This blog will end with a simple “yes” or “no” question.
On October 10, 2024, the Financial Crimes Enforcement Network (FinCEN) announced a record-breaking $1.3 billion penalty against TD Bank. This serves as a stark reminder of the consequences of financial institutions failing to maintain robust anti-money laundering (AML) and know-your-customer (KYC) compliance programs.
More importantly, this unprecedented action underscores the increased scrutiny financial institutions and other regulated corporations are facing in an era of digital transformation and evolving illicit activities.
The measurement of our jaw drop, however, is no surprise—this is entirely consistent with the approach and activity of FinCEN in recent years. And coupled with the fact that we are still dealing with the “same old problem” that regulators sought to manage with the Bank Secrecy Act of 1970 (as updated, the BSA), the key demands remain the same for chief executive, compliance, and risk officers (not to mention general counsels).
Paving a cobbled path
FinCEN is in the unenviable role of key enforcement officer in the US to combat money laundering (MF), terror financing (TF), and other financial crimes—a challenge that is even more mind-boggling given the explosion of financial transaction volumes in traditional and online settings, with the added swerve of new crypto currencies, and an exponential improvement in technology to assist the Dark Side with their closeted activity.
With the odds firmly against them, the agency has since 2019 led this challenge through the issuance of several significant guidance and advisory releases and regulations, from a range of angles, some of which have directly impacted the identity verification (IDV) and remote onboarding landscape.
Some notable examples include:
Joint FinCEN industry programs
Following the passing by congress of the AML Act in 2021, FinCEN developed new programs such as the FinCEN Exchange to facilitate a voluntary public-private exchange between FinCEN, various national security agencies and industry.
One primary goal of this initiative was improving communication of critical information to disrupt ML, TF, and other financial crimes. Similar programs have opened with tech vendors for FinCEN to gain a better perspective on current best-in-tech solutions.
Office of the Comptroller of the Currency (OCC) Office of Financial Technology (OFT)
In October 2022, the OCC (a sibling federal branch to FinCEN, sitting under the Department of the Treasury) announced the formation of the OFT. The OFT issued guidance in June 2023 on third-party risk management, an interesting outline of recommendations on how banking organizations should consider their selection and management of relationships with third-party suppliers, notably fintech companies.
Such guidance included the notion that when engaging outside vendors, you are only as good as they are—a theme that supports FinCEN motivation for AML/KYC effective compliance.
Beneficial ownership information
In 2021, FinCEN issued guidance on the implementation of the Beneficial Ownership Information Reporting Act, which requires certain legal entities to report information about their beneficial owners to FinCEN. This manifested in the Corporate Transparency Act, which requires reporting on beneficial ownership information, with first deadlines by January 1, 2025.
This mandate has placed a greater emphasis on the need for accurate and up-to-date IDV of beneficial owners.
Virtual currency
As early as 2019, FinCEN issued an advisory on virtual currency (relating to money services businesses), highlighting the risks associated with its use in ML and TF. This led to increased scrutiny of financial institutions that deal with virtual currencies, including the need for robust identity verification and transaction monitoring.
As a follow-on, in October 2023, FinCEN released its proposal of rulemaking to extend virtual currencies as a class of primary ML concern.
Human trafficking
Human trafficking is perhaps not a type of risk that a financial institution has in mind when executing its ID verification approach. FinCEN considers it worthy enough, as noted in its 2021 guidance release on human trafficking, highlighting the role that financial institutions can play in combating this crime.
This guidance emphasized the need for robust IDV and transaction monitoring to detect suspicious activity related to human trafficking. A window into the result of this effort appears in FinCEN’s February 2024 release reflecting significant increases in BSA reporting associated with the use of virtual currency and online child sexual exploitation and human trafficking.
Shouting from the rooftops
As additional context on the challenges of FinCEN in countering more current attack vectors, FinCEN issued these releases over the past year:
“Pig butchering”
In September 2023, FinCEN issued an alert on a prevalent virtual currency investment scam commonly known as “pig butchering.” This scam involves fraudsters targeting victims online and luring them into investing in fake cryptocurrency platforms.
FinCERN’s alert highlighted the need for financial institutions to be aware of this scam and to take steps to protect their customers.
Counterfeit US passport cards
In April 2024, FinCEN issued a notice alerting financial institutions to the use of counterfeit US passport cards to perpetrate identity theft and fraud schemes. The notice highlighted the need for financial institutions to be vigilant in detecting and reporting suspicious activity related to these counterfeit cards.
Anecdotally, both of these “trends” are very in line with the IDVerse experience and attacks that we see with high frequency on the ID verification and documentation authentication battle frontlines.
Also in the naughty corner
TD Bank is not the only bulge bracket financial institution that has been sent home with a note reporting its poor AML/KYC behavior. In September of this year, the OCC issued enforcement against Wells Fargo to resolve allegations of failing to implement effective KYC procedures including customer due diligence and its customer identification program (CIP).
The enforcement order called for, among other actions, “procedures to require the collection and verification of appropriate CIP information for the opening of new accounts.”
Identity verification is seemingly so innocuous in the KYC process—and yet it sits in a quiet corner underpinning one of the most damning AML enforcement actions in US history.
The TD action at a glance
The TD Bank enforcement action is the largest settlement against a depository institution in US Treasury and FinCEN history. In reading the tone of FinCEN—even outside of the size of the penalty—the agency was quite stern in its delivery of the enforcement notice:
“The vast majority of financial institutions have partnered with FinCEN to protect the integrity of the U.S. financial system. TD Bank did the opposite. From fentanyl and narcotics trafficking, to terrorist financing and human trafficking, TD Bank’s chronic failures provided fertile ground for a host of illicit activity to penetrate our financial system.”
Despite knowing its AML program was deficient, TD Bank failed to properly verify customer identities, allowing individuals to open accounts using fraudulent information. This enabled illicit actors to exploit the bank for ML, human trafficking, and other criminal activities.
The $1.3 billion penalty and four-year monitorship underscore the severe consequences of such failures that could pervade so widely across an organization, and the importance of robust KYC compliance.
Implications for IDV & remote onboarding
When taking a Google Earth view of the stepping stones that FinCEN has laid out over the past few years, one can now notice the pattern. On a broad level, the agency pursues highbrow (low jaw-drop) FI targets to highlight best practice expectations for KYC practices.
Coupled with this, FinCEN advises FIs how to approach selecting their fintech partners while at the same time making sure that all non-tolerated behaviors (such as fast moving crypto and decades old human trafficking) are broadcast loud and clear as firmly within their net.
Status alert on IDV and identity document authentication technology expectations for AML/KYC compliance in Q4 of 2024: It is vividly clear that the real risks that regulators and enforcement agencies seek to blunt have not changed since the BSA was first inked. Even though the landscape has become even more complicated, further entangled by the surge in the number of customers and transactions to monitor.
We live in a world of online bots launching tens of thousands of attacks per second. There is no more romance in fraud artists as depicted by Leonardo DiCaprio in Catch Me if You Can.
To rise to the occasion, financial institutions and other regulated companies need tech that is:
- Accurate: Capable of reliably verifying the identities of customers, even in the face of fraud attempts.
- Efficient: Able to process large volumes of transactions quickly and efficiently.
- Compliant: Adhering to all applicable AML and KYC regulations, including those relating to expectations from third-party suppliers.
- Scalable: Capable of handling increased volumes of transactions and customers.
So…what is the question?
As promised, this blog will end with a simple yes or no question: C-suite, do you Know Your Customer?
About the post:
Images and videos are generative AI-created. Prompt: Disappointed Latina mom with arms crossed holding catching her son taking a cookie from a jar, son looks ashamed, humorous, animated style, colorful, exaggerated expressions, Pixar-inspired, kitchen background. Tools: Midjourney, Luma.
About the author:
Terry Brenner is the Head of Legal, Risk, and Compliance for IDVerse Americas. He oversees the company’s foray into this market, heeding to the sensitivities around data protection, inclusivity, biometrics, and privacy. With over two decades of legal experience, Brenner has served in a variety of roles across a diverse range of sectors.
