On August 8, 2022, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced the imposition of sanctions on the decentralized digital asset mixer Tornado Cash.  The action marks the first time OFAC has targeted an on-chain decentralized protocol.  To date, OFAC has not issued any guidance specific to decentralized finance (DeFi) as part of its broader sanctions guidance for the “virtual currency” industry, but the Tornado Cash action lays down an important marker and makes clear that OFAC will target projects or protocols engaged in illicit activity regardless of their centralized or decentralized status.  (Our prior blog post on OFAC’s general virtual currency guidance is available here).
Continue Reading OFAC Designates Tornado Cash in First Action Against a Decentralized Platform

On March 7, 2022, the Financial Crimes Enforcement Network (FinCEN) of the US Department of the Treasury published guidance (Guidance) for US financial institutions warning about: (1) efforts of foreign actors to evade expanding US economic sanctions and trade restrictions related to the Russian Federation and Belarus and (2) increased risk of malicious cyber-attacks and related ransomware campaigns, following the invasion of and continued military action in Ukraine.  The Guidance provides instructive red flags and related advice for all US financial institutions to evaluate, and provides information of particular relevance for Money Services Businesses (MSBs) and other FinCEN-regulated institutions undertaking transactions in what the agency calls “convertible virtual currency” (CVC).

Most notably, FinCEN strongly encourages US financial institutions that have information about CVC flows, including exchangers or administrators of CVC to: (1) be mindful of efforts to evade expanded US sanctions and export controls related to Russia and Belarus, summarized by Steptoe here; (2) submit Suspicious Activity Reports (SARs) as soon as possible regarding such conduct; (3) undertake appropriate risk-based due diligence of customers, and where required, enhanced due diligence; (4) voluntarily share information with other financial institutions consistent with Section 314(b) of the USA PATRIOT Act; and (5) consider using tools to identify assets that must be blocked or frozen under applicable sanctions.Continue Reading What US Financial Institutions Need to Know about FinCEN’s Russian Sanctions Evasion and Ransomware Guidance

On December 7, 2021, the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), published a proposed rule to implement the Corporate Transparency Act (CTA), which was enacted as part of the Anti-Money Laundering Act of 2020 within the National Defense Authorization Act for Fiscal Year 2021.  The proposed rule is intended to implement the CTA’s beneficial ownership reporting provisions, but does not yet have the force and effect of law. In short, the proposed rule would require certain business organizations and entities to report affirmatively information to FinCEN about the beneficial owners and controllers of such organizations and the individuals who have filed an application with state or tribal authorities to form the entity or register it to do business.  Below we summarize a number of the proposed rule’s key provisions, for which interested persons may submit public comments before February 7, 2022.
Continue Reading FinCEN Issues Proposed Rule on Reporting of Corporate Ownership

On October 15, 2021, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued anticipated Sanctions Compliance Guidance for the Virtual Currency Industry and updated two related Frequently Asked Questions (FAQs 559 and 646).  OFAC has published industry-specific guidance for only a handful of other industries in the past two decades; the new guidance demonstrates the agency’s increasing focus on the virtual currency (VC) sector.  It also clarifies US sanctions compliance practices in ways that could lay a foundation for future OFAC enforcement actions.

OFAC’s guidance was announced as part of broader US government enforcement priorities to combat ransomware, money laundering, and other financial crimes in the virtual currency sector, as noted in the Department of Justice’s recent announcement of a National Cryptocurrency Enforcement Team.  The OFAC guidance was published in tandem with a Financial Crimes Enforcement Network (FinCEN) analysis of ransomware trends in suspicious activity reporting, but the guidance is directed at the VC industry in general and is not specific to ransomware.  A ransomware actor who demands VC may or may not be a target of OFAC sanctions, and sanctioned actors may engage in a wide variety of VC transactions that do not involve ransomware.  The recommended compliance practices in OFAC’s new guidance are focused on the full range of sanctions risks that arise from virtual currencies.Continue Reading OFAC Issues Compliance Guidance for the Virtual Currency Industry

On July 20, 2021, the European Commission published its long-awaited legislative package titled “Anti-money laundering and countering the financing of terrorism” as announced in the Commission’s 2020 Action Plan for a comprehensive EU policy on preventing money laundering and terrorist financing (ML/TF).

As expected, the proposals seek to harmonize the application of more detailed anti-money

On January 15, 2021, the Financial Crimes Enforcement Network (“FinCEN”) announced that Capital One, National Association (“CONA”) had been fined $390,000,000 for “willful” and “negligent” violations of the Bank Secrecy Act (“BSA”) and its anti-money laundering implementing regulations. CONA is a wholly owned subsidiary of Capital One Financial Corporation (“COFC”).  As part of the agreement, CONA will pay $290,000,000 to the U.S. Department of Treasury (it previously paid $100,000,000 to The Office of the Comptroller of the Currency (“OCC”) in 2018 for similar violations).

The fine, which was one of the larger fines in FinCEN’s history, was imposed even though CONA had taken substantial remedial measures including enhancing its anti-money laundering (“AML”) budget, voluntarily commencing an extensive lookback into years of potentially suspicious transactions, and voluntarily exiting the cash checking business, which was the source of its violations.

From 2008 to 2014, CONA owned and operated the Cash Checking Group (“CCG”) which was a check cashing service for small businesses in the New York- and New Jersey-area.  According to FinCEN, during this time, CONA and CCG’s BSA violations were “significant” and “willful.”Continue Reading FinCEN Announces $390,000,000 Civil Penalty Against Capital One for Bank Secrecy Act Violations

In late December, the United States Court of Appeals for the Second Circuit affirmed the conviction of Chi Ping Patrick Ho on seven counts alleging multiple FCPA and money laundering (and related conspiracy) violations.[1] The decision is notable for its construction of various FCPA provisions, and further demonstrates the expansive jurisdictional reach of anti-money laundering laws to dollar-denominated transfers.

Ho, a citizen of Hong Kong, served as an officer and director of the Hong Kong-based non-governmental organization China Energy Fund Committee (CEFC-NGO), which was funded by Shanghai-based energy conglomerate China CEFC Energy Company Limited (CEFC).[2] Ho also served as an officer and director of a CEFC-affiliated US non-profit (US NGO), funded by CEFC NGO.[3]

Ho’s conviction, for which he was sentenced to 36 months imprisonment and a US$400,000 fine,[4] stemmed from two alleged bribery schemes involving (1) an attempted US$2 million cash delivery to the President of Chad (which was purportedly rejected by the President) and (2) a US$500,000 wire transfer to a charity associated with the foreign minister of Uganda.[5] Notably, the US dollar-denominated wire originated from a bank in Hong Kong, which was transmitted through its operating unit in the United States as a correspondent to another bank in New York, which in turn was acting as a correspondent for a beneficiary bank in Uganda for final credit to an ultimate beneficiary NGO. Both acts were allegedly made for the benefit of CEFC’s commercial interests in Africa.[6]

On appeal, Ho challenged his 2018 conviction on a number of grounds.[7]Continue Reading United States v. Ho

On January 1, 2021, the United States enacted the National Defense Authorization Act for Fiscal Year 2021 (“NDAA”) after the US House of Representatives and US Senate voted to override a presidential veto of the law.  Included within the NDAA are a significant number of provisions related to anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”), including provisions reforming the Bank Secrecy Act (“BSA”), a collection of statutes underpinning most of the current AML regulatory framework.  These amendments, many of which have been under consideration for years, represent the most substantial AML-related reforms enacted since at least the USA PATRIOT Act of 2001.  Below, we outline ten of the most significant AML provisions contained in the NDAA.  Given the breadth of the reforms, it is particularly important for US “financial institutions” – including money services businesses (“MSBs”) and other non-traditional financial institutions subject to the BSA – to carefully review the Act to understand how their compliance obligations may have changed or may change in the future as the Act is implemented via regulation.

  1. Amendments to BSA to Explicitly Cover Digital Assets

The NDAA includes several changes to make clear that cryptocurrency and other digital assets are within the scope of the regulatory requirements of the BSA.  For example, the NDAA amends the BSA in several provisions to clarify that the BSA also may apply to “value that substitutes for currency.”  For example, Section 6201(d) of the NDAA amends 31 USC § 5312 to include “value that substitutes for currency” in the definitions of a financial agency, currency exchanger, and licensed sender of money, types of US financial institutions subject to the BSA’s AML obligations.  It also amends the definition of “monetary instrument” to include “value that substitutes for any monetary instrument.”  Section 6102(a)(3) of the NDAA, expressing the sense of Congress, explains that “although the use and trading of virtual currencies are legal practices, some terrorists and criminals, including transnational criminal organizations, seek to exploit vulnerabilities in the global financial system and increasingly rely on substitutes for currency, including emerging payment methods (such as virtual currencies), to move illicit funds.”

Some of this reflects useful codification of existing guidance from the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”).  For example, FinCEN has long taken the position that “administrators” and “exchangers” of so-called “convertible virtual currency” are subject to FinCEN’s BSA regulations, and, in 2011, the agency amended the regulatory definition of “money transmission” to include the transmission of “other value that substitutes for currency.” 31 CFR § 1010.100(ff)(5)(i)(A).  (Money transmitters are a type of MSB subject to FinCEN regulation).  While FinCEN has held this position for several years, industry has raised questions regarding the scope of FinCEN’s statutory authority with respect to digital assets.  The amendments contained in the NDAA appear intended, at least in part, to resolve any doubts regarding Congress’s delegation of authority to regulate this space under the BSA.Continue Reading Ten Key Takeaways from the NDAA’s AML Reforms

On October 1, 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) published advisories on the sanctions and anti-money laundering (AML) risks of facilitating ransomware payments.

Ransomware attacks have become increasingly common in recent years with malicious attacks targeting companies in a variety of industries, including healthcare, technology, and education, among others.  Ransomware attacks typically involve a hacker breaching a company’s information technology (IT) infrastructure and encrypting a company’s data or other systems. The attacker then typically demands the victim pay a ransom in exchange for a decryption key that allows the victim to unlock the IT systems or data.  Such attacks can have severe consequences for the victim, often preventing the victim from being able to conduct business operations in whole or in part, and, in the case of healthcare companies such as hospitals, can potentially lead to loss of life, as reportedly occurred recently with a ransomware attack on a hospital in Germany.  Such inability to conduct business can also have ripple effects on other companies or individuals whose data is affected.  In some instances, an attacker may also threaten to disclose private information or data unless the ransom is paid.

As a result, victims of ransomware attacks often choose to pay the ransom.  However, because ransomware attackers rarely, if ever, identify themselves, and often demand payment in cryptocurrency, victims making such payments are generally forced to do so without a clear understanding of the recipient.  Such conduct potentially exposes the victim, and third party service providers (including financial institutions and incident response consultants, among others), to violations of and obligations under US sanctions and/or AML laws.

The OFAC and FinCEN advisories provide information to the public regarding the sanctions and AML risks to victims and third party service providers, including US financial institutions, who assist victims in responding to ransomware attacks.  While in many respects the guidance does not break new regulatory ground, it is a stark reminder of the way that those trying to deal with the consequences of a ransomware attack can find themselves in trouble with the US government.  This puts victims and companies that assist them in a difficult conundrum: don’t pay the ransom and potentially watch the victim company’s business get destroyed, or pay the ransom and run the risk of violating US sanctions and AML laws.  It is therefore imperative that victim companies and those in the business of facilitating ransom payments carefully consider the legal risks and evaluate potential ways to avoid or minimize them.Continue Reading Five Key Takeaways from OFAC and FinCEN’s Ransomware Advisories

On August 18, 2020, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) published a statement outlining the agency’s approach to enforcement of the Bank Secrecy Act (“BSA”), including anti-money laundering (“AML”) regulations issued by FinCEN pursuant to the BSA.  As described in a press release accompanying the statement, the document “aims to provide clarity and transparency to [FinCEN’s] approach when contemplating compliance or enforcement actions against covered financial institutions that violate the BSA.”

This relatively brief statement apparently represents FinCEN’s first published guidance that comprehensibly identifies the agency’s enforcement priorities and policies, and it may reflect an effort by FinCEN to place more emphasis on its enforcement function.   The statement lacks the details of enforcement guidance published by other agencies on issues of trade and financial regulation, such as Treasury’s Office of Foreign Assets Control (“OFAC”).  While many of the topics covered by the FinCEN statement will be familiar to covered financial institutions, there are also a few noteworthy clarifications in the statement.Continue Reading FinCEN Publishes Statement Setting Forth Agency’s Approach to BSA Enforcement