Top Story Security Related

The OCC on Monday announced it has issued a Consent Cease and Desist Order against Bank of America, N.A., for deficiencies related to its Bank Secrecy Act (BSA) and sanctions compliance programs.

The OCC's press release indicates the agency took this action based on violations and unsafe or unsound practices relating to these programs, including a failure to timely file suspicious activity reports and failure to correct a previously identified deficiency related to its Customer Due Diligence processes. The order also identifies deficiencies in the internal controls, governance, independent testing, and training components of the bank’s BSA compliance program.

The Securities and Exchange Commission has announced it has charged registered broker-dealer Deutsche Bank Securities Inc., a subsidiary of Deutsche Bank AG, for failing to file certain Suspicious Activity Reports (SARs) in a timely manner. Deutsche Bank Securities has agreed to pay a $4 million civil penalty to settle the SEC’s charges.

According to the SEC’s order, Deutsche Bank Securities received requests in connection with law enforcement or regulatory investigations or litigation that prompted it to conduct SARs investigations. However, the SEC’s order finds that, in certain instances from April 2019 to March 2024, Deutsche Bank Securities failed to conduct or complete the investigations within a reasonable period of time, including at least two instances where Deutsche Bank Securities took more than two years to file the SARs.

The Department of the Treasury has released a report following its 2024 Request for Information (RFI) on the Uses, Opportunities, and Risks of Artificial Intelligence (AI) in Financial Services, which summarizes key themes from respondent feedback and recommends several next steps.

The report highlights increasing AI use throughout the financial sector and underscores the potential for AI – including Generative AI – to broaden opportunities while amplifying certain risks, such as risks related to data privacy, bias, and third-party providers. The report builds on Treasury’s work on AI-related cybersecurity risks in the financial sector, including its March 2024 report.

The CFPB has announced it has brought suit against the operator of Zelle and three of the country's largest banks for failing to protect consumers from widespread fraud on America’s most widely available peer-to-peer payment network.

In its Complaint filed with the U.S. District Court for the District of Arizona, the CFPB alleges that Early Warning Services, LLC, which operates Zelle, along with three of its owner banks—Bank of America, JPMorgan Chase, and Wells Fargo—rushed the network to market to compete against growing payment apps such as Venmo and CashApp, without implementing effective consumer safeguards. Customers of the three banks named in today’s lawsuit have lost more than $870 million over the network’s seven-year existence due to these failures. The CFPB’s lawsuit describes how hundreds of thousands of consumers filed fraud complaints and were largely denied assistance, with some being told to contact the fraudsters directly to recover their money. Bank of America, JPMorgan Chase, and Wells Fargo also allegedly failed to properly investigate complaints or provide consumers with legally required reimbursement for fraud and errors. The CFPB is seeking to stop the alleged unlawful practices, secure redress and penalties, and obtain other relief.

Early Warning Services, LLC is a financial technology and consumer reporting company based in Scottsdale, Arizona. Early Warning Services designed and operates the Zelle network. It is co-owned by seven of the largest banks in the United States: Bank of America, Capital One, JPMorgan Chase, PNC Bank, Truist, U.S. Bank, and Wells Fargo.

Zelle allows near-instant electronic money transfers through linked email addresses or U.S.-based mobile phone numbers, known as “tokens.” Users can create multiple tokens across different banks and quickly reassign them between institutions, a feature that the CFPB alleges has left consumers vulnerable to fraud schemes. The CFPB alleges that Bank of America, JPMorgan Chase, Wells Fargo, and Early Warning Services violated federal law through critical failures including leaving the door open to scammers, allowing repeat offenders to hop between banks, ignoring red flags that could prevent fraud, and abandoning consumers after fraud occurred.

• Press Call Remarks of CFPB Director Rohit Chopra

The OCC has released a list of enforcement actions taken against national banks and federal savings associations (banks), and individuals currently and formerly affiliated with banks the OCC supervises.

• A Formal Agreement with the The Fairfield National Bank, Fairfield, Illinois, for unsafe or unsound practices, including those related to staffing and training, credit risk rating, credit underwriting, credit administration, loan review, allowance for credit losses, and a violation related to failure to file true and correct Reports of Condition and Income.
• A Formal Agreement with The First National Bank of Williamson, Williamson, West Virginia, for unsafe or unsound practices, including those related to staffing, capital planning, strategic planning, interest rate risk management, audit committee oversight, allowances for credit losses, credit administration, and commercial credit.
• The Cease and Desist Order against USAA, Federal Savings Bank that we reported in yesterday's Top Stories.
• A Notice of Charges for an Order of Prohibition against Armando De Leon, former Store Manager at a Hialeah, Florida, branch of TD Bank, N.A., Wilmington, Delaware, alleging, among other things, that while he was a bank employee, De Leon submitted fraudulent Payment Protection Program loan applications that received over $80,000 in funding.
• A Notice of Charges for Order of Prohibition against Emily M. Niedwiecky, former Senior Customer Service Representative at a Raleigh, North Carolina, Auto Operations Center of Wells Fargo Bank, N.A., Sioux Falls, South Dakota, alleging, among other things, that Niedwiecky falsely disputed with the bank approximately $22,000 in purchases she made with her personal debit cards.
• An Order of Prohibition against Wendell Pialet, former Business Relationship Manager at a San Diego, California, branch of JPMorgan Chase Bank, N.A., Columbus, Ohio, for accepting a bribe to open a bank account that was to be used to receive proceeds from fraudulent Paycheck Protection Program loans.

The Treasury Department issued three news releases yesterday to announce OFAC actions:

• Continued pressure on Houthi procurement and financing schemes: OFAC sanctioned a dozen individuals and entities based in multiple jurisdictions, including the head of the Houthi-aligned Central Bank of Yemen branch in Sana’a, for their roles in trafficking arms, laundering money, and shipping illicit Iranian petroleum for the benefit of the Houthis. OFAC also identified five cryptocurrency wallets associated with Islamic Revolutionary Guard Corps-Qods Force (IRGC-QF)-backed Houthi financial official Sa’id al-Jamal (al-Jamal), who operates under the aliases “Khrpi,” “Ahmad Sa’idi,” and “Hisham,” among others.
• Maintaining pressure on Iranian shadow fleet: OFAC imposed sanctions on four entities and three vessels involved in the trade of Iranian petroleum and petrochemicals, which generate billions of dollars’ worth of revenue for the Iranian regime. Treasury also announced concurrent action by the State Department against four entities in multiple jurisdictions involved in the movement of Iranian petroleum.
• Sanctions against Georgian Ministry of Internal Affairs officials: OFAC sanctioned two Georgian officials from Georgia’s Ministry of Internal Affairs which has engaged in brutal crackdowns on media members, opposition figures, and protesters — including during demonstrations throughout 2024.

For the names and identification information of the designated parties, see yesterday's BankersOnline OFAC Update.

The Financial Crimes Enforcement Network (FinCEN) has reported it has issued an Alert [FIN-2024-Alert005] to raise awareness of fraud schemes abusing FinCEN’s name, insignia, and authorities for financial gain. These FinCEN-specific fraud schemes include scams that exploit beneficial ownership information reporting; misuse FinCEN’s Money Services Business Registration tool; or involve the impersonation of, or misrepresent affiliation with, FinCEN and its employees.

The alert provides guidance to the public on how to identify and avoid these scams and provides typologies and red flag indicators to help financial institutions detect, prevent, and report potential suspicious activity to FinCEN. The public is reminded that any solicitations from individuals or entities abusing FinCEN’s name, insignia, or authorities, or impersonating a FinCEN employee should be reported to Treasury’s Office of Inspector General and the Federal Trade Commission.

Suspicious Activity Reports concerning these fraud schemes should reference FinCEN's alert by including the key term "“FIN-2024-FINCENSCAMS” in SAR field 2 (Filing Institution Note to FinCEN) and the narrative. Financial institutions should also select SAR field 34(z) (Fraud – Other) and include any other relevant terms, including “BOI Scam,” “MSB Scam,” and/or “FinCEN Imposter Scam” in the text box, as applicable.

The Department of the Treasury yesterday reported that OFAC had sanctioned two entities and two individuals for their role in developing and procuring components for sensitive navigational systems for the Iranian military. Concurrent with this action, the U.S. Department of State designated one individual and two entities involved in Iranian UAV and missile development.

Treasury also reported that OFAC had designated three individuals and four entities in Bosnia and Herzegovina (BiH) that form part of U.S.-designated Republika Srpska (RS) President Milorad Dodik’s (Dodik) financial network and enable the Dodik family’s continued attempts to evade sanctions. OFAC's action also targets a BiH politician who serves as a key enabler of Dodik’s corruption and destabilizing political agenda. OFAC also designated Viktor Pavlovich Perevalov for operating or having operated in the construction sector of the Russian Federation economy.

For the names and identification information of the designated parties, see yesterday's BankersOnline OFAC Update.

The Office of the Comptroller of the Currency yesterday announced it had issued a comprehensive cease-and-desist order against USAA Federal Savings Bank to require the bank to correct a range of deficiencies. This order replaces prior cease-and-desist orders issued against the bank in 2019 and 2022.

The OCC reported it took this action based on unsafe or unsound practices relating to management, earnings, information technology, consumer compliance, and internal audit and suspicious activity reporting violations. The bank also was not in compliance with OCC’s Heightened Standards requirements for large banks detailed at 12 CFR Part 30, Appendix D.

The order incorporates articles from the 2019 and 2022 orders that remain in noncompliance and requires the bank to take comprehensive corrective actions to enhance its risk governance, compliance risk management, information technology management, fraud risk management, and third-party, affiliate, and shared services risk management. The order also imposes limitations on the bank’s ability to add certain new products and services, as well as expanding its membership criteria.

The Treasury Department yesterday reported that OFAC has sanctioned two individuals and one entity involved in a network that launders millions of dollars of illicit funds generated by the Democratic People’s Republic of Korea (DPRK) information technology (IT) workers and cybercrime to support the DPRK Government. Based in the United Arab Emirates (UAE), Lu Huaying and Zhang Jian worked through a UAE-based front company to facilitate money laundering and cryptocurrency conversion services that funneled the illicit proceeds back to Pyongyang. This network is led by OFAC-sanctioned Sim Hyon Sop (Sim), a PRC-based banking representative for the DPRK who orchestrates money laundering schemes to fund the regime.

Treasury also reported OFAC action against 12 individuals and eight entities, located across seven countries, who are linked to the global illicit drug trade. These sanctions are the result of strong collaboration with the Drug Enforcement Administration and a range of international law enforcement partners, including in Colombia, Lithuania, and New Zealand. This action was also enabled with support from Treasury’s Financial Crimes Enforcement Network and reporting from financial institutions under the Bank Secrecy Act, and was coordinated closely with various foreign Financial Intelligence Units.

For the names and identification information of the designated parties, see yesterday's BankersOnline OFAC Update.