WELCOME TO A NEW MONTHLY FEATURE FROM ACFCS: THE REGULATORY REPORT!
In this new feature, we will highlight key current, upcoming or potential changes in the global financial crime landscape, so compliance professionals, investigators and regulators can better keep abreast of pressing vulnerabilities, issues and legislative fixes. Enjoy!
This month covers a host of important updates, including new U.S. Treasury guidance on beneficial ownership duties, a crypto fusillade by Gotham’s law enforcement, European Union officials bolstering corporate transparency and beleaguered on the fincrime front, Latvia, in the same vein, promising to stop getting duped by shell games, just to name a few.
FinCEN FAQs on new beneficial ownership rule coming online next month add clarity, but ambiguity on key points remains
Even in its quest to add clarity to new beneficial ownership requirements coming online next month, the U.S. Treasury has also added fresh uncertainty hinging on whether federal examiners deem compliance practices and decision-making as “reasonable,” according to Frequently Asked Questions (FAQ) released this month.
The original final rule, released in May of 2016, requires financial institutions to capture beneficial ownership details on certain legal entity customers down to the 25 percent level, or more on a “risk-based basis,” and list a top-level person who exercises managerial control. Institutions can chiefly rely on what companies provide in a self-certification form.
Through nearly 40 questions across 24 pages, FinCEN tackled a bevy of issues related to the rule, including everything from intermediated securities relationships to reliance on international, public beneficial ownership lists, from what renewal products trip new customer thresholds, to potential pitfalls when nominating notorious nominees.
Some key concerns include:
- Drawn and quartered: Is the 25 percent ownership level a “floor or ceiling?” Well, that depends on the risk of the firm, transparency of its ownership structures and believability of its self-certification responses.
- Man O’ Manual: While regulators can argue banks have known about the proposal since 2012 and had since 2016 to meet the May 18, 2018 deadline, institutions still don’t know what examiners will be looking for because agencies haven’t yet released an updated interagency AML exam manual.
- Remote control: When it comes to picking someone for the control piece, it’s still unclear when, how, if, or what news could constitute a reason for a bank to doubt the sworn statements of someone saying they have “managerial control” over a legal entity.
- Renewable energy: Due to other prior bank customer identification rules, when a certificate of deposit (CD) comes up for a re-up, that constitutes a new “account.” But if the bank attempts to contact the customer to check ownership details, and the person rebuffs, it could leave the bank vulnerable to regulatory knuckle-rapping.
To read ACFCS coverage of the FAQs, click here.
Regulators hit Wells Fargo with $1 billion penalty tied to automating auto insurance charges
The U.S. Treasury’s Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) this month penalized embattled Wells Fargo with a $1 billion fine for improperly charging thousands of customers for auto insurance they didn’t need and deceptive mortgage practices.
While not specifically AML, similar issues related to sales people at banks taking advantage of customers have caused Congress to ask financial institutions what internal bank group should police potentially fraudulent insiders – with the consensus by some it would be the fincrime compliance function.
To read the OCC and CFPB orders, click here.
On the AML enforcement front, the OCC this month released a trio of individual enforcement actions and two personal cease-and-desist orders against top officers and a board member of Merchants Bank of California related to past financial crime compliance failings. You can read the individual actions here.
The OCC action against individuals at Merchants Bank followed a prior individual penalty of $20,000 last month against Theodore Roberts, a director at Merchants Bank of California.
FinCEN and the OCC hit the bank with a $7 million combined penalty in February 2017 for “egregious and willful” violations of financial crime compliance regulations, chiefly tied to its monitoring, oversight and reporting of activity on its stable of remitter clients and correspondent portals.
FinCEN issued the penalty against the diminutive and struggling bank in an action detailing what can happen in a compliance worst case scenario where profit-driven insiders secretly control risky businesses, push their agenda by threatening bank staffers and use their knowledge of anti-money laundering (AML) processes to evade controls.
The action told a tale of a bleeding red bank desperate to boost income at the expense of compliance by delving into an area with many layers of high-risk strata, including money services businesses (MSBs) near the Mexican border, offering remote deposit capture (RDC) check-cashing services and later, these operations exhibiting transactional tells indicative of structuring, layering and commingling.
The penalty for the Carson, Ca.-based bank was among the largest FinCEN had ever handed out related to Bank Secrecy Act (BSA) issues compared to the bank’s overall holdings – the $7 million is nearly 11 percent of the bank’s total assets, evincing the seriousness of failings that dated back to 2010 and spread across several prior enforcement actions.
The OCC specifically stated the individual penalty against Roberts was due to failing to “take necessary actions to ensure that the Bank corrected the deficiencies resulting in violations” of the original 2010 consent order and a follow-up 2014 Consent Order, gaps that eventually lead to the $7 million penalty.
In tandem, the Federal Reserve this month issued an AML enforcement action against Hua Nan Commercial Bank Limited and Hua Nan Commercial Bank Limited New York Agency for a host of financial crime compliance deficiencies, echoing other recent federal actions.
The order particularly highlighted gaps in the areas of customer risk assessments and suspicious activity monitoring and reporting, continuing a focus by state and federal regulators on Asian banks and their U.S. operations as a potentially leaky portal into the U.S. financial system for illicit entities and sanctions evaders. To read the action, click here.
That was the second time in two Months the Fed chastised an Asian bank.
The regulator last month issued a cease and desist order against the New York and home country operations of the Industrial and Commercial Bank of China.
The bank has been linked to a major money laundering probe in Europe, where potentially hundreds of millions of dollars in suspect funds moved through ICBC’s Spain branch. More than half a dozen top ICBC executives in Spain have already been arrested related to the investigation.
In the U.S., federal and state regulators have hit several other large Chinese-based banks with AML orders and penalties. As for the latest Federal Reserve action, the regulator required improvements in key areas that have become a familiar refrain in recent years, including:
- More active board oversight of AML
- Better monitoring and reporting systems to track transactions, report suspicious activity.
- More precise procedures to track how transaction alerts are created, tracked and escalated and a way to review the related decision-making.
- More focus to ensure all AML staff have the required experience and subject matter expertise to make better decisions related to transaction and sanctions alerts.
- Along with the individual talent, the bank must also ensure the accumulated acumen of the AML team is in line with the risk of the bank and properly staffed.
To view the Federal Reserve action against ICBC, click here.
NYAG’s office launches inquiry into virtual currency exchanges to gauge compliance, transparency, accountability
The New York Attorney General’s Office (NYAG) has launched a “Virtual Markets Integrity Initiative” to improve the transparency and accountability of major cryptocurrency trading platforms and to better protect virtual currency investors by querying areas including operations, internal controls, use of automated bots, actual assets and anti-money laundering (AML) processes.
The AG’s Office has sent letters to 13 virtual currency exchanges so far, including Coinbase, Bitstamp, Binance and others, also attempting to uncover potential conflicts of interest, cyber defenses and ability to withstand or recover for power or data outages.
The questionnaires ask the platforms to disclose information falling within six major topic areas, including:
- Ownership and Control
- Basic Operation and Fees
- Trading Policies and Procedures
- Outages and Other Suspensions of Trading
- Internal Controls
- Money Laundering
Among other areas of interest, the questionnaires request that platforms describe their approach to combating suspicious trading and market manipulation; their policies on the operation of bots; their limitations on the use of and access to non-public trading information; and the safeguards they have in place to protect customer funds from theft, fraud, and other risks, (via the NYAG).
Congress this month also touched on a key piece of legislation with clear implications for financial crime compliance programs.
On April 19, the U.S. Senate Committee on Banking, Housing and Urban Affairs reviewed S.2155, the “Economic Growth, Regulatory Relief, and Consumer Protection Act,” in the overall context of how the Federal Reserve is overseeing and supervising financial institutions related to how they are complying with rules and regulations, including AML.
The bill, introduced in November, has already passed in the Senate. And while the hearing mainly focused on how Congress and regulators can better trim unduly burdensome regulations to promote a better business environment, the text of S.2155 details several ways current AML obligations could be lightened, including:
- Online banking: The bill seeks to make online banking easier by smoothing friction in the identification area, allowing individuals to send the bank a scan or picture of their driver’s license or identification card, rather than showing up at a branch with the real thing.
- Elder abuse: The bill also wants to give banks a safe harbor when disclosing potential financial abuse against senior citizens by granting staffers, such as AML compliance officers, broad immunity from civil and administrative lawsuits. The immunity is contingent on two key factors: if the person received specialized training and made the disclosure to authorities in “good faith” and with “reasonable care.”
In addition to S. 2155, Rep. Blaine Luetkemeyer (R-Mo.) also highlighted a number of other legislative efforts currently ongoing in the house.
These include reforming AML rules by streamlining reporting requirements and ensuring that banks can use technology to more efficiently report important information to regulators and law enforcement. He also noted that “we’re getting very close” on introducing legislation that would put in place a national data breach notification standard, (via the ABA).
In that same vein, OCC officials have said publicly that another top another priority is modifying how banks are examined on their compliance with anti-money-laundering laws.
The OCC, Federal Deposit Insurance Corp. and Federal Reserve are reportedly planning within the next few weeks to send a proposal to the FinCEN that would grant banks more flexibility in complying with those financial crime compliance obligations, with an eye toward innovation.
NYDFS transaction monitoring rules getting more teeth, with first transaction monitoring certification of compliance due in April
On April 9, the New York Department of Financial Services (NYDFS) announced the launch of a new online portal for regulated entities to securely file certifications required under New York’s AML transaction monitoring regulations. For more information, click here.
This regulation took effect January 1, 2017, and regulated entities had to file their first certification of compliance by April 16 and annually thereafter.
The regulation requires subject entities to maintain programs to monitor and filter transactions for potential AML violations, and ban and report on transactions with groups on U.S. sanctions lists. The regulator stated it prefers institutions to file using the online portal is preferred. For more information on rule 504, click here.
NYDFS cyber rules coming into effect in various tranches with a deadline this month, phasing in until 2019.
In late August 2017, the first in the nation cybersecurity compliance rules came into effect requiring certain financial institutions to bolster cyber protections and training, rapidly report breaches and attacks and designate a top officer to manage, with a CCO, or board member, certifying effectiveness.
To read more about what is needed to comply with the first deadline, click here.
Here are some passed or upcoming deadlines:
- March 1, 2018 – One-year transition period ends, first batch of requirements must be implemented
- September 3, 2018 – Eighteen-month transition ends, second batch must be implemented
- March 1, 2019 – Two-year transition ends, compliance with all requirements
FATF reviews Spain, Iceland, giving overall more positive grades, but chiding both for persisting vulnerabilities
The world’s top financial crime governing body, the Paris-based Financial Action Task Force (FATF), has released two mutual evaluation reports in key jurisdictions, that both must improve outstanding vulnerabilities against broad areas of financial crime. The group released its reports on Iceland, available here, and on Spain, available here, noting that while both have improved counter-crime defenses overall, but has struggled to rise in terms of effectiveness, such as AML penalties levied, prosecutions of large cases and forfeitures, (via FATF).
EU parliament votes to shine spotlight on true owners of companies, strengthen oversight of virtual currencies
This month Members of the European Parliament (MEPs) decided overwhelmingly to shed light on the true owners of shell, or letterbox, companies, by stating that any citizen will, in future, be able to access data about the beneficial owners of firms operating in the EU.
MEPs voted by 574 to 13 votes to support a December agreement reached with the Council, which also proposed closer regulation for virtual currencies, like Bitcoin, to prevent them being used for money laundering and terrorism financing.
The vote was the latest update to the EU’s Fifth AML Directive and is informed by the terrorist attacks of 2015 and 2016 in Paris and Brussels, as well as the Panama Papers leaks. Key updates include:
- Opening up data on beneficial owners of trusts and similar arrangements to those who can demonstrate a “legitimate interest,” such as investigative journalists, NGOs.
- Extending AML duties and in some cases registration requirements to virtual currency exchange platforms and custodian wallet providers, currency exchanges and check cashing offices, and trust or company services providers.
- Lower ID threshold on prepaid cards from €250 to €150.
- Tougher criteria for assessing risk of foreign nationals from risky regions, more scrutiny of high-risk countries overall.
- Better protection for fincrime and compliance whistleblowers, including anonymity
- Expanding the directive to cover all forms of tax advisory services, letting agents and art dealers.
While many European Union countries are still digesting the Fourth and Fifth AML Directives, broadly approved in December and replete with new beneficial ownership provisions to crack open anonymous shell companies, some analysts say they better be looking out for the latest potential package of amendments to the bloc’s chief counter-financial crime legislation.
Though still nascent, reviewers are calling these initiatives the Sixth AML Directive, which could have wide-ranging repercussions for subject entities. If finalized, look for major changes to compliance programs, including:
- More extensive staff training on a wider range of money laundering predicate offenses, possibly nearly two dozen.
- Mandatory jail terms of four years, or six years for organized criminal groups.
- Convicted launders could face bans from working in the public sector or holding office.
- Any company found guilty of money laundering could also see executives and employs face laundering charges.
- For large companies, executives, even though the company is too large for them to face money laundering charges directly, could face charges of “failing to prevent” the precursor crime or the laundering.
For more analysis, click here.
In February, Canada’s Department of Finance released a consultation paper to review the country’s AML and counter-terrorist defenses, with a deadline of April 30 to get comments in by respondents. To review the paper, click here.
The report asks for comments on a number of critical areas to better detect and prevent financial crime, including bolstering corporate transparency, improving oversight of gatekeepers, including attorneys, and expanding the monitoring of non-bank sectors, particularly related to domestic and international politically-exposed persons (PEPs), which are at a high-risk for corruption.
The paper also seeks to expand AML obligations to more sectors, including mortgage insurers, land registries and title insurance companies, non-federally regulated mortgage lenders, unregulated financing, leasing and factoring businesses and dealers in high-value goods.
The proposals, if enacted, could also be a boon for Canadian law enforcement agencies as they seek to broaden domestic and international information sharing, making it easier to go after large scale, cross-border organized criminal and money laundering networks, with an eye toward protecting the data on innocent citizens.
The Canadian government is also following in the footsteps of several other major economies in Europe and Asia by proposing to create a regulatory “sandbox” for fintech companies.
Such a system would allow for exemption and examination relief and administrative forbearance for emerging technology companies and the banks that attempt to innovate and improve AML programs through cutting edge, but unproven tech. A more thorough analysis can be viewed here.
UK regulator to increase pressure, scrutiny of AML legal, accountancy programs, strengthen oversight of virtual currency compliance: business plan
The United Kingdom’s (UK) chief financial sector regulator, the Financial Conduct Authority (FCA), will be more aggressively reviewing the anti-money laundering (AML) programs of the solicitor and accounting sectors, breaking in a new oversight body, while at the same time cracking down on fraudsters and criminals using virtual currencies to safeguard and move illicit assets. Those are just some of the areas the UK FCA stated it will make operational priorities in the 2018/19 timeframe in its just-released business plan.
Building on momentum from its regulatory sister bodies on the other side of the pond, the FCA will also be analyzing how fraudsters, scammers and organized criminal groups game the capital markets arena, particularly when the virtual currency and securities’ worlds combine in the form of individuals touting initial coin offerings that are nothing more than glorified, crypto Ponzi schemes. The FCA is also retooling systems to be able to make its analyses of financial crime, and related compliance exams, more efficient and effective, in some cases using artificial intelligence. The regulator is also pledging to more fully swim this more tuned and timely data pool with information from domestic and international partners, (via the UK FCA).
Australia strengthens laws around crypto currency space, calls for AML program, registration with Austrac
Australia’s chief regulator and financial intelligence unit has issued rules April 3 requiring all crypto service providers, also called virtual currency exchanges, in the country to register with the agency, called Austrac, and bring their business in compliance with government’s AML rules. The requirements take effect immediately, though operations will have time to register until May 14 before they are graded by examiners. They key tents are:
- Adopting, maintaining an AML/CTF program
- Identifying, verifying the identities of their customers
- Reporting suspicious activities, transactions of $10,000 or more to Austrac
- Keeping certain records for seven years.
The new rules are part of more extensive changes aimed at bolstering the country’s overall AML standards following criticism by global AML watchdog FATF. As a point of context, South Korea is also implementing more stringent AML rules for the crypto space.
The Financial Services Commission (FSC) has initiated inspections of several banks to ensure they are complying with new rules for cryptocurrency exchange accounts as financial institutions are the real world nexus of the virtual currency arena where people deposit and withdraw cash. To read the full Austrac release, click here.
New Zealand broadens AML rules to capture more sectors
The question at issue: Does a new AML regime in New Zealand coming into force in October, which will start capturing accountants, attorneys and other gatekeepers, have a silver lining in the form of a deeper relationship with customers, fostering stronger business and compliance connections? Some say both seemingly dichotomous goals can coexist. For more analysis, click here.
New Zealand regulator set to level nearly $3 million AML penalty on currency exchanger for failing to properly scrutinize millions of dollars, lax risk ranking
More than $100 million in suspect transactions may have not been properly checked under Zew Zealand’s AML regulations by Qian DuoDuo Limited (QDD), which now faces a multi-million dollar government fine, according to news reports. The Department of Internal Affairs (DIA) was seeking a fine of about $2.6 million, with one official stating the penalty could soar higher, up to $7 million.
The department has accused QDD of failing to meet AML requirements for customer due diligence, account monitoring, record keeping and risk assessment.
QDD, which was trading under Lidong Foreign Exchange, has not been accused of money laundering or funding terrorism, but being accused of failing to adequately scrutinize some $100 million in transactions, including weak transaction monitoring, initial customer due diligence and related risk ranking and properly reporting on potential suspicious activity.
Part of the issue is that the operation had sparse, improperly trained staff and a threadbare audit function, the critical backstop of the AML program function. For more analysis, click here.
Latvian government moving to ban financial institutions dealing with shell companies
Latvia’s Cabinet of Ministers upheld vital draft amendments to the country’s AML laws aimed at strengthening the overall finance system by reducing connections to opaque and potentially risky entities hiding behind shell companies.
The bill is also intended to increase the exchange of information between public and private sector operations and better arm law enforcement.
The amendment seeks ban financial institutions from ties to entities that appear to be shells. Under the draft law, the shell company is defined as an entity that fits one or several of the following three criteria:
- No actual economic activity and no documentary proof to the contrary.
- Registered in a jurisdiction where companies are not required to submit financial statements.
- The entity has no place of business in its country of domicile.
To read more analysis, click here.