BSA/OFAC Update: Recent Actions and Guidance
Fall 2021 is finally here. This fall and winter could potentially see some changes to the Bank Secrecy Act (BSA) landscape, as regulations are expected to implement provisions of the Anti-Money Laundering Act of 2020 and the Corporate Transparency Act of 2020. While we wait for those developments to be announced, let’s review some recent actions and guidance from the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC).
FinCEN Notice on Online Child Sexual Exploitation
Last week, FinCEN issued notice FIN-2021-NTC3 to “call attention to an increase in online child sexual exploitation (OCSE).” The notice recounts that law enforcement authorities have noticed an increase in crimes related to OCSE during the COVID-19 pandemic. Additionally, “OCSE offenders are increasingly using convertible virtual currency (CVC) (some of which provide anonymity), peer-to-peer mobile applications, the darknet, and anonymization and encryption services to try to avoid detection.”
The notice provides the following instructions for filing SARs relating to OCSE:
- Including “OCSE-FIN-2021-NTC3” in Field 2 of the SAR form;
- When completing the SAR narrative, including the keyword “OCSE-FIN-2021-NTC3” and using terms and definitions from the “Child Sexual Exploitation (CSE) terms and definitions” (which is included as an Appendix at the end of the notice);
- Selecting field 38(z) (other) as the suspicious activity type and including “OCSE” in the text box;
- For internet based contact with the credit union, completing SAR field 43 (IP address and date) if known;
- Selecting additional fields if other suspicious activity is also suspected, such as human trafficking (field 38(h)) or human smuggling (field 38(g));
The notice also reminds readers about previous FinCEN guidance on reported cyber-enabled crime, such as this advisory and this FAQ, which provide useful information on reporting IP addresses, file names, virtual currency addresses, and more.
OFAC Designates Virtual Currency Exchange and Updates Ransomware Advisory
Virtual currency has been catching the eye of federal regulators, particularly as it relates to illegal activity. As mentioned above, the FinCEN notice on OCSE identified that offenders are increasingly using CVC as currency to facilitate OCSE-related activities.
On September 21, 2021, the U.S. Department of Treasury announced its first-ever designation of a virtual currency exchange, SUEX OTC S.R.O. (SUEX). This designation means that SUEX has been added to OFAC’s Specially Designated Nationals (SDN) list. The announcement states that all property and interests in property of SUEX are blocked, and U.S. persons are “generally prohibited from engaging in transactions” with SUEX. In announcing the designation, Treasury noted that SUEX has been involved in CVC transactions resulting from ransomware, and that analysis showed at least 40 percent of SUEX’s transaction history has been associated with “illicit actors.” The announcement also noted some virtual currency exchanges “are a critical element” of the criminal ecosystem, and CVC is “the principle means of facilitating ransomware payments and associated money laundering activities.”
In addition to the designation of SUEX, OFAC released an updated advisory on the potential sanctions risks for facilitating ransomware payments – an update to an advisory that we have blogged about previously. The updated version references that SUEX has been added to the SDN list and identifies potential mitigating factors in OFAC’s enforcement response, such as whether the institution had improved cybersecurity practices and whether the institution cooperated with OFAC and law enforcement. Finally, the updated advisory reminds financial institutions that facilitating ransomware payments encourages future ransomware payment demands and risks violating OFAC sanctions.
About the Author
Nick St. John, was named regulatory compliance counsel in March 2020. In this role, Nick helps credit unions with a variety of compliance issues.