Welcome to the FinScan’s Regulatory Roundup August 2024. In the last month, we’ve seen significant regulatory updates across multiple domains: FinCEN published FAQs on the BOI Reporting Rule, while joint notices highlighted timeshare fraud; major enforcement actions involving several banks and other institutions; new sanctions guidance released by UK, EU, and US authorities; and new AI guidelines issued by NIST and CISA, with some emphasis on international collaboration on AI standards.
Anti-money Laundering
FinCEN publishes FAQs relating to BOI Rule
FinCEN has prepared Frequently Asked Questions (FAQs) in response to inquiries received relating to the Beneficial Ownership Information (BOI) Reporting Rule and Beneficial Ownership Information Access and Safeguards Rule.
FinCEN, OFAC, and FBI issue joint notice on timeshare fraud
The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a joint notice with Treasury’s Office of Foreign Assets Control (OFAC) and the Federal Bureau of Investigation (FBI) to financial institutions, urging them to be vigilant in detecting, identifying, and reporting timeshare fraud perpetrated by Mexico-based transnational criminal organizations (TCOs). The TCOs use proceeds from timeshare fraud to diversify their revenue streams and finance other criminal activities, including the manufacturing and trafficking of illicit fentanyl and other deadly synthetic drugs into the United States.
Enforcement Actions
United States: Silvergate Bank, Citibank, and Green Dot Bank
Silvergate Bank was charged with failure to effectively monitor internal bank transfers as part of it Silvergate Exchange Network for suspicious activity; combined penalties: $63,000,000. Citibank’s deficiencies in various areas including risk management, internal controls, and data governance led to two penalties – FRB, $60,625,620; and OCC, $75,000,000 (totaling $136.5 million) on top of the $400 million fine that Citi paid back in 2020 when the original consent order was signed. Green Dot Bank was cited for deficiencies in, among other things, compliance with Bank Secrecy Act and 31 CFR Chapter X; penalty: $44,000,000.
Canada: Gestion de Patrimoine Blue Bridge Inc. and Masters Realty (2000) Ltd.
The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) imposed an administrative monetary penalty of $49,500 on Gestion de Patrimoine Blue Bridge Inc. for failure to develop and apply written compliance policies and procedures that are kept up to date, and failure to assess and document the risk of a money laundering or terrorist financing offence, taking into consideration prescribed factors. FINTRAC also imposed an administrative monetary penalty on Masters Realty (2000) Ltd., also operating as RE/MAX Masters Realty, of $83,655 due to inadequate policies and procedures, training, risk assessment and documentation, and customer information record upkeep.
United Kingdom: Ground-breaking public-private partnership launched to identify criminality
The National Crime Agency (NCA) and seven UK banks have launched a major project to identify and take action against organized crime. The participating banks are providing the NCA with account data indicative of potential criminality. Subject matter experts and investigators from the NCA and the banks have formed a joint team to analyze the data, alongside the NCA’s own data. Any intelligence outputs will inform the NCA’s investigative work and help the banks to identify risk.
Singapore: MAS issues circular on establishing source of wealth (SOW)
The Monetary Authority of Singapore’s (MAS) recent circular is intended to provide further guidance in the wealth management sector on the establishment of source of wealth (SOW). Financial institutions are instructed to take “appropriate and reasonable measures” to establish SOW, and have policies and procedures in place to be risk-proportionate and reasonable considering materiality, prudence, and relevance. In addition, senior management are asked to exercise close oversight of higher risk accounts and ensure ongoing monitoring taking into account customer risk.
Germany: BaFin publishes in-depth information on loan fronting
Financial regulator BaFin has published in-depth information on loan fronting, which takes place when a credit institution grants loans on behalf of third parties. The risk of money laundering and terrorist financing is particularly high if the investors or the origin of the loan collateral are unknown. It is also problematic if the institution does not receive sufficient information about the investor’s business model – or does not know where source of the funds with which the loan is repaid.
Dubai: Actions against Symphony Services Ltd – and its CEO
The Dubai Financial Services Authority (DFSA) published decision notices imposing penalties on Symphony Services Limited (SSL) for failing to comply with DFSA requirements and obstructing the DFSA. Penalties include USD 210,000 and withdrawal of SSL’s registration as a Designated Non-Financial Business or Profession (DNFBP). It also includes fining its CEO USD 140,000 and prohibiting him from holding office in or employment of any Authorised Person, DNFBP, Reporting Entity or Domestic Fund, and performing any function in connection with the provision of Financial Services in or from the DIFC.
Sanctions Guidance
UK authorities publish amended cyber sanctions guidance
The UK’s Secretary of State for Foreign, Commonwealth and Development Affairs has provided this guidance to assist in the implementation of, and compliance with, the Cyber (Sanctions) (EU Exit) Regulations 2020, as amended from time to time. The guidance document addresses prohibitions and requirements imposed by the Cyber (Sanctions) (EU Exit) Regulations 2020, how these sanctions measures will be enforced, circumstances once one receives an authorization or license for a sanctioned activity, and other information.
UK updates to global anti-corruption sanctions guidance available
The UK’s Secretary of State for Foreign, Commonwealth and Development Affairs has provided this guidance to assist in the implementation of, and compliance with, the Global Anti-Corruption Sanctions Regulations 2021. It contains guidance on the prohibitions and requirements imposed by the Regulations and on best practices for complying with them; the enforcement of them; and circumstances where they do not apply.
EU provides update on best practices for the effective implementation of restrictive sanctions measures
While directed at national authorities, the EU’s latest best restrictive sanctions practices can be applied to sanctions screening. Best practices address: designation and identification of persons and entities subject to targeted restrictive measures; financial restrictive measures; prohibitions on the provision of goods; coordination and cooperation; and horizontal sanctions regimes.
Artificial Intelligence
US: New NIST draft guidance and software to AI help developers evaluate, mitigate risk
For the first time, the U.S. Department of Commerce makes public new NIST draft guidance from the U.S. AI Safety Institute to help AI developers evaluate and mitigate risks stemming from generative AI and dual-use foundation models through five product releases covering various aspects of AI technology. They include: an initial public draft of a guidance document for software developers; a testing platform designed to help AI system users and developers measure how certain types of attacks can degrade the performance of an AI system; guidance documents on managing the risks of generative AI; and a proposed plan for U.S. stakeholders to work with others around the globe on AI standards.
Does open-source AI pose security threats? CISA expert responds
The accelerated development of new artificial intelligence (AI) capabilities, including with large language models (LLMs), has spurred international debates around the potential impact of “open-source AI” models. Does open sourcing a model benefit society because it enables developers to rapidly innovate by studying, using, sharing, and collaboratively iterating on these state-of-the-art models? Or do such capabilities pose security threats, allowing adversaries to leverage these models for greater harm? The Cybersecurity and Infrastructure Security Agency’s (CISA) open-source security expert chimes in.
Explaining decisions made with AI: UK’s ICO and The Alan Turing Institute offer guidance
Co-badged guidance by the ICO and The Alan Turing Institute aims to give organizations practical advice to help explain the processes, services and decisions delivered or assisted by AI, to the individuals affected by them. The guidance consists of three parts: (1) the basics of explaining AI, (2) explaining AI in practice, and (3) what explaining AI means for your organization.
Understanding the EU AI Act
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonized rules on artificial intelligence (the “AI Act”) was published in the Official Journal of the EU. The AI Act came into force on August 1, 2024, setting out key definitions, scope, penalties, and effective dates depending on the type of AI system.practical advice and instructions on the processing of personal data when using generative AI systems, to facilitate their compliance with the requirements of the data protection legal framework.
Commentaires