which targets personal bank accounts. When conducting a BEC scheme, criminals will impersonate company employees, a company supplier, or a company executive to “authorize or order payment through seemingly legitimate internal e-mails.” EAC schemes, however, target individuals conducting large transactions through financial institutions, lending entities, real estate companies, and law firms. Developed in coordination with the FBI and the U.S. Secret Service, the advisory provides red flags for financial institutions to use to identify and prevent BEC and EAC e-mail fraud schemes.
On August 30, the Department of the Treasury, along with the OCC, FDIC, Federal Reserve and NCUA, issued a joint fact sheet on foreign correspondent banking. The fact sheet provides a summary of the agencies’ (i) expectations for BSA/AML and OFAC risk management at U.S. depository institutions; (ii) risk-based approach to the supervisory examination process; and (iii) use of enforcement as an “extension of the supervisory process.” As highlighted in a corresponding blog post, the fact sheet explains that about “95% of BSA/OFAC compliance deficiencies identified by the [Federal Banking Agencies], FinCEN, and OFAC are corrected by the institution’s management without the need for any enforcement action or penalty.” The fact sheet notes that, under existing regulations, there is no general requirement for depository institutions to conduct due diligence on an individual customer of a foreign financial institution (FFI). But it also notes that “[i]n determining the appropriate level of due diligence necessary for an FFI relationship, U.S. depository institutions should consider the extent to which information related to the FFI’s markets and types of customers is necessary to assess the risks posed by the relationship, satisfy the institution’s obligations to detect and report suspicious activity, and comply with U.S. economic sanctions. This may require U.S. depository institutions to request additional information concerning the activity underlying the FFI’s transactions in accordance with the suspicious activity reporting rules and sanctions compliance obligations.”
On August 26, FinCEN published a proposed rule that seeks to impose AML program requirements on banks that are without a Federal functional regulator, including, but not limited to, private banks, non-federally insured credit unions, and certain trust companies. FinCEN estimates that there are 740 such banks nationwide. The proposal would establish minimum AML program standards for such banks. In addition, if finalized, the proposed rule would expand the reach of FinCEN’s customer due diligence final rule to cover banks that are not already subject to the rule’s customer identification program requirements and beneficial ownership requirements. FinCEN issued the proposal to ensure that Bank Secrecy Act coverage is consistent across the industry. Comments on the proposal must be submitted to FinCEN by October 24, 2016.