Welcome to FinScan’s Regulatory Roundup June 2024. This month spotlights AML and sanctions updates focused on harmonization and expansion, risk assessments and due diligence, enforcement for fintechs, strides in global cooperation, and ransomware enforcement. The topic of AI is heating up, with new laws and warnings about establishing risk management frameworks, data protection and quality, and public and consumer disclosure.
Anti-money laundering
EU adopts new rules to combat money laundering
The European Council has adopted a package of new anti-money-laundering rules that will protect EU citizens and the EU’s financial system against money laundering and the financing of terrorism. The new rules close loopholes by harmonizing AML rules throughout the EU, while extending AML rules to new obliged entities such as the crypto sector, luxury goods traders, and football clubs and agents. They also aim to set tighter due diligence requirements, regulate beneficial ownership, set a €10,000 limit on cash payments, and establish the new European Authority for Anti-Money Laundering and Countering the Financing of Terrorism.
US arrests members of a transnational money laundering organization for laundering millions in drug proceeds
Two alleged members of a transnational money laundering organization were arrested on criminal charges related to their alleged involvement in a scheme to launder millions of dollars in illegal drug proceeds for Mexican drug trafficking organizations. The co-conspirators traveled throughout the US to collect drug proceeds funneled through various accounts to conceal their origin. This demonstrates the need for financial institutions to effectively monitor activity and understand the origin of funds and the beneficiaries of funds transfers.
SEC and Treasury issue proposal on customer identification programs (CIPs) for registered investment advisers (RIAs) and exempt reporting advisers
The SEC and the Department of the Treasury issued a joint proposal to implement provisions of the Bank Secrecy Act (BSA), specifically section 326 of the USA PATRIOT Act, requiring the Secretary of the Treasury to issue regulations that require financial institutions to implement specified procedures for identifying customers that seek to open an account, procedures referred to as Customer Identification Programs (CIPs).
Kabbage agrees to resolve PPP fraud allegations
The US Justice Department announced that now-bankrupt financial technology company Kabbage Inc., doing business as KServicing, has agreed to resolve allegations that it violated the False Claims Act (FCA) by knowingly submitting thousands of false claims for loan forgiveness, loan guarantees, and processing fees to the US Small Business Administration (SBA) in connection with its participation in the Paycheck Protection Program (PPP). Kabbage knowingly failed to implement controls to comply with its PPP and BSA/AML obligations by setting substandard fraud check thresholds.
CFTC warns students and job seekers to not become “money mules”
The Commodity Futures Trading Commission’s Office of Customer Education and Outreach (OCEO) today issued a customer advisory warning students and other job seekers looking for remote work to be aware of the warning signs and dangers of “money mule” scams. Money mule scams involve individuals sending and receiving money into their bank accounts, digital wallets, or spot-market crypto trading accounts as part of their job duties or at the direction of others.
BTC-e operator pleads guilty to money laundering conspiracy
A Russian national pleaded guilty to conspiracy to commit money laundering related to his role in operating the cryptocurrency exchange BTC-e, one of the world’s largest virtual currency exchanges, from 2011 to 2017. BTC-e was one of the main ways global cyber criminals transferred and laundered criminal proceeds, and was an unregistered money services business in the US with no AML program or KYC processes in place.
UK’s HM Treasury releases AML/CFT Supervision Report 2022-23
Her Majesty’s (HM) Treasury’s latest report highlights FCA common issues identified through DBR, on-site visits, and multi-firm work; inadequate client and firm-wide risk assessments, compliance staff training, and risk assessment documentation; and insufficient risk-sensitive enhanced due diligence (EDD) processes and compliance monitoring and testing. It also identified deficiencies in the Gambling Commission’s ability to document policies and procedures, train staff, profile customer risk, and other issues.
Sanctions Guidance
US National Security Package (H.R. 815) signed into law
President Biden signed into law a national security package (H.R. 815) that includes the 21st Century Peace through Strength Act, the fourth pillar of a broader foreign aid package to assist Israel, Ukraine, and the Indo-Pacific. The law doubles the statute of limitations period for US sanctions violations from 5 to 10 years; reports on EU and UK sanctioned parties and whether they meet criteria for US sanctions; includes seizures of Russian sovereign assets, sanctions of Iranian petroleum exports, Hamas, and other terrorist groups; and establishes the Protecting Americans’ Data from Foreign Adversaries (China, Iran, DPRK, Russia) Act of 2024.
LockBit leader unmasked and sanctioned
A leader of what was once the world’s most harmful cybercrime group has been unmasked and sanctioned by the UK, US and Australia, following a National Crime Agency-led international disruption campaign. The Russian national provided ransomware-as-a-service (RaaS). Between June 2022 and February 2024, there were more than 7,000 attacks, predominantly in the US, UK, France, Germany, and China.
Artificial Intelligence
CFTC Technology Advisory Committee advances report and recommendations on responsible AI in financial markets
The CFTC Tech Advisory Committee’s report indicates that without industry engagement and relevant guardrails, AI applications within and outside the CFTC could erode public trust in financial markets. The Commission, including the Technology Advisory Committee, should develop a framework for safe, trustworthy, and responsible AI systems. Governance structures, guided by principles like the Office of Science and Technology Policy’s “Blueprint for an AI Bill of Rights” and the NIST AI Risk Management Framework, are necessary to protect consumers and deployment contexts.
NIST launches new program to advance sociotechnical testing and evaluation for AI
The National Institute of Standards and Technology (NIST) is launching a new testing, evaluation, validation and verification (TEVV) program intended to help improve understanding of artificial intelligence’s capabilities, societal risks, and impacts. The Assessing Risks and Impacts of AI (ARIA) program will help develop ways to quantify how a system functions within societal contexts once it is deployed. ARIA’s results will support the U.S. AI Safety Institute’s testing to help build the foundation for trustworthy AI systems.
District of Columbia issues bulletin on the use of AI systems in insurance
The DC Department of Insurance, Securities and Banking’s (DCISB) bulletin stipulates that all insurers authorized to do business in DC are expected to develop, implement, and maintain a written program (an “AIS Program”) for the responsible use of AI systems that make or support decisions related to regulated insurance practices. Programs are expected to address general guidelines, governance, risk management and internal controls, and third-party AI systems and data.
ICO warns organizations not to ignore data protection risks; issues Generative AI calls for evidence
Upon concluding its investigation into Snap, Inc.’s launch of the ‘My AI’ chatbot, the UK’s Information Commissioner’s Office (ICO) warns the industry to engage with the data protection risks of generative AI before bringing products to market.
European Data Protection Supervisor shares thoughts on data privacy and AI
Read closing remarks by European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski delivered at the Computers, Privacy and Data Protection Conference. Key takeaways: Data protection and privacy will not merge, nor will disperse into AI; Respect for data protection and privacy is the essential prerequisite to put people at the centre and ahead of technology, so we must defend the identity of data protection in protecting humanity; There is a renewed importance of ethics in the AI context; We must devise the trajectory for a future that can be just and fair to everyone.
Coming soon: The EU’s AI Act
The EU’s Artificial Intelligence Act is entering into force soon. In preparation, the EDPS has initiated a plan for AI focusing on governance, risk management, and supervision, and the EU has launched an office to implement the AI Act and foster innovation.
Colorado becomes first US state to enact a comprehensive AI law
Colorado became the first state in the US to follow the EU AI Act and enact comprehensive legislation regulating artificial intelligence, with the signing of the Colorado AI Act, which aims to protect consumers from potential harms associated with AI systems. The new act mandates stringent requirements for developers and deployers of high-risk AI systems to prevent algorithmic discrimination and ensure transparency.
HLG-DMA issues public statement on AI
The High-Level Group (HLG) for the Digital Markets Act (DMA) made a statement on the impact of AI technology, both as a catalyst for innovation and growth and as a challenge to a safe, fair, and contestable digital environment. Key takeaways include: Consumers face an ambivalent mix of benefits and risks that may result from the use of AI tools; Data is fundamental to developing performant AI systems; The deployment of AI technologies has the potential to intensify societal risks; Gatekeepers of core platform services must comply with the obligations set out in the Digital Markets Act (DMA).