The “Highlights” — To Russia, With Crypto

The Financial Crimes Enforcement Network (“FinCEN”) issued on November 1 a Financial Trend Analysis regarding ransomware-related Bank Secrecy Act (“BSA”) filings during the second half of 2021 (the “Report”).  This publication follows up on a similar ransomware trend analysis issued by FinCEN regarding the first half of 2021

On June 23, 2022, the Office of the Comptroller of the Currency (OCC) released its Semiannual Risk Perspective (SRP) for spring 2022.  In the SRP, the OCC opines on its current safety and soundness concerns for banks under its regulatory umbrella, focusing on Russia sanctions, climate-related risk, and rising inflation.  Despite these challenges, the OCC

On March 1, 2022, the U.S. Department of the Treasury (“Treasury”) published its National Risk Assessment for Money Laundering, Terrorist Financing, and Proliferation Financing (the “NMLRA”), identifying the national threats, vulnerabilities, and risks facing the U.S. financial system.  The NMLRA is 74 pages long and comprehensively covers many different perceived threats and vulnerabilities, including the misuse of legal entities, virtual assets, real estate, investment advisors, and casinos.  This post therefore selects three key issues for closer analyses.

First, cybercrime (a topic we cover frequently) in the form of ransomware received the dubious honor of representing “a larger and growing share of the overall money laundering threat in the United States.”  Second, professional money laundering organizations (“PMLOs”) continue to peddle their illicit services internationally to launder the proceeds of cybercrime, narcotics trafficking, and other schemes on behalf of organized criminal enterprises.  Third, merchants and professionals, such as lawyers, real estate professionals, and financial services employees, continue to perform – knowingly or unknowingly – critical functions in support of money laundering schemes and obfuscating the source of ill-gotten gains.

Cybercrime

Partly due to the COVID-19 pandemic, cybercrime is on the rise.  Whereas the 2018 NMLRA reported that in 2016, the FBI received 298,728 internet-facilitated fraud complaints totaling over $1.3 billion in losses, in 2020, the FBI received 791,790 complaints totaling over $4.1 billion. As the NMLRA points out, those figures likely significantly underestimate the amount of loss, because only a fraction of cybercrime is reported to the FBI.

Ransomware, as current events suggest, sharply increased in the last year.  Suspicious Activity Report data analyzed by FinCEN revealed not only that the number of reported ransomware incidents increased 42% in the first half of 2021 compared to all of 2020, but that the median ransomware-related payout increased to $100,000.  Part of the surge in ransomware attacks could be attributable to the proliferation of “ransomware-as-a-service,” whereby ransomware developers market and sell their malware to bad actors without the technical know-how to perpetrate the attack themselves.  Additionally, municipalities, hospitals, and other critical infrastructure are now common ransomware targets.

In keeping with OFAC’s September 2021 advisory warning of potential sanctions for paying or facilitating ransomware payments to sanctioned entities (covered here), the NMLRA cautioned that “[t]he U.S. government continues to strongly discourage the payment of cyber ransom or extortion demands, which can be used to finance future attacks or other illicit activity,” and that “[r]ansomware payments may therefore not only fund activities that harm U.S. national security but also risk violating OFAC regulations.”

The NMLRA identified two additional cyber-threats: (1) business email compromise, in which bad actors pose as company officers via email and convince others in the company to transfer money to spoofed accounts; and (2) the compromise and sale of financial information, in which a bad actor harvests consumers’ personal information in large scale and sells it in online black markets to fraudsters.

Professional Money Laundering Organizations

The NMLRA pays special attention to PMLOs – groups that facilitate money laundering on behalf of other criminal enterprises – which continue to proliferate globally.  These entities, for a fee, transport money from illicit activities into the retail banking system or to other individuals or entities.  Two schemes highlight how PMLOs can both co-opt unsuspecting third parties into the money laundering process, and operate independently.

The first scheme is money-broker PMLOs, which purchase at a discount illicit proceeds from drug sales.  The money-broker PMLO then acts as an intermediary to exchange and transfer funds across international borders and obfuscate the funds’ sources.  In one example, the money-broker PMLO, in exchange for a commission, allegedly collected drug money in the United States and arranged for a corresponding amount of foreign currency to be transferred to the Drug Trafficking Organization (“DTO”).  As cover, the money-broker PMLO arranged for the delivery of electronics from the United States to Colombia.  This scheme avoided detection at customs because no physical money ever crossed the border.

The second scheme, dubbed Chinese Money Laundering Organizations (“CMLOs”), is a growing, if perhaps idiosyncratic, method by which wealthy Chinese nationals circumvent China’s capital flight restrictions and simultaneously facilitate money laundering on behalf of drug trafficking organizations in Mexico or elsewhere.  For example, a Mexican DTO in the United States will sell dirty dollars to the CMLO, which pays the DTO in pesos.  The CMLO then advertises the dirty money for sale to Chinese nationals via internet bulletin boards or private WeChat forums.  The Chinese nationals buying the dollars circumvent China’s strict limits on exporting capital, and use the dollars to fund their lifestyles in the United States, purchase real estate or pay school tuition.

The NMLRA describes these PMLOs as purely criminal organizations – they exist solely to provide and launder illicit cash to those that are cash-starved.  Further, the new PMLO trend is the co-opting of an array of third-party professionals.  These professionals’ roles are discussed below.

Complicit Merchants and Professionals

The NMLRA identifies four types of professionals posing a money laundering risk: (1) merchants; (2) attorneys; (3) real estate professionals; and (4) financial services professionals.  We repeatedly have blogged on money laundering concerns regarding third-party professionals, including here, here and here.

Unlike PMLOs, which the NMLRA considers a “threat,” these professionals represent vulnerabilities to the security of the financial system because they, wittingly or unwittingly, may become “complicit” and “help effectuate . . . money laundering schemes.”  This language is perhaps understated—the NMLRA provides a litany of examples of professionals’ alleged knowing and active engagement in a money laundering scheme.  For example, perfume store owners in Texas purportedly accepted loose bulk cash that was described to them as “narco dinero,” and for which the owners did not file the required Form 8300 to the Internal Revenue Service.  In another example, a real estate broker allegedly purchased residences for overseas buyers, knowing that the homes would be used to illegally grow cannabis and taking steps to disguise the source of the funds.

While these cases are clear examples of professionals abusing their positions, the NMLRA’s discussion of an attorney’s “representation” of a narcotics trafficking organization may be the strongest example of a professional service allegedly transforming into criminal assistance.  According to the superseding indictment filed in Baltimore, an attorney received drug proceeds from his client and the client’s associates, then used that money to promote the client’s unlawful business, pay for legal representation for his client’s co-conspirators, and pay himself commission for the laundering activities.

However, the NMLRA’s list regarding a few outlier prosecutions of knowingly complicit professionals does not address a much more difficult issue, which is the degree of due diligence that an average professional should conduct when onboarding a new client (and thereafter).  The vast majority of fact patterns confronting professionals are much less clear and dramatic than the examples set forth in the NMLRA – and what type of KYC steps professionals not directly regulated by the Bank Secrecy Act should take in a given case is often a challenging question.

Continue Reading  U.S. Treasury Identifies Ongoing and Emergent Money Laundering Risks and Vulnerabilities

Introduction

Section 230 immunity, which long has protected entities that host online platforms from liability for their users’ actions, may be significantly cut back. Although the U.S. Supreme Court recently declined to hear Doe v. Facebook, which would have given it an opportunity to clarify and/or narrow existing interpretations of Section 230, there are calls from members of Congress to amend the law, in addition to agreement from executive agencies to do so. Section 230 may be amended further to create a duty of reasonable care, particularly with respect to online trafficking and child exploitation. Even in the absence of legislative change, lower courts have begun and may continue to chip away at what previously was considered Section 230’s broad immunity.
Continue Reading  Trafficking and Child Exploitation Online: The Growing Responsibilities of Online Platforms

October is National Cybersecurity Awareness Month, and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and Office of Foreign Assets Control (“OFAC”) kicked off the month by issuing two advisories that aim to increase cybersecurity awareness, assist financial institutions in detecting and reporting ransomware activity, and highlight potential sanctions risks for

The fallout from the Yahoo data breaches continues to illustrate how cyberattacks thrust companies into the competing roles of crime victim, regulatory enforcement target and civil litigant.

Yahoo, which is now known as Altaba, recently became the first public company to be fined ($35 million) by the Securities and Exchange Commission for filing statements that failed to disclose known data breaches. This is on top of the $80 million federal securities class action settlement that Yahoo reached in March 2018—the first of its kind based on a cyberattack. Shareholder derivative actions remain pending in state courts, and consumer data breach class actions have survived initial motions to dismiss and remain consolidated in California for pre-trial proceedings. At the other end of the spectrum, a federal judge has balked at the U.S. Department of Justice’s (DOJ) request that a hacker-for-hire indicted in the Yahoo attacks be sentenced to eight years in prison for a digital crime spree that dates back to 2010.
Continue Reading  The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)

The U.S. Supreme Court heard oral arguments this morning in United States v. Microsoft, No. 17-2, which presents the question whether a United States court may issue a search warrant to a U.S.-based electronic communications service for email account data held on a server outside of the United States.

Here’s the transcript of this

Consumers are not the only ones suing retailers for payment card data breaches. The U.S. District Court for the Western District of Washington recently denied, in large part, a motion to dismiss a data breach class action brought by Veridian Credit Union, on behalf of itself and other financial institutions, against Eddie Bauer, LLC. The class action relates to a January 2016 payment card data breach that allegedly impacted “every Eddie Bauer store in the United States and Canada.”

The court dismissed Veridian’s negligence per se claim, but allowed Veridian’s negligence and state statutory claims to proceed. The court’s analysis of choice of law and negligence issues is worth a read.
Continue Reading  Federal Court Allows Credit Union Data Breach Class Action to Proceed Against Eddie Bauer