In this episode of This Week in AML, Elliot Berman and John Byrne cover a wide range of pressing topics in the anti-money laundering and financial crime compliance space. They discuss the UK’s latest sanctions targeting Russian energy giants, the European Banking Authority’s report on crypto asset risks, and the Charity & Security Network’s concerns about IRS scrutiny of nonprofits. The hosts also explore a revealing OCCRP investigation into corruption linked to Iraqi Kurdistan’s ruling family and break down FinCEN’s new FAQs on suspicious activity reporting. Plus, updates on GTO extensions and staffing concerns in EU regulators.
Sanctions, SARs, and Staffing: Global AML Challenges and Regulatory Trends - Transcript
Elliot Berman: Hey, John, how are you today?
John Byrne: I'm good, Elliot. Folks know that we record this midweek This Week in AML. Many times we've talked about things that occur after on Thursday and Friday, and obviously we'll pick 'em up in the following week. You can almost do a Today at AML given everything that's going on in the world. So, uh, I, everybody's well aware, not just in the states, but, but internationally.
And so I'll start with something I just saw this morning that we talked about offline briefly, and that's, uh, a report in the Daily Mirror in the UK that the, uh, United Kingdom has issued additional sanctions, part of 90 new sanctions attempting to go at the heart of Russia's economy. But two of them, uh, deal, deal directly with some of the world's biggest energy companies. And that's Rosneft and Lukoil. So the Foreign Secretary, Yvette Cooper told parliament that they were doing this and it's designed to obviously ramp up pressure on Moscow's economy and that the Foreign Office itself, uh, said that Rosneft alone is responsible for, uh, 6% of global and nearly half of all Russian oil production.
Elliot Berman: I saw that as well. Staying in Europe, rather I also saw that the European Banking Authority, EBA issued a report dealing with money laundering and terrorist financing risks in Crypto asset services. Did you see that report?
John Byrne: Yeah. The, it's a, it's a about a 30 page report and so I ask folks, you should take a look at it when you get a chance. It summarizes, uh, what they're calling lessons learned from actions that are recently taken by various authorities and the EBA regarding identifying and managing those risks, again, with the crypto businesses, but before and immediately after the implementation of their, uh, new regulatory framework.
So, and it also highlights, um, various safeguards that are designed to address these risks. And obviously, uh, they're hoping all of these rules with the safeguards will help with, um, stricter governance requirements, transparency and beneficial ownership. And then of course, equally important, they say a strong cross border cooperation, so information sharing and public transparency. So, uh, interesting report, obviously an issue that we care about here in the states and everybody cares about globally as well.
Elliot Berman: Yes. It's structured in a way where they pose an issue and then talk about use cases. And while they specifically tie the use cases to the various elements of of the regulations and rules in the across the EU I thought that the use cases in many situations were very valuable regardless of whether you're in the EU or not. It's well worth a read through. Uh, John, where do you want to go? I know you saw something from the Charity & Security Network. Do you wanna talk about that?
John Byrne: Yeah, so, um. That's an organization again, we have done several podcasts with representatives from uh, CS&N. And, uh, they are a group that was actually created after 9/11 because of the fears that some of the laws and regulations in the PATRIOT Act and some of the other adjacent rules could unintentionally harm the work of civic organizations and, uh, humanitarian groups.
They have a newsletter, a free newsletter, so I would suggest folks subscribe to it so they cover issues, not just in the US but uh, across the globe. And actually this week, myself and several others are gonna be participating in a round table, uh, that they, uh, have set up to deal with a number of these types of issues and sort of recommendations from the financial sector on how humanitarian groups can better understand what requirements might be that banks and others need.
But in, in any event, long way to get to the point. The point is that, their headline in this special edition of their newsletter, talks about a letter sent to the Internal Revenue Service from the Ways and Means Committee in the US House. The date of the letter was two years, obviously after the horrendous attacks by Hamas in Israel. And, the letter though is asking the Internal Revenue Service to strip away several US based NPOs of their 501(c)(3) tax exempt status. By alleging that those organizations are suspected of supporting terrorist activity. But frankly, CS&N and others have said there has really been no evidence of that.
I'm not speculating one way or the other, but I think it's important to note that the Ways and Means Committee is asking for the IRS to do this. And there has been some concern, Elliot, from others that the IRS could be utilized in the future to target certain entities and perhaps individuals not dissimilar from what was a major problem in the Nixon administration way, way back when.
But I would urge folks to take a look at what CS&N has put together. The letter is there. It's also a reaction to one of the, um, executive orders issued by the Trump administration, the most recent dealing with domestic terrorism. So, uh, I, again, I think this is an, an area that does impact the AML community because of what we may be required to do, detect and report. So I, I urge folks to take a look at, uh, what the Charity and Security Network has put together and some of their concerns, and of course, what the administration, their concerns are as well.
Elliot Berman: Yeah, very concerning. Um, still a, an evolving thing that we need to pay attention to. I wanna go back to the EU for a moment. Last week we talked about the fact that AUSTRAC, uh, the FIU in Australia had raised concerns about the fact that some of the major financial institutions in Australia had gone through a series of layoffs and reminding those institutions that if they have laid off people in the compliance space, that will not be an excuse for poor compliance.
This week saw the, EBA, European Banking Authority commenting on the fact that staff shortages in EU regulators are raising its concerns about whether or not those regulators can effectively police anti-money laundering compliance. The report that they have notes that a lack of budget support can be a reflection of limited political will.
Kind of interesting to watch now in, back to back weeks, we've seen concerns about support for financial crime compliance in Australia at the institution level and now in the EU, concerns about it at the regulatory level. So again, something that I'm sure we'll see more on through time, but people should keep an eye on that, particularly if you are in the EU or regulated by anybody in the EU.
John Byrne: Yeah, Elliot, we, um, pattern ourselves a little bit after Pardon the Interruption, a sports show in which two individuals talk about a number of issues and at the very end they always said, what did we mess up? So I want to do midway what I already messed up. The Charity and Security Network, so it should be C&SN. When I went CS&N people might have thought I was talking about Crosby, Stills and Nash. So,
Elliot Berman: Which you could have been.
John Byrne: Which I could have been. So I am, well, I am well aware of the Charity & Security Network. Anyway, go ahead.
Elliot Berman: And then, uh, I want to go to another organization that you've brought a lot of information from to our listeners, and that's the OCCRP. I know that you saw an in-depth, uh, report from one of their investigations that you wanted to talk about today.
John Byrne: Right. That's an organization, investigative journalists, one of several, the Organized Crime and Corruption Reporting Project. This is a again, these are international investigative journalist. This particular investigation the, and the headline is huh Mansions, horses and Designer bags. Al the ruling family of Iraqi Kurdistan Splurged. In the us So this story is very interesting. Here's some of the key findings from the investigation.
These are the quote Barzani brothers. Uh, their various acquisitions included a six bedroom mansion multiple apartments near Washington, DC places in Florida, Texas, California. They were purchased through offshore companies named after characters. In no lie quote, the parents, the Pirates of the Caribbean, unquote films, more than $10 million were used.
For these purchases originated from a Golden Eagle Global, which is an Iraqi Kurdish conglomerate that leaked documents suggest were controlled by the youngest of the brothers. Another $18 million came from the Ster Group. That's another conglomerate that the leak documents described as being under control of the Prime Minister, Masrour Barzani.
So, um, also the story does say that the lawyers for Barzani vehemently reject any wrongdoing and pointed to anti corruption measures that he had announced in Iraq Kurdistan. Anyway, interesting story that it does impact the US as well. I know this is an ongoing investigation but urge folks to take a look at this again, this is the organized crime and corruption reporting project.
They do excellent work and we appreciated the fact that our colleague Kevin Hall, reached out to us, uh, and let us know that this investigation was now posted on their website.
Elliot Berman: Even though the Foreign Corrupt Practices Act and other related corruption barriers in the US or related to US companies have been relaxed this kind of reporting reminds us that corruption is still going on worldwide. Some of it is touching the US or the funds related to it may be flowing through US institutions. And so, I think that following these types of organizations so that we're aware of what's happening and can be sure that our processes for detection are tuned to identify this if it happens to flow through our institution is still important.
So John, I I think the other things we wanted to talk about were FinCEN related. So where would you like to start there?
John Byrne: Actually before we, we jump into that, OFAC and FinCEN, in conjunction with, the UK they took, uh, action against the cyber criminal networks in Southeast Asia. So that's, uh, something called the Prince Group Transnational Criminal Organization. So that was one. And then you highlighted the, um, the extension of the GTOs. Do you wanna talk about that?
Elliot Berman: Yes. So, as we've talked about in the past, there are a number of geographic targeting orders that FinCEN has been using in the residential real estate space. We've also talked about the fact that the real estate reporting rule effective date was pushed back, uh, recently by FinCEN to March 1st, 2026. The GTOs that continue to cover the responsibility of title companies to identify the natural persons behind shell companies used in non-financial non-finance, rather purchase of residential real estate have been renewed.
They will now expire on February 28th, 2026 because that responsibility will be part of the real estate reporting rule when it goes into effect the next day. The renewed GTOs continue to cover certain counties and major metropolitan areas in California, Colorado, Connecticut, Florida, Hawaii, Illinois, Maryland, Massachusetts, Nevada, New York, Texas, Washington, Virginia, and the District of Columbia.
The sizes of transactions haven't changed, so whatever you've been doing, if you're affected by the GTOs, remains in place. But just be aware that they've filled the gap with this extension until the real estate reporting rule goes into effect.
John Byrne: Don't hold your breath on that one.
Right. See what happens.
Elliot Berman: Well, it can always extend it again.
John Byrne: That's exactly right. We do wanna spend a little bit of time on the FAQs regarding suspicious activity reporting requirements. It's, it's certainly caused a debate on LinkedIn and I'm sure in other fora. Four new FAQs and again, these are related to the filing of suspicious activity reports, and it was done jointly with the Fed, FDIC, NCUA, and the OCC. So all the agencies bought into this. So that's important to note.
These, according to the introduction, clarify regulatory requirements. Okay. And, but it does also say the answers to these FAQs do not alter existing BSA legal or regulatory requirements, or establish new supervisory expectations. I would hope it does establish new expectations in that the regulators will be trained on these because there is gonna be I find these pretty positive changes, but it's all in how the regulators oversee these things.
So I think that's important. And I know a few of the critics on LinkedIn said, oh, you know, don't change anything or what have you. But let's just go through them and then we can talk a bit about each of them. The first one is a financial required to file a SAR for transactions or a series of transactions at a value at or near the the over $10,000 reporting, uh, threshold, absent information that the transactions or series is designed to evade reporting requirements. They say no. They say that the mere presence of those transactions is not enough that you need to know, suspect or reason to suspect that it's designed to be, which has always been the requirement, by the way.
That's nothing new, but they say absent that knowledge, you're not required to file a SAR . But remember, you can always file a SAR 'cause you're protected by the civil safe harbor. So, you know, I think what we were hoping for, meaning the AML community, was a change in how these reports are filed in terms of maybe a, we've talked about short SARs and you know, that kind of thing.
So what's your take on question one Elliot?
Elliot Berman: As I think back to the days where I was on the ground and actively involved in looking at what kind of activity would generate a SAR, structuring was always tricky. Unless you had overt knowledge that a customer knew the requirements and therefore adjusted or, or prepared their transaction to avoid the requirement you were trying to divine from the surrounding circumstances, usually a pattern of deposits, whether or not it just raised itself to a level of suspicion where you thought you would file. This doesn't really clarify that. I think that I have two other comments.
One is I'd be very curious whether the regulatory agencies, before they put this FAQ out, had any comprehensive conversations with law enforcement agencies, not only federal, but also at the state and local level who we know use the uh, use structuring SARs in their investigative process.
So that's one question. The other is, and I guess I'd say this broadly about all four, and I know we're gonna cover the other three in a moment. My experience over many years as is yours, is that pronouncements from headquarters often take a long time to trickle down and really be implemented on the ground in the examination process.
So not only this one, but the other three as well, seem like they may need some commentary change, at least, if not more in the examination manual. And as you pointed out, training of examiners. We've both had the experience of, uh, examiners raising an issue in an exam and you have to find a gentle way to point out, are you familiar with the fact that headquarters has actually issued this guidance or this statement?
And often the answer is no, we weren't aware of that. Now, the why of that is a whole different conversation. But I think it's gonna be a while before what we read in the FAQs, whether we can tell how it's playing out on the ground.
John Byrne: The second question is is a financial institution required to conduct a review of a customer or account following the following of a SAR to determine whether suspicious activity has continued? I have direct knowledge of this issue. Having asked the question 25 years ago, when I was with the American Bankers Association, to FinCEN what to do when you file the SAR and there's been no follow up or activity from law enforcement or the regulators, and the activities continued.
FinCEN in this one says they suggested in October 20th, 2000, they didn't suggest, it actually said a rule of thumb that on repeated activity every 90 days so to revisit the activity and if you think it's important enough, send a new SAR. That was, it was a rule of thumb over the past 25 years, it's become a regulation.
So banks have actually been cited for this 90 day rule, which is not a rule. Uh, and FinCEN acknowledges this in this sentence where they say, over time, this suggestion, again, this rule of thumb, has become interpreted as a requirement or expectation. And then they finalize the section by saying it's not required to conduct a separate review manual or otherwise of a customer or following the filing with SAR to determine whether special activities continue. They should instead rely on risk-based internal policies and controls to monitor and report activities appropriate, provided that those are designed to identify and report such activities. So useful comment, right? But again, it's gonna depend on this not only trickling down to the examiners, but but being very specific in exam training that look folks, if they haven't filed again on the 91st day the question should be, uh, what are your systems? And there shouldn't be a citation for not filing this second SAR, but an understanding that the banks, they're paying attention to that account holder, but they've seen nothing to suggest that things have continued or they have seen things that have continued.
So I thought that was interesting and it is, you put it together with question three and that's a timeline that they give you. What's the timeline to file SARs in accordance with their continuing suspicious activity?
I'll let you talk about that part. Elliot.
Elliot Berman: Yeah, so they, um, they talk about extending the timeline out as much as to 150 days. I think that's helpful. It'll be important for each organization to take a look at its current processes, figure out how they're going about doing this, and, whether extending out helps them or not.
Again, this is guidance, so. You don't need to immediately run into your process department and start ripping everything out and starting over. You definitely should do a review. But I would recommend people do that review, take a look at the FAQ and see how FinCEN has laid out the actual, uh, windows of time to get to 150 days.
John Byrne: Right. And the last one is another one. I, I'm not sure that this fixes the problem, but has always driven me crazy being like you involved in the early days when SARs were first created, and that is the expectation and sometimes the citation of failure for that expectation to document why you didn't file a suspicious activity report.
That is a thing and that's something that our colleagues and clients have had to deal with. So question four is interesting and it says, is a financial decision required to document the decision not to file a SAR? They say no. They said that FinCEN though is previously encouraged but not required.
So again, the encouragement becomes a regulatory expectation. I think it's pretty, pretty clear. But the second paragraph, Elliot, is pretty interesting 'cause it says if you choose to document the decision the level of documentation may vary and they tell you why it should be risk based. But here's the line that I think will make banks think, oh, we still need to do this, in most cases, a short concise statement, documenting a financial institution SAR decision, will likely (comma), although an FI may consider more documentation to explain the factors that the institution considered in reaching a SAR filing determination in a more complex investigation scenarios.
So I'm not sure that eliminates the no SAR documentation requirement that there be documentation, but what's your take on that?
Elliot Berman: It's always been a challenge. If you have a good SAR filing decision process it will include some type of record keeping and notation about why you reached a no. And I think that generally for everyday SARs that has probably worked for you and that likely will continue to work for you. If you've got a big, complicated investigation that also triggers a SAR because big complicated investigations means something else is going on in the accounts or with the customers that you're looking at.
And at some point along the way it's like, oh yes, do we file a SAR about this as part of it? But the investigation itself is not strictly for the purpose of deciding whether you're gonna file a SAR. It's for figuring out what's going on and whether you have a problem. I think in those complex ones, your decisioning probably is more complicated. And ideally before this FAQ you processes resulted in a little more of an explanation or, documentation.
Not necessarily piles of documents, but documenting, we did a big investigation, we looked at a lot of different things and in the end, chose not to file a SAR because we were able to gather information that told us that, while this looked very unusual, when we really dug in, we found out that it was perfectly explainable and it was not illegal or money laundering or anything.,
John Byrne: I appreciate that they've said, you know, there should never have been a no SAR document requirement. There should never have been a 90 day rule. But obviously as we've said, the proof is in the proverbial pudding going forward. So we have to stay on top of these things, so, we'll see what happens.
Elliot Berman: And there's a lot of muscle memory on the ground about this stuff.
John Byrne: Yep, absolutely.
Elliot Berman: Next week will be our October webinar. It's on AML Compliance Best Practices. I'll be moderating with a great panel and, uh, urge people to, uh, register if they haven't and join us. And then, uh, on the 20th of November, uh, we will be doing a webinar on Global Regulatory Trends in Financial Crime Compliance. We have a great panel there too. And in addition to our US audience, this would be valuable for our non-US audience and for those in the US who have operations or extensive client relationships in the UK and EU and other places around the globe. John, anything else?
John Byrne: We just posted today a conversation I had with two experts in physical security. So you'll find that under the AML Conversations banner efforting a discussion with, uh, the folks from the Human Security Collective to talk about FAFT's Recommendation 8 and some of the issues that they're dealing with there.
Again, as always if you have a person you want us to interview, a topic, a theme, please, uh, feel free. Let us know. We are looking for more and more topics because obviously the AML field is so broad and continues to get broader. So, anything that's connected to national security sanctions, CFT, all those areas, financial crime, broad-based fraud, all those things are things we are very interested in, and we believe that you are as well.
Elliot Berman: All right, John. You have a good week and I'll talk to you next week.
John Byrne: Sounds good. Take care.
Elliot Berman: You too. Bye-bye.