Top Story Security Related

The CFPB has released a report, "State Consumer Privacy Laws and the Monetization of Consumer Financial Data," summarizing state laws that give consumers more control over their data, how these rights complement the protections under federal law, and the gaps in protection that result from state law exemptions for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) or the Fair Credit Reporting Act (FCRA).

The CFPB suggests that state policymakers should assess gaps in their state data privacy laws, and consider the importance of ensuring that their citizens are protected in instances where federal law currently has gaps or may be ineffective.

The Treasury Department yesterday announced that OFAC has sanctioned Abdel Rahman Joma’a Barakallah for his leadership role in the Rapid Support Forces (RSF), a primary party responsible for the ongoing violence against civilians in Sudan since April 2023.

For identification information on Barakallah and a notice on amendments to OFAC's Sudan Sanctions Regulations, see yesterday's BankersOnline OFAC Update.

FinCEN has reported its September 2024 outreach efforts on its Beneficial Ownership Reporting Rule requirements.

The report also included a list of upcoming events at which FinCEN representatives are scheduled to further disseminate BOI reporting information through the end of the year.

OFAC is asking for user opinions of their website. They are asking site users to take about ten minutes to complete a survey to help them improve their services, enhance users' experience, and create new features.

The survey can be found HERE.

Yesterday, the Treasury Department reported that OFAC has designated one individual and one entity who support a corrupt patronage network in Bosnia and Herzegovina (BiH) that is attempting to evade U.S. sanctions.

For the names and identification information of the designated individual and entity, see yesterday's BankersOnline OFAC Update.

FinCEN recently announced that certain victims of Hurricane Milton, Hurricane Helene, Hurricane Debby, Hurricane Beryl, and Hurricane Francine will receive an additional six months to submit beneficial ownership information reports, including updates and corrections to prior reports.

FinCEN has issued the five Notices below extending the filing deadlines for reporting companies that 1) have an original reporting deadline beginning one day before the date the specified disaster began and ending 90 days after that date, and 2) are located in an area that is designated both by the Federal Emergency Management Agency as qualifying for individual or public assistance and by the Internal Revenue Service as eligible for tax filing relief.

Notice regarding—

• Hurricane Milton
• Hurricane Helene
• Hurricane Debby
• Hurricane Beryl
• Hurricane Francine

The NCUA has announced it issued three consent orders and one prohibition notice in October permanently prohibiting individuals from participating in the affairs of any federally insured depository institution.

Consent orders were issued to:

• Gloria J. Hall, a former employee of Prairie View Federal Credit Union, Prairie View, Texas
• Diane Stephens, a former employee of Priority First Federal Credit Union, Du Bois, Pennsylvania
• Laurie Allen, a former employee of Vibrant Credit Union, Danville, Illinois

A Notice of Prohibition was issued to Salusthian Lutamile, a former employee of IDB Global Federal Credit Union, Washington, D.C.

The FBI, the Treasury Department, and the Israel National Cyber Directorate have issued a Cybersecurity Advisory (CSA) to warn network defenders of new cyber tradecraft of the Iranian cyber group Emennet Pasargad, which has been operating under the company name Aria Sepehr Ayandehsazan (ASA) and is known by the private sector terms Cotton Sandstorm, Marnanbridge, and Haywire Kitten.

The group exhibited new tradecraft in its efforts to conduct cyberenabled information operations into mid-2024 using a myriad of cover personas, including multiple cyber operations that occurred during and targeting the 2024 Summer Olympics – including the compromise of a French commercial dynamic display provider. ASA has also undertaken a project to harvest content from IP cameras and used online resources related to Artificial Intelligence. Since 2023, the group has exhibited new tradecraft including the use of fictitious hosting resellers to provision operational server infrastructure to its own actors as well as to an actor in Lebanon involved in website hosting. Recently released reporting from Microsoft indicates this group has demonstrated interest in election-related websites and media outlets, suggesting preparations for future influence operations.

The CSA provides the threat group’s tactics, techniques, and procedures (TTPs), including its leveraging of online resources related to Artificial Intelligence, and indicators of compromise (IOCs). The CSA also highlights similar activity from a previous FBI advisory that was published on 20 October 2022. This new advisory’s information and guidance are derived from FBI investigative activity and technical analysis of this group’s intrusion activity against U.S. and foreign organizations and engagements with numerous entities impacted by this malicious activity.

The authoring agencies recommend all organizations follow guidance provided in the Mitigations section to defend against the Iranian cyber group’s activities.

Yesterday, the Treasury Department reported that OFAC had sanctioned five Mexican nationals and two Mexico-based entities linked to La Linea, a violent Mexico-based drug trafficking organization responsible for trafficking fentanyl and other deadly drugs into the United States.

See BankersOnline’s October 31, 2024, OFAC Update for the names and identifying information of the designated individuals and businesses .

FinCEN has reported that the Financial Action Task Force (FATF), an intergovernmental body that establishes international standards for anti-money laundering, countering the financing of terrorism, and countering the financing of proliferation of weapons of mass destruction (AML/CFT/CPF), updated its lists of jurisdictions with strategic AML/CFT/CPF deficiencies at the conclusion of its plenary meeting this month. FinCEN said U.S. financial institutions should consider the FATF’s stance toward these jurisdictions when reviewing their obligations and risk-based policies, procedures, and practices.

On October 25, 2024, the FATF added Algeria, Angola, Côte d’Ivoire, and Lebanon to its list of Jurisdictions Under Increased Monitoring and also removed Senegal from the list.

The FATF’s list of High-Risk Jurisdictions Subject to a Call for Action remains the same, with Iran, the Democratic People’s Republic of Korea (DPRK), and Burma subject to calls for action. Iran and DPRK are still subject to the FATF’s countermeasures, while Burma is still subject to the application of enhanced due diligence, but not countermeasures