Why it matters: The New York State Department of Financial Services—or DFS—was created in 2011 from two previously separate state agencies to regulate banks and other financial institutions subject to New York insurance, banking and financial services laws. The Financial Crimes Enforcement Network—or FinCen—is part of the U.S. Department of Treasury and was created in the early 1990s as a collector and repository of financial intelligence with added regulatory and enforcement capabilities. FinCen's mission is to "follow the money" in its attempts to stem criminal financial activity. In recent years, the DFS and FinCen have increased their respective profiles in the area of enforcement, joining the DOJ and SEC as primary financial crimes enforcement agencies. A recap of both agencies' activities from late-2015 foreshadows a trend for 2016 and beyond. Read on for the details.
Detailed discussion: Reviewing the regulatory and enforcement activities from the final months of 2015 of the New York State Department of Financial Services (DFS) and the Financial Crimes Enforcement Network (FinCEN) underscores that these two agencies are becoming serious enforcement agencies in their own right, a trend that we expect will continue and even increase in 2016. Here's the breakdown:
DFS: The DFS was created in October 2011 by Governor Andrew Cuomo and the New York legislature by combining the New York State Insurance Department and the New York State Banking Department. New York and international banks with New York branches, as well as other financial service entities, such as check cashers and investment houses with a New York nexus, fall under the regulatory authority of the DFS. As New York is an international banking center, DFS's reach is therefore potentially very broad, in particular as to foreign banks with a New York presence. The DFS website states that the mission of the DFS is to "reform the regulation of financial services in New York to keep pace with the rapid and dynamic evolution of these industries, to guard against financial crises and to protect consumers and markets from fraud." Over the nearly five years since its creation and in keeping with its stated mission, the DFS has increasingly flexed its muscles in the financial crimes regulatory and enforcement arena. Illustrative of this are the actions DFS took in November and December of 2015, where the agency proposed new strict regulations regarding antiterrorism, anti-money laundering (AML) and cyber security requirements for the institutions under its authority and announced high-profile enforcement actions that it undertook on its own, independent of the DOJ or SEC:
DFS proposed rules/regulations:
- December 1, 2015—Proposed rule that would require N.Y.-regulated financial institutions to comply with enhanced antiterrorism and AML requirements, including annual certification filings for chief compliance officers subjecting them to potential criminal liability for noncompliance: On behalf of the DFS, on December 1, 2015, Governor Cuomo announced proposed new antiterrorism and AML regulations applicable to N.Y.-regulated institutions that include a requirement, modeled on a similar provision in the Sarbanes-Oxley Act of 2002, that chief compliance officers certify that their institutions have sufficient systems in place to "detect, weed out, and prevent illicit transactions." In the press release, Governor Cuomo underscored the need for such regulations, stating that "[g]lobal terrorist networks simply cannot thrive without moving significant amounts of money throughout the world. At a time of heightened global security concerns, it is especially vital that banks and regulators do everything they can to stop that flow of illicit funds." The "key requirements" proposed to be imposed on "regulated institutions" include (1) the maintenance of a "Transaction Monitoring Program" for the purpose of "monitoring transactions after their execution for potential BSA/AML violations and Suspicious Activity Reporting"; (2) the maintenance of a "Watch List Filtering Program" for the purpose of "interdicting transactions, before their execution, that are prohibited by applicable sanctions, including OFAC and other sanctions lists, politically exposed persons lists, and internal watch lists"; and (3) the annual certification by the regulated institution's chief compliance officer, to be filed with the DFS, that the institution is in compliance with the regulation's requirements. In this last regard, the language of the proposed rule provides that "[a] Certifying Senior Officer who files an incorrect or false Annual Certification also may be subject to criminal penalties for such filing." The DFS instituted a 45-day comment period with respect to the proposed rule.
- November 9, 2015—"Potential" new cyber security regulation requirements "aimed at increasing cyber security defenses within the financial sector": In a memo to the Financial and Banking Information Infrastructure Committee (FBIIC), Acting Superintendent of Financial Services Anthony J. Albanese states that DFS "considers cyber security to be among the most critical issues facing the financial world today—and one that poses a particular challenge to regulatory agencies." The agency's hope is that the memo to fellow financial agency regulators would "help spark additional dialogue, collaboration, and, ultimately, regulatory convergence among our agencies on new, strong cyber security standards for financial institutions." The memo states that, to this end, it is inviting feedback from FBIIC members on "key regulatory proposals" currently being considered by DFS for the institutions under its authority, including the requirements that "covered entities" (1) adopt, implement and maintain (i) written cyber security policies and procedures covering the areas set forth in the memo, (ii) policies and procedures ensuring the security of sensitive data accessible to third-party service providers and (iii) written procedures, guidelines and standards "reasonably designed" to ensure security of all applications utilized by the entity; (2) adopt procedures to implement multifactor authentication for access to both internal and external systems; (3) designate a Chief Information Security Officer (CISO) who would be responsible for (i) overseeing, implementing and enforcing the entities' cyber security policies; (ii) filing board-reviewed annual reports with the DFS assessing the strength of the cyber security program and the cyber security risks to the entity; and (iii) reviewing on an annual basis the entities' application security procedures; (4) employ personnel "adequate" to manage the entities' cyber security risks and provide mandatory ongoing training so that such personnel is able to "stay abreast" of changing cyber security threats; (5) conduct annual "penetration testing" and quarterly "vulnerability assessments" and maintain an "audit trail system"; and (6) immediately notify the DFS of any cyber security incident that has a "reasonable likelihood" of materially affecting the normal operation of the entity.
DFS enforcement actions:
- December 17, 2015—Enforcement action against the only U.S. branch of Pakistan's largest bank, Habib Bank Limited, for "significant breakdowns" in the branch's AML compliance: The DFS announced that the AML compliance issues were identified during the most recent examination of Habib Bank Limited's New York branch (Bank and Branch, respectively) by the DFS and the Federal Reserve Bank of New York. Under the Order signed by the Bank and Branch, without the prior written approval of the DFS and FRB, the Bank and/or the Branch are restricted from increasing the aggregate dollar value of the Branch's U.S. dollar clearing activities above the aggregate dollar value balance as of the date of the Order or accepting any new foreign correspondent accounts or new customer accounts at the Branch for U.S. dollar clearing. In addition, the Bank and the Branch are required to retain an independent and qualified third party acceptable to the DFS and FRB to review the Branch's AML compliance procedures as well as its procedures involving the OFAC and other sanctions lists and, in both cases, provide a written report of findings, conclusions and recommendations to DFS.
- November 18, 2015—Enforcement action against New York branch of Barclays Bank PLC resulting in the payment of an additional $150 million penalty and termination of senior employee in connection with alleged misconduct involving its automated, electronic foreign exchange (FX) trading "Last Look" program:The DFS announced that, together with a previous May 2015 enforcement action against the New York branch of Barclays Bank PLC (Branch and Bank, respectively) also related to manipulation in the spot FX trading market, the overall penalty the Bank has paid to the DFS pursuant to the FX enforcement actions is $635 million. In the Consent Order, the Bank and Branch admitted to using the Last Look system to automatically reject client orders that would be unprofitable for the Bank due to subsequent price swings during milliseconds-long latency (hold) periods and to misleading clients as to the reason for the rejected trades. In addition to paying the additional $150 million penalty, the Bank also agreed to terminate its Global Head of Electronic Fixed Income, Currencies, and Commodities Automated Flow Trading.
FinCEN: The Financial Crimes Enforcement Network (FinCen) is a bureau of the U.S. Department of Treasury that was first established by order of the Treasury Secretary in 1990 as a collector and repository of financial information through which information sharing with law enforcement agencies and regulators was coordinated. In 1994, its purview was broadened to include both regulatory and, via its merger with the Treasury Department's Office of Financial Enforcement, enforcement responsibilities for violations of the Bank Secrecy Act (BSA). FinCen's stated mission on its website is to "safeguard the financial system from illicit use and combat money laundering and promote national security through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities." In 2015, FinCEN significantly raised its enforcement profile in the area of AML violations and failures under the BSA, including a $20 million assessment against Oppenheimer & Co. in January, a $75 million assessment against King Mail & Wireless in June and an $8 million assessment against Caesars Palace in September. In December 2015, FinCen forayed into new territory and announced two "first ever" enforcement actions against a precious metals dealer and a "card club," respectively, both deemed to be "financial institutions" under the BSA and thus subject to FinCen regulation:
- December 30, 2015—Enforcement action announced against precious metals dealer: In its "first action against a dealer in precious metals, precious stones, or jewels," FinCEN announced that Los Angeles-based B.A.K. Precious Metals, Inc., its sole owner and its designated compliance officer admitted to violations of the AML laws of the BSA and were assessed a $200,000 civil penalty. B.A.K. and the individuals were further required to hire an external auditor and report back to FinCen on an annual basis through 2020 regarding their institution and implementation of a comprehensive AML program.
- December 17, 2015—Enforcement action against a "card club" gaming business: FinCEN announced its "first settlement with and assessment against a 'card club' gaming establishment." Emeryville, California-based Oaks Card Club admitted that it "willfully violated" the AML and suspicious activity reporting requirements of the BSA and agreed to pay a $650,000 fine. Among other things, FinCEN found that the card club relied on inaccurate and misleading AML policies to train its staff, including failing to give instruction as to when employees should file Suspicious Activity Reports as required by the BSA.
See here and here to read (1) the DFS's 12/1/15 press release titled "Governor Cuomo Announces Anti-Terrorism Regulation Requiring Senior Financial Executives to Certify Effectiveness of Anti-Money Laundering Systems" and (2) the proposed regulation titled "Part 504—Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications."
See here to read the DFS's 11/9/15 memo to the Financial and Banking Information Infrastructure Committee titled "Potential New NYDFS Cyber Security Regulation Requirements."
See here to read the DFS's 12/17/15 press release titled "NYDFS Announces Enforcement Action Against Habib Bank Limited."
See here to read the DFS's 11/18/15 press release titled "NYDFS Announces Barclays to Pay Additional $150 Million Penalty, Terminate Employee for Automated, Electronic Foreign Exchange Trading Misconduct."
See here to read FinCEN's 12/30/15 press release titled "FinCEN Assesses Money Penalty against Precious Metals Dealer for Violations of Anti-Money Laundering Laws."
See here to read FinCen's 12/17/15 press release titled "FinCEN's First Card Club Enforcement Action Leads to $650k Settlement with California's Oaks Card Club."