AML Quarterly Update for Foreign Banks Fall/Winter 2021

AML Quarterly Update for Foreign Banks Fall/Winter 2021

November 30, 2021, Covington Alert

We are pleased to present Covington’s Fall/Winter 2021 quarterly update on U.S. anti-money laundering (“AML”) trends and expectations for global financial institutions.

In prior updates this year, we outlined key provisions in the U.S. Anti-Money Laundering Act of 2020 (the “2020 AMLA”) and described the new AML regulatory focus on certain previously unregulated market participants (e.g., antiquities dealers and investment advisors).

This quarter, we focus on a topic of substantial and increasing interest to U.S. regulators and policymakers: cryptocurrency and cybercrime. We also provide a brief update on the implementation of the 2020 AMLA.

We hope you find this report useful as you navigate evolving U.S. AML expectations and priorities for the international financial system. If you have any questions about the matters discussed here, please reach out to your Covington contact or any of the lawyers listed at the end of this update.

Since the Colonial Pipeline ransomware attack in May 2021, the U.S. government has redoubled its focus on cybercrime threats. For instance, Deputy Attorney General Lisa Monaco recently emphasized that the Department of Justice (“DOJ” or “Department”) will “press forward to hold accountable those who seek to go after our industries.”

U.S. authorities view AML enforcement actions and investigations as key components of combating cybercrime. The Treasury Department has been keenly focused on “disrupting criminal networks and virtual currency exchanges responsible for laundering ransoms . . . and increasing incident and ransomware payment reporting to U.S. government agencies.” Earlier in the summer, the Financial Crimes Enforcement Network (“FinCEN”) issued its first set of government-wide priorities for AML and countering the financing of terrorism (“CFT”) policy which, as we discussed here, highlighted “cybercrime, including relevant cybersecurity and virtual currency considerations” as a key risk area. And on November 23, 2021, the OCC, Federal Reserve and FDIC announced a joint initiative to provide U.S.-regulated financial institutions with renewed guidance on cryptocurrencies and crypto-assets over the course of 2022.

We expect that the U.S. government’s focus on the financial aspects of cybercrime, and its parallel emphasis on cryptocurrency, will both have implications for global banks. Below, we summarize three specific developments that may influence global AML enforcement by U.S. authorities over the long term.

A. FinCEN Report and Renewed Advisory on Ransomware

FinCEN has recently taken steps to increase the U.S. government’s ability to track ransomware and other cybercrime-related payments. Having previously issued advisories on cyber frauds (here and here), FinCEN this fall published a Report and a renewed Advisory on ransomware and the use of the financial system to facilitate ransom payments. Both publications emphasize the critical role that U.S.-regulated financial institutions are expected to play in identifying and reporting ransomware events.

Among other things, in both documents, FinCEN focuses on the use of foreign convertible virtual currency (“CVC”) exchanges to facilitate ransomware payments, and emphasizes that U.S.-regulated CVC exchanges, like financial institutions generally, should identify and report suspicious transactions associated with ransomware attacks by filing Suspicious Activity Reports (“SARs”). In its renewed Advisory, FinCEN additionally suggests that digital forensic and incident response companies and cyber insurance companies that facilitate ransomware payments may qualify as money service businesses (“MSBs”) and thus be responsible for filing SARs and currency transaction reports under U.S. law. 

Other U.S. government agencies are also strongly encouraging that ransomware payments be reported, and ransomware victims are thus increasingly reaching out to the Federal Bureau of Investigation and other U.S. authorities in connection with such payments. In light of the recent designations of certain ransomware actors under U.S. sanctions programs, firms may view proactive outreach to be a means of mitigating their exposure to sanctions risks. 

We expect FinCEN’s guidance, and the broader emphasis on reporting ransomware payments to U.S. authorities, to result in an uptick in ransomware-related SAR filings, which will facilitate an increase in related investigation and enforcement activity. As described below, DOJ is actively building enforcement capacity in related areas. 

B. Creation of the National Cryptocurrency Enforcement Team

On October 6, 2021, DOJ launched its National Cryptocurrency Enforcement Team (“NCET”), a group of prosecutors focused on illegal activity by cryptocurrency-related entities. The NCET will also help track down and recover assets lost to fraud and ransomware payments.

This unit, which does not yet have a head, will principally consist of attorneys from the Department’s Money Laundering and Asset Recovery (MLARS) and Computer Crime and Intellectual Property (CCIPS) sections, as well as attorneys from U.S. Attorneys’ Offices throughout the U.S.

The announcement of NCET’s creation follows DOJ’s publication of the Cryptocurrency Enforcement Framework, which it released in October 2020. Among other things, this Framework emphasized the Department’s authority to prosecute cryptocurrency-related crimes, including through the federal money laundering statutes, and indicated that the Department would take a coordinated and synchronized approach with other interested regulators, such as FinCEN and OFAC.

While the NCET has yet to bring any public enforcement actions, it is likely that it will become more visible in the coming months. One closely watched question is the extent to which the NCET will make use of cross-border subpoena powers, including the newly expanded AMLA subpoena power (further discussed in our alert here) to facilitate its investigative activity.

C. FATF’s Guidance on Virtual Assets

On October 8, 2021, the Financial Action Task Force (“FATF”) published updated Guidance on Virtual Assets, expanding its prior 2015 virtual currency guidance and outlining its regulatory expectations for entities that deal in virtual assets. Among other things, the update identifies concerns regarding stablecoins, particularly in light of their potential for mass adoption. FATF has emphasized that jurisdictions should supervise stablecoin projects before they are launched and ensure that these projects have AML/CFT controls in place. The U.S. has recently echoed FATF’s concerns on stablecoins, including in the November 1 report of President Biden’s Working Group on Financial Markets (further discussed in our alert here).

Of particular interest, FATF’s guidance indicates that, to the extent that virtual asset service providers (“VASPs”), including cryptocurrency exchanges, engage in correspondent banking-like activities, countries should apply commensurate due diligence processes over them. To that end, FATF advised that countries should require VASPs and participating financial institutions (“FIs”) to: gather information about peer VASPs and FIs, their customers, and relevant risk control frameworks; assess the corresponding VASP’s or FI’s AML/CFT controls; and obtain senior management approval before establishing any correspondent-like relationship(s). 

Along these same lines, FATF recently updated its guidance regarding the travel rule’s application to VASPs and virtual currency transfers, proposing that both FIs and VASPs should conduct counterparty due diligence, including researching the counterparty VASP’s ownership and AML/CFT systems, prior to executing virtual asset transfers. This updated guidance follows FinCEN’s proposed reform to its own travel rule regulations and FinCEN’s proposed unhosted wallet rule, both of which remain pending, as well as related developments in the UK (discussed here).

These various proposals aim to increase not just the level of diligence and controls around cryptocurrency transfers, but also government visibility into such transfers. Like the other initiatives discussed above, they reflect an attempt to increase the government’s ability to identify and investigate cybercrime-related or otherwise suspicious cross-border flows of value.

A. Antiquities ANPRM

As noted in our Spring 2021 update here, the passage of the 2020 AMLA resulted in an increased focus on the global art and antiquities market.

Under Section 6110(a) of the 2020 AMLA, Congress specifically tasked FinCEN to regulate persons “engaged in the trade of antiquities” (but not art dealers), a previously un-regulated trade. Pursuant to this mandate, on September 24, 2021, FinCEN released an Advanced Notice of Proposed Rulemaking (“ANPRM”), beginning the regulatory process for its new antiquities regulations and seeking public comment on questions (21) aimed at safeguarding the antiquities market from money laundering. Comments were due October 25, 2021.

Although the rulemaking process is ongoing, the ANPRM does signal that FinCEN may take a broad view as to who may qualify as an antiquities dealer. For instance, the ANPRM solicits input concerning “advisors, consultants, dealers, agents, intermediaries, or any other person who engages as a business in the solicitation or the sale of antiquities,” a reference that suggests FinCEN may be considering implementing a rule that would apply widely to a variety of businesses and individuals involved in antiquities. 

Notably, the ANPRM followed a March 9, 2021 FinCEN announcement requesting financial institutions to specifically identify art- and antiquities-related SARs (by using a specifically-defined reference code and filing type). This new requirement is likely related to the 2020 AMLA requirement requiring the U.S. Treasury and other agencies to submit a study on art and money laundering, which is due December 27, 2021 — which coincides with when FinCEN should, under the statutory timeline, issue a proposed antiquities AML rule.

B. Looking Ahead to Other AML Rulemakings

1. Beneficial Ownership and SAR Pilot Program

As noted previously, under the 2020 AMLA, FinCEN is required to promulgate a beneficial ownership reporting rule, applicable to a broad swath of companies operating or registered in the U.S., by January 1, 2022, and to establish a SAR pilot program, allowing U.S. institutions to share SAR-related information with its foreign branches, subsidiaries and affiliates, by the same date.

Earlier this year (in April), FinCEN issued an ANPRM on a proposed beneficial ownership rule, soliciting public comment on a variety of topics (as further discussed in our alert here). In response, FinCEN received over 200 comments. Thus far, however, FinCEN has not published a proposed beneficial ownership rule, and it has not published a proposed rule on the SAR pilot program either.

Given the length of time that has passed and the proximity to the January 1, 2022 deadline, it appears that FinCEN may miss the statutory implementation deadline, although it remains possible that FinCEN may issue an interim final rule prior to the deadline.

2. What Remains on the AML Agenda

As indicated in our prior alerts, many of the key provisions in the 2020 AMLA established new programs and reporting requirements that will need to be built out in detailed rules.

Of particular relevance to foreign banks with U.S. operations are provisions governing:

• amendments to banks’ customer due diligence processes (which are to follow the publication of the beneficial ownership rule, discussed above);
• guidance on updating of AML programs to ensure they are effective and risk-based; and
• the possible streamlining of suspicious activity and currency transaction reporting requirements.

In addition, under the 2020 AMLA, the U.S. is to conduct regulatory studies on de-risking and China- and Russia-related AML issues.

A graphic reflecting key dates in the implementation of the Act can be found here.

* * *

As busy as the last few months have been in U.S. AML regulation, the pace of change will likely increase in the coming months with FinCEN’s publication and finalization of certain key rules under the 2020 AMLA.

Covington would be pleased to discuss these AML developments with you, and to address questions about how they affect your specific business and risk environment. If you have any questions about the matters discussed in this report or any other AML topics, please reach out to your Covington contact or any of the lawyers in our global financial crime compliance and investigations team.