Daily Briefing: Danes charge former regulator in Danske scandal, FinCEN crypto guidance, and more
Wednesday, May 15, 2019
Posted by: Brian Monroe
By Brian Monroe
May 15, 2019
Quote of the Day: “The level of our success is limited only by our imagination and no act of kindness, however small, is ever wasted.” – Aesop
In today’s ACFCS Fincrime Briefing, Danish prosecutors charge former Danske official, regulator, new FinCEN crypto guidance, P2P exchange penalty, and more.
Please enjoy this unlocked story, part of the many benefits of being an ACFCS member.
Want to talk about industry trends, story ideas or get published? Feel free to reach out to ACFCS Vice President of Content Brian Monroe at the email address above. Now, on to more sweet sweet content!
Prosecutors charge ex-Denmark financial regulator, former Danske Bank director, in money laundering scandal
Danish authorities have charged a former top official at scandal-plagued Danske Bank, who also held a high position at Denmark’s financial regulator, related to the institution’s sprawling money laundering debacle.
Economic prosecutors have charged Henrik Ramlau-Hansen, a former Danske Bank finance director, who chaired Denmark’s Financial Supervisory Authority between 2016 and 2018, with crimes tied to the bank’s estimated $230 billion money laundering scandal.
He resigned in 2018 at the same time a scathing Danske report from the regulator was issued. He has recused himself from the investigation. He’s been working as an assistant professor at Copenhagen Business School, reported The Financial Times.
People familiar with the investigation told The Financial Times the former regulator was charged for not preventing transactions at Danske Bank when he was finance director from 2011 to 2015.
Danske’s former chief executive Thomas Borgen had his home raided as well. People familiar with the investigation told The Financial Times that other executives at Danske have been charged due to money laundering scandals.
Those indictments are sealed, noted the report. According to the paper, the move to raid Ramlau-Hansen home is an escalation of the investigation which has hurt Danske market capitalization and resulted in the ouster of executives and a slew of investigations around the world.
The Financial Times reported the charges against the Danske executives were brought following the U.S.’s request to conduct interviews in the case. That implies the Department of Justice and authorities in Denmark are coordinating their efforts.
In September Danske disclosed that €200 billion worth of money flowed from Russia and ex-Soviet states to the Danske Estonia branch. The money laundering went on from 2007 to 2015.
The charges against the ex-Danske Bank finance director come at the same time the bank has named a replacement for Borgen. The bank tapped Chris Vogelzang, a Dutch executive who spent 18 years at ABN Amro. He will be tasked with restoring the image of Denmark’s largest bank, (via Pymnts).
This move is an interesting twist in the sprawling Danske scandal and hits on two key questions investigators asking in the wake of a massive money laundering case involving a bank: what were bank insiders, such as compliance officers and business line managers, seeing and doing, and what were regulators seeing and doing.
Or really, what did they miss, or purposely allowed due to potential corruption or other reasons. This latest move by Danish authorities covers both of these questions, about insiders and regulators. Look for an intense focus on this official as they potentially could have seen red flags of the Danske Bank scandal from the regulatory and insider perspectives.
Nordic, Baltic regulators boosting cooperation, oversight on AML as banks pool resources to appease examiners, battle fincrime
Nordic and Baltic regulators are working to better communicate, coordinate and cooperate in fighting massive money laundering scandals rocking the regions, as many of the banks in their charge similarly band together to share resources, better know customers and more quickly uncover financial crime and compliance risks.
In recent weeks, financial regulators in Denmark, Estonia, Finland, Iceland, Latvia, Lithuania Norway and Sweden have agreed to craft a permanent working group to bolster cumulative efforts to identify, investigate and prosecute money laundering, terrorist financing and other financial crimes.
The regulators will “maintain regular contact and exchange experiences and information with the goal of being more effective in the prevention of money laundering,” in their home jurisdictions and countering larger, multi-country schemes, as a result of the agreement, working group, and related memorandum of understanding.
The agreement “marks a significant step forward in the combined Nordic-Baltic efforts to combat money laundering and terrorist financing” said Jesper Berg, Director General of the Danish Financial Supervisory Authority, in a statement.
The agreement occurs as Denmark increases its focus on counter money laundering and, in particular, its scrutiny of Danske Bank, and sharing related information with foreign authorities.
The moves occur as pressure increases on both regional regulators and financial institutions in the wake of the still-rumbling Danske Bank scandal.
Just this week, economic prosecutors have charged Henrik Ramlau-Hansen, a former Danske Bank finance director, who chaired Denmark’s Financial Supervisory Authority between 2016 and 2018, with crimes tied to the bank’s estimated $230 billion money laundering scandal.
In tandem, banks in these regions are attempting to assuage both regulatory and prosecutorial scrutiny by increasing the depth and breadth of AML programs and sharing more information on customers tethered to higher financial crime and risk trappings – a strategy already underway in recent months but is likely to become a greater priority.
A half-dozen of the Nordic region’s largest financial institutions banks are marshaling forces and sharing resources to craft a broad customer reviewing center to strengthen efforts to counter money launderers – a partial response to save face in the face of the Danske Bank scandal that has caused some authorities to say the reputation of the financial sector has taken a hit.
The banks intend to set up a joint venture, called the Nordic Know Your Customer (KYC) Utility, which will have a “singular focus on developing an efficient, common, secure and cost-effective Nordic KYC infrastructure,” according to the group, which made the initial announcement roughly one year ago, with Swedbank reportedly joining more recently.
KYC initiatives are a longstanding part of global AML regulations and best practices, with these efforts typically underpinning a numeric customer risk assessment and raking, usually low, medium or high, that correspondingly tunes bank transactional monitoring systems, the electronic brains of compliance programs to detect and report aberrant activity to law enforcement.
The company “will be owned and controlled by the founding banks, however, the plan is that the company will also offer its services to third parties,” according to the banks. “The initiative will contribute to ensuring a healthy financial environment, prevent financial crime and to protect customers and society.”
Last year, Sweden’s Financial Supervisory Authority dinged lenders on a key piece of AML, stating they had weak customer due diligence measures between 2016-2017, evincing lax capture of ownership details and threadbare documentation, according to media reports.
Some of that could change with the new KYC utility, which holds the potential to help banks better coordinate client tracking, lower instances of customer risk assessment failures or misidentification risks due to using different data sources and formats, lowering overall compliance costs, according to accounting firm Deloitte in a paper on the Nordic project and other KYC measures prepared for United Kingdom banks, noted by Reuters.
But such efforts in the EU, and around the world, are rare.
Banking secrecy laws in the EU and other countries can prevent banks from disclosing suspicious clients to each other, a stumbling block that has hindered the fight against financial crime, a paper published last September by independent consultancy the Tax Justice Network said.
But several groups are crafting industry-wide initiatives to assuage regulators and better identify threats and report them to law enforcement.
Clipeum, a French project launched by Societe Generale’s employees, with support from the bank, is currently building a platform where companies and individuals can upload KYC documents and authorize multiple financial institutions to consult the documents, according to Reuters.
Societe Generale has so far convinced Allianz, Banque Postale, BpiFrance, Commerzbank, Credit Agricole, Euler Hermes, Natixis, asset manager Tikehau and UniCredit to join Clipeum, Reuters noted.
The initiative, which will become a joint venture with institutions that are part of it owning stakes, expects to be ready in 2020, the paper said.
But such ventures have had varying success, with Singapore’s Monetary Authority having shelved its KYC utility citing unexpectedly high costs, according to media reports.
“I see great value in simplifying this process and making it common for all banks,” said Stefan Stignäs, head of Corporate Market within Corporate and Private Customers at SEB. “We can compare for example with mobile bank-id which is also infrastructure that is common for all banks.”
Moreover, by “establishing a common service, we can enhance the quality and the efficiency in the know-your-customer process and set distinct and uniform standards that correspond to demands from customers, banks and society,” he said in a statement.
To read the full joint regulatory release, click here. To read more coverage, click here.
To read the joint banking release on the KYC utility, click here. To read more coverage, click here.
This is similar to a move done by the U.S. banking sector more than a decade ago where many of the largest domestic banks pooled their data on potentially fraudulent customers together to prevent them from gaming the system and going bank to bank, called Early Warning Services.
The company was owned by the banks and later got blessed by FinCEN that their pooling and swimming together of customers from multiple bank data streams was protected under Patriot Act Section 314(b), a broad and powerful safe harbor allowing institutions to share data on customer suspected of breaching money laundering rules.
FinCEN offers crypto currency guidance to clarify AML rule obligations, highlight red flags on heels of first P2P exchanger penalty
If you use a person-to-person (P2P) crypto exchange and transfer virtual coins into money and back for others as a business, you are a money transmitter and must have a financial crime compliance program.
If you are the administrator of an exchange that allows people to do this, you are likely also a “money services business” for fincrime compliance purposes.
But if you are a person who “infrequently” trades value on a P2P exchange without attempting to make a profit, you haven’t officially tripped anti-money laundering (AML) rules under the U.S. Bank Secrecy Act (BSA).
Those are just some of the revelations in just-released interpretative guidance by the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) to help the “convertible virtual currency” (CVC) sector better understand their own obligations if and when AML rules get tripped and, just as importantly, when they don’t.
FinCEN also detailed “red flags” for crypto exchangers – formal exchanges and platforms that allow individuals to buy and sell with each other – to understand when transactions could be tied to illicit groups or darknet sites, with further transactional tells to help financial institutions uncover that an account is tied to a crypto exchange, but the operation never told the bank.
The guidance comes on the heels of a key penalty in the crypto space.
Last month, FinCEN in its first foray against a peer-to-peer crypto exchange, fined a tiny, one-person operation $35,000 for buying and selling millions of dollars in Bitcoin over a roughly two-year period for a bevy of individuals with virtually no financial crime compliance program to speak of – including failing to file on any large or risky transactions.
Thankfully, the latest FinCEN offering has more substance than that exchange's AML program. Through 30 pages of guidance, the central prevailing theme is that if you take money, change it into digital coinage, and make money doing it, and the inverse of that scenario, you are likely caught by federal AML rules.
This is true whether you are a formal exchange, individual or attempting to create a new avenue of virtual value – such as initial coin offerings (ICOs) – if you take fiat funds, and exchange it for crypto funds, regardless of the name and value, and vice versa, you would “generally” become a money services business (MSB) for AML purposes, specifically a money transmitter.
As such, that operation, or even that individual, would need to register with FinCEN as a money transmitter and create the four-pronged AML program, including policies and procedures, a compliance officer, AML training and independent auditing, with the addition of more recent formally finalized tangs, a customer risk assessment and transaction monitoring system.
“A natural person operating as a P2P exchanger that engages in money transmission services involving real currency or CVCs must comply with BSA regulations as a money transmitter acting as principal. This is so regardless of the regularity or formality of such transactions or the location from which the person is operating,” according to FinCEN.
But that comes with a significant caveat: “However, a natural person engaging in such activity on an infrequent basis and not for profit or gain would be exempt from the scope of money transmission,” meaning that typical users of a crypto exchange, or simply using a P2P platform to offload, or snap up, some crypto coin won’t trip burdensome AML rules.
The latest CVC interpretive note builds on 2013 FinCEN crypto guidance that identified the participants of generic CVC arrangements, including an “exchanger,” “administrator,” and “user,” and further clarified that “exchangers and administrators generally qualify as money transmitters under the [Bank Secrecy Act (BSA)], while users do not.”
An exchanger is defined as a person engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency, while an administrator is a person engaged as a business in issuing, or putting into circulation, a virtual currency, and who has the authority to redeem, or to withdraw from circulation, such virtual currency.
FinCEN also went into extensive detail on why it sees CVC exchange platforms as money transmitters.
“As money transmission involves the acceptance and transmission of value that substitutes for currency by any means, transactions denominated in CVC will be subject to FinCEN regulations regardless of whether the CVC is represented by a physical or digital token, whether the type of ledger used to record the transactions is centralized or distributed, or the type of technology utilized for the transmission of value,” according to the guidance.
Part and parcel of this AML regime for the CVC sector is that these program requirements have specific steps related to what you have to do with customers, what you have to report at certain transactional thresholds and mandatory filings of aberrant activity when customers, businesses or transactions reach the subjective threshold of “suspicious.”
That means that CVC operations subject to AML rules must risk assess customers at the beginning of a relationship, scrutinize transactions to capture when they exceed $3,000 in a day under a related “travel rule” and must file a customer transaction report (CTR) if the movement of funds for one entity breaches $10,000 in a day.
As well, these CVC exchanges must have an AML regime with requisite expertise, resources and systems in line with the risks and regions it encounters, with the penultimate expression of that program being the filing of suspicious activity reports (SARs) when transactions seem to originate from criminal activities or touch known sketchy darknet market places.
Here are some snapshots from the guidance about what is expected from crypto exchangers in terms of AML compliance:
· A well-developed risk assessment is part of sound risk management and assists MSBs in identifying and providing a comprehensive analysis of their individual risk profile.
· As part of its risk assessment, an MSB should determine both the identity and the profile of its customers and MSBs must know enough about their customers to be able to determine the risk level they represent to the institution.
· Wallets may also use multiple private keys stored in multiple locations. Wallets where user funds are controlled by third parties are called “hosted wallets” whereas wallets where users control the funds are called “unhosted wallets.”
· For hosted wallets, when the wallet owner is a user, the host must follow the procedures for identifying, verifying and monitoring both the user’s identity and profile, consistent with the host’s AML program.
· When the wallet owner is an agent of the host, the host must comply with regulations and internal policies, procedures and controls governing a principal MSB’s obligation to monitor the activities of its agent.
· If the multiple-signature wallet provider restricts its role to creating un-hosted wallets that require adding a second authorization key to the wallet owner’s private key in order to validate and complete transactions, the provider is not a money transmitter because it does not accept and transmit value.
· On the other hand, if the person combines the services of a multiple-signature wallet provider and a hosted wallet provider, that person will then qualify as a money transmitter.
CVC kiosks, ATMs
· An owner-operator of a CVC kiosk who uses an electronic terminal to accept currency from a customer and transmit the equivalent value in CVC (or vice versa) qualifies as a money transmitter both for transactions receiving and dispensing real currency or CVC.
· FinCEN issued guidance clarifying that owners/operators of ATMs that link an accountholder with his or her account at a regulated depository institution solely to verify balances and dispense currency do not meet the definition of a money transmitter.
Anonymous crypto transactions
· Anonymity-enhanced CVC transactions are transactions either (a) denominated in regular types of CVC, but structured to conceal information otherwise generally available through the CVC’s native distributed public ledger; or (b) denominated in types of CVC specifically engineered to prevent their tracing through distributed public ledgers (also called privacy coins).
· An anonymizing services provider is a money transmitter under FinCEN regulations. The added feature of concealing the source of the transaction does not change that person’s status under the BSA.
· An anonymizing software provider is not a money transmitter.
· By contrast, a person that utilizes the software to anonymize the person’s own transactions will be either a user or a money transmitter, depending on the purpose of each transaction.
Crypto payment processors
· CVC payment processors fall within the definition of a money transmitter and are not eligible for the payment processor exemption because they do not satisfy all the required conditions for the exemption.
· Under the payment processor exemption, a person is exempt from the definition of “money transmitter” when that person only “[a]cts as a payment processor to facilitate the purchase of, or payment of a bill for, a good or service through a clearance and settlement system by agreement with the creditor or seller.”
Centralized, decentralized apps, or DApps
· The same regulatory interpretation that applies to mechanical agencies such as CVC kiosks applies to DApps that accept and transmit value, regardless of whether they operate for profit.
· Accordingly, when DApps perform money transmission, the definition of money transmitter will apply to the DApp, the owners/operators of the DApp, or both.
Crypto P2P trading platforms, like localbitcoins
· CVC P2P trading platforms are websites that enable buyers and sellers of CVC to find each other. Sometimes, trading platforms also facilitate trades as an intermediary.
· Under FinCEN regulations, a person is exempt from money transmitter status if the person only provides the delivery, communication, or network access services used by a money transmitter to support money transmission services.
· Consistent with this exemption, if a CVC trading platform only provides a forum where buyers and sellers of CVC post their bids and offers, with or without automatic matching of counterparties, and the parties themselves settle any matched transactions through an outside venue, either through individual wallets or other wallets not hosted by the trading platform, the trading platform does not qualify as a money transmitter under FinCEN regulations.
Those tenets, however, are really just the basics of an AML compliance, and the tacit expectation is that crypto exchangers, similar to the baking brethren, will engage in more than a token effort to comply with counter-crime rules.
FinCEN states that the regulatory framework of a strong AML program “begins with the expectation that financial institutions will operate under a culture of compliance supported by senior leadership, including owners, boards of directors, and senior executives.”
This culture of compliance, a term highlighted in many AML enforcement actions in recent years against banks large and small, will “dictate the basic norms of behavior, knowledge, and transparency under which the management team, employees, and service providers will be held accountable.” (via FinCEN).
The crypto guidance from FinCEN is long-awaited, and eagerly-awaited, with the details required reading for both crypto exchange firms, their AML staff, those engaging in P2P transactions, who are now clearly caught in the rules, and even banks with accounts with crypto exchanges.
The biggest news is that the guidance is a warning to individuals who thought they could use P2P exchanges to make money, and wouldn’t have to worry about actually worrying about creating an AML program or looking for suspicious activity. The clear answer from FinCEN: you are now caught by AML rules.
FinCEN fines P2P crypto exchanger $35,000 for buying, selling millions of dollars in Bitcoin, not filing SARs, CTRs
On the virtual currency enforcement side, FinCEN in its first foray against a peer-to-peer crypto exchange, fined a tiny, one-person operation $35,000 for buying and selling millions of dollars in Bitcoin over a roughly two-year period for a bevy of individuals with virtually no financial crime compliance program to speak of – including failing to file on any large or risky transactions.
FinCEN stated last month Kern County, Calif. Resident Eric Powers operated as a peer-to-peer (P2P) exchanger of convertible virtual currency, tripping anti-money laundering (AML) obligations, including registering as a money services business (MSB) due to being a money transmitter for helping others in the country move and change from dollars to bitcoins and back.
A key differentiator that led to the penalty was that Powers was “not simply a ‘user’ of virtual currency,” which FinCEN defined as “someone who obtains and uses convertible virtual currency to purchase real or virtual goods or services for his own benefit.”
But because he was exchanging funds on behalf of multiple people around the country and acting as a “business,” he became a “money transmitter” through acting as a crypto exchanger.
What is still unclear in the action is if there are any thresholds for an individual, say, using a site like localbitcoins.com to buy and sell virtual currencies, depositing or taking fiat currencies, for their own benefit, if that scenario would trip AML and money transmitter requirements due to any profits giving the perception of being a business.
But at least in the case of Powers, that question is not an issue, as he did not hide his desire to exchange funds for one and all.
Through postings Powers made on web fora, such as bitcointalk.org and bitcoin-otc.com, he effectively “advertised his intent to purchase and sell bitcoin for others,” according to FinCEN, adding that he “completed sales and purchases by either physically delivering or receiving currency in person, sending or receiving currency through the mail, or coordinating transactions by wire through a depository institution.”
As well, Powers’ internet postings also indicated that he would direct transactions at other virtual currency exchangers, such as the currently imploded, Mt. Gox, on behalf of his customers.
He also couldn’t claim a lack of knowledge about financial crime compliance requirements, a key factor in the final $35,000 penalty, a figure which FinCEN originally considered levying at $100,000, but dropped to his ability to pay and willingness to help.
Still, Powers also agreed to a bar to never engage in similar business again to prevent himself from tripping AML rules.
“Powers participated in online discussions pertaining to AML compliance, including specific conversations about registering as an MSB, which demonstrate his awareness of the relevant [Bank Secrecy Act] requirements,” according to FinCEN, adding that in March 2013 he publicly stated on the Internet he would “assist customers that wanted to circumvent AML obligations.”
Moreover, this was not an ambiguous case where someone did a handful of transactions to help friends or family members.
Overall, in a nearly two-year period between December 2012 and September 2014, Powers conducted more than 1,700 transactions as an unlicensed money transmitter.
He engaged in "more than 200 transactions involving the physical transfer of more than $10,000 in currency,” but failed to file required customer transaction reports (CTRs), a requirement tied to the four-pronged AML program.
As well, Powers conducted some 160 purchases of bitcoin worth around $5 million through multiple in person cash transactions, in public places such as coffee shops, with someone he corresponded with in a forum that helps people buy and sell bitcoins – nearly all of these instances requiring a CTR.
Not surprisingly, due to a lack of any formal AML program, Powers also failed to file required suspicious activity reports (SARs) for transactions actually or potentially tied to illicit groups or derived from sullied funds.
FinCEN in the action stated he processed “numerous suspicious transactions without ever filing a SAR,” including doing business related to high-profile, illicit darknet marketplace “Silk Road,” as well as helping customers through The Onion Router (TOR), which is built to provide anonymity to users and prevent investigators from determining Internet Protocol (IP) addresses.
So, in many cases, Powers didn’t know who or what company he was dealing with or if the funds he was touching were derived from illicit drugs, cyber hacks and other illicit activity.
But FinCEN stated he did, however, turn a blind eye to indicia of suspicious activity – and didn’t blink when funds were clearly tied to illicit entities, such as customers The Onion Router, or @tor, email addresses.
Worse, however, is that Powers dealt with customers already publicly chastised for links to shadowy sites.
“Powers conducted transactions with one customer three times for approximately $170,000 after the customer appeared in news media commenting on alternate ways to access darknet marketplaces following the shutdown of Silk Road,” FinCEN said in the penalty document.
Even a “basic search on the internet for the customer’s screen name revealed identifying information for the customer, including the customer’s name, yet this information was not listed in Mr. Powers’ records.”
In addition, on at least one occasion, Powers “offered to exchange convertible virtual currency for fiat currency, knowing that the fiat currency constituted the proceeds of illegal activity,” according to FinCEN.
This case shows all the things you are not supposed to when engaging in crypto trading as a business, thus tripping AML rules, MSB obligations and money transmitter requirements.
This case will likely be a wakeup call to numerous individuals who thought they could make some extra bucks helping people get or offload crypto value. If you do, and you get to levels that catches the attention of authorities, and eventually FinCEN, prepare to be investigated, named and shamed – in the form of an enforcement action or penalty.