Top Story Operations Related

The Treasury Department yesterday announced it has published a 2024 Non-fungible Token (NFT) Illicit Finance Risk Assessment. The risk assessment explores how vulnerabilities associated with NFTs and NFT platforms may be exploited by illicit actors for money laundering, terrorist financing, and proliferation financing.

The assessment finds that NFTs are highly susceptible to use in fraud and scams and are subject to theft. The report determines that illicit actors can use NFTs to launder proceeds from predicate crimes, often in combination with other methods to obfuscate the illicit source of proceeds of crime. It also found little evidence of the misuse of NFTs by terrorists or proliferators, in contrast to fraudsters, to date. The assessment finds that inadequate cybersecurity protections, challenges related to copyright and trademark protections, and the hype and fluctuating pricing of NFTs can enable criminals to perpetrate fraud and theft related to NFTs and NFT platforms. Moreover, some NFT firms and platforms lack appropriate controls to mitigate risks to market integrity and to combat money laundering and terrorist financing, and sanctions evasion. The assessment recognizes that mitigation measures, such as industry tools, law enforcement authorities, and analysis of public blockchain data, can partially mitigate such risks.

To address outstanding risks, the risk assessment recommends several U.S. government actions, including:

• Raising awareness within industry of existing obligations
• Continuing to enforce existing laws and regulations related to NFTs and NFT platforms; and
• Considering further application of regulations to NFTs and NFT platforms

In a CFPB Blog article ("Banks' responsibility for scams")posted yesterday, CFPB General Counsel Seth Frotman described an ongoing case in which Citibank has been sued by the state of New York for failing to respond adequately when people promptly told the bank that scammers had stolen money by initiating wire transfers from the consumers’ accounts online. The losses New York alleges people have suffered are serious: for example, New York alleges that one person discovered that a scammer had changed her online banking password, transferred money from her savings to her checking account, and then stole $40,000 via wire transfer—all through Citibank’s online banking platform. And New York alleges that instead of complying with the Electronic Fund Transfer Act’s protections in circumstances like these, Citibank looked to a law that was intended to govern transactions between commercial entities which does not provide the same level of consumer protection to victims of scams.

Mr. Frotman reports that, in response to New York’s allegations, Citibank has argued that the Electronic Fund Transfer Act doesn’t apply because the scammers ultimately used a wire transfer to take the money, and the Act contains an exemption for transfers made by banks “by means of” a wire service. But the CFPB disagrees with Citibank's stance, as it explained in a Statement of Interest (amicus brief) submitted to the court. The Bureau's position is that when a bank connects wire transfer capabilities to its online consumer banking platform and a person authorizes (or a scammer purports to authorize) a transfer online, the Electronic Fund Transfer Act applies to the transaction except for the bank-to-bank portion of it.

Editor's Note: CFPB Blog articles are not official interpretations of law or regulations. The ABA and other industry associations have issued a statement opposing the CFPB's blog article, arguing that the “CFPB cannot reinterpret a statute and reverse decades of settled law in an amicus brief and then use a blog post to suggest that its position is the law.”

The staff of the Federal Trade Commission has provided its annual report to the Consumer Financial Protection Bureau on its enforcement and related activities in 2023 on the Truth in Lending Act (TILA), Consumer Leasing Act (CLA), and Electronic Fund Transfer Act (EFTA).

The report highlights the FTC’s enforcement actions and initiatives under these laws and their implementing regulations, including in the areas of automobile financing and leasing, payday lending, other credit and leasing, and electronic fund transfers.

• Press release

The Department of the Treasury announced yesterday that OFAC has designated three individuals, Yunhe Wang, Jingping Liu, and Yanni Zheng, for their activities associated with the malicious botnet tied to the residential proxy service known as 911 S5. OFAC also sanctioned three entities—Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited—for being owned or controlled by Yunhe Wang.

For identity information on the designated individuals and entities, see the BankersOnline May 28, 2024, OFAC Update.

The Office of Foreign Assets Control (OFAC) has amended the Cuban Assets Control Regulations, 31 C.F.R. Part 515 (CACR) to further implement portions of the president’s foreign policy toward Cuba. Among other things, these amendments increase support for internet freedom for the Cuban people and independent Cuban private sector entrepreneurs by expanding authorizations for internet-based services and a range of financial transactions. The rule was published in the Federal Register and became effective today.

OFAC also issued six new, Cuba-related Frequently Asked Questions (FAQs 1174-1179) and amended eight Cuba-related Frequently Asked Questions (FAQs 732, 736, 745, 748, 757, 769, 770, and 785).

Acting Comptroller of the Currency Michael J. Hsu discussed recovery planning via livestream in remarks May 27 at the Entrepreneurship, Markets and Technology: Regulation's Challenges in a Changing World Conference in Zurich, Switzerland.

In his remarks, Mr. Hsu discussed the importance of recovery planning and how it can mitigate the too-big-to-fail problem. He highlighted the importance of recovery planning at large banks in the context of the bank failures in March 2023 and offered thoughts on expanding recovery planning guidelines to apply to banks with at least $100 billion in assets.

The FDIC on Friday issued FIL-27-2024 with steps intended to provide regulatory relief to financial institutions and facilitate recovery in areas of Texas affected by severe storms, straight-line winds, tornadoes, and flooding on April 26, 2024, and continuing.

The affected areas are Harris, Liberty, Montgomery, Polk, San Jacinto, Trinity, and Walker Counties.

The Federal Housing Administration's Mortgagee Letter 2024-10, issued yesterday, requires FHA-approved mortgagees to notify HUD when a cyber incident occurs. The letter, effective immediately, applies to all FHA insurance programs.

The mortgagee letter adds a new section, Significant Cybersecurity Incident, which requires FHA-approved mortgagees to report cyber incidents to HUD within 12 hours of detection. Reports will be made to HUD's FHA Resource Center and to HUDs Security Operations Center.

The FDIC yesterday issued FIL-26-2024 announcing revisions to Call Reports and the FFIEC 002 Report as published [89 FR 45046] on May 22, 2024, in the Federal Register.

Proposed changes were issued on September 28, 2023 (FIL-52-2023) and December 27, 2023 (FIL-68-2023). After considering the comments received on these notices, the agencies are moving forward with certain proposed revisions related to replacing references to “troubled debt restructurings” with “modifications to borrowers experiencing financial difficulty” consistent with ASU 2022-02, the reporting on the internet website addresses of depository institution trade names, and the adoption of the standards for electronic signatures. These updates to the Call Report and FFIEC 002 report forms and instructions will be effective as of the June 30, 2024, report date.

The agencies are implementing revisions related to reporting of loans to NDFIs as of the December 31, 2024, report date. The agencies are also adding a new Memorandum item that would identify the amounts reported as a structured financial product that are guaranteed by U.S. Government agencies or sponsored agencies, which would be effective as of the December 31, 2024, report date.

The agencies are continuing to review comment letters related to loan modifications to borrowers experiencing financial difficulty under ASU 2022-02, as well as the proposed clarification on the reporting of past due loans and proposed reporting of long-term debt requirements, for further changes to the Call Report and the FFIEC 002. Comments on the May 22, 2024, Federal Register notice will be accepted through June 21, 2024.

The OCC yesterday reported recent enforcement actions against two national banks and five institution-affiliated parties to OCC-supervised institutions.

• A formal agreement with Comerica Bank & Trust, National Association, Ann Arbor, Michigan, for unsafe or unsound practices, including those relating to the bank’s risk governance framework and internal controls
• A formal agreement with Lemont National Bank, Lemont, Illinois, for unsafe or unsound practices, including those relating to capital planning, strategic planning, succession planning, and liquidity risk management
• An order of prohibition against Stanley Acosta, a former senior specialist relationship banker at a Dartmouth, Massachusetts, branch of Santander Bank, N.A., Wilmington, Delaware, for stealing approximately $27,449 from cash deposit bags that customers provided to the bank via the night deposit vault
• An order of prohibition against Bahtia Greene, a former associate operations processor at the Philadelphia, Pennsylvania, lockbox facility for Wells Fargo Bank, N.A., Sioux Falls, South Dakota, for misappropriating confidential information of bank customers and selling the information to a third party, resulting in fraudulent transactions and a loss to the bank of approximately $688,000
• An order of prohibition against Sabina Prince, former teller at a Mountain Brook, Alabama, branch of PNC Bank, National Association, Wilmington, Delaware, for taking $15,000 in cash from the bank and manipulating cash shipment processing receipts to hide her actions
• An order of prohibition against Stephanie Sanders, former relationship banker at NBT Bank, N.A., Norwich, New York, for misappropriating approximately $30,650 from the bank by crediting her checking and savings accounts over 100 times
• A notice of charges for Gerald E. Milligan, II, a former teller at a Royal Palm, Florida, branch of PNC Bank, N.A., Wilmington, Delaware. The Notice of Charges alleges, among other things, that Milligan knowingly made false attestations and provided false supporting documentation for a Paycheck Protection Plan (PPP) loan application, received PPP loan proceeds in the amount of $141,530, and used the funds for personal gain.