Last week, international regulators began issuing guidance and/or relief to impacted firms in response to the spread of COVID-19. The impact of this novel coronavirus has already begun materially to affect operations and behaviors in the financial services industry. Separately, a former chief operational risk and chief compliance officer of a US national bank was sanctioned US $450,000 by the Financial Crimes Enforcement Network for his role in the bank’s capping of suspicious activity alerts generated by the firm’s monitoring system for over five years in order to accommodate an inadequate number of anti-money laundering surveillance staff. As a result, the following matters are covered in this week’s edition of Bridging the Week:
In a Notice to Members dated March 4, the National Futures Association acknowledged its understanding that members developing contingency plans to deal with the impact of COVID-19 may have “specific concerns” regarding their ability to comply fully with all Commodity Futures Trading Commission and NFA requirements, particularly if some or all of their staff are unable to work from their offices or the firm’s backup locations. According to the regulated futures association, “NFA and CFTC staff intend to take a practical approach that will give Members appropriate flexibility in implementing contingency plans needed to continue to conduct business” if regulatory relief is required.
However, NFA encouraged members to review their business continuity plans to ensure they address situations like COVID-19 and contain up-t0-date information (e.g., current key persons and contact information). NFA also recommended that Members consider providing employees refresher or new training on working from remote locations.
Separately, the UK Financial Conduct Authority restated its expectation that all firms have contingency plans dealing with major events, and indicated it is currently reviewing, along with the Bank of England, “the contingency plans of a wide range of firms.” FCA indicated it expects that firms are taking “all reasonable steps” to ensure they meet their regulatory obligations, including, for example, the capability to enter orders and transactions into appropriate systems, record conversations when trading, and provide staff compliance support when required.
Although neither the Securities and Exchange Commission nor the Commodity Futures Trading Commission have issued any written guidance for brokerage firm registrants (i.e., broker-dealers or futures commission merchants), the SEC provided conditional regulatory relief for certain publicly traded companies’ filing obligations. Specifically, publicly traded companies required to file certain disclosure reports from March 1 through April 30, 2020, may have an additional 45 days to file such reports provided they give the SEC a summary of why they require the relief. The SEC also advised companies to consider their disclosure obligations under federal securities laws should they become aware of some risk to their business because of COVID-19.
The SEC’s Division of Investment Management separately indicated it would recommend no enforcement action against an investment fund board that did not comply with certain in-person voting requirements from March 4 through at least June 15, 2020, in case of “unforeseen or emergency circumstances affecting some or all of the directors.” The SEC indicated it might be open to extend its no-action position to a later date “as circumstances warrant.”
Getting the Business Done: The spread of the COVID-19 virus worldwide will continue to create unusual challenges for all businesses because of the difficulty of detecting carriers and the current lack of a vaccine. Apparently, persons may be contagious when asymptomatic, and even early tests of persons carrying the virus may not detect its presence. Additionally, it appears the virus may be transmitted without actual contact with a specific carrier – so-called “community” transmission.
As a result, the most important measure companies and individuals can take during the current crisis is to be informed by facts. The Center for Disease Control and Prevention maintains a robust website of relevant information, including frequently asked questions and answers, and persons may subscribe to automatic updates. (Click here to access the CDC website, and here for a subscription link.) It’s important that companies and individuals follow CDC’s myriad recommendations to the extent practical.
Separately, both the Financial Industry Regulatory Authority and the NFA require their members to maintain robust business continuity plans with certain prescribed elements. (Click here to access FINRA Rule 4370, here for NFA Rule 2-38, and here for NFA Interpretive Notice 9052.) Both the SEC and CFTC also require business continuity plans for certain registrants. (Click here, e.g., for CFTC Rule 23.603 related to swap dealers and major swap participants and here for SEC IM Guidance Update 2016-4 for investment companies.) The SEC proposed BCP requirements for investment advisors in 2016 but has not formally implemented any to date. (Click here to access the SEC’s proposal.) Both FINRA and NFA obligate members to provide and update the regulatory organizations with the name and contact information of key management personnel and certain other enumerated information. FINRA also provides a basic checklist of items that should be addressed in BCPs that make sense for all regulated organizations, as relevant:
Employees should have access to a firm’s BCP even when remote.
Additionally, following Hurricane Sandy in October 2012, the SEC, CFTC and FINRA issued a joint advisory on business continuity planning. Some of the key recommendations articulated then in response to lessons learned appear timely now. According to the advisory, firms should especially consider:
As suggested in the current NFA guidance, training is critical. In any case, BCPs should be reviewed to ensure they address or are modified as necessary to deal with infectious disease outbreaks.
Many employment law issues will also arise because of the COVID-19 virus spread. Among other things, CDC recommends that firms:
Additionally, it is important that employers review their policies and practices to ensure they are consistent with public health recommendations as well as prevailing state and federal workplace laws. (Click here to access CDC’s Interim Guidance for Businesses and Employers.)
It will be very important for management to promote calm among employees during the next few months until the COVID-19 outbreak diminishes. By thinking through as much as possible how the business needs to get done, and what can be done to effectuate those needs (sometimes considering non-intuitive solutions), financial service business can be conducted effectively with current technology even if many employees work remotely. To the extent there may be regulatory compliance challenges, try to discuss them in advance with relevant regulators and seek relief if possible; in all cases, ensure that all breaches are documented with as much specificity as possible.
In February 2018, four federal regulators imposed out-of-pocket sanctions on US Bancorp totaling US $613 million for alleged noncompliance with its anti-money laundering obligations from 2011 to 2015. The regulators were the US Department of Justice, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and FinCEN.
The regulators claimed that, during the relevant time, the bank failed to maintain an adequate staff level to conduct anti-money laundering oversight and capped the number of alerts generated by its AML surveillance system to accommodate the inadequately sized staff. This, alleged the regulators, caused the bank not to identify many potential AML issues and not to make many required suspicious activity reports. (Click here for additional background in the article “Bank Sanctioned US $613 Million for Capping Number of Suspicious Activity Reports” in the February 25, 2018 edition of Bridging the Week.)
FinCEN claimed, in its current enforcement action, that Mr. LeFontaine failed “to take sufficient steps to ensure that the Bank’s compliance division was appropriately staffed to meet regulatory expectations.” Moreover, charged FinCEN, two AML officers expressed concerns to Mr. LeFontaine that the bank’s surveillance system was “inadequate” because caps were imposed to limit alerts. One AML officer sent Mr. LeFontaine two memos with this warning – in December 2009 and April 2010 – and another, new AML officer expressed similar concerns to Mr. LeFontaine by the end of 2012. FinCEN indicated that Mr. LaFontaine did not respond adequately to information brought to his attention. Although FinCEN acknowledged that Mr. Lafontaine sought and received funding to upgrade the firm’s AML surveillance system, it said these actions “were inadequate to correct the deficiencies.”
Mr. LaFontaine admitted to the facts set forth in FinCEN’s determination and consented to the financial penalty.
Compliance Weeds: Applicable law and FinCEN rules require broker-dealers and other covered financial institutions (banks, Commodity Futures Trading Commission-registered futures commission merchants and introducing brokers and Securities and Exchange Commission-registered mutual funds) to file a SAR with FinCEN in response to transactions of at least US $5,000 which a covered entity “knows, suspects, or has reason to suspect” involve funds derived from illegal activity; have no business or apparent lawful purpose; are designed to evade applicable law; or utilize the institution for criminal activity. (Click here for a helpful overview of anti-money laundering requirements for broker-dealers, including SAR requirements. Click here for a similarly helpful compilation of AML resources for members of the National Futures Association.)
Additionally, covered institutions might also have to file SARs following cyber-events. (Click here for background in the article “FinCEN Issues Advisory Saying Cyber Attacks May Be Required to Be Reported Through SARs" in the October 30, 2016 edition of Bridging the Week.)
In July 2017, Electronic Transaction Clearing, Inc., a registered broker-dealer, agreed to settle charges brought by the Financial Industry Regulatory Authority that it failed to consider whether to file SARs, as required, in response to red flags of possible suspicious conduct as well as for other violations. According to FINRA, ETC did not file such reports even after it restricted trading by certain of its customers after 30 instances where the firm identified problematic conduct, including prearranged trades or trading without an apparent economic reason. ETC agreed to pay a fine of US $250,000 to resolve FINRA’s charges. (Click here for background regarding FINRA’s charges in the article “Clearing Firm’s Failure to File Suspicious Activity Reports in Response to Red Flags Charged as Violation of FINRA Requirements” in the March 26, 2017 edition of Bridging the Week.)
Previously, in August 2015, FINRA fined Aegis Capital Corp. US $950,000 for selling unregistered penny stocks and related supervisory violations, and suspended and fined two individuals – Charles Smulevitz and Kevin McKenna – who served successively as chief compliance and anti-money laundering officers for the firm. According to FINRA, Mr. Smulevitz and Mr. McKenna failed to “reasonably” detect and review red flags of potentially suspicious transactions. As a result, they did not make a “reasoned determination whether or not to report the suspicious transactions to the Financial Crimes Enforcement Network … by filing a Suspicious Activity Report … as appropriate.” (Click here for further details in the article “FINRA Fines and Suspends Two CCOs for Supervisory and AML Violations” in the August 14, 2015 edition of Bridging the Week.)
Covered financial institutions should continually monitor transactions they facilitate, ensure they maintain and follow written procedures to identify and evaluate red flags of suspicious activities and file SARs with FinCEN when appropriate.
Moreover, covered institutions should ensure that problematic transactions identified by non-AML personnel (e.g., compliance staff) that may violate legal or regulatory standards are evaluated by AML personnel to determine whether a SAR should be filed with FinCEN. Indeed, the more complete a ledger a firm can maintain of potential problems identified across otherwise separate surveillance functions, the more likely a firm will be able to recognize and act holistically when it possesses multiple red flags.
As amended, the CFTC might terminate an exemptive order granted to a foreign regulator or regulatory organization if:
In addition to permitting the affected party 30 business days to challenge any proposed revocation of an exemptive order, the CFTC authorized “any other person” to potentially respond to any proposed exemptive order cancellation.
In other legal and regulatory developments impacting cryptoassets:
ESMA Head Stresses Need for Harmonized EU Approach to the Regulation of Cryptoassets: Steven Maijoor, Chair of the European Securities and Market Authority, stressed the need for a “common, holistic approach” to the oversight of cryptoassets, in a speech last week before the Fourth Annual FinTech and Regulation conference in Brussels. He said it was important to ensure “the right level of protection without stifling innovation.” He specifically acknowledged the potential benefits of global stablecoins, including the promotion of financial inclusion and the potential to make global cross-border payments “easier, cheaper and quicker.” However, he cautioned that, although stablecoins may not constitute legal tender, they might, like Libra, be a “currency of [their] own.” All cryptoassets, he said, should be regulated in accordance with the risks they raise on a case-by-case assessment.
FCA Warns Investors That Renowned Cryptoasset Exchange Operates in UK Without Requisite Authorization: The UK Financial Conduct Authority issued a warning that it believed that Bitmex has been providing financial services in the United Kingdom without appropriate authorization. The FCA issued a similar notice regarding Kraken on March 3, but quickly removed the warning from its website without explanation. As of January 10, 2020, all UK businesses engaged in cryptoasset exchange provision services, including issuing new cryptoassets or providing custodian wallets, must comply with UK AML requirements. (Click here for background in the article” FCA Designated AML Supervisor of Many UK Digital Asset Activities” in the January 19, 2020 edition of Bridging the Week.)
For further information:
Business Not as Usual – Regulators Issue Guidance on Responding to COVID-19 and Firms Take Precautions to Adapt:
ESMA Head Stresses Need for Harmonized EU Approach to the Regulation of Cryptoassets:
FCA Warns Investors That Renowned Cryptoasset Exchange Operates in UK Without Requisite Authorization
Former Bank Chief Operational Risk Officer Fined US $450,000 by FinCEN for Role in Capping Number of Potential Suspicious Activity Alerts:
India Supreme Court Reverses Central Bank’s Ban on Regulated Banks Conducting Business With Virtual Asset Businesses:
NFA Describes Path for CTAs to Comply With Recent CFTC Rule Amendment Cancelling Need to File Form PR When Solely Acting as a CPO:
Precious Metals Traders Request Court Dismiss Criminal Charges Related to Alleged Spoofing Trading:
Reciprocity Is a Two-Way Street Warns CFTC in Approving Amendment to Cross-Border Rule:
SEC Proposes to Simplify Exempt Offering Framework:
What’s in a Fund’s Name Asks the SEC – Potentially Something Misleading:
The information in this article is for informational purposes only and is derived from sources believed to be reliable as of March 7, 2020. No representation or warranty is made regarding the accuracy of any statement or information in this article. Also, the information in this article is not intended as a substitute for legal counsel, and is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The impact of the law for any particular situation depends on a variety of factors; therefore, readers of this article should not act upon any information in the article without seeking professional legal counsel. Katten Muchin Rosenman LLP may represent one or more entities mentioned in this article. Quotations attributable to speeches are from published remarks and may not reflect statements actually made. Views of the author may not necessarily reflect views of Katten Muchin or any of its partners or employees.