The Office of Foreign Assets Control (OFAC) (which is part of the U.S. Department of the Treasury) recently published Sanctions Compliance Guidance for the Virtual Currency Industry. While many of our members may not consider themselves to be officially part of the virtual currency industry, the Guidance makes clear that all U.S. persons are responsible for ensuring they do not engage in unauthorized transactions or dealings with sanctioned person or jurisdictions. In addition, the Guidance also makes clear that the OFAC sanctions obligations “apply equally to transactions involving virtual currencies and those involving traditional fiat currencies.”
As we are all well aware, virtual currencies are playing an increasingly prominent role in the global economy. As a result of this growing prevalence as a payment method, there is greater exposure to sanctions risks (e.g., the risk that a sanctioned person or a person in a jurisdiction subject to sanctions might be involved in a virtual currency transaction). The goal of the Guidance is to help mitigate the risks that sanctioned people or entities exploit virtual currencies to evade sanctions, which can ultimately undermine U.S. foreign policy and national security interests.
When reviewing the Guidance, keep in mind that it is targeting a much broader audience than just financial institutions who are already well-versed in OFAC sanctions compliance. While much of the initial sections of the Guidance may be old news to our members, the latter parts of the Guidance contain valuable best practices for ensuring compliance in the virtual currency space. Key highlights from these sections are outlined briefly below, but it’s worth reviewing the Guidance in full for a complete understanding of regulatory expectations.
Management Commitment – Senior management’s support is critical, and it may consider the following steps to demonstrate its support for sanctions compliance: reviewing and endorsing sanctions compliance policies and procedures; ensuring adequate resources, including human capital, expertise, and information technology; and appointing a dedicated sanctions compliance officer with the requisite technical expertise.
Risk Assessment – While there is no “one-size-fits-all” risk assessment, it should include a complete review of the institution to assess touchpoints to foreign jurisdictions or persons. This will help identify areas of engagement with OFAC-sanctioned persons, countries, or regions, either directly or indirectly. The risk assessment process should be tailored to the types and locations of products and services offered.
Internal Controls – An effective sanctions compliance program should include controls to identify, escalate, report (as appropriate), and maintain records for transactions or activities prohibited by OFAC sanctions. An effective sanctions compliance program should enable sufficient due diligence on customers, business partners, and transactions, and identify red flags.
Testing and Auditing – Incorporating a comprehensive, independent, and objective testing or audit function will help ensure institutions are aware of how their programs are performing and what aspects need to be updated, enhanced, or recalibrated to account for a changing risk assessment or sanctions environment. Some best practices include sanctions list screening; keyword screening; IP blocking; and investigation and reporting.
Training – The scope of sanctions-specific training should be informed by an institution’s size, sophistication, and risk profile. Training should be provided to all appropriate employees, including compliance, management, and customer service personnel, and should be conducted on a periodic basis, and, at a minimum, annually. Effective training for the virtual currency industry should account for frequent changes and updates to sanctions programs, as well as new and emerging technologies in the virtual currency space.
The final sections of the Guidance outline a variety of resources to obtain further information on virtual currency compliance. As always, feel free to reach us on the Hotline with any additional questions.
The Biden administration has called upon Congress to pass legislation to strengthen government regulation of stablecoins. Before we say, “Sure, why not?” we have to ask ourselves: “Do we know what stablecoins even are?” Sounds like something I would pay my farrier with. Stablecoins are a form of cryptocurrency that has gained mass popularity in the last year. It is a technology like traditional cryptocurrencies, but is backed by real-world assets, which essentially makes them less prone to significant drops in value compared to their highly volatile cousins (think Bitcoin). So, by keeping, for example, each coin valued at $1 USD, stablecoins do not fluctuate wildly in price, and are potentially better suited for commercial transactions.
In a 22-page report issued by the U.S. Treasury in November, it was determined that legislation should require that stablecoin issuers become banks, potentially making them subject to a wide range of rules, including those requiring that banks hold sufficient cash reserves and implement measures to prevent money laundering and other illicit activities. The hard-line response from regulators was that stablecoins can be used for money-laundering and tax avoidance, all done with the aim of circumventing U.S. financial sanctions.
Currently, there are over 200 stablecoins worth nearly $130 billion, most of which are used in cryptocurrency exchanges in order to purchase other digital assets like Bitcoin. Most of those exchanges lack relationships with banks. As stablecoins increase in use, the risk of an It’s a Wonderful Life run to take George Bailey’s last two dollars moves closer to a reality—should a large number of holders of one stablecoin decide to redeem them for dollars, a lack of reserves to facilitate redemptions could pose financial risk. Currently, this is not a system with uniformity. Some issuers keep reserves in cash and short-term Treasuries to be quickly converted to cash, while others hold their cash reserves in riskier assets, like short-term business loans (commercial paper), corporate and municipal bonds, or even other cryptocurrencies.
So, what do these gaps in prudential authority over stablecoin mean for financial institutions at this time? Not much—the Working Group on Financial Markets, along with the FDIC and OCC in the “Report on Stablecoins” are, at this time, merely urging Congress to act promptly to enact legislation to ensure that payment stablecoins and payment stablecoin arrangements are going to be subject to a federal prudential framework on a consistent and comprehensive basis. But with that being said, it does raise the risks banks need to be mitigating for as with any cryptocurrency:
Consumer Risk: Consumers are falling victim to fraudster and cryptocurrency investment scams. Those who participate are at a risk of suffering losses, whether by the rise and fall of crypto’s value or assets being stolen by hackers or malicious developers.
Regulatory Scrutiny: When the OCC issued its January 4, 2021 Letter stating national banks could use stablecoin to conduct payment activities and other bank-permissible functions, that meant banks could use related stablecoins to carry out permissible payment activities, all under applicable law, and safe and sound and fair banking practices. With the uncertainties of a strictler regulatory environment for stablecoin issuers, what pandora’s box has been opened for banks who participated?
What this will create, however, is a new pool of competitors for community banks. The topic of cryptocurrency continues to remain on the tickertape. For additional information, please refer to C/A’s Cryptocurrency toolkit found here: https://compliancealliance.com/find-a-tool/by-toolkit/cryptocurrency-cvc-and-digital-assets
One of the ever-changing Home Mortgage Disclosure Act (HMDA) thresholds is changing again. This time it is the open-end threshold. You’ll recall that the Consumer Financial Protection Bureau (CFPB) issued a final rule in April 2020 which increased the closed-end threshold. Beginning July 1, 2020 an institution that originated at least 100 closed-end loans in each of the two preceding calendar years and met all other HMDA (Regulation C) institutional coverage criteria was required to collect, record and report data about its closed-end loans. The previous threshold in effect prior to July 2020 was 25 closed-end loans, so this increase will likely result in fewer institutions collecting, recording and reporting HMDA data about their closed-end loans since more loans can be made without triggering the HMDA requirements. Because the change to the closed-end threshold was a mid-year change, institutions were given the option to report closed-end data collected in 2020 if they were HMDA reporters as of January 1, 2020 (i.e., made more than 25 closed-end loans in 2018 and 2019), but were no longer required HMDA reporters as of July 1, 2020 because they made fewer than 100 closed-end loans in either 2018 or 2019, due to the increasing threshold. Any institution that opted to voluntarily report closed-end data for 2020 was expected to report closed-end data for the full calendar year.
That same final rule from April 2020 also adjusted the open-end threshold for HMDA reporting, but unlike the closed-end change which was effective in July 2020, the open-end threshold is not effective until January 1, 2022. In January 2022 the open-end threshold will decrease from its current temporary threshold of 500 open-end lines of credit to a permanent threshold of 200 open-end lines of credit. This decrease will likely result in a greater number of institutions collecting, recording and reporting HMDA data about their open-end lines of credit. Beginning January 1, 2022, an institution that originates at least 200 open-end lines of credit in each of the two preceding calendar years, and meets all other HMDA institutional coverage criteria, will be required to collect, record, and report data about its open-end lines of credit. For example, an institution that originated at least 200 open-end lines of credit in both calendar years 2020 and 2021, and meets all other HMDA institutional coverage criteria, will be required to collect, record, and report data about its open-end lines of credit for calendar year 2022 to be submitted by March 1, 2023.
In anticipation of the soon-to-be-changing-thresholds, the CFPB updated their HMDA FAQs in November 2021. These updated FAQs address the changing thresholds as well as a few different HMDA reporting scenarios. Additionally, Compliance Alliance can answer any questions you have about the existing thresholds, the new thresholds, reporting requirements and other HMDA-related questions.
Regulation E is one of the most consumer friendly regulations outlining the rights and responsibilities of both the consumer and financial institutions. It most well-known for the variety of protections it provides to consumers related to error resolution. This regulation applies to electronic funds transfers and remittance transfers and it’s critical that banks understand the requirements and liabilities as outlined in the regulation.
Regulation E has been around since 1978, but has become an increasingly more prevalent area of compliance over the past decade or so as automated teller machines (ATM), point of sale (POS), electronic fund transfers (EFT), and automate clearing house (ACH) transactions have become the norm among consumers for conducting financial transactions. While there haven’t been many changes since its implementation, financial institutions shouldn’t become too comfortable and still brush up on the compliance expectations every now and again. Since there is has been such an influx in electronic transactions in recent years, this in turn means an influx in the number of error complaints. Be ready for the intensified scrutiny you may face from regulators as they review and examine your financial institutions error-resolution processing and overall regulatory compliance.
With the holidays just around the corner, and a likelihood of increased error claims, let’s cover a simple breakdown of what should be included in your bank’s error-resolution process. First, your bank should be familiar with Section 1005.11 of Regulation E which defines an error and provides specific procedures which must be followed. It is critical to understand what is defined as an error so that the bank can adequately respond. Keep in mind that consumer negligence doesn’t necessarily alleviate the bank from a certain level of responsibility. For example, a customer who writes their pin number on the back of the debit card are still afforded the protections of Regulation E. While writing a pin number on the bank of a debit card is negligent to some degree, it still meets the definition of an error if the card were used without the customer’s consent. Therefore, the bank would have to follow the requirements of Regulation E in this situation just as they would if the pin number were not included on the back of the debit card and unauthorized transactions were conducted. Next, the bank should have procedures in place which cover the process from start to finish, from receiving the error claim to resolving the claim. One thing to note here is that the bank can require an error to be reported in writing, however, the bank must still begin their investigation of an error on the day the error is received, even if the first claim is made verbally. Ensure that the bank follows the proper error investigation time limits, including any extensions. Keep in mind that the regulation is very specific regarding the timeframes in which the bank must receive, investigate, and resolve an error. Examiners will expect to see this process documented in your procedures and followed in practice. So again, with the holidays quickly approaching, review your bank’s Regulation E – Error Resolutions to ensure they are up to date, accurate, and properly implemented. Don’t let the bank get caught up in an unwanted holiday surprise.