On August 30, the Department of the Treasury, along with the OCC, FDIC, Federal Reserve and NCUA, issued a joint fact sheet on foreign correspondent banking. The fact sheet provides a summary of the agencies’ (i) expectations for BSA/AML and OFAC risk management at U.S. depository institutions; (ii) risk-based approach to the supervisory examination process; and (iii) use of enforcement as an “extension of the supervisory process.” As highlighted in a corresponding blog post, the fact sheet explains that about “95% of BSA/OFAC compliance deficiencies identified by the [Federal Banking Agencies], FinCEN, and OFAC are corrected by the institution’s management without the need for any enforcement action or penalty.” The fact sheet notes that, under existing regulations, there is no general requirement for depository institutions to conduct due diligence on an individual customer of a foreign financial institution (FFI). But it also notes that “[i]n determining the appropriate level of due diligence necessary for an FFI relationship, U.S. depository institutions should consider the extent to which information related to the FFI’s markets and types of customers is necessary to assess the risks posed by the relationship, satisfy the institution’s obligations to detect and report suspicious activity, and comply with U.S. economic sanctions. This may require U.S. depository institutions to request additional information concerning the activity underlying the FFI’s transactions in accordance with the suspicious activity reporting rules and sanctions compliance obligations.”
On October 25, FinCEN issued advisory bulletin FIN-2016-A005 reminding financial institutions of their Bank Secrecy Act (BSA) obligations to report certain cyber-events and cyber-enabled crime. The advisory highlights the importance of (i) reporting cyber-events and cyber-enabled crime through Suspicious Activity Reports (SARs); (ii) including cyber-related information such as IP addresses with timestamps, virtual-wallet information, device identifiers, and cyber-event information, in SAR reporting; (iii) collaborating with BSA/AML, cybersecurity, and other in-house units to facilitate “a more comprehensive threat assessment and develop appropriate risk management strategies to identify, report, and mitigate cyber-events and cyber-enabled crime”; and (iv) sharing cyber-related information – including specific malware signatures, IP addresses and device identifiers, and virtual currency addresses that seem anonymous – amongst financial institutions for the “purpose of identifying and, where appropriate, reporting money laundering or terrorist activities.” Importantly, the advisory distinguishes between mandatory SAR reporting of cyber-events, providing three specific examples, and voluntary reporting of cyber-events. Per the advisory, “[c]yber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.”
FinCEN simultaneously issued FAQs to supplement advisory bulletin FIN-2016-A005. The FAQs, which supersede 2001 FAQs regarding computer intrusion, provide answers to a set of nine questions. The FAQs address, among other things, (i) when cyber-related SAR reports should be filed; (ii) the type of information that should be included in cyber-related SARs; and (iii) cyber-event and cyber-enabled crime information sharing, pursuant to Section 314(b) of the USA PATRIOT Act, between financial institutions.
On June 1, the SEC announced that a Wall Street-based brokerage firm agreed to pay a $300,000 penalty to settle charges that it failed to sufficiently evaluate or monitor customers’ trading for suspicious activity and to file suspicious activity reports (SARs) in an alleged willful violation of Section 17(a) of the Exchange Act and Rule 17a-8. The broker-dealer was required to have written AML policies and procedures, which outlined specific examples of suspicious activities that, according to the SEC, “should have triggered internal reviews and, in a number of instances, [(SAR)] filings.” According to the SEC, the broker-dealer failed to file SARs on the following activity: (i) accounts that traded an aberrational percentage of a given stock in a particular day; (ii) accounts of entities that had executives charged with criminal securities fraud; (iii) customer trading that was the subject of grand jury subpoenas and regulatory inquiries; (iv) liquidation of securities followed immediately by large cash transfers; (v) transactions in securities that were subsequently subject to SEC trading suspensions; and (vi) rejections by other broker-dealers of attempts by the firm to transfer customers’ securities. Despite these red flags, the brokerage firm failed to file SARs for more than five years. The case represents the SEC’s first against a firm solely for failing to file SARs.
On April 5, FinCEN assessed a civil money penalty against a Nevada-based casino for willfully violating the anti-money laundering provisions of the BSA. From 2010 through November 2013, the casino allegedly failed to (i) establish and implement an effective, written anti-money laundering program; (ii) establish and maintain appropriate internal controls in compliance with the BSA’s reporting requirements; (iii) conduct independent testing of its AML program; (iv) implement automated data processing systems that ensured compliance with the BSA and the casino’s AML program; (v) report suspicious activity; and (vi) secure and retain certain required records. According to FinCEN, the casino generally “lacked a culture of compliance” and had a “blatant disregard for AML compliance permeat[ing] at all levels.” The casino agreed to a $1 million civil money penalty and admitted to willfully violating the BSA’s program, reporting, and recordkeeping requirements.
On January 19, FinCEN issued an advisory, FIN-2016-A001, to provide financial institutions with guidance on reviewing their obligations and risk-based approaches with respect to certain jurisdictions. According to the advisory, on October 23, the Financial Action Task Force (FATF) updated two documents identifying the following: (i) jurisdictions that are either subject to the FATF’s call to apply countermeasures, or to Enhanced Due Diligence (EDD) due to their AML/CFT deficiencies; and (ii) jurisdictions with AML/CFT deficiencies. FinCEN’s recently issued advisory summarizes the changes made to the respective lists and reiterates that a financial institution must file a Suspicious Activity Report if it “knows, suspects, or has reason to suspect that a transaction involves funds derived from illegal activity or that a customer has otherwise engaged in activities indicative of money laundering, terrorist financing, or other violation of federal law or regulation.”