The Regulatory and Enforcement Outlook for Financial Institutions in 2017

Economic sanctions, anti-money laundering and cybersecurity remain at the forefront of U.S. regulatory priorities. This memorandum surveys major developments and trends in these areas in 2016 and early 2017 and provides an outlook for financial institutions in the year ahead. As discussed below, although the new administration brings considerable uncertainty, we believe the strong federal agency focus in these areas is likely to continue. And, at the state level, the New York Department of Financial Services’ attention to these areas will continue to be rigorous. Boards of directors, senior management, general counsel and compliance officers of both U.S. and non-U.S. financial institutions would be well advised to continue their vigilance in these areas. We also provide some practical suggestions for continuing to strengthen compliance in this challenging environment.

Sanctions/Anti-money Laundering

Bookended by the implementation of the Iran nuclear deal in January 2016 and the presidential transition in January 2017, the past year saw a number of sea changes in sanctions programs administered by Treasury’s Office of Foreign Asset Control (“OFAC”). As summarized below, the Obama Administration eased or rolled back sanctions on Iran, Cuba, Burma and Sudan, and, for the first time, imposed cyber sanctions, designating certain Russian targets for interference with U.S. election processes. OFAC also entered into a number of enforcement settlements showing the agency’s increasing concern with financial institutions that fail to identify that their customers were—or later became—sanctioned parties or were linked in some manner to sanctioned parties or countries.

In the Bank Secrecy Act/anti-money laundering (“AML”) area, the publication of the Panama Papers in April 2016 brought intense global focus to issues of money laundering and shell companies. A month later, Treasury’s Financial Crimes Enforcement Network (“FinCEN”) finalized its broad new rule on customer due diligence and beneficial ownership, adding new compliance challenges to banks and other covered institutions. And, although there were no blockbuster enforcement actions last year at the federal level, 2017 began with a half-billion dollar AML resolution by the Department of Justice (“DOJ”), FinCEN and the Federal Trade Commission against a prominent money services business. Last year also saw active AML enforcement from the Financial Industry Regulatory Authority (“FINRA”), which levied several penalties against broker-dealers, including its largest AML penalty to date of $17 million.

At the state level, the New York Department of Financial Services (“DFS”) continued its aggressive activity on the regulatory and enforcement fronts. Following Maria Vullo’s confirmation as Superintendent, the agency finalized its Part 504 regulation, which prescribes broad requirements for transaction monitoring and sanctions screening programs and mandates annual senior-level compliance certifications. DFS also issued four significant consent orders against non-U.S. banks and their New York branches, each $180 million or higher. Three of these orders demonstrate DFS’s increasing willingness to issue sizable penalties based primarily on findings of AML (and, to a lesser extent, sanctions) compliance deficiencies, rather than on specific violative transactions. The fourth order is notable for imposing a large penalty focused on AML deficiencies at a non-U.S. branch, with little attention given to the actions or inactions of the bank’s New York offices.

We also provide an update on the latest expansive turn in Anti-Terrorism Act civil litigation, which can follow in the wake of sanctions/AML enforcement actions.

As discussed in more detail in the complete publication (available here), to strengthen sanctions/AML compliance we would recommend that financial institutions consider the following steps, many of which are abiding themes:

1. Exercise increased caution in light of a changed administration.
2. Bolster tone at the top and the culture of compliance.
3. Focus on data integrity, systems, and programming issues.
4. Further prepare for enforcement focused on compliance deficiencies rather than specific violative transactions.
5. Bolster customer due diligence and daily customer screening across the institution.
6. Strengthen due diligence on non-U.S. branches and other affiliates.

Cybersecurity

In another year marked by high-profile cyberattacks, financial regulators showed an increased focus on promulgating regulations—a harbinger of increased examination attention and, potentially, enforcement actions in the years ahead. The most aggressive step was taken by DFS, which proposed a cybersecurity regulation in September 2016, revised the proposal in December 2016, and issued the final regulation on February 16, 2017. The landmark regulation prescribes an array of cybersecurity program requirements and requires senior-level annual certifications of compliance. Last October, the federal banking agencies issued an advanced notice of proposed rulemaking on enhanced cybersecurity standards for the largest banks and branches. While banks have thus far not experienced sizeable penalties in connection with cyberattacks, under increasingly detailed cybersecurity regulatory requirements they may find themselves the targets of regulatory criticism and enforcement for their failure to avert cybercrime.

Other financial regulatory agencies showed increased activity in cybersecurity last year. For example, the Securities and Exchange Commission (“SEC”) imposed a $1 million penalty in connection with the alleged failure of a registered broker-dealer and investment advisor to adopt adequate policies and procedures that would have prevented an employee’s theft of customer information. And, the Consumer Financial Protection Bureau (“CFPB”) took its first cybersecurity action against a company for purportedly mispresenting the strength of its data protection practices.

As discussed in more detail on pages 29-31, we would suggest consideration of the following steps to strengthen cybersecurity:

1. Prepare for a tougher regulatory approach to cybersecurity, potentially including enforcement actions.
2. Review external policies and statements regarding data security.
3. Emphasize employee training.
4. Clarify roles between U.S. branches and the bank’s headquarters.
5. Continue to monitor the private litigation environment and bolster incident response planning.

The complete publication is available here.