In October 2023, the Wolfsberg Group, an association of twelve global banks that aims to develop frameworks and guidance for the management of financial crime risks, issued revised payment transparency standards, addressing the growing complexity of global payments. The Wolfsberg Group had previously issued updated guidelines on effective anti-bribery and corruption compliance programs in April 2023.
II. Regional Developments
A. Americas
1. U.S. Anti-Money Laundering Regulatory Updates
In the United States, the most critical development in 2023 has been the continued conversation around the U.S. Department of the Treasury’s Financial Crimes Enforcement Network’s (FinCEN) regulatory activity regarding the Corporate Transparency Act of 2021 (CTA). FinCEN issued its highly anticipated rule implementing the beneficial ownership reporting requirements on September 30, 2022. The rule produced the most significant revisions to the U.S. AML compliance framework in more than twenty years, implementing sweeping beneficial ownership disclosure requirements applicable to all U.S. entities as well as foreign entities registered in the United States. Beginning on January 1, 2024, the rule requires all covered entities (reporting companies) to provide FinCEN with detailed information regarding natural person beneficial owners as well as individuals who substantially control such entities, unless the entity meets certain defined exemptions set out in the rule. As issued, the rule requires reporting companies to make such filing within thirty days of formation. Reporting information will also have to be updated within thirty days of any change. Companies formed prior to January 1, 2024, will have until January 1, 2025, to make initial filings.
On November 30, 2023, FinCEN issued a rule extending the deadline for certain reporting companies to file their beneficial ownership information (BOI) reports with FinCEN. Reporting companies created or registered in 2024 will have ninety calendar days from the date of receiving actual or public notice of their creation or registration becoming effective to file their initial reports. FinCEN will not accept BOI reports from reporting companies until January 1, 2024.
Penalties for violations of the rule will apply only to willful violations, including willful failure to file, willful provision of false or fraudulent information, or willfully failing to provide complete or updated information. The rule does not provide for penalties in the case of negligent or reckless failures.
The September 2022 rule was the first of three rulemakings required to implement the CTA. It addressed neither access to the information collected and safeguards to ensure that it is secured, nor required revisions to FinCEN’s customer due diligence rules to incorporate this new process. On December 15, 2022, FinCEN issued a Notice of Proposed Rulemaking implementing provisions of the CTA on security and confidentiality to protect sensitive personally identifiable information reported to FinCEN.
On November 8, 2023, FinCEN issued a final rule on the use of FinCEN identifiers for reporting beneficial ownership information of entities. The rule specifies when and how entities required to report beneficial ownership information to FinCEN may use a FinCEN identifier to report beneficial ownership information. FinCEN has not yet issued a final rule regarding beneficial information access and safeguards.
Another closely watched area of development in the U.S. AML world remains the proposed regulation under the Establishing New Authorities for Business Laundering and Enabling Risks to Security Act (“Enablers Act”) of certain previously unregulated categories of service providers regarded as gatekeepers or otherwise potential facilitators of money laundering. The proposed legislation would bring under the ambit of the U.S. Bank Secrecy Act providers of (i) corporate structuring and formation services; (ii) trust services; and (iii) third-party payment services, as well as legal and accounting services to the extent that they facilitate services described in (i) through (iii). If passed, the legislation could result in significant new regulatory burdens for corporate formation agents, trustees, and law or accounting firms. These regulatory burdens could result in implementation of robust customer due diligence programs and potential requirements to monitor and file reports relating to suspicious transactions engaged in by clients (i.e., suspicious activity reports or SARs).
The Enablers Act has received broad bipartisan support in the U.S. Congress. But, the U.S. Senate nevertheless blocked passage of the Enablers Act in December 2022. The legislation is expected to be reintroduced as a standalone bill to face more lengthy debate over its specific terms in the near future. Another developing area is digital assets regulation. In December 2022, FinCEN announced digital asset regulation as a “key priority area.”
Additionally, on April 10, 2023, the U.S. Department of the Treasury published the 2023 De-risking Strategy pursuant to the Anti-Money Laundering Act of 2020 (AMLA). The Strategy “summarizes key findings and recommendations to address the issue of de-risking, which refers to financial institutions terminating or restricting business relationships indiscriminately with broad categories of customers rather than analyzing and managing specific risks associated with those customers.” Among other recommendations, the report recommends “clarifying and revising anti-money laundering (AML/CFT) Bank Secrecy Act (BSA) regulations and guidance for Money Service Businesses, and proposing regulations that require financial institutions to have reasonably designed and risk-based AML/CFT programs supervised on a risk basis, possibly taking into consideration the effects of financial inclusion.”
2. Cayman Islands Anti-Money Laundering Regulatory Updates
For the Cayman Islands, 2023 marks the removal from the FATF list of “jurisdictions under increased monitoring,” as well as the continuation of a long series of reforms of the AML/CFT frameworks. A revised version of the Anti-Money Laundering Regulations (AMLR) was published in January 2023, consolidating prior amendments. In August 2023, revised Guidance Notes on the Prevention and Detection of Money Laundering (ML), Terrorist Financing (TF), and Proliferation Financing (PF) were issued, incorporating changes to facilitate the use of e-KYC and Remote Customer Due Diligence, in line with existing FATF-issued guidance on digital identification. The new rules now permit remote onboarding of clients and the use of e-KYC and digital identification technologies on an ongoing basis, where appropriate based on the risk assessment of clients.
At the same time, the Cayman Island government published the Beneficial Ownership Transparency Bill, 2023, aimed at fulfilling the commitment made in 2019 concerning the introduction of public registers of beneficial ownership information.
3. British Virgin Islands Anti-Money Laundering Regulatory Updates
The British Virgin Islands (BVI) are currently being evaluated by the FATF. Following an onsite visit in March 2023, the mutual evaluation report is expected to be finalized and published by the end of 2023 or early 2024.
One of the major areas of focus for BVI in 2023 has been the Virtual Assets Service Providers Act (VASP Act) that took effect in February 2023, requiring persons providing virtual asset services to be registered with the Financial Services Commission (FSC) to perform such activities. Persons that conducted these activities prior to February 1, 2023, were allowed until July 31, 2023, to submit applications for registration.
In addition, the FSC and partnering agency BVI Financial Investigation Agency (FIA) published the 2022 Virgin Islands ML Risk Assessment Report in June 2023 and hosted a live webinar to elaborate on the findings in July 2023.
B. Asia Pacific
1. Singapore Anti-Money Laundering Regulatory Updates
In Singapore, the Monetary Authority of Singapore (MAS) recorded more than $20 million in penalties in its Fourth Enforcement Report, as well as high-profile enforcement actions against four financial institutions for insufficient AML/CFT measures. This comes following a background of increased enforcement actions and additional scrutiny in 2023. In April 2023, Singapore’s Ministry of Home Affairs proposed stricter laws against money mules, via amendments to the Corruption, Drug Trafficking, and Other Serious Crimes (Confiscation of Benefits) Act and the Computer Misuse Act, which would hold money mules criminally liable for their actions.
In May 2023, new guidance for financial institutions was published on CFT controls, following an industry-wide survey which considered CFT-related controls and assessed understanding of terrorist financing.
Also in May 2023, parliament passed the Financial Services and Markets (Amended) Bill creating a regulatory framework for MAS secure information-sharing platform, Collaborative Sharing of Money Laundering/Terrorist Financing Information and Cases (COSMIC), which is due to launch in the second half of 2024. Financial institutions will be required to use the network to share information about customers and transactions when “material risk thresholds” are breached. Singapore is also proposing to close loopholes for single-family offices (SFOs) and adding new investor protection measures for Digital Payment Token service providers.
C. Europe and the Middle East
1. U.K. Anti-Money Laundering Regulatory Updates
In February 2023, the U.K. Office of Financial Sanctions Implementation (OFSI) issued new public guidance on ransomware and financial sanctions, reminding the industry that making ransomware payments to designated entities is prohibited and that breaching financial sanctions is “a serious criminal offense.” This correlates with industry reports indicating that the U.K. has the highest number of cybercrime victims per million internet users.
Also, in February 2023, the U.K. government announced that fraud would be reclassified as a national security threat. According to the 2022 cross-government fraud landscape report, public sector fraud and error loss are estimated at £33 billion annually. As a result, a new fraud strategy was published by the U.K. government in May 2023, setting out over fifty measures to reduce fraud and cybercrime by ten percent by 2025. The 2022 Annual Fraud Report published by U.K. Finance revealed that more than £1.2 billion was stolen by criminals through authorized and unauthorized fraud in 2022.
On March 30, 2023, the U.K. government published its new three-year Economic Crime Plan (2023–2026), proposing a “more comprehensive” approach to improving the effectiveness of U.K. money laundering regulations after a disappointing 2022. The plan is centered around several initiatives, including reforming the role of Companies House for more transparency and limiting the abuse of corporate structures (the Economic Crime and Corporate Transparency Bill), supervisory reform, increasing enforcement for the use of crypto/virtual assets to launder illicit funds, improving suspicious activity reports (SARs), and recovering more criminal assets. The plan also highlights increased cooperation with the United States, the European Union, and other jurisdictions, and support of the NCA’s Combatting Kleptocracy Cell.
In April 2023, the Financial Conduct Authority (FCA) introduced new measures for financial institutions after a report estimated that hundreds of millions of British pound sterling are laundered each year in the U.K. through the cash deposit channel at the Post Office. In July 2023, the U.K. government called on the FCA to review its guidance on risk management for politically exposed persons (PEPs) among reports that some financial institutions are restricting the access of PEPs and their associates to financial services. It is possible that bank de-risking and financial inclusion will be among the big trends for 2024.
Finally, in June 2023, HM Treasury released another consultation paper on the Reform of the Anti-Money Laundering and CounterTerrorism Financing Supervisory Regime, part of the reform plan under the Economic Crime Plan, after a 2022 report had noted that supervisory standards for the accountancy and legal sectors did not reflect the sectors’ high risk.
2. EU Anti-Money Laundering Regulatory Updates
In the European Union (EU), the long-term goal of a pan-European AML/CFT program is now closer with the creation of the EU Anti-Money Laundering Authority (AMLA). The proposed AML/CFT framework continues to progress through legislative processes. AMLA is expected to become fully operational in 2026 and will monitor, support, and coordinate AML/CFT efforts in the EU. Although the responsibility for AML/CFT currently remains in the hands of member states, AMLA is intended to have direct supervision over the riskiest entities with a focus on large lenders and non-bank financial institutions and will also have the ability to impose fines. During 2023 negotiations, the Parliament requested that AMLA be given additional powers. The AMLA is expected to help harmonize supervisory practices, oversee high-risk and cross-border financial entities, and coordinate financial intelligence units (FIUs). AMLA is intended to be fully independent with its own executive board and will be able to act internationally through the FATF and through its relationships with third countries.
Another major development which dominated both 2022 and 2023 is the new EU Market in Crypto-assets (MiCA) regulation, providing a comprehensive regulatory regime tailored specifically to crypto-assets. This regime includes an EU-wide registration, although businesses will be required to register in each country separately under AML/CFT regulations. MiCA integrates into a wider net of EU regulatory frameworks that are currently in place or being developed, including AMLA, a reform of the AML/CFT rules, and the Transfer of Funds Regulation (TFR), which requires that information about the sender and the beneficiary of a transaction travel together with the funds (fiat or crypto). The TFR was endorsed by the Parliament and Council in April and May 2023 and will come into effect in January 2025, roughly in parallel with the MiCA regulation, bringing a broad spectrum of digital service providers into EU financial regulation.
Reinforcing this collaboration trend, EU countries are increasing their efforts to combat terrorism via Eurojust, with more flexibility to provide information related to terrorism cases via the European Judicial Counter-Terrorism Register (CTR) after an amendment to the Eurojust Regulation on October 31, 2023. In September 2023, Europol issued its first pan-European financial and economic crime threat assessment. This assessment discussed threats of money laundering, corruption, and organized crime, and highlighted several EU sanctions evasion methods (e.g., concealing beneficial ownership, fraudulent documents and intermediaries, and using third countries to send transactions from Russia).
In the banking industry, the European Banking Authority (EBA) published a report in June 2023 on the money laundering and terrorist financing (ML/TF) risks associated with EU payment institutions. This report found that ML/TF risks in the sector may not be assessed and managed effectively by institutions and their supervisors. In addition, the report highlighted emerging risks due to “white labeling” (i.e., a bank providing its license to an independent third party for business purposes), virtual international bank account numbers (IBANs), which cannot hold a balance, and third-party merchant acquiring (i.e., when a payment processor outsources part of the process to a third party and depends on outside AML/CFT controls).
In August 2023, the EBA published its third report on the functioning of AML/CFT colleges, which are the permanent structures that serve to enhance cooperation between different supervisors involved in the supervision of cross-border institutions in the EU. The report noted that these new institutions had not reached maturity as approximately fifty colleges had not held their first meeting, and the sharing of relevant information remained insufficient.
3. United Arab Emirates Virtual Assets Updates
The United Arab Emirates’ (UAE) Cabinet Resolution No. (111) of 2022 Concerning the Regulation of Virtual Assets and their Service Providers (the Resolution) is a landmark piece of legislation that established a comprehensive regulatory framework for the UAE’s virtual asset sector. The Resolution, which came into effect on January 13, 2023, is designed to protect investors and promote the responsible development of the virtual asset industry. Under the resolution, a virtual asset is defined as “[a] digital representation of value that can be digitally traded or transferred, and can be used for investment purposes. It does not include digital representations of paper currencies, securities, or other funds.” The Central Bank of the UAE (CBUAE) does not recognize virtual assets as legal tender in the UAE, as the only legal tender in the UAE is the UAE dirham. Businesses that accept virtual assets as payment assume any risk associated with the future acceptance or recognition of virtual assets.
Under Articles 9 and 15 of the AML-CFT Law, virtual asset service providers (VASPs) must report suspicious transactions and related information to the UAE Financial Intelligence Unit (FIU). VASPs are defined as businesses that provide services related to virtual assets, such as trading, custody, and exchange, but exclude internal transfers of virtual assets by a single legal person and the acceptance of virtual assets as payment for goods and services. VASPs are overseen by the Virtual Asset Regulatory Authority. Under Articles 13 and 14, supervisory authorities are authorized to assess the risks of VASPs, conduct inspections, and impose administrative penalties on VASPs for violations of applicable laws and regulations. The Resolution mandates the licensing of all VASPs operating in the UAE, with the exception of those operating in financial free zones.
The CBUAE licenses payment token service providers (PTSPs) under the Retail Payment Services and Card Schemes Regulation. PTSPs are businesses that issue, buy, sell, exchange, or facilitate payments to merchants, enable peer-to-peer payments, or provide custodian services for payment tokens. Payment tokens are a type of cryptocurrency backed by fiat currencies that may be digitally traded and used as a medium of exchange, unit of account, or store of value, supported only by agreement within the community of users.
The Resolution notes that under the Stored Values Facilities (SVF) Regulation of 2020, the CBUAE licenses and supervises providers of SVFs. SVFs are facilities that allow customers to store money or “money’s worth” and transfer it as a means of payment. Under the SVF Regulation, “money’s worth” includes other forms of monetary consideration or assets, such as values, reward points, cryptocurrencies, and virtual assets. If SVF providers engage in virtual asset exchange or transfer activities, or other VASP activities, they must be licensed by UAE authorities.
The Resolution reiterates the Abu Dhabi Global Market 2018 regulatory framework for virtual assets and the Financial Services Regulatory Authority’s Financial Services and Markets Regulations of 2015. The Dubai Financial Services Authority regulates crypto in the Dubai International Financial Centre and updated its regulatory framework for crypto assets in 2022 to include crypto tokens.
D. Africa
1. South Africa Anti-Money Laundering Regulatory Updates
On February 24, 2023, South Africa found itself on the FATF “grey list,” signifying an increased level of scrutiny and prompting the jurisdiction to take significant steps in adapting its regulatory framework. Despite being added to the grey list, South Africa has vowed to persist in enhancing its AML/CFT system, not only to meet FATF requirements in targeted areas but also to bolster its overall ability to combat money laundering, terrorist financing, corruption, and financial crimes, thereby benefiting the nation, its economy, financial system, and the safety of its citizens. The evolving landscape reflects the nation’s commitment to fostering innovation and protecting consumers in the digital age.
As a showcase to South Africa’s commitment to and the implementation of the FATF Recommendations, the Intergovernmental Fintech Working Group, together with the Financial Intelligence Centre (FIC), paved the way by publishing a position paper outlining the definition of crypto assets and regulatory measures for Crypto Asset Service Providers (CASPs), which aligns with international best practices and FATF Recommendations. Following thereon, the South African Reserve Bank (SARB) classified cryptocurrency as a financial asset, requiring crypto exchanges to adhere to exchange control laws and AML/CFT rules. The SARB also issued guidelines allowing financial institutions to handle funds related to digital assets and encouraged banks not to indiscriminately block all crypto clients, enabling them to act as intermediaries for crypto transactions and facilitate fiat currency conversions. Towards the end of 2022, the Financial Sector Conduct Authority (FSCA) declared crypto assets as “digital representations of value” subject to regulation in South Africa, including foreign exchange controls and licensing requirements.
Several key pieces of legislation underpin South Africa’s digital asset regulatory framework, including the Financial Advisory and Intermediary Services (FAIS) Act, FIC Act, and guidance from the SARB and South African Revenue Service (SARS) on taxation of cryptocurrencies. The latest regulatory developments, which include the implementation of a license framework for CASPs, represent a significant stride in enhancing consumer protection through the imposition of accountability measures on CASPs.
As of June 2023, CASPs can apply for licenses from the FSCA under the FAIS Act, and they are granted a leniency period that extends until December 2023 for this purpose. To streamline the transition for CASPs, applicants can continue offering financial services related to crypto assets without a license if they apply for a license during the designated exemption period. This exemption remains in effect until the approval or rejection of the license application. CASPs must adhere to specific legal, operational, and compliance standards. This includes appointing a compliance officer who must be actively involved in the day-to-day operations and designating a Key Individual with a recognized qualification as well as relevant knowledge and experience. The FIC Act also imposes AML/CFT requirements on CASPs. The upcoming year will be pivotal to observing South Africa’s response to its greylisting and the progress of CASP applications and registrations.
III. Enforcement & Litigation Trends - United States
In the United States, 2023 included several high-profile AML enforcement actions by U.S. federal and state regulatory authorities, including FinCEN, the Office of Foreign Assets Control (OFAC), the Securities and Exchange Commission (SEC), New York State Department of Financial Services (NYDFS), Internal Revenue Service (IRS) Criminal Investigation, among others. Key themes include AML program deficiencies, failures regarding suspicious activity reports (SARs), sanctions violations, and fraud in the digital assets market.
On January 4, 2023, the NYDFS and Coinbase, Inc. entered into a consent order under which Coinbase, a major cryptocurrency exchange, agreed to pay a $50 million penalty and commit to investing an additional $50 million to remediate and enhance its compliance program over the next two years. Coinbase also agreed to extend a previously appointed Independent Compliance Monitor for an additional year.
On January 18, 2023, FinCEN issued an order identifying virtual currency exchange Bitzlato as a “primary money laundering concern” in connection with Russian illicit finance. FinCEN determined that Bitzlato is a financial institution operating outside of the United States. Bitzlato “plays a critical role in laundering Convertible Virtual Currency by facilitating illicit transactions for ransomware actors operating in Russia, including Conti, a Ransomware-as-a-Service group with links to the Russian government.” As a result of FinCen’s determination, certain fund transfers by covered financial institutions involving Bitzlato are prohibited.
On February 9, 2023, the SEC charged Payward Ventures, Inc. and Payward Trading, Ltd., both commonly known as Kraken, with “failing to register the offer and sale of their crypto asset staking-as-a-service program, whereby investors transfer crypto assets to Kraken for staking in exchange for advertised annual investment returns as much as twenty-one percent.” To avoid litigation, “the two Kraken entities agreed to immediately cease offering and selling securities through crypto asset staking services or staking programs and to pay $30 million in disgorgement, prejudgment interest, and civil penalties.”
On March 30, 2023, Wells Fargo Bank, N.A. settled with OFAC for $30 million in relation to apparent violations of three sanctions programs. From 2008–2015, “Wells Fargo, and its predecessor, Wachovia Bank, provided a foreign bank located in Europe with software that the foreign bank then used to process trade finance transactions with U.S.-sanctioned jurisdictions and persons.” Wells Fargo did not identify or stop the European bank’s use of the software platform for trade-finance transactions involving sanctioned jurisdictions and persons for seven years, despite potential concerns raised internally within Wells Fargo on multiple occasions. The settlement amount reflects OFAC’s determination that Wells Fargo’s 124 apparent violations, which occurred between approximately December 27, 2010 and December 7, 2015, were voluntarily self-disclosed.
On November 28, 2023, FinCEN and OFAC announced a settlement with Binance Holdings Ltd. and its affiliates, the world’s leading virtual currency exchange. Binance settled with FinCEN for $3.4 billion and with OFAC for $968 million for violations of the Bank Secrecy Act (BSA) and apparent violations of multiple sanctions programs. Binance maintained a significant U.S. user base without registering with FinCEN. Binance also failed to maintain an effective AML program; it has never filed a SAR with FinCEN as required by the BSA, and it did not begin to collect KYC information until May 2022. FinCEN entered a consent order with Binance and its founder, CZ, which, in addition to assessing a civil monetary penalty of $3.4 billion, imposed a five-year monitorship and required significant compliance undertakings, including ensuring Binance’s complete exit from the United States. OFAC also entered a consent order with Binance for violations of multiple sanctions programs.