Thursday, March 10, 2022

Russian Sanctions: Filing the Suspicious Activity Report

QUESTION

We have just gotten our first potential SAR filing obligation triggered by the Russian sanctions. We contacted other financial institutions in our area, and they are starting to get a few transactions affected by these sanctions. 

Our legal team says we should be filing the SAR, but they have no idea what information should be filed specific to the Russian sanctions themselves. 

We’re also not sure of the Red Flags to use in connection with the sanctions. We implement a risk-based, customer due-diligence program, especially since we began accepting cryptocurrency transactions late last year. 

We are desperate for guidance since the SAR has to be filed immediately. 

What types of Red Flags should we be alert to for the Russian sanctions? 

About the cryptocurrency transactions, how do we monitor them for SAR filing? 

And, how do we complete the SAR to ensure it gets recognized as a SAR involving a Russian sanction? 

ANSWER

Given the critical impasse you are at and the immediate demand for BSA compliance caused by the horrific war in Ukraine, we have moved your inquiry to the top of the FAQ list. I will provide a response that should help you procedurally. The Financial Crimes Enforcement Network (FinCEN) closely monitors SARs filed in response to the sanctions relating to Russia and Belarus (and other affiliated persons). 

If you are unsure of the filing requirements and need information, I suggest that you contact FinCEN’s Regulatory Support Section at frc@fincen.gov. If you need to expedite the filing, you should call FinCEN’s toll-free hotline at (866) 556-3974 (continuously monitored). Keep in mind that you should immediately report any imminent threat to law enforcement officials in your region. 

It is helpful that you contacted and shared your concerns with financial institutions in your area. Information sharing among financial institutions is critical to identifying, reporting, and preventing evolving sanctions evasion, ransomware and cyber attacks, and laundering of the proceeds of corruption. 

Financial institutions and associations of financial institutions sharing information under the safe harbor authorized by section 314(b) of the USA Patriot Act may share information with one another regarding individuals, entities, organizations, and countries suspected of possible terrorist financing or money laundering.[i] Indeed, FinCEN strongly encourages such voluntary information sharing. 

The financial institutions affected by the Russian sanctions include:

· Casinos;
· Depository Institutions;
· Insurance Industry;
· Money Services Businesses;
· Mortgage Companies and Brokers;
· Precious Metals and Jewelry Industry;
· Securities and Futures.

A financial institution is required to file a SAR if it knows, suspects, or has reason to suspect that a transaction conducted or attempted by, at, or through the financial institution:

(A) involves funds derived from illegal activity, or attempts to disguise funds derived from illegal activity;

(B) is designed to evade regulations promulgated under the BSA;

(C) lacks a business or apparent lawful purpose; or

(D) involves the use of the financial institution to facilitate criminal activity, including sanctions evasion.[ii] 

Furthermore, all statutorily defined financial institutions may voluntarily report suspicious transactions under the existing suspicious activity reporting Safe Harbor.[iii] 

Filing the SAR does not in itself mean that somebody is guilty of money laundering. Nevertheless, it is imperative to be attentive to efforts to evade the expansive sanctions and other U.S.-imposed restrictions implemented in connection with the Russian Federation’s invasion of Ukraine. 

In the last two months, Lenders Compliance Group has experienced a substantial increase in engagements for Anti-Money Laundering Program Tests (statutorily required), Anti-Money Laundering Program Risk Assessments, and Anti-Money Laundering Program Training (statutorily required). You must retain a recognized compliance firm whose audits, reports, and training meet a high level of regulatory scrutiny to ensure you have appropriate protection and remain in full compliance with FinCEN guidelines. 

In a recent FinCEN alert,[iv] “FIN-2022-Alert001” (sic), a set of select Red Flags was provided to identify potential sanctions evasion activity; however, the list is not meant to be exhaustive. The issuance also provides the obligations with respect to cryptocurrency, generically referred to as “convertible virtual currency” (CVC). 

Evading sanctions is nothing new for crooks. However, due to the Russian and Belarusian actions, sanctioned Russian and Belarusian actors may seek to evade sanctions through various means, such as by moving transactions through non-sanctioned Russian and Belarusian financial institutions and financial institutions in third countries. Red Flags should be taken as one of the tools to identify such transactions, but you will also need to add to the list as incidents require. 

Activities involving the evasion of sanctions are often conducted by various actors, including CVC exchangers and administrators within or outside Russia, given that these entities may retain at least some access to the international financial system. The money laundering pipeline consists of all manner of individuals, such as corrupt senior foreign political figures, their families, and their associates (viz., foreign “politically exposed persons” or PEPs),[v] or associated entities and financial facilitators, to evade U.S. sanctions or otherwise hide their assets.

Now, I will provide a select list of Red Flags, grouped by fiat currency, CVC transactions, and ransomware – with the proviso that you should consider the relevant facts and circumstances of each transaction in keeping with a risk-based approach to compliance because no single financial red flag indicator is determinative of illicit or suspicious activity. 

NOTE: I will not treat due diligence obligations involving senior foreign political figures, enhanced due diligence obligations for private banking accounts, general obligations for correspondent account due diligence and AML Programs, OFAC compliance obligations, or the specific requirements of Executive Order 14024, which sets forth the detailed, specific prohibitions relating to sanctions in response to the further invasion of Ukraine. [Executive Order 14024 of April 15, 2021, Blocking Property With Respect To Specified Harmful Foreign Activities of the Government of the Russian Federation, Federal Register, Vol. 86, No. 73, Monday, April 19, 2021]

Red Flags – Selected List (Fiat Currency) 

· Use of corporate vehicles (i.e., legal entities, such as shell companies, and legal arrangements) to obscure (i) ownership, (ii) source of funds, or (iii) countries involved, particularly sanctioned jurisdictions.

· Use of shell companies to conduct international wire transfers, often involving financial institutions in jurisdictions distinct from company registration.

· Use of third parties to shield the identity of sanctioned persons and/or PEPs seeking to hide the origin or ownership of funds, such as hiding the purchase or sale of real estate.[vi]

· Accounts in jurisdictions or with financial institutions that are experiencing a sudden rise in value being transferred to their respective areas or institutions, without a clear economic or business rationale.

· Jurisdictions previously associated with Russian financial flows that are identified as having a notable recent increase in new company formations.

· Newly established accounts that attempt to send or receive funds from a sanctioned institution or an institution removed from the Society for Worldwide Interbank Financial Telecommunication (SWIFT).

· Non-routine foreign exchange transactions that may indirectly involve sanctioned Russian financial institutions, including transactions that are inconsistent with activity over the prior 12 months (i.e., the Central Bank of the Russian Federation may seek to use import or export companies to engage in foreign exchange transactions on its behalf and to obfuscate its involvement).

Red Flags – Selected List (CVC Transactions) 

With regard to CVC transactions, although large-scale sanctions evasion using CVC by a government – such as the Russian Federation – is not necessarily practicable, it should be noted that sanctioned persons, illicit actors, and their related networks or facilitators may attempt to use CVC and anonymizing tools to evade U.S. sanctions and protect their assets around the globe (viz., including in the United States). As I mentioned above, CVC exchangers and administrators, and other financial institutions may observe attempted or completed transactions tied to CVC wallets or other CVC activity associated with sanctioned Russian, Belarusian, and other affiliated persons.[vii] 

· A customer’s transactions are initiated from or sent to the following types of Internet Protocol (IP) addresses: non-trusted sources; locations in Russia, Belarus, FATF-identified jurisdictions with anti-money laundering (AML), countering the financing of terrorism (CFT), and counter proliferation (CP) deficiencies,[viii] and comprehensively sanctioned jurisdictions; or IP addresses previously flagged as suspicious.

· A customer’s transactions are connected to CVC addresses listed on OFAC’s Specially Designated Nationals and Blocked Persons List.

· A customer uses a CVC exchanger or foreign-located MSB in a high-risk jurisdiction with AML/CFT/CP deficiencies, particularly for CVC entities and activities, including inadequate “Know-Your-Customer” (KYC) or customer due diligence measures.

Red Flags – Selected List (Ransomware and Other Crimes) 

One other Red Flags list requires your attention. That is a list for possible ransomware attacks and other cybercrimes. 

FinCEN has provided numerous issuances regarding the dangers posed by Russian-related ransomware campaigns.[ix] Russian actors may be involved in ransomware and cybercrime activities, and it is essential to use a range of indicators to help detect, prevent, and report potential suspicious activity. 

· A customer receives CVC from an external wallet and immediately initiates multiple, rapid trades among multiple CVCs with no apparent related purpose, followed by a transaction off the platform. This may indicate attempts to break the chain of custody on the respective block chains or further obfuscate the transaction.

· A customer initiates a transfer of funds involving a CVC mixing service.

· A customer has either direct or indirect receiving transaction exposure identified by block chain tracing software as related to ransomware.
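
As an added illustration (not part of the original article or of FinCEN's alert), the first red flag in this list can be written as a monitoring rule over platform activity. The event schema, the customer IDs and the numeric thresholds are assumptions; the alert gives no numeric values, so they must be tuned to your own risk assessment.

```python
from datetime import datetime, timedelta

# Assumed thresholds: the alert says "immediately", "multiple" and "rapid" only.
WINDOW = timedelta(minutes=60)  # deposit -> trades -> withdrawal must fit in here
MIN_TRADES = 3                  # "multiple, rapid trades"
MIN_ASSETS = 3                  # "among multiple CVCs"

def chain_hop_alerts(events):
    """Return (customer, deposit_ts, withdrawal_ts) for every external deposit that
    is followed, inside WINDOW, by enough trades across enough CVCs and then by a
    withdrawal off the platform."""
    by_customer = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_customer.setdefault(e["customer"], []).append(e)
    alerts = []
    for cust, evs in by_customer.items():
        for i, dep in enumerate(evs):
            if dep["type"] != "deposit_external":
                continue
            trades, assets = 0, {dep["asset"]}
            for e in evs[i + 1:]:
                # Stop at the window edge or when a new deposit starts a new chain.
                if e["ts"] - dep["ts"] > WINDOW or e["type"] == "deposit_external":
                    break
                if e["type"] == "trade":
                    trades += 1
                    assets.update((e["asset"], e["to_asset"]))
                elif e["type"] == "withdraw_external":
                    if trades >= MIN_TRADES and len(assets) >= MIN_ASSETS:
                        alerts.append((cust, dep["ts"], e["ts"]))
                    break
    return alerts

def ev(cust, minute, kind, asset, to_asset=None):
    ts = datetime(2022, 3, 10, 9, 0) + timedelta(minutes=minute)
    return {"customer": cust, "ts": ts, "type": kind, "asset": asset, "to_asset": to_asset}

# Constructed sample data: C-1001 matches the red flag, C-2002 is ordinary activity.
SAMPLE_EVENTS = [
    ev("C-1001", 0, "deposit_external", "BTC"),
    ev("C-1001", 2, "trade", "BTC", "ETH"),
    ev("C-1001", 4, "trade", "ETH", "LTC"),
    ev("C-1001", 5, "trade", "LTC", "XMR"),
    ev("C-1001", 9, "withdraw_external", "XMR"),
    ev("C-2002", 0, "deposit_external", "BTC"),
    ev("C-2002", 30, "trade", "BTC", "ETH"),
    ev("C-2002", 600, "withdraw_external", "ETH"),
]

if __name__ == "__main__":
    print(chain_hop_alerts(SAMPLE_EVENTS))
```

A hit from a rule like this is a prompt for analyst review under the risk-based approach described above, not a determination that the activity is illicit.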

Filing the SAR 

Now, let us turn to how best to file the SAR in accordance with FinCEN guidelines relating to the Russian and Belarusian sanctions. When completing the SAR, you should reference the above-stated alert FIN-2022-Alert001 (sic) in SAR field 2 (Filing Institution Note to FinCEN), and the narrative should include the following key term “FIN-2022-RUSSIASANCTIONS.” (sic) 

You should identify and immediately report any suspicious transactions associated with ransomware attacks. For purposes of meeting a financial institution’s SAR filing obligations, FinCEN and law enforcement consider suspicious transactions involving ransomware attacks to constitute “situations involving violations that require immediate attention.”[x] Financial institutions also should include any relevant technical cyber indicators related to cyber events and associated transactions within the available structured cyber event indicator fields (42-44) on the SAR. 

Any data or information that helps identify the activity as suspicious should be included as an indicator. And be sure to add that indicator to the list, if needed. Examples that could be added to the list include chat logs, suspicious IP addresses, suspicious email addresses, suspicious filenames, malware hashes, CVC addresses, command and control (C2) IP addresses, C2 domains, targeted systems, and MAC address or port numbers.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group
___________________________

[i] For further guidance related to the 314(b) Program, see “Section 314(b) Fact Sheet,” FinCEN (December 20, 2020)
[ii] See 31 CFR § 1020.320, 1021.320, 1022.320, 1023.320, 1024.320, 1025.320, 1026.320, 1029.320, and 1030.320
[iii] See 31 U.S.C. § 5312(a)(2) and 31 U.S.C. § 5318(g)(3). Note: all financial institutions with SAR filing requirements also may file a SAR regardless of the amount involved (if any) or if the transaction is only attempted.
[iv] FIN-2022-Alert001, March 7, 2022, FinCEN Alert. I will rely on this issuance as a source document.
[v] See Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, FinCEN, National Credit Union Administration, and Office of the Comptroller of the Currency, “Joint Statement on Bank Secrecy Act Due Diligence Requirements for Customers Who May Be Considered Politically Exposed Persons” (August 21, 2020)
[vi] See FinCEN “Advisory to Financial Institutions and Real Estate Firms and Professionals” (August 22, 2017)
[vii] See FinCEN, “Advisory on Illicit Activity Involving Convertible Virtual Currency” (May 9, 2019)
[viii] See FinCEN, “Financial Action Task Force-Identified Jurisdictions with Anti-Money Laundering and Combating the Financing of Terrorism and Counter-Proliferation Deficiencies” (October 26, 2021)
[ix] See “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments,” (November 8, 2021); FinCEN Report, “Financial Trend Analysis: Ransomware Trends in Bank Secrecy Act Data between January 2021 and June 2021,” (October 15, 2021); and FinCEN, “Anti-Money Laundering and Countering the Financing of Terrorism National Priorities,” (June 30, 2021). See also the Cybersecurity and Infrastructure Security Agency’s “Shields Up” and “StopRansomware.”
[x] See, for instance, 31 CFR § 1020.320(b)(3) (Banks), 31 CFR § 1022.320(b)(3) (Money Services Businesses), and 31 CFR § 1025.320(b)(3) (Insurance Companies)