Top Story Operations Related

The Treasury Department has announced that OFAC has sanctioned two companies that are linked to the Private Military Company “Wagner” (Wagner Group). Mining Industries SARLU and Logistique Economique Etrangere SARLU were designated pursuant to Executive Order (E.O.) 14024 for enabling Wagner Group security operations and Wagner Group-linked illicit mining endeavors in the Central African Republic (CAR).

For the identification information of the designated parties, see the May 30, 2024, BankersOnline OFAC Update.

The FDIC has issued Financial Institution Letters with guidance to provide regulatory relief to financial institutions and facilitate recovery in areas of—

• Boyd, Carter, Fayette, Greenup, Henry, Jefferson, Jessamine, Mason, Oldham, Union, and Whitley Counties in Kentucky (FIL-28-2024) affected by severe storms, straight-line winds, tornadoes, landslides, and mudslides on April 2, 2024.
• Adair, Montgomery, Polk, and Story Counties in Iowa (FIL-29-2024) affected by severe storms causing significant property damage May 20–21, 2024.
• Boone, Cabell, Fayette, Kanawha, Lincoln, Marshall, Nicholas, Ohio, Putnam, Wayne, and Wetzel Counties in West Virginia (FIL-30-2024) affected by severe storms, straight-line winds, tornadoes, flooding, landslides, and mudslides caused significant property damage April 2–6, 2024.

The Treasury Department yesterday announced it has published a 2024 Non-fungible Token (NFT) Illicit Finance Risk Assessment. The risk assessment explores how vulnerabilities associated with NFTs and NFT platforms may be exploited by illicit actors for money laundering, terrorist financing, and proliferation financing.

The assessment finds that NFTs are highly susceptible to use in fraud and scams and are subject to theft. The report determines that illicit actors can use NFTs to launder proceeds from predicate crimes, often in combination with other methods to obfuscate the illicit source of proceeds of crime. It also found little evidence of the misuse of NFTs by terrorists or proliferators, in contrast to fraudsters, to date. The assessment finds that inadequate cybersecurity protections, challenges related to copyright and trademark protections, and the hype and fluctuating pricing of NFTs can enable criminals to perpetrate fraud and theft related to NFTs and NFT platforms. Moreover, some NFT firms and platforms lack appropriate controls to mitigate risks to market integrity and to combat money laundering and terrorist financing, and sanctions evasion. The assessment recognizes that mitigation measures, such as industry tools, law enforcement authorities, and analysis of public blockchain data, can partially mitigate such risks.

To address outstanding risks, the risk assessment recommends several U.S. government actions, including:

• Raising awareness within industry of existing obligations
• Continuing to enforce existing laws and regulations related to NFTs and NFT platforms; and
• Considering further application of regulations to NFTs and NFT platforms

In a CFPB Blog article ("Banks' responsibility for scams")posted yesterday, CFPB General Counsel Seth Frotman described an ongoing case in which Citibank has been sued by the state of New York for failing to respond adequately when people promptly told the bank that scammers had stolen money by initiating wire transfers from the consumers’ accounts online. The losses New York alleges people have suffered are serious: for example, New York alleges that one person discovered that a scammer had changed her online banking password, transferred money from her savings to her checking account, and then stole $40,000 via wire transfer—all through Citibank’s online banking platform. And New York alleges that instead of complying with the Electronic Fund Transfer Act’s protections in circumstances like these, Citibank looked to a law that was intended to govern transactions between commercial entities which does not provide the same level of consumer protection to victims of scams.

Mr. Frotman reports that, in response to New York’s allegations, Citibank has argued that the Electronic Fund Transfer Act doesn’t apply because the scammers ultimately used a wire transfer to take the money, and the Act contains an exemption for transfers made by banks “by means of” a wire service. But the CFPB disagrees with Citibank's stance, as it explained in a Statement of Interest (amicus brief) submitted to the court. The Bureau's position is that when a bank connects wire transfer capabilities to its online consumer banking platform and a person authorizes (or a scammer purports to authorize) a transfer online, the Electronic Fund Transfer Act applies to the transaction except for the bank-to-bank portion of it.

Editor's Note: CFPB Blog articles are not official interpretations of law or regulations. The ABA and other industry associations have issued a statement opposing the CFPB's blog article, arguing that the “CFPB cannot reinterpret a statute and reverse decades of settled law in an amicus brief and then use a blog post to suggest that its position is the law.”

The staff of the Federal Trade Commission has provided its annual report to the Consumer Financial Protection Bureau on its enforcement and related activities in 2023 on the Truth in Lending Act (TILA), Consumer Leasing Act (CLA), and Electronic Fund Transfer Act (EFTA).

The report highlights the FTC’s enforcement actions and initiatives under these laws and their implementing regulations, including in the areas of automobile financing and leasing, payday lending, other credit and leasing, and electronic fund transfers.

• Press release

The Department of the Treasury announced yesterday that OFAC has designated three individuals, Yunhe Wang, Jingping Liu, and Yanni Zheng, for their activities associated with the malicious botnet tied to the residential proxy service known as 911 S5. OFAC also sanctioned three entities—Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited—for being owned or controlled by Yunhe Wang.

For identity information on the designated individuals and entities, see the BankersOnline May 28, 2024, OFAC Update.

The Office of Foreign Assets Control (OFAC) has amended the Cuban Assets Control Regulations, 31 C.F.R. Part 515 (CACR) to further implement portions of the president’s foreign policy toward Cuba. Among other things, these amendments increase support for internet freedom for the Cuban people and independent Cuban private sector entrepreneurs by expanding authorizations for internet-based services and a range of financial transactions. The rule was published in the Federal Register and became effective today.

OFAC also issued six new, Cuba-related Frequently Asked Questions (FAQs 1174-1179) and amended eight Cuba-related Frequently Asked Questions (FAQs 732, 736, 745, 748, 757, 769, 770, and 785).

Acting Comptroller of the Currency Michael J. Hsu discussed recovery planning via livestream in remarks May 27 at the Entrepreneurship, Markets and Technology: Regulation's Challenges in a Changing World Conference in Zurich, Switzerland.

In his remarks, Mr. Hsu discussed the importance of recovery planning and how it can mitigate the too-big-to-fail problem. He highlighted the importance of recovery planning at large banks in the context of the bank failures in March 2023 and offered thoughts on expanding recovery planning guidelines to apply to banks with at least $100 billion in assets.

The FDIC on Friday issued FIL-27-2024 with steps intended to provide regulatory relief to financial institutions and facilitate recovery in areas of Texas affected by severe storms, straight-line winds, tornadoes, and flooding on April 26, 2024, and continuing.

The affected areas are Harris, Liberty, Montgomery, Polk, San Jacinto, Trinity, and Walker Counties.

The Federal Housing Administration's Mortgagee Letter 2024-10, issued yesterday, requires FHA-approved mortgagees to notify HUD when a cyber incident occurs. The letter, effective immediately, applies to all FHA insurance programs.

The mortgagee letter adds a new section, Significant Cybersecurity Incident, which requires FHA-approved mortgagees to report cyber incidents to HUD within 12 hours of detection. Reports will be made to HUD's FHA Resource Center and to HUDs Security Operations Center.