Anti-Money Laundering (AML)

Bank’s Alleged “Tick Box” Approach Failed to Attain Substantive AML Compliance

Late last week, the Financial Conduct Authority (“FCA”), the United Kingdom’s financial services regulator, imposed a $1.2 million (896,100 pound) fine on the UK division of India’s Canara Bank, an Indian state-owned bank, and ordered a moratorium on new deposits for nearly five months.  The cause—according to Reuters—was Canara’s systemic anti-money laundering (“AML”) failures.

A 44-page final notice published by the FCA explains the multi-year regulatory process that led to a finding of systemic failures and the imposition of penalties.  The FCA’s investigation began in late 2012 and early 2013 with assessments of Canara’s AML systems.  Upon inspection, the FCA “notified Canara of a number of serious weaknesses in its AML systems and controls.”  After promises of remedial action by Canara, an April 2015 visit revealed that the AML systems had not been fixed.  The investigation ended with a final report from a “skilled person,” an expert brought in by the FCA to assess Canara’s AML policies and procedures, completed in January 2016.  Settlement followed, resulting in sanctions and the FCA’s published final notice.

These three visits from the FCA generated a laundry list of Canara’s AML shortcomings.  This enforcement action reflects three main take-aways: (i) the potential risks faced by banks operating in foreign countries in which they have limited AML experience; (ii) the need for swift remedial action after the first examination finding AML deficiencies; and (iii) the need for a substantive AML policy implemented in a substantive way, rather than through a rote reliance on AML-related checklists. Continue Reading Canara Bank of India Fined $1.2 Million by UK Regulators for Systemic AML Failures

OCC Identifies AML/BSA and Cyber Threats as Elevated Risks Facing Banks

Last week, the Office of the Comptroller of the Currency (“OCC”) published the Spring 2018 Semiannual Risk Perspective (the “Report”), which uses up-to-date data to identify risks to U.S. banks and measure their compliance with applicable laws and regulations.  The Report concluded that some of the OCC’s primary concerns are with banks’ abilities to comply with the anti‑money laundering (“AML”) laws and regulations, as well as to manage risks associated with cybersecurity threats.

Many of the OCC’s observations and recommendations remained the same from its Fall 2017 report, about which we previously blogged, begging readers to wonder what will spur less conversation and potentially more action among OCC-supervised banks or concrete guidance by the OCC.  Regardless, a common thread running throughout both reports is the potential risk presented to financial institutions by emerging technologies, which carry the simultaneous blessing and curse of business opportunities and compliance risks. Continue Reading OCC Report: Same Threats, Different Season

Commonwealth Bank of Australia (“CBA”), the largest bank in Australia, has agreed to a proposed civil settlement — subject to court approval — of historic proportions, involving a fine of approximately $700 million Australian dollars (roughly equivalent to $530 million U.S. dollars) regarding numerous alleged Anti-Money Laundering (“AML”) and Counter Terrorism Financing (“CTF”) violations.  The settlement is with the Australian Transaction Reports and Analysis Center (“AUSTRAC”) – a government financial intelligence agency whose counterpart in the U.S. would be the Financial Crimes Enforcement Network (“FinCEN”) — and represents the largest such enforcement action in the history of Australia.  Under the settlement, AUSTRAC also will recoup its legal costs of $2.5 million Australian dollars.

As we have blogged, AUSTRAC filed on August 3, 2017 a claim seeking civil monetary penalties against CBA for over 53,000 alleged violations of Australia’s AML/CTF law.  Although the case involves several types of alleged AML violations, it fundamentally rests on the bank’s use of so-called intelligent deposit machines (“IDMs”), a type of ATM which allowed customers to anonymously deposit and transfer cash.  Unfortunately, and perhaps not surprisingly, the IDMs also became an alleged favored conduit for money laundering by criminals involved in drug trafficking and illegal firearms. Continue Reading Australia’s Largest Bank Agrees to Historic AML Penalty

On April 19, 2018, the European Parliament (“EP”) adopted the European Commission’s (the “Commission”) proposal for a Fifth Anti-Money Laundering Directive (“AMLD5”) to prevent terrorist financing and money laundering through the European Union’s (“EU”) financial system. The Commission proposed this directive on July 26, 2016 to build upon and amend the Fourth Anti-Money Laundering Directive (“AMLD4”) – before all 28 member states even implemented AMLD4.

Under AMLD4, the EU sought to combat money laundering and terrorist financing by imposing registration and customer due diligence requirements on “obliged entities,” which it defined as banks and other financial and credit institutions. It also called for the creation of central registers comprised of information about who owns companies operating in the EU and directed that these registers be accessible to national authorities and obliged entities.  However, the European Central Bank warned that AMLD4 failed to effectively address recent trends in money laundering and terrorist financing, which have spanned multiple jurisdictions and fallen both within and outside of the traditional financial sector.  As a result, and in response to recent terrorist attacks in Europe and to the Panama Papers, the EP has adopted AMLD5 to more effectively keep pace with these recent trends.

Although AMLD5 contains several important provisions, including a proposed public registry of beneficial owners of legal entities, we focus here on how AMLD5 addresses, for the first time, the potential money laundering and terrorist financing risks posed by virtual currencies. Continue Reading The Fifth Anti-Money Laundering Directive: Extending the Scope of the European Union’s Regulatory Authority to Virtual Currency Transactions

But Passage of Pending U.S. AML Reform May Reduce Perceived Deficiencies in Beneficial Owner Identification

Last week, Transparency International (“TI”) released an updated assessment of the “beneficial ownership legal frameworks” in the G20 countries, entitled “G20 Leaders or Laggers?”  Since TI’s 2015 assessment of this same issue, the international anti-corruption organization found that “progress across the board has been slow.”  The 2018 Report lauds France, Germany and Italy for making “noticeable improvements since 2015.”  Other countries made more modest upgrades during that time period, including the United States, whose beneficial ownership transparency framework assessment rose from “Weak” in 2015 to “Average” in the 2018 Report.

This post begins with a few observations regarding TI’s methodology in composing the 2018 Report. The post then reviews certain of the areas where TI found the United States lacking as compared to its G20 peers, and examines whether Congress’ recent draft bill, the Counter Terrorism and Illicit Finance Act (“CTIFA”), about which we blogged in a January 2018 two-part series (here and here), may address these identified deficiencies. Continue Reading International Report Critiques U.S. Beneficial Ownership Transparency

May 11, 2018 Implementation Deadline Looms

Last year, we posted FinCEN’s Beneficial Ownership Rule: A Practical Guide to Being Prepared for Implementation regarding the Customer Due Diligence Requirements for Financial Institutions Rule (the “Beneficial Ownership Rule” or “Rule”) issued by the Financial Crime Enforcement Center (“FinCEN”). With the Rule’s May 11 implementation date only a few weeks away, and with FinCEN recently having published its new and long-awaited FAQs regarding the Rule (FAQs), we thought that the time was right for more practical tips and answers to questions surrounding the Rule. Continue Reading FinCEN’s Beneficial Ownership Rule: More Practical Tips and Answers to Frequently Asked Questions

Australia announced on April 11 that all digital currency exchanges operating in the country will be regulated by the Transaction Reports and Analysis Centre (“AUSTRAC”), the country’s financial intelligence agency.  A byproduct of the government’s Anti-Money Laundering (“AML”) and Counter Terrorism Financing (“CTF”) Act (on which we previously have blogged, both here and here), the new laws require all “digital currency exchange providers” with operations in Australia to register with AUSTRAC and, additionally, meet compliance and reporting obligations by May 14.

AUSTRAC’s new policing mandate represents a meaningful step in strengthening the country’s efforts under the AML/CTF Act, first enacted in 2006.  In brief, that law—now applicable to all digital currency exchanges operating in Australia—requires all regulated entities such as banks and money transfer operators to collect information to establish a customer’s identity, monitor transactions, and report activity that is suspicious or involves cash over $10,000 Australian dollars.  As summarized by AUSTRAC on its website, the AML/CTF Act:

. . . . places a number of obligations on reporting entities when they provide designated services, including:

Reporting entities determine how they meet their obligations based on their assessment of the risk of whether providing a designated service to a customer may facilitate money laundering or terrorism financing.  These requirements echo similar AML regulatory requirements in the United States that require digital currency exchangers and administrators to register with FinCEN as money services businesses, and with the various States as money transmitter businesses.  AUSTRAC also has issued a guide for digital currency exchange service businesses to prepare and implement their AML/CTF programs.  The guide sets forth a check list of tasks necessary to developing and maintaining an adequate AML/CTF program, including the completion of a risk assessment of the business, designing a training program, and creating procedures for responding to AUSTRAC feedback. Continue Reading Australia’s Financial Intelligence Agency Implements AML Regulation of Digital Currencies

And a Tale of Four Countries: Singapore Fines a U.K. Bank, and the U.S. Imposes a Consent Order on a Chinese Bank

Less than a week apart, two major financial institutions (“FIs”) have been hit with penalties for failing to implement adequate anti-money laundering (“AML”) protections. But the penalties imposed by the involved regulators are different.  In this post, we report on the enforcement actions recently lodged against Standard Chartered PLC and the Industrial & Commercial Bank of China Ltd. by the Monetary Authority of Singapore and the United States Federal Reserve, respectively.  We also consider the approaches of these two regulators to the banks and the differing outcomes of the enforcement actions.

Continue Reading A Tale of Two Enforcement Actions

Second Part in a Two-Part Series

The Tale of an AML BSA Exam Gone Wrong

As we have blogged, the Ninth Circuit Court of Appeals recently upheld the decision of the Board of Directors of the Federal Deposit Insurance Corporation (“FDIC”) to issue a cease and desist order against California Pacific Bank (the “Bank”) for the Bank’s alleged failure to comply with Bank Secrecy Act (“BSA”) regulations or have a sufficient plan and program in place to do so.

In our first post, we described how the Ninth Circuit rejected the Bank’s constitutional challenge to the relevant regulation, and accorded broad deference to the FDIC in its interpretations of its own regulations, expressed in the form of the Federal Financial Institutions Examination Council Manual (“FFIEC Manual”).  This post discusses the Court’s review of the Bank’s challenge under the Administrative Procedures Act to the FDIC’s factual findings of AML program failings.

The California Pacific opinion provides a significant piece of guidance for banks questioning the adequacy of its BSA compliance program: consult and abide the FFIEC Manual.  Furthermore, it demonstrates that no shortcuts are permitted when it comes to establishing and maintaining a BSA compliance program.  The BSA and the FDIC’s regulations contain firm guidelines and the FFIEC Manual puts banks of all sizes on notice of what compliance is expected of them.  The independence of both the AML compliance officer and of testing; adequate risk assessments of customer accounts; and the correction of prior regulator findings of AML deficiencies are key. Continue Reading Ninth Circuit Court of Appeals Outlines BSA Compliance Obligations and How One Small Bank Failed to Meet Them

As we previously have blogged, the Financial Crimes Enforcement Network (“FinCEN”) became one of the first regulators to wade into the regulation of cryptocurrency when it released interpretive guidance in March 2013 stating that an administrator or exchanger of virtual currency is a Money Services Business (“MSB”). As a MSB, and according to FinCEN, an administrator or exchanger of virtual currency therefore is a “financial institution” subject to the Bank Secrecy Act (“BSA”) and its various AML-related requirements, unless a limitation or exemption applies.  Accordingly, the Department of Justice has prosecuted operators of cryptocurrency exchanges for a failure to register with FinCEN as a MSB, and FinCEN has brought civil enforcement proceedings against such exchanges for alleged failures to maintain adequate AML programs and file required Suspicious Activity Reports (“SARS”), among other alleged BSA violations.

Recently, regulators of all stripes across the globe have been moving swiftly to regulate cryptocurrency in various ways (see herehere, here, here, here, here, here, here, and here). Indeed, the Securities and Exchange Commission (“SEC”) has been very vocal and aggressive in claiming that many if not all Initial Coin Offerings (“ICOs”) involving cryptocurrency represent securities subject to the jurisdiction and supervision of the SEC, and already has filed several enforcement proceedings involving ICOs. Moreover the SEC just yesterday issued a statement that it considers exchanges for cryptocurrency to also be subject to its jurisdiction. Likewise, the U.S. Commodity Futures Trading Commission (“CFTC”) has asserted that cryptocurrencies are commodities subject to its jurisdiction; this week, a federal court agreed with this assertion in a CFTC enforcement action.  The CFTC claims that its jurisdiction reaches beyond cryptocurrency derivative products to fraud and manipulation in the underlying cryptocurrency spot markets.

But there is a potential problem with all of these regulators simultaneously rushing in to assert their respective power over cryptocurrency businesses, and it is a tension that does not seem to have attracted much public attention to date. Specifically, BSA regulations pertaining to the definition of a MSB, at 31 C.F.R. § 1010.100(ff)(8)(ii), flatly state that a MSB does not include the following:

A person registered with, and functionally regulated or examined by, the SEC or the CFTC, or a foreign financial agency that engages in financial activities that, if conducted in the United States, would require the foreign financial agency to be registered with the SEC or CFTC[.]

How can certain cryptocurrency businesses be subject to the claimed jurisdictions of FinCEN as well as the recent regulatory newcomers to this area, the SEC and the CFTC? Continue Reading FinCEN Letter to U.S. Senate Committee on Finance Purports to Thread Needle of Potentially Competing Jurisdictions by Regulators over Cryptocurrencies