In this new feature, ACFCS highlight’s key current, upcoming or potential changes in the global financial crime landscape, so compliance professionals, investigators and regulators can better keep abreast of pressing vulnerabilities, issues and legislative fixes. Enjoy!

In this month’s ACFCS Regulatory Report covering May, FinCEN’s beneficial ownership rule took effect, with a key interagency exam manual update and fresh interpretative guidance related to a remaining tangle, regulators get more aggressive in anti-money laundering enforcement actions, targeting individual compliance officers, Congress passes a regulatory relief package, with financial crime compliance components, and more.

United States


FinCEN issues 90-day exceptive relief for renewable, rollover products in interpretative ruling on new beneficial ownership obligations

The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) on May 16 issued a rare ruling granting exceptive relief for 90 days related to an ambiguous, potentially burdensome piece of new beneficial ownership obligations on legal entity customers that took effect May 11.

The short, two-page ruling occurred on the same day FinCEN Director Kenneth Blanco testified before Congress on issues and industry concerns related to the customer due diligence rule, referred to in industry as the beneficial ownership rule.

The interpretive ruling targets “certain financial products and services that automatically rollover or renew (i.e., certificate of deposit (CD) or loan accounts) and were established before the Beneficial Ownership Rule’s Applicability Date, May 11, 2018.”

The exception begins, retroactively, on May 11, 2018, and will expire on August 9, 2018. At issue is that when CD’s annually rollover, they technically become a new account, which, in turn, would require the bank to reach out to the company or owner to make sure no beneficial ownership details have changed.

If the bank can’t get a verbal, written or email response, the bank would, technically, not be in compliance with the new rules and could face regulatory scrutiny or penalties. To read the full ruling, click here. To read recent ACFCS coverage of the various issues tied to the new rules or FAQs, please click here.

On deadline day, FFIEC releases new beneficial ownership, CDD exam rules, with key details on verification expectations

The Federal Financial Institutions Examination Council (FFIEC) also on May 11 issued new examination procedures on the beneficial ownership rule. FinCEN’s 2016 final rule clarifies customer due diligence requirements and also includes a new requirement for covered financial institutions to identify and verify the identity of beneficial owners of certain legal entity customers. Some excerpts include:

  • A bank may rely on the information supplied by the individual opening the account on behalf of the legal entity customer regarding the identity of its beneficial owner(s), provided that it has no knowledge of facts that would reasonably call into question the reliability of such information. If a legal entity customer opens multiple accounts a bank may rely on the pre-existing beneficial ownership records it maintains, provided that the bank confirms (verbally or in writing) that such information is up-to-date and accurate at the time each account is opened.
  • A bank need not establish the accuracy of every element of identifying information obtained, but must verify enough information to form a reasonable belief that it knows the true identity of the beneficial owner(s) of the legal entity customer. The bank’s procedures for verifying the identity of the beneficial owners must describe when it uses documents, non-documentary methods, or a combination of methods.

To read the full supplement, click here.

To read the FAQs related to the rule, released in April, click hereTo read ACFCS coverage of the FAQs, click hereTo read FAQs from 2016, click here. To read the original final rules, click here.  To read prior ACFCS coverage of the rule, click here.

AML compliance, cyber risk elevated as banks adjust to new beneficial ownership obligations, hack attacks: OCC report

The risk of a bank failing afoul of AML rules, or getting punctured by digital brigands, is “elevated” as banks must adapt to new requirements to capture and to a limited degree vet, the beneficial owners of certain corporate customers, as well as strengthen cyber resilience and recovery objectives in the face of more, and more creative, hack attacks.

Those are just some of the findings from the U.S. Treasury’s Office of the Comptroller of the Currency’s (OCC) latest Semiannual Risk Perspective, which has sprung covering Spring. Some highlights include:

  • Operational risk is elevated as banks adapt business models, transform technology and operating processes, and respond to evolving cyber threats.
  • Compliance risk is elevated as banks manage money laundering risks and implement changes to policies and procedures to comply with amended Bank Secrecy Act and consumer protection requirements.
  • AML compliance risk management systems often do not keep pace with evolving risks, resource constraints, changes in business models, and regulatory changes.

The report covers risks facing national banks and federal savings associations based on data as of March 31, 2018. The report presents data in five main areas: the operating environment, bank performance, special topics in emerging risk, trends in key risks, and supervisory actions. To read the full report, click here.


OCC levies rare $50,000 individual penalty against former Rabobank CCO for concealing AML weaknesses, tarrying on timetables

The U.S.  Treasury’s Office of the Comptroller of the Currency (OCC) levied a $50,000 penalty against former Rabobank Chief Compliance Officer Laura Akahoshi and prohibited her from working in financial institutions in a compliance capacity related to failures in reporting AML weaknesses and concealing program gaps from federal examiners.

The OCC stated that Akahoshi, a former OCC examiner herself, made “false statements” and “concealed bank documents” from examiners who found issues with the California operations of the Dutch bank as far back as 2012.

The OCC action states one unnamed former CCO raised concerns, but was not believed and eventually overruled by bank management and eventually placed on “force leave” before becoming a whistleblower for the OCC. To read ACFCS coverage of the original action, click here. To read the DOJ action, click here and the OCC action here.

In imposing the sentence, Judge Jeffrey Miller noted that Rabobank’s conduct essentially amounted to “stiff-arming the OCC, and completely failing in its responsibility to its customers and the nation.” To read the action, click here.

U.S. judge sentences Netherlands bank to pay “statutory maximum” of $500,000, in addition to previously negotiated nearly $370 million forfeiture, on obstruction charges

A U.S. District Court Judge in California in May sentenced the Rabobank to two years of probation, along with a half-million dollar fine as part of a previously-negotiated $368 million forfeiture related to obstruction charges for lying, tarrying and actively obfuscating a federal regulatory inquiry by the OCC.

The government announced the agreement in February. To read ACFCS coverage of the original action, click here.

To read the DOJ action, click here and the OCC action here.

SEC, Finra hit penny stock pinchers with millions in penalties, fines AML officer for proactively furthering fraud

The SEC and Finra teamed up to take down two broken broker-dealers engaging in penny stock frauds and related pump-and-dump dastardly doings.

To read the SEC actions, click here. To read the Finra action, click here.

The SEC settled charges against broker-dealers Chardan Capital Markets LLC and Industrial and Commercial Bank of China Financial Services LLC (ICBCFS) for failing to report suspicious sales of billions of penny stock shares, a fraudulent activity reaching epidemic proportions in trading spaces.

In the case, from October 2013 to June 2014, Chardan, an introducing broker, “liquidated more than 12.5 billion penny stock shares for seven of its customers and ICBCFS cleared the transactions,” according to the SEC, highlighting the trading sector’s often complex investment chains, where many individuals are involved, but none responsible for, or committed to, AML.

The firms faced charges including breaching AML and recordkeeping rules, but the biggest bombshell in the document: Chardan’s AML officer, Jerard Basmagy, was not just making honest mistakes, but “aided and abetted and caused the firm’s violations.”

In the settlement, the SEC is requiring Chardan to pay a $1 million penalty, ICBCFS to pay $860,000, and Basmagy individually to pay $15,000.

On the Finra side, the regulator hit ICBCFS with a $5.3 million penalty and is also requiring the firm to be scrutinized for further issues by an independent compliance consultant due to extensive AML failures through all four prongs of the program.

Supreme Court

A look at some of the aftershocks of the Supreme Court’s decision to allow states to decide on sports betting

The Supreme Court on Monday ruled in favor of New Jersey in the case that was formerly known as Chris Christie vs. NCAA (Christie’s name has been supplanted by Phil Murphy, the state’s new governor), striking down a 25-year old federal law known as the Professional and Amateur Sports Protection Act (PASPA) that largely outlawed sports betting outside Nevada.

The court’s 6-3 decision overruled the Third Circuit Court of Appeals, saying PASPA violates the state’s 10th Amendment rights, thereby creating a path for New Jersey and other states to offer sports betting, according to media reports. To read more, click here.

Crypto corner

Regulating digital currencies to fight crime: even with new laws in Australia, keeping criminals out of crypto will be a challenge

As Australia looks to strengthen rules to ensnare virtual currencies in AML duties, the country must do more to prevent criminals from using nigh anonymous digital value stores to move illicit funds internationally, destroying paper trails and hiding ties to the flesh-and-blood criminals and regimes at the heart of geopolitical instability.

The country took an important step in countering the criminal use of digital and cryptocurrencies with new AML legislation that came into effect in April. But digital currencies will continue to facilitate crime and will remain a challenge to law enforcement. Regulating the industry is necessary because it removes an intelligence black spot that’s exploited by criminals.

While all transactions and past ownership details are recorded in a publicly accessible ledger on the internet, computer code rather than individual names and addresses act as the owner’s digital signature in the blockchain, putting more pressure on investigators to get creative – and trained. To read more, click here.

U.S. Congress

As part of broader regulatory relief package, Trump signs law allowing banks to better protect elders, ease online IDs

Last week, President Trump signed a bill into law with broader implications for overall regulatory relief for banks related to Dodd-Frank and the Volcker Rule – rules to strengthen bank liquidity, lending and restrict risky, proprietary investing – but the legislation also eased customer identification friction for online banking and gives banks more protections when protecting vulnerable elder clients.

On May 24, Trump signed into law S.2155, the “Economic Growth, Regulatory Relief, and Consumer Protection Act,” a piece of legislation widely supported by groups like the American Bankers Association, the industry’s chief lobbying group. To read a text of the bill, click here.

The bill, introduced in November, is the result of a series of hearings mainly focused on how Congress and regulators can better trim unduly burdensome regulations to promote a better business environment, but also details several ways current AML obligations could be lightened, including:

  • Online banking: The law seeks to make online banking easier by smoothing friction in the identification area, allowing individuals to send the bank a scan or picture of their driver’s license or identification card, rather than showing up at a branch with the real thing.
  • Elder abuse: The law gives banks a safe harbor when disclosing potential financial abuse against senior citizens by granting staffers, such as AML compliance officers, broad immunity from civil and administrative lawsuits. The immunity is contingent on two key factors: if the person received specialized training and made the disclosure to authorities in “good faith” and with “reasonable care.”
  • Exam cycles: The law allows longer exam cycles for community banks, including AML exams.

To read Trump’s remarks on the bill becoming law, click here.

In addition to S. 2155, Rep. Blaine Luetkemeyer (R-Mo.) also highlighted a number of other legislative efforts currently ongoing in the house.

These include reforming AML rules by streamlining reporting requirements and ensuring that banks can use technology to more efficiently report important information to regulators and law enforcement. He also noted that “we’re getting very close” on introducing legislation that would put in place a national data breach notification standard. To read more, click here.

Congress introduces bill to provide safe harbor to prevent regulators from dinging banks for keeping suspicious accounts open for law enforcement

Rep. French Hill, R-Ark., a member of the House Financial Services Committee and a former banker, introduced legislation May 14 to provide a “safe harbor” for financial firms that keep open a suspicious account at the request of law enforcement so that they don’t get penalized for doing so by examiners under AML rules.

His bill “enables partnerships without repercussions between law enforcement agencies and our local financial institutions by allowing law enforcement to monitor cash flows associated with criminal investigations,” he said in a statement.

The legislation, the Cooperate with Law Enforcement Agencies and Watch Act, was not part of the bank regulatory relief package that passed recently into law.

At issue is that sometimes banks receive notices from law enforcement agencies, known as “keep open” letters, requesting them to keep an account open so that they can track payments and better monitor criminals.

If banks do help out law enforcement and comply, however, they face the risk of being chastised by regulators for allowing an account to be used for illicit purposes. Law enforcement agencies are supposed to provide a written notice that they requested the account be kept open, but bankers say there are no guarantees. To read more, click here.

Congressional hearing tackles cyber risks, resilience of the financial sector, with legislators calling for “iron dome,” better public, private information sharing 

The U.S. financial sector is under constant, withering barrages from a wide array of cyber hacking groups, including organized criminals, hacktivist idealists and rogue nation states – and in too many instances banks are failing to keep them all out – meaning operations need to craft better defenses and recovery capabilities.

Those are some of the issues covered, and conclusions reached, by U.S. Senator Mike Crapo (R-Idaho), Chairman of the U.S. Senate Committee on Banking, Housing and Urban Affairs, at a hearing last week entitled “Cybersecurity: Risks to the Financial Services Industry and Its Preparedness.”

He noted that the collection and use of personally identifiable information (PII) will be a major focus of the Banking Committee moving forward, along with seeing what banks are doing to better withstand assaults and how regulators are examining for cyber preparedness and resilience.

Senators Mike Rounds (R-SD) and Heidi Heitkamp (D-ND) proffered the idea of a financial sector “umbrella” or “iron dome” of cyber readiness to serve as a means to deter threats before they can get into a bank, according to legal analysts.

Senator Mark Warner (D-VA) went a step further, putting forth the possibility of planting individuals with a government security clearance at every large and mid-size institution to bolster intelligence sector information sharing.

To view a recording of the hearing or read witness statements, click here. For additional analysis and a summary of the hearing, click here.


NYDFS cyber rules coming into effect in various tranches with a deadline this month, phasing in until 2019. 

In late August 2017, the first in the nation cybersecurity compliance rules came into effect requiring certain financial institutions to bolster cyber protections and training, rapidly report breaches and attacks and designate a top officer to manage, with a CCO, or board member, certifying effectiveness.

To read more about what is needed to comply with the first deadline, click here.

Here are some passed or upcoming deadlines:

  • March 1, 2018 – One-year transition period ends, first batch of requirements must be implemented
  • September 3, 2018 – Eighteen-month transition ends, second batch must be implemented
  • March 1, 2019 – Two-year transition ends, compliance with all requirements

European Union

A look at the GDPR: EU’s new rules of data handling

On May 25, 2018, the EU-wide mandate known as the General Data Protection Regulation (GDPR) took effect. Now, companies operating in the EU can face heavy fines or sanctions for mishandling personal data of customers, clients or employees or even querying operations without prior consent.

To visit a GDPR resource page, click here. To visit the official EU page, click here.

Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. Previously, territorial applicability of the directive was ambiguous and referred to data process ‘in context of an establishment’.

To read a thorough analysis of the rules, click here.

EU Commission lauds agreement between EU states, parliament to bolster AML rules, extend cross-border currency declaration rules to prepaid cards, precious commodities, like gold

The Commission has welcomed the agreement reached by EU Member States and the European Parliament today on key measures to control illicit cash flows in and out of the EU, following a final round of negotiations this evening in Brussels, including extending critical currency border controls to other mediums of value. The main elements of the new rules will:

  • Tighten cash controls on people entering or leaving the EU with €10,000 or more in cash;
  • Enable authorities to act on amounts lower than the declaration threshold of €10,000, where there are suspicions of criminal activity;
  • Improve the exchange of information between authorities (Customs and Financial Intelligence Units) and Member States;
  • Extend customs controls to cash sent in postal parcels or freight shipments, to prepaid cards and to precious commodities, such as gold, which are not currently subject to customs control. To read the full report, click here.


In February, Canada’s Department of Finance released a consultation paper to review the country’s AML and counter-terrorist defenses, with a deadline of April 30 to get comments in by respondents. To review the paper, click here.

The report asks for comments on a number of critical areas to better detect and prevent financial crime, including bolstering corporate transparency, improving oversight of gatekeepers, including attorneys, and expanding the monitoring of non-bank sectors, particularly related to domestic and international politically-exposed persons (PEPs), which are at a high-risk for corruption.

The paper also seeks to expand AML obligations to more sectors, including mortgage insurers, land registries and title insurance companies, non-federally regulated mortgage lenders, unregulated financing, leasing and factoring businesses and dealers in high-value goods.

The proposals, if enacted, could also be a boon for Canadian law enforcement agencies as they seek to broaden domestic and international information sharing, making it easier to go after large scale, cross-border organized criminal and money laundering networks, with an eye toward protecting the data on innocent citizens.

The Canadian government is also following in the footsteps of several other major economies in Europe and Asia by proposing to create a regulatory “sandbox” for fintech companies.

Such a system would allow for exemption and examination relief and administrative forbearance for emerging technology companies and the banks that attempt to innovate and improve AML programs through cutting edge, but unproven tech. A more thorough analysis can be viewed here.

United Kingdom

U.K. preparing for post-Brexit sanctions regimes, enabling government to be nimbler, timelier when adjusting to geopolitical power shifts

The United Kingdom is already preparing its AML and sanctions regime to better comply with international obligations and partnerships post-Brexit with a new bill receiving royal assent to become an act of Parliament, a move that would the country keep in step with sanctions updates from the United Nations and other ally jurisdictions. To read the text of the bill, click here.

But the legislative update also has the potential to become more onerous, in particular, for financial institutions, with Britain potentially able to update designated lists “as appropriate” to more quickly further geopolitical objectives. To read more legal analysis, click here.


The Organization for Economic Cooperation and Development’s (OECD) Common Reporting Standard (CRS) became effective in Australia on 1 July 2017.

The first report for the six-month period ending on December 31, 2017 is due on July 31, 2018.  As such, reporting entities should be gearing up to make sure their due diligence procedures are properly completed, and their purported reportable accounts are identified to ensure they meet this deadline, according to legal analysts. To read more, click here.

Internal auditor reports “diluted, suppressed and ignored,” says Australian audit group

Internal auditors are having their reports “diluted or suppressed” or even seeing their careers derailed when they raise red flags within large corporations, a major issue for many large corporates, including financial institutions, in Australia, according to the sector’s chief lobbying body.

The allegations, by the head of the Institute of Internal Auditors, Peter Jones, comes in response to criticism that internal auditors had lost their authority within large corporations, were too timid to “speak truth to power” and too readily intimidated into watering down their own reports, according to media reports.

Jones was unable to provide specific details of his allegations but said the institute was aware of cases where internal auditors being ignored or punished for doing their job, which is to ensure that non-financial systems within a company operate as expected.

He stated that regulatory reports into failings at the Commonwealth Bank of Australia highlighted that internal auditors were muted by senior management and the board, a dynamic that leads to weak systems allowing criminals free reign into the international financial system. For more, click here.

Australia strengthens laws around crypto currency space, calls for AML program, registration with Austrac

Australia’s chief regulator and financial intelligence unit has issued rules April 3 requiring all crypto service providers, also called virtual currency exchanges, in the country to register with the agency, called Austrac, and bring their business in compliance with government’s AML rules. The requirements take effect immediately, though operations had until May 14 to register before being graded by examiners. They key tenets are:

  • Adopting, maintaining an AML/CTF program
  • Identifying, verifying the identities of their customers
  • Reporting suspicious activities, transactions of $10,000 or more to Austrac
  • Keeping certain records for seven years.

To read the full Austrac release, click here.


Latvian banking watchdog penalizes Meridian Trade Bank for AML deficiencies, institution agrees to independent review, remediation

A Latvian banking watchdog has fined Meridian Trade Bank for a host of AML violations, including lax staffing and transaction monitoring. Latvia’s Financial and Capital Market Commission (FCMC) fined the bank €456,000 and required the bank to improve its internal control systems related to financial crime and compliance risk management by next year.

Meridian also agreed to conduct an independent assessment to ensure that it complies with all the necessary regulatory requirements. To read the full action, click here.

The bank claimed that it has already invested more than €1.5m to upgrade its AML/CTF internal control system in 2016 and 2017, with plans to make additional €1m this year.

In February, US alleged Latvian financial entity ABLV bank of money laundering leading to its closure. Following this incident, Latvia strengthened vigilance efforts over the banks engaged in serving non-residents.

To date, around nine Latvian non-resident banks have been fined for breaching money laundering regulations, according to media reports. To read more, click here.


Danish regulators scrutinizing banks with potential ties to Russian money laundering, criticizes Danske Bank AML program

Danish regulators in May chastised the financial crime compliance processes of Danske Bank, stating there were “serious shortcomings” in the AML operations tied to Estonia, chiefly around reports of suspicious funds coming from relatives and associates of Russian President Vladimir Putin. The authority’s head, Jesper Berg, says Danske Bank “responded too late” when detailing the strength of its AML program and also tarried in filing suspicious transaction reports (STRs).

The regulator is requesting the bank add nearly $1 billion to boost overall solvency, including in the area of compliance. The bank admitted that in the period from 2007 to 2015, it was not sufficiently effective in preventing the branch in Estonia from potentially being used for money laundering and that this was due to critical deficiencies in governance and controls. To read the full statement, click here.

Hong Kong

In national risk assessment, Hong Kong sees more creativity, aggressiveness in cyber attacks

Under pressure from global watchdog groups and following U.S., and other country initiatives, Hong Kong in May published its National Risk Assessment, noting increasing creativity and sophistication related to criminal, terror and cyber hacking groups that are more quickly moving between fincrime gaps in the real world to gaping vulnerabilities in virtual worlds.

The country, going forward, is working to strengthen AML supervision and penalties, more aggressively freeze and seize assets and work more closely with international authorities to take down larger, global criminal syndicates. To read the full report, click here.