PODCAST
This Week in AML
Cybercrime, Sanctions, and Global Compliance
AML RightSource
Nov 07, 2025
In this episode of This Week in AML, Elliot Berman and John Byrne cover a wide range of global developments impacting financial crime compliance. Topics include new OFAC sanctions targeting North Korean cybercrime and updates from New York's Department of Financial Services on cybersecurity compliance. They also discuss the UN's new Cybercrime Convention, the closure of sanctioned Mexican banks, and identity verification reforms in the UK. Additional highlights include regulatory updates from the European Banking Authority, FINTRAC’s annual report, corruption investigations in Portugal, and California’s new data privacy laws. Tune in for insights on how these changes may shape AML strategies worldwide.
Cybercrime, Sanctions, and Global Compliance - Transcript
Elliot Berman: Hi John. How are you today?
John Byrne: I'm good, Elliot. Here in Virginia, we just had our off-year elections and we're gonna have for the first time ever a female governor, so that's always exciting. So that's good. Also today there's oral argument before the Supreme Court on whether or not the president has various types of unlimited power regarding tariffs. And why should we care? I think depending on how this shakes out, there could be obligations for financial institutions to track possible tariff evasions of their customers. Now that's not part of this case, of course, but you never know. I think we should always be paying attention to whatever's going up before the Supreme Court.
But given some of the economists I've talked to, I think that's a potential possibility. So it will be interesting 'cause we obviously deal with sanctions evasion, and that's one of the first things I'm gonna mention. But I also think that's something that could come down the road to be a possible compliance requirement. So we'll see. So anyway, that's as we're recording today.
But related to sanctions just the other day, the Treasury has sanctioned through OFAC, of course various illicit acts, schemes, including cyber crime and information technology worker fraud by the Democratic People's Republic of Korea. According to the press release, North Korean state sponsored hackers steal and launder money to fund the regime's nuclear weapon program. And that is one of the rationales for this and the press release also talks about the key enablers of cyber crime and IT workers. So it urged folks to take a look at the OFAC website for the information related to this recent sanction.
Elliot Berman: Staying on the theme of cybersecurity, New York's Department of Financial Services (NYDFS) published a press release and updated their cybersecurity resource center. They created this to assist explaining how to comply with the cybersecurity regulations that are in place for New York DFS regulated entities. And among other things, it provides, of course, links to industry guidance, some FAQs, detailed information on how to submit cybersecurity related filings including notification of DFS regarding compliance, cybersecurity incidents, and exemption status. Some organizations are exempt from parts of regulation. So another good resource. You and I have talked a fair amount over the last quarter or two about actions by DFS in part because we see some states, DFS probably being the leader, stepping in and doing things that we were used to seeing federal regulators and agencies doing.
And those agencies at the federal level are still doing it to some extent, but we are seeing some of the gaps being filled in by the bigger state level financial service regulators.
John Byrne: The United Nations Office on Drugs and Crime issued a report. The subtitle of the Five Reasons Why The New Cyber Crime Convention Matters. And so there's a legally binding agreement on cybercrime that was done after five years of negotiation. And the five key points were announced in late October. The convention talks about various issues. I'll just give you the headlines here. You can read the specifics when you have time.
A new tool for a growing threat. Around the clock cooperation. Another item, protecting children because of all the issues we've talked about before. Responding to victims' needs because as they say, anybody could be a victim of cybercrime. And then the final improved prevention. Responding to cyber crime incidents they say after they occur is not enough, there needs to be strong investment in prevention. And that's why that new cybercrime convention requests the various states to develop prevention measures, and that's training and rehab and programs for victims and more. So this is a document just issued late last week from the United Nations Office on Drugs and Crime.
Elliot Berman: In the last week or so three Mexican banks that were previously sanctioned by the US for being organizations of primary money laundering concern with illicit opioid trafficking have closed. Intercam Banco, CIBanco, and a brokerage firm, Vector Casa de Bolsa are all winding down their operations according to Mexican Banking Association. I think this is significant because it does show impact of sanctions.
On the other hand together these three organizations represent less than 2% of banking operations in Mexico. And I'm not proposing that we should start sanctioning the biggest banks in Mexico unless there's legitimate reason to do that. But it is interesting that these sanctions have actually caused these organizations to close.
John Byrne: Related to sanctions, but this is under the Export Control Act. The FBI has just announced a Belarusian citizen has been arrested for illegally exporting what they're calling US sourced aviation components to Russia.
So this citizen who most recently resided in Russia was extradited from France on an indictment charging her with conspiring to violate the Export Control Reform Act, to commit smuggling, money laundering and defraud the United States. So that was just announced by the FBI.
Elliot Berman: And in the UK, and we've talked about some of the precursors of this, Companies House, which is the federal level organization that issues company charters and manages that. For those of you in the US you are aware that if you wanna form a corporation, you get your charter from the state in which you choose to incorporate. In the UK, that is done at the federal level.
And in 2023, the UK passed the Economic Crime and Corporate Transparency Act, and it has had several phase in dates. Effective the 18th of this month directors and persons with significant control referred to there as PCSs, of UK companies are legally required to verify their identities when forming or controlling entities. So the policy is going to initially focus on newly formed companies, but Companies House has gone through and reviewed its records identified over 100,000 unverified identities.
And this is looking directly at addressing the fundamental vulnerabilities exploited in illicit finance, which is anonymity. And as we know here in the US after many years, to try to get some corporate transparency we've now reversed field. I think the view there is that this is going to make their registry useful and reliable tool as it fully forms up with this verification process for KYC and other activities by financial services companies to know who they're dealing with. An interesting thing happening there again, directionally different than what we're doing here in the US.
John Byrne: I'll say. Giving credit to the law firm Norton Rose Fulbright they posted a description of what the European Banking Authority did late last week. They responded to the EU's call for advice on six regulatory mandates under AMLA. And according to the description from the firm, they included drafting regulatory technical standards under methodology that supervisors will use to classify inherent and residual risks. Technical standards on risk assessment. Which institutions will directly it will directly supervise.
Also on information obliged entities will have to, as part of customer due diligence. And the way supervisors will classify breaches of the new regime by severity and the criteria they will apply when setting the amount of pecuniary sanctions or taking administrative measures. So the way this works, it falls to AMLA and consultation with the Commission to take these proposals forward. So again, giving credit to the firm for identifying this. This was done late last week by the European Banking Authority.
Elliot Berman: And the lens they use to provide, this advice is the principles of, and I'm quoting here from the article that you've referenced, the principles of a proportionate risk-based approach that can be applied effectively by financial institutions and their AML supervisors and is conducive to limiting the cost of compliance where possible.
So a balancing test there. You and I have spent the last 30 years talking about a risk-based approach. Maybe it's starting to come to the US. We'll see. But I thought that was interesting. I think what's happening in the EU is a great model for the rest of the globe, at least to see how a group of countries is moving from how they used to do it individually to a much more unified approach. And it's following in parallel with a lot of the things that FATF is doing.
John Byrne: Up in Canada FINTRAC has released its 2024-25 Annual Report subtitled Safe Canadians, Secure Economy. This has a whole host of recommendations.
Their financial intelligence disclosures to law enforcement contained more than 1.3 million transactions and included almost 8,700 subjects. They supported hundreds of major law enforcement investigations, including the things that we're all trying to deal with as combating fentanyl fraud, human trafficking, auto theft, and terrorist financing.
So the annual report is obviously on the FINTRAC website, which includes a lot of descriptions besides what we highlighted very quickly. They talk about public-private partnership. The need to be global leaders. And things like enhancing the awareness of money laundering, terrorist financing and sanctions evasion plus other related and relevant connecting topics.
So again, take a look at that annual report when you have a, when you have the time.
Elliot Berman: A bank in Portugal, Novo Banco, was raided by Portuguese Police recently. And its premises were searched along with the local office of the auditing firm, KPMG, as part of an investigation into suspected corruption linked to the sale of the bank's assets, is what the prosecutors have said.
So Novo Banco's got a checkered history. It was originally spun out of a bank that collapsed. Then those assets were purchased by a bank in France. And now those assets have been purchased again by a private equity firm. But the prosecutors have said that the facts in question are likely to constitute the crimes of active and passive corruption in the private sector, aggravated fraud and money laundering in the context of the sale of the assets over a period of years.
We've talked a lot about the challenges of corruption and the need for vigilance. This is an example of an investigation that's been ongoing in Portugal for quite some time. And John, I know that the Basel Institute issued a working paper that talks about corruption. You wanna talk about that?
John Byrne: Sure. Yes. And again, Basel is a group that if you don't already follow them on LinkedIn, you really should. They do excellent work. We've been fortunate enough to interview a number of them in the past. This particular document is called Understanding the Enemy, and it argues specifically that looking at networks rather than individuals, we can better understand how corruption functions.
So they said this is based on 15 years of research on informal networks. And there's recommendations in there on how to improve anti-corruption responses. So particularly they focus on collective action initiatives and explaining how emulating what they call quote positive aspects, unquote, of informal networks can make them more effective.
Again, go to the Basel website for their new working paper. This is the Basel Institute on Governance. Just posted in the past 24 hours that from when we recorded.
Elliot Berman: And it's Working Paper 60. John I know that we have a webinar coming on the 20th. There's still time for folks to register for that. Can you tell us a little bit about that?
John Byrne: Sure. So this is covering broadly the issue of global compliance challenges, and we have representatives that are international and focus on US, EU, Asia Pacific region. And they'll give us insight regarding the need for measuring effectiveness and consistency and just recommendations on all the different challenges that we have. I think you're gonna find this extremely not just relevant, but important and useful as you train your staffs regarding global compliance.
I did wanna mention one other item. We did talk about FATF in detail 'cause they just finished their October plenary. After plenaries they issue final reports on a number of things. And in case you missed it, they did do their October 2025 update of the FATF Recommendations. So that report is available on the FATF website.
I won't give you the highlights. You can take a look at that. But again, after every plenary, there's always a number of reports in the next month or two that FATF will finalize. So it's always important not just to look at the outcomes from the plenary, but certainly the reports, guidance documents, and other things that are issued after that particular plenary.
Elliot Berman: Well, John anything else you wanna talk about?
John Byrne: There's quite a bit going on. I think that's it. I did see, again, giving credit to various law firms that do some really good work, Perkins Coie reported that California has seven new data privacy laws that just went into effect. So I would just leave that to those that pay attention to the privacy aspects of AML and related topics to take a look at that. Again, these are state laws. A lot of times if California or New York or some of these larger states do certain things, they can be bellwethers of what other states, and maybe even in some cases what may happen at the federal level.
These are a series of laws that deal with social media and data brokers and all sorts of things that challenge all of us as compliance professionals and frankly, as members of communities.
Elliot Berman: Okay, John. You have a good rest of the week and I will talk to you next week.
John Byrne: Take care. See you soon.
Elliot Berman: You too. Bye-bye.

