Strategic Planning in 2024: AML, CFT & OFAC Priorities

As your financial institution prepares for its annual directors meeting to discuss strategic planning for 2024, what are some of the hot topics in AML/CFT/OFAC to focus on, and what are the regulatory expectations?

There are a number of emerging threats to the banking system that should be areas of focus in 2024, including cybercrime, fraud, and money laundering in the real estate, crypto asset, and fintech space. However, regulators are also looking out for these threats, among other priorities. There is a broader focus among regulators for financial institutions to appropriately tailor their anti-money laundering (AML) programs to match their business model, meet suspicious activity reporting obligations under the Bank Secrecy Act (BSA), and conduct adequate independent testing. In addition, the new Beneficial Ownership Reporting Rules for covered entities may also bring implications for financial institutions in 2024. As for the Office of Foreign Assets Control (OFAC), expectations are that OFAC will begin putting more emphasis on “export control” as part of its enforcement actions/compliance tool.

Below, we explore these topics in greater detail, so your organization is well-equipped to prepare for your strategic planning initiatives in 2024.

Cybercrimes in a Post-Pandemic World

Ever since the start of the COVID-19 pandemic, incidents of cybercrime have skyrocketed. The estimated $6 trillion global impact is a result of the U.S. and global economy pivoting away from cash and traditional payment mechanisms, becoming a heavily digitized and remote environment. This leads to a greater emphasis on internet-based transactions and remote applications (generally, fintech). These vehicles give rise to increased phishing schemes, business email compromise (BEC), and ransomware/malware attacks on customers’ and financial institutions’ websites, apps, and payment platforms.

Additionally, information theft from these systems has increased money laundering opportunities, such as fake e-commerce sites, identity theft, and the use of “money mules,” who are mostly unwitting accomplices to the movement of illicit funds through the internet, automated clearing house (ACH), and wires. Financial institutions should focus on improving information security processes and controls, training staff to respond to incidents, increased vendor due diligence when partnering with fintechs, and training risk and compliance personnel. This will allow your institution to properly respond to law enforcement, including preparing and filing suspicious activity reports (SARs).

Crypto Asset & Fintech-Related Fraud

The crypto asset field is still undergoing rapid expansion, and regulatory frameworks are still developing to catch up. Over 70% of deepfakes and fraud are occurring in the cryptocurrency industry and 8% are occurring in fintech, according to current news and experts in the field. Money launderers and fraudsters take advantage of the relative anonymity of cyberspace, and more areas of commerce are being affected.

Compounding this is the increasing use of artificial intelligence (AI) and machine learning, which, while providing more technology for suspicious activity monitoring, also increases the risks of AI-generated fraud, synthetic ID theft, and fake documentation as it relates to cybercrime and AML/CFT concerns. Chatbots (e.g., ChatGPT and OpenAI) are increasingly utilized to facilitate these crimes. Money mules are a growing concern as well due to the rapid and remote on-boarding process used by fintech entities and the digital nature of the transactions.

Finally, financial institutions should not only focus on the customer due diligence and enhanced due diligence controls. Institutions must also implement a robust sanctions (OFAC) regime given the global footprint of the crypto and fintech industry.

Money Laundering In The Real Estate Sector

While money laundering through real estate is not a new phenomenon, COVID-19 Payment Protection Program scams and new sanctions on Russian and Ukrainian oligarchs have made this a new priority for federal regulators. Setting up anonymous shell companies to purchase real estate, using cash and third parties, and hiding the true beneficial owners of the property all contribute to illicit funds flowing through the banking system. Properties are used as stash houses and waypoints for human traffickers and smugglers, among other activity. However, real estate professionals and attorneys involved in this field are not required to adhere to AML and CFT programs and regulations.

Financial institutions should ensure that there are adequate controls to collect beneficial ownership information for any borrowing entities, strict scrutiny of source of funds and payment mechanisms (cash, virtual currency, etc.), and awareness of lending activity red flags, such as the ones found in the Federal Financial Institutions Examination Council (FFIEC) examination manual.

Wire Fraud & Business Email Compromise

Wire fraud and business email compromise are interrelated topics making current headlines, especially in real estate. Dollar amounts in these transactions can be quite large, and bad actors target the moment when the money starts changing hands, redirecting the money to accounts under their control. This is typically done via a scam email from a title company, real estate company, or attorney. Regularly, the victim is unaware until it is too late, and they lose thousands, if not millions, of dollars. Once the money gets redirected, the bad actors start layering and integrating the funds into other accounts and payment vehicles, including money orders, bank checks, and virtual currency.

Counterfeit Checks & Check Fraud

Check usage is decreasing, but there are still billions of checks out there, and SAR statistics bear out the fact that it’s still a problem. Stolen checks get washed, forged, and altered. The USPS reported an increase in armed robberies, and facilitated fraud can occur by RDC and ATM. Financial institutions might be inclined to switch to FedNow processing (instant payments), and the Fed is working on implementing processes and controls to combat potential fraud in this area. Therefore, financial institutions should be aware of these potential threats to their organization.

Romance Scams

With the aging of the U.S. population, this form of fraud is becoming more problematic. Romance scammers create fake profiles on social media, striking up a relationship, and building trust with the victim. The key takeaway is that the scammer will eventually ask for money for a “family emergency” or other scenario where the scammer needs help/money. Payment instructions will then be forthcoming, and they will ask for all sorts of information, such as PIN numbers, passwords, and account numbers. Financial institutions should be on the lookout for these red flags.

Romance scams are also a component of a recent phenomenon called “pig butchering.” This is where seemingly “innocent” chats initiated by fraudsters lure victims to invest in crypto-related businesses by gaining their trust and blending the seemingly great opportunity to make money with elements of “romance” or “companionship” to the scam. The businesses appear as legitimate, well-funded investments that promise great returns. Once the victims are parted from their funds, the scammers disappear completely.

The Federal Trade Commission (FTC) and FBI have excellent articles on what to look out for in this area. The articles are geared toward the consumer; however, financial institutions should also be aware of the red flags to ensure they act upon conduct exhibited by their customers that may be indicative of these scams.

Continued COVID-19 Fraud

Continued fraud scheme fallout from the COVID-19 pandemic has been noted by U.S. Government Agencies, such as the IRS, FBI, Government Accountability Office, and Office of the Inspector General.

Major scams include ongoing repercussions from PPP loans and Employee Retention Credit claims, which have been put on hold as of December 31, 2023.

Additionally, individuals are still using testing sites, telemarketing calls, text messages, social media platforms, and door-to-door visits to perpetrate COVID-19-related scams aimed at obtaining personal medical information and identification.

Tailored AML Program to Match Business Model

The AML Act of 2020 clearly states that financial institutions should have a risk-based AML program. The Office of the Comptroller of the Currency (OCC) in their Fiscal Year 2024 Bank Supervision Operating Plan states that, “Examiners should evaluate banks’ BSA/AML programs to assess whether banks’ operations and systems are reasonably designed and implemented to mitigate and manage money laundering and terrorist financing risks from business activities, including products and services offered and customers and geographies served. Examiners should also evaluate systems and processes for compliance with the U.S. sanctions administered and enforced by OFAC. Additional areas of focus should include evaluating banks’ preparations for implementing the AML Act of 2020.”

The ultimate goal of this risk-based approach is to properly identify suspicious activity and report it to FinCEN by filing Suspicious Activity Reports (SARs).

Customer & Enhanced Due Diligence

With the growing sophistication of money laundering schemes, there will be a heightened focus on enhancing customer due diligence (CDD) processes. This includes leveraging advanced analytics (AML software and AI) to identify and verify customer identities, and assess the risk associated with each customer. Fraud and some overall BSA/AML analytics employed by AML software vendors are moving to real-time monitoring to keep up with the digital world. Financial institutions should be aware of this trend and take appropriate measures to ensure their monitoring program meets regulatory expectations regarding identification of suspicious activity and adequate CDD.

In the area of enhanced due diligence, including the periodic review of higher-risk customers, examiners will be focusing on the depth and detail of the monitoring. Financial institutions are expected to use the risk-based approach to ensure that higher-risk customers receive thorough periodic reviews. Having too many high-risk customers is as problematic as having too few. The rationale behind enhanced due diligence is that financial institutions review higher-risk customers periodically, above and beyond what AML software analytics accomplish, to ensure that these customers are not engaging in out-of-normal activity.

Again, the ultimate goal of the exercise is to identify activity that may lead to a SAR filing, such as a mom-and-pop corner store suddenly installing an ATM and cashing checks, where this activity was not part of the customer profile, and not declared or hidden from the financial institution. This ties back to effective CDD and properly identifying higher risk customers and their activity, including expected vs. actual.

Although the Securities and Exchange Commission (SEC) is not a regulator of traditional financial institutions, it is leading the way in enforcement of the risk-based approach of its members. As the SEC deals with many crypto asset issues on the securities side, it is able to provide guidance, especially in this area.

The SEC’s 2024 Examination Priorities Report states, “The BSA requires certain financial institutions, including broker-dealers and certain registered investment companies, to establish anti-money laundering (AML) programs that are tailored to address the risks associated with the firm’s location, size, and activities, including the customers they serve, the types of products and services offered, and how those products and services are offered. These programs must, among other things, include policies, procedures, and internal controls reasonably designed to achieve compliance with the BSA.” Additionally, that (its members) are “appropriately tailoring their AML program to their business model and associated AML risks; conducting independent testing; establishing an adequate customer identification program, including for beneficial owners of legal entity customers; meeting their SAR filing obligations.” The final sentence leads to the below priority for 2024.

New Beneficial Ownership Reporting Rules for Covered Entities & Implications for Financial Institutions in 2024

FinCEN’s Beneficial Ownership Information (BOI) reporting requirement for covered businesses became effective January 1, 2024. This does not change the requirement for the collection of beneficial owners’ information and certifications from what is currently expected from financial institutions. However, financial institutions should be aware of these rules and prepare for upcoming “access” rules FinCEN will be promulgating at some point in the near future. As of this writing, FinCEN has issued a Request for Comment on this issue to obtain the thoughts of “interested parties.” Educating customers on reporting is one thing financial institutions can do right now.

Financial institutions must also begin to prepare for how and under what circumstances they will be allowed access to the FinCEN information. FinCEN is working on what is known as “scaled access” and, from recent updates, financial institutions will be the last to be allowed access (after regulators and law enforcement, etc.). Some of the details financial institutions should think about are whether they want to access the information (not mandatory), and if they do, how to craft procedures covering how to access it, under what circumstances they will access it, and who will own the process.

Additionally, there will be Gramm-Leach-Bliley Act (GLBA) privacy certification requirements, as financial institutions will have to certify to FinCEN that they have these privacy procedures in place. Finally, as access is only after consent from the customer, procedures would need to be crafted on how consent will be obtained, documented, and certified to FinCEN. FinCEN has not issued any regulations on how this is to be accomplished or on the certification format as of this writing.

How Can You Prepare Now?

One of the major changes to start preparing for is the change in the CDD portion of beneficial ownership. Under the Corporate Transparency Act (CTA), FinCEN must revise the rule to align with the CTA requirement within a year after the final rule’s effective date. The major change will be in the “control prong,” where the new final rule expands the definition to “any individual, who directly or indirectly…exercises substantial control over such reporting company.”

Although no regulations have been issued, financial institutions should be looking out for changes to CDD rules on who is classified as a beneficial owner/control for proper collection of required information, as the number of individuals may grow (most likely) from the current single control person.

Again, as of this writing, nothing has changed for financial institutions as far as obtaining and certifying beneficial ownership information as part of their CDD program, and they should continue to follow established procedures to collect and document this information.

Finally, FinCEN is already receiving fraud reports about attempts to solicit information from individuals and entities, asking them to click on a URL or QR code indicating an “important compliance notice.” Financial institutions should be aware of this should customers seek guidance in this area.

OFAC

OFAC will begin putting more emphasis on “export control” as part of its enforcement actions and compliance tool. Recent enforcement actions, including actions against well-known companies such as Microsoft, bear this out.

Regulators and industry experts emphasized the increasing use of export controls as an enforcement tool around OFAC sanctions. Traditionally sanctioned areas such as Iran and Cuba are now supplemented by Russia, Ukraine, Belarus, and other jurisdictions. Additionally, digital platforms and transactions have been in the news recently, such as the $30 million fine issued against Wells Fargo/Wachovia Bank, which had provided software that was used to process transactions with U.S.-sanctioned jurisdictions and persons. Financial institutions should be cognizant of the rapidly evolving sanctions programs, ensure OFAC processes and controls are up-to-date, and periodically validate the filtering criteria used by each system (wires, databases, etc.).

All things considered, there are several hot topics and regulatory requirements in this space that financial institutions must be wary of when preparing for their 2024 strategic planning. If you are interested in discussing your AML, CFT and OFAC programs, or in need of an audit in this area, please reach out to a member of Wolf’s Regulatory Compliance team!
