WELCOME TO A NEW MONTHLY FEATURE FROM ACFCS: THE REGULATORY REPORT!

In this new feature, we will highlight key current, upcoming or potential changes in the global financial crime landscape, so compliance professionals, investigators and regulators can better keep abreast of pressing vulnerabilities, issues and legislative fixes. Enjoy!

United States

Guidance by enforcement, reinforcing AML regulations

While March didn’t have as many high-profile enforcement actions and hefty monetary penalties as February, where regulators hammered a domestic and a foreign bank for hiding weaknesses and lying to examiners, this month did result in an action roundly feared throughout the anti-money laundering (AML) compliance community: the rare and dreaded individual penalty.

The U.S. Treasury’s Office of the Comptroller of the Currency (OCC), the chief regulator of the country’s largest and most complex banks, released the details of an individual penalty of $20,000 this month against Theodore Roberts, a director at Merchants Bank of California.

The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) and the OCC hit the bank with a $7 million combined penalty in February 2017 for “egregious and willful” violations of financial crime compliance regulations, chiefly tied to its monitoring, oversight and reporting of activity on its stable of remitter clients and correspondent portals.

FinCEN issued the penalty against the diminutive and struggling bank in an action detailing what can happen in a compliance worst case scenario where profit-driven insiders secretly control risky businesses, push their agenda by threatening bank staffers and use their knowledge of anti-money laundering (AML) processes to evade controls.

The action told a tale of a bleeding red bank desperate to boost income at the expense of compliance by delving into an area with many layers of high-risk strata, including money services businesses (MSBs) near the Mexican border, offering remote deposit capture (RDC) check-cashing services and later, these operations exhibiting transactional tells indicative of structuring, layering and commingling.

The penalty for the Carson, Ca.-based bank was among the largest FinCEN had ever handed out related to Bank Secrecy Act (BSA) issues compared to the bank’s overall holdings – the $7 million is nearly 11 percent of the bank’s total assets, evincing the seriousness of failings that dated back to 2010 and spread across several prior enforcement actions.

The OCC specifically stated the individual penalty against Roberts was due to failing to “take necessary actions to ensure that the Bank corrected the deficiencies resulting in violations” of the original 2010 consent order and a follow-up 2014 Consent Order, gaps that eventually lead to the $7 million penalty.

To read the full action, click here. To read prior ACFCS coverage of the original Merchants Bank penalty, click here.

Fed dings ICBC on board oversight, AML experience, staffing

The U.S. Federal Reserve this month also kept up the broader trend of more intense regulatory pressure on the domestic and international AML programs of foreign banks with a cease and desist order against the New York and home country operations of the Industrial and Commercial Bank of China.

The bank has been linked to a major money laundering probe in Europe, where potentially hundreds of millions of dollars in suspect funds moved through ICBC’s Spain branch. More than half a dozen top ICBC executives in Spain have already been arrested related to the investigation.

In the U.S., federal and state regulators have hit several other large Chinese-based banks with AML orders and penalties. As for the latest Federal Reserve action, the regulator required improvements in key areas that have become a familiar refrain in recent years, including:

  • More active board oversight of AML
  • Better monitoring and reporting systems to track transactions, report suspicious activity.
  • More precise procedures to track how transaction alerts are created, tracked and escalated and a way to review the related decision-making.
  • More focus to ensure all AML staff have the required experience and subject matter expertise to make better decisions related to transaction and sanctions alerts.
  • Along with the individual talent, the bank must also ensure the accumulated acumen of the AML team is in line with the risk of the bank and properly staffed.

To view the Federal Reserve action against ICBC, click here.

The actions reflect on broader current trends in the AML space, including law enforcement wanting banks to plead guilty to a crime as a deterrent to the rest of the industry, the rising risks of informal and non-monetary orders later turning into massive penalties and the risk of a smaller fine turning into a head-turning penalty if examiners feel they were told lies or half-truths.

Treasury watchdog chides FinCEN on banks filing few, weak SARs

The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), usually the agency levying penalties, also found itself facing criticism from government watchdog body, the U.S. Treasury’s Office of Inspector General (TOIG) related to not coming down harder on banks that are consistently filing few, weak or error-prone suspicious activity reports (SARs).

In a 44-page report released this month, the OIG noted that while, overall, financial institutions are sending more SARs and they are processed more quickly due to a requirement to file them all electronically, they are several persistent issues weakening the vital exercise – which is basically the end result of the country’s entire AML program efforts.

For instance, reviewers noted that certain banks continue to have SARs with invalid and non-responses in critical data fields along with inconsistent and incomplete responses when queried about the poor quality of certain filings.

In all, these gaps, happening for a long period of time by a significant number of banks, have impacted overall data quality in the SAR database, a vital resource for local, state and federal law enforcement agencies that ping the database to reach the threshold needed to start a case or to find links to break open ongoing domestic or international investigations.

Recent congressional reviews of U.S. AML laws have even considered using the SAR database as leverage to get foreign investigators to be more helpful in complex financial crime cases that jump across borders, basically creating a dynamic where if a foreign country quickly and fully responds to their mutual legal assistance treaty obligations, they can get access to the FinCEN SAR database, more of a classic carrot than a stick approach.

The OIG requested that FinCEN review institutions consistently filing error-strewn SARs, potentially sending that information to the banks’ primary federal regulators for consideration of enforcement actions, along with improving its technical abilities to find batch-filed SARs with broad problems and improve results through more education, guidance or fines, (via the TOIG).

Crypto corner

Depending on ICO structures, FinCEN could enforce AML penalties, require MSB registration: Letter to Congress

With state and federal regulators of all stripes jousting for oversight of the budding virtual currency sector and related blossoming of related initial coin offerings (ICOs), the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) has once more gone into the breach, stating that depending on the structure of the virtual currency exchange or related ICO, it may need to register as a money services business.

An exchange that sells ICO coins or tokens, or exchanges them for other virtual currency, fiat currency, or other value that substitutes for currency, would typically also be a money transmitter, though other forms could call for oversight by U.S. securities regulators.

To read the letter, click here.

U.S. Congress

Similar to recent months, where U.S. Congress representatives have reviewed the country’s AML defenses, and potential legislative fixes, both the House and Senate in the past few weeks have reviewed areas with financial crime implications.

This month, hearings focused on the intersection of organized criminal and terror groups, how criminals puncture companies and monetize stolen data, and analyzing the regulatory oversight and criminal and fraud risks around virtual currencies and related initial coin offerings (ICOs), a booming sector currently rife with opportunists stealing funds for their own gain – basically a virtual verbiage-filled Ponzi scheme.

New bill would up personal liability of top officers for frauds, insider abuses

As well, the Senate in mid-March released a new bill, S.2544, the “Ending Too Big to Jail Act,” described as a “bill to stop financial institution crime, require certain officers of companies to certify that they have conducted due diligence relating to criminal conduct or civil fraud, create accountability in deferred prosecution agreements, and for other purposes.”

The proposed legislation calls for a bevy of changes to current paradigms and powers to fight financial crime, including:

·         The creation of a permanent law enforcement agency dedicated solely to investigating fraud committed by financial institutions and insiders at financial institutions because that type of fraud has such far-reaching repercussions on individuals and the overall U.S. economy.

·         Top bank executives, including potentially the chief compliance officer, at institutions with more than $10 billion in assets must certify annually they have conducted due diligence and found that there is no criminal conduct or civil fraud in the financial institution.

·         For top officers found to be violating the certification, particularly if it’s for an extensive period of time and involving a significant amount of money and reaches a criminal threshold, could face individual penalties of $500,000 and 10 years in prison.

To read the full text of the bill, click here.

Expanding nexus of criminal, terror groups

As for the hearings themselves, in a House hearing this week titled, Exploring the Financial Nexus of Terrorism, Drug Trafficking, and Organized Crime,” key academics and former government officials highlighted the growing trend and rising threat of illicit groups and terror operatives sharing tactics and even working together directly devising how to grow and distribute drugs, launder money and support international syndicates that victimize global financial networks.

In a statement about the hearing, House Financial Services Committee Chairman and Texas Republican Jeb Hensarling noted that transnational criminal organizations (TCOs) pose a significant and growing threat to the United States financial system and our national security.

These organizations have an estimated value of $3.6 trillion to $4.8 trillion, or seven percent of global Gross Domestic Product. Moreover, these TCOs should be regarded as a national security threat that is undermining U.S. government efforts to combat illegal drugs, arms, human trafficking, terrorism, and other crimes to include money laundering, cybercrimes, fraud, and corruption.

“Given the profit potential, terrorist and insurgent groups have been steadily incorporating criminal activities into their business models, thus blurring the line between TCOs and terrorist organizations,” he wrote.

“Most notably, Hezbollah, with the backing of Iran, has developed lucrative criminal enterprises in both South and Central America that encompasses transnational trade in narcotics, military weapons, and hundreds of millions of dollars in illicit cash proceeds.”

“We are witnessing a dangerous convergence of terrorism and crime, where these groups share operating areas, intelligence, tactics, and resources to threaten nation states,” said Celina Realuyo, a professor at National Defense University, in her prepared statements, noting that corruption is a key component that weakens rule of law, law enforcement power and even allows safe havens for criminal groups in some regions.

“The Islamic State exemplifies a ‘criminalized state’ engaged in a broad spectrum of illicit activities, including extortion, robbery, oil smuggling, human trafficking, kidnap for ransom, and antiquities looting, to sustain its terrorist caliphate and to become the richest terrorist group in the world.

While al Qa’ida enjoyed ample donor support under Bin Laden, who believed that criminal activity might draw attention from law enforcement, ISIS “instead has relied on crime to generate the revenues necessary to fund its government, recruit foreign fighters, and project its propaganda.”

Targeting the leadership and cutting off the finances of ISIS have “debilitated the group and allowed the recapture of the territories it invaded. Terror-crime convergence presents a significant national security threat around the world.”

The best-known cases of convergence “involve the narco-insurgencies in Afghanistan and Colombia that have lasted for decades. This past year, opium production in Afghanistan and coca production in Colombia have reached alarmingly record levels,” she wrote.

To view the archived hearing and read witness statements, please click here.

Lawmakers aim to improve cyber defenses, reporting, prosecutions

Congress also took aim at the rising scourge of cyberattacks and the secondary piece of that illicit puzzle – how criminals are turning that stolen data into value, in some cases through direct stolen credit and debit card details, and crafting synthetic Frankenstein-style identities, but also requiring ransomware payments in nigh untraceable virtual currencies.

The hearing, titled After the Breach: the Monetization and Illicit Use of Stolen Data,” analyzed the tactics hackers of all stripes are using to bust into the world’s most secure virtual vaults through a combination of classic phishing and spear phishing attacks, business email compromise attacks and taking advantage of known and unknown exploits, including the most intractable and vexing online entrance portal of all – human error, the source for some 90 percent of successful cyberattacks.

“Cybercriminals aggressively target both individuals and companies at an increasing rate and hack their personal and financial data as part of their criminal enterprises,” Hensarling wrote. “Data theft is becoming a more lucrative illicit enterprise for cybercriminals because of its low risk of identification by law enforcement and high reward potential.”

As well, cybercriminals use online marketplaces in the nether regions of the Internet – referred to as the “Dark Net” – to “sell stolen personal and financial records, conduct ransomware attacks and identity theft, and steal corporate intellectual property.”

Overall, the Center for Strategic and International Studies (CSIS) estimates that cybercrime costs the world’s economy nearly $600 billion.

To view the hearing and witness statements, click here.

Legislators also reviewed two bills, one still awaiting formal introduction, that would improve cybersecurity, but on the reporting side, not the defense and protection side.

In the hearing earlier this month entitled, “Legislative Proposals to Reform the Current Data Security and Breach Notification Regulatory Regime,” lawmakers along with influential government and private sector bodies looked at the pros and cons of proposals to strengthen the oversight and reporting requirements of credit reporting agencies.

The legislation is a clear reaction to the unprecedented Equifax data breach that took place last year and is still unfolding to this day.

In tandem, a draft legislative proposal would establish a “national data security standard and a national data breach notification standard with a federal enforcement mechanism overseen by the Federal Trade Commission,” a critical improvement replacing a “current patchwork of state and federal regulations for data breaches with a national law that provides uniform protections.”

To view the hearing and witness statements, please click here.

More clarity, oversight needed for cryptos, ICOs

Legislators also held a hearing related to the oversight of cryptocurrencies and ICOs, trying to bring clarity to a rollicking, Wild West-type sector that is long on dreams of grandeur and short on oversight and concrete steps on how that will happen.

In the hearing, “Examining the Cryptocurrencies and ICO Markets,” speakers and Congresspersons tried to better divine what federal entities should be reviewing virtual currency exchanges and companies offering ICOs and tokens, as some in recent months have been found to be nothing more than smoke, mirrors and glossy marketing.

As well, federal agencies are currently at odds over picking a de facto crypto and ICO regulator as both the U.S. Securities Exchange Commission and Commodities Futures Trading Commission have claimed jurisdiction depending on firm structures, while FinCEN has also entered the fray, stating some of these operations may have to register as money services businesses.

To view the hearing and witness statements, please click here.

State rules

NYDFS cyber rules coming into effect in various tranches with a deadline this month, phasing in until 2019. 

In late August 2017, the first in the nation cybersecurity compliance rules came into effect requiring certain financial institutions to bolster cyber protections and training, rapidly report breaches and attacks and designate a top officer to manage, with a CCO, or board member, certifying effectiveness.

To read more about what is needed to comply with the first deadline, click here.

Here are some current or upcoming deadlines:

  • March 1, 2018 – One-year transition period ends, first batch of requirements must be implemented
  • September 3, 2018 – Eighteen-month transition ends, second batch must be implemented
  • March 1, 2019 – Two-year transition ends, compliance with all requirements

FATF/G20

Global AML watchdog the Paris-based Financial Action Task Force (FATF) has updated the G20, which met this month, on progress to fight financial crime, including widespread corporate opacity, terror attacks, rampant de-risking, and improving the effectiveness of AML laws, prosecutions, forfeitures. To read the full update, click here.

European Union

While many European Union countries are still digesting the Fourth and Fifth AML Directives, broadly approved in December and replete with new beneficial ownership provisions to crack open anonymous shell companies, some analysts say they better be looking out for the latest potential package of amendments to the bloc’s chief counter-financial crime legislation.

Though still nascent, reviewers are calling these initiatives the Sixth AML Directive, which could have wide-ranging repercussions for subject entities. If finalized, look for major changes to compliance programs, including:

  • More extensive staff training on a wider range of money laundering predicate offenses.
  • Mandatory jail terms of four years, or six years for organized criminal groups.
  • Convicted launders could face bans from working in the public sector or holding office.
  • More executives and employs facing laundering charges.
  • Executives facing charges of “failing to prevent” the precursor crime or the laundering.

For more analysis, click here.

Canada

In February, Canada’s Department of Finance released a consultation paper to review the country’s AML and counter-terrorist defenses, with a deadline of April 30 to get comments in by respondents. To review the paper, click here.

The report asks for comments on a number of critical areas to better detect and prevent financial crime, including bolstering corporate transparency, improving oversight of gatekeepers, including attorneys, and expanding the monitoring of non-bank sectors, particularly related to domestic and international politically-exposed persons (PEPs), which are at a high-risk for corruption.

The paper also seeks to expand AML obligations to more sectors, including mortgage insurers, land registries and title insurance companies, non-federally regulated mortgage lenders, unregulated financing, leasing and factoring businesses and dealers in high-value goods.

The proposals, if enacted, could also be a boon for Canadian law enforcement agencies as they seek to broaden domestic and international information sharing, making it easier to go after large scale, cross-border organized criminal and money laundering networks, with an eye toward protecting the data on innocent citizens.

The Canadian government is also following in the footsteps of several other major economies in Europe and Asia by proposing to create a regulatory “sandbox” for fintech companies.

Such a system would allow for exemption and examination relief and administrative forbearance for emerging technology companies and the banks that attempt to innovate and improve AML programs through cutting edge, but unproven tech. A more thorough analysis can be viewed here.

United Kingdom

U.K. FCA spreads gospel of tech sandbox, updates enforcement ethos

The U.K.’s Financial Conduct Authority (FCA) is taking its fintech regulatory sandbox global as the regulator stated this week it is looking to expand its popular regulatory sandbox overseas, with the aim of allowing companies to run tests across geographies. To read the full release, click here.

The FCA also stated this week it is updating its approach to supervision and enforcement, trying to get ahead of major bank failures by pre-emptively finding gaps in what they are calling a bank’s “culture of compliance.”

The regulator stated it wants to better review an institution’s overall compliance strategies, and find minor snags before they result in systemic compliance failings that allow illicit funds through the institution, requiring large monetary penalties. The new strategy will also be more “intelligence” and “data driven,” to be able to find issues faster at more banks, and more quickly create improvement plans at institutions presenting the greatest risks.

To read the full release, click here.