Top Story Security Related

The OCC has released a list of 11 enforcement actions taken against national banks and federal savings associations and individuals currently and formerly affiliated with OCC-supervised financial institutions.

• The amended cease and desist order previously announced against Citibank, N.A., Sioux Falls, South Dakota.
• A cease and desist order against CNB Bank & Trust, N.A., Carlinville, Illinois, for violations of 12 CFR 21.21 (BSA/AML compliance program), 31 CFR 1020.210 (Customer Due Diligence), and 1020.220 (Customer Identification Program) as well as unsafe or unsound practices relating to the bank’s BSA/AML compliance, and failure to correct previously reported BSA/AML compliance problems.
• A formal agreement with Lincoln FSB of Nebraska, Lincoln, Nebraska, for unsafe or unsound practices, including those relating to strategic planning, liquidity risk management, contingency funding planning, interest rate risk management, and board oversight and corporate governance.
• A cease and desist order against Summit National Bank, Hulett, Wyoming, for unsafe or unsound practices including those related to capital and strategic planning, liquidity risk management, transactions with affiliates, and the bank’s BSA/AML compliance program, and violations including of 12 CFR 21.21 (BSA/AML compliance program).
• Orders of prohibition against the following individuals:
  • Cindy M. Flores, former branch operations associate manager at a Fargo, North Dakota, branch of Wells Fargo Bank, N.A., Sioux Falls, South Dakota, for misappropriating at least $47,600 by diverting funds from customer deposit accounts
  • Randall David Ditzer, former banking center team lead relationship banker at a Prairie Village, Kansas, branch of BOKF, N.A., Tulsa, Oklahoma, for making unauthorized withdrawals from the accounts of an elderly bank customer and depositing the funds into his own accounts.
  • Aaliyah Shaheed, former digital banking representative for Varo Bank N.A., Draper, Utah, who worked remotely from Charlotte, North Carolina, for improperly accessing and modifying customer account information, which resulted in approximately $21,700 of fraudulent transfers.
  • Kathryn Thomure (now known as Kathryn Makler), former business banking specialist at a Farmington, Missouri, branch of U.S. Bank, N.A., Cincinnati, Ohio, for making false representations on two Paycheck Protection Program loan applications to the U.S. Small Business Administration and receiving a loan for approximately $29,300.
  • Valeria Martinez Vazquez, former branch relationship banker at Zions Bancorporation, N.A., Salt Lake City, Utah, for misappropriating approximately $11,100 from a customer’s account.
  • Andre Jackson, former relationship banker at a Kenmore, New York, branch of Bank of America N.A., Charlotte, North Carolina, for misappropriating at least $8,000 in cash from the bank.
  • Cordia Shedde McDonald, former associate banker at a New Rochelle, New York, branch of JPMorgan Chase Bank, N.A., Columbus, Ohio, for misappropriating at least $10,000 in cash from the bank.

Yesterday, the Department of the Treasury announced that the Financial Services Sector Coordinating Council (FSSCC) and Treasury have published a suite of resources to share with financial services institutions on effective practices for their secure cloud adoption journey. These deliverables are the result of a year-long public-private partnership of the Financial and Banking Information Infrastructure Committee (FBIIC) and the FSSCC.

To provide leadership support for this joint effort the U.S. Department of the Treasury established the Cloud Executive Steering Group (CESG) in May 2023 at the direction of the Financial Stability Oversight Council (FSOC), to help close the gaps identified in Treasury's landmark report on the Financial Services Sector’s Adoption of Cloud Services. The documents published yesterday are intended to arm financial institutions of all sizes with effective practices for secure cloud adoption and operations, and to establish a continuing effort and partnership to begin to address the gaps identified in Treasury’s report, which include:

• Establishing a common lexicon that may be used by financial institutions and regulators in discussions regarding cloud.
• Enhancing information sharing and coordination for examination of cloud service providers.
• Assessing existing authorities for cloud service provider (CSP) oversight.
• Establishing best practices for third-party risk associated with cloud service providers, outsourcing, and due diligence processes to increase transparency.
• Providing a roadmap for institutions considering comprehensive or hybrid cloud adoption strategies including an update to the Financial Sector’s Cloud Profile.
• Improving transparency and monitoring of cloud services for better “security by design.”

Clear explanations for the utility and application of the documents can be found on the U.S. Treasury website. The website also includes links to the FSSCC-led outputs so that financial institutions can consult them at any part of their cloud services adoption journey and risk management process.

The U.S. Treasury Department yesterday announced that OFAC has sanctioned three Mexican accountants and four Mexican companies linked, directly or indirectly, to timeshare fraud led by the Cartel de Jalisco Nueva Generacion (CJNG). Concurrently, the Financial Crimes Enforcement Network (FinCEN) issued a Notice, jointly with OFAC and FBI, to financial institutions that provides an overview of timeshare fraud schemes in Mexico associated with CJNG and other Mexico-based transnational criminal organizations.

For the names and identification information of the designated parties, see this July 16, 2024, BankersOnline OFAC Update.

FinCEn, OFAC, and the FBI have issued a joint notice to financial institutions, urging them to be vigilant in detecting, identifying, and reporting timeshare fraud perpetrated by Mexico-based transnational criminal organizations (TCOs). According to the FBI, since at least 2012, the Jalisco New Generation Cartel (CJNG) and other Mexico-based TCOs have increasingly targeted U.S. owners of timeshare properties in Mexico. Older adults, including retirees, are frequent victims in these schemes. The TCOs use proceeds from timeshare fraud to diversify their revenue streams and finance other criminal activities,
including the manufacturing and trafficking of illicit fentanyl and other deadly synthetic drugs into the United States.

The notice provides an overview of methodologies associated with these schemes and related financial typologies, highlights red flag indicators, and reminds financial institutions of their reporting requirements under the Bank Secrecy Act (BSA). In addition to filing BSA reports, financial institutions are critical partners in preventing their customers from becoming victims of timeshare fraud in Mexico, assisting those that become victims, and—in the case of older customers—reporting suspected elder financial exploitation to law enforcement, their state-based Adult Protective Services, and any other appropriate authorities.

The White House’s Office of Information and Regulatory Affairs has released its Spring 2024 Unified Agenda of Regulatory and Deregulatory Actions, or URA. This semi-annual report details each federal agency’s upcoming plans to issue or rescind regulations.

The Consumer Financial Protection Bureau’s agenda includes four proposed rule actions, addressing the Fair Credit Reporting Act, or FCRA, mortgage servicing, the Financial Data Transparency Act and consumer financial product contracts under Regulation AA. The bureau released last month the initial part of its FCRA rulemaking and a final rule regarding the attributes a standard-setting body must demonstrate in order to be recognized by the CFPB for purposes of the personal data rights rule; the Bureau plans to finalize the remainder of the proposed rule regarding personal data rights rule in October. The proposed rules for mortgage servicing were issued last week and the Regulation AA proposal is expected in September.

According to the URA, the CFPB projects it will release final rules on non-sufficient fund fees in October and on overdraft fees in January 2025.

On the BSA/AML front, FinCEN expects an August 2024 unveiling of its final AML/CFT rules applicable to investment advisers and certain real estate professionals. FinCEN reported an October target for its proposed revisions to the Customer Due Diligence rule, and is aiming for a May 2025 reveal of proposed rules on 314(b) information sharing protections.

OFAC has released the second video in its “OFAC Basics” video series.

“My Funds Are Blocked, Now What?” provides viewers with guidance on what it means when funds are blocked in connection with OFAC sanctions, as well as recommended steps for what to do if their funds have been blocked.

Yesterday, FinCEN released a supplemental alert (FIN-2024-Alert002), highlighting five additional red flags regarding the financing of Israeli extremist settler violence against Palestinians in the West Bank.

FinCEN issued an alert (FIN-2024-Alert001) on February 1, 2024, to financial institutions related to the financing of Israeli extremist settler violence against Palestinians in the West Bank. This supplemental alert provides additional red flags to assist U.S. financial institutions in identifying and reporting suspicious activity related to the financing of this violence. Additionally, this alert requests that financial institutions continue to use the existing SAR code (FIN-2024-WBEXTREMISM) when submitting SARs specific to the financing of Israeli extremist settler violence in the West Bank and reminds financial institutions of their Bank Secrecy Act (BSA) reporting obligations.

Yesterday, the U.S. Department of State reported it has imposed sanctions on three individuals and five entities under Executive Order 14115 for being involved in violence or threats of violence targeting civilians, seizure or dispossession of property by private actors, or actions that threaten the peace, stability and security of the West Bank; or being owned or controlled by an individual designated under that order.

For the names and identification information of the designated parties, see this July 11, 2024, BankersOnline OFAC Update.

FinCEN has updated its Beneficial Ownership Information Frequently Asked Questions, adding three new Reporting Company questions (questions C.12 – C.14), and one new Beneficial Owner question (question D.17).

In related news, FinCEN has posted an alert on its Beneficial Ownership Information webpage concerning fraudulent attempts to solicit information from individuals and entities who may be subject to reporting requirements under the Corporate Transparency Act.