Key takeaways:

• • • Navigating regulatory change 鈥� The Trump administration is introducing many regulatory changes that will affect how financial institutions meet their reporting obligations under the BSA.

    • AI helps and harms both sides 鈥� Advances in AI offer the promise of more accurate, efficient BSA compliance processes, but they also give criminals an ever-expanding toolkit for committing fraud and other types of financial crime.

    • Compliance pros are optimistic about AI 鈥� Corporate compliance personnel are cautiously optimistic about using AI, but insist that better guardrails, usage standards, and agreed-upon best practices still need to be developed.

LAS VEGAS 鈥� Those who assess and manage risk at financial institutions are caught in a whirlwind of change, and the health of the global financial system may very well depend upon how they manage the fallout.

At of the Association of Certified Anti-Money Laundering Specialists (ACAMS), the word disruption was used frequently to describe the kind of systemic change that experts in Bank Secrecy Act (BSA) and anti-money laundering (AML) compliance are up against. And this change is coming at them in many forms: regulatory, technological, geopolitical, digital, ethical, and criminal, just to name a few.

Dissatisfaction with the status quo

In his opening keynote address, John K. Hurley, the U.S. Undersecretary of the Treasury for Terrorism and Financial Intelligence, expressed the Trump administration鈥檚 dissatisfaction with the current state of financial crime enforcement. Hurley also outlined several reforms the administration is pursuing, all of which are aimed at delivering targeted, actionable intelligence to law enforcement much faster than the current system allows.

Hurley decried the proliferation of burdensome regulations and 鈥渘ot-so-useful鈥� Suspicious Activity Reports (SARs), the main method that financial institutions use to report suspicious financial activity to the U.S. Treasury鈥檚 Financial Crimes Enforcement Network (FinCEN).

To address these problems, Hurley said the administration intends to simplify the SARs filing process and overhaul the government鈥檚 regulatory oversight of financial institutions to focus on 鈥渙utcomes鈥�, such as how effectively financial institutions identify criminal activity, rather than examiner evaluations (and criticisms) of an institution鈥檚 BSA and AML compliance processes.

One of the motivations behind these moves, Hurley said, is to encourage BSA compliance personnel to apply their 鈥渆xperience and creative talent鈥� to devise better crime-detection methods using new technologies.

鈥淚 believe fully that well-governed technology is a force multiplier,鈥� Hurley explained. 鈥淲hen a financial institution invests the time and money to experiment with AI and successfully drops its false-positive ratio [of SARs] and escalates vital information to law enforcement more rapidly, their team should be celebrated, not written up because this new approach reveals gaps in their previous manual method.鈥�

AI in BSA/AML compliance: A double-edge sword

Indeed, the use of AI-enhanced technologies to improve know-your-customer (KYC) protocols and other risk-management practices was another main theme of the conference. During several sessions dedicated to AI, panelists and conference attendees expressed both optimism and wariness about the use of AI in BSA/AML compliance activities.

For example, the use of agentic AI 鈥� a form of AI that essentially thinks for itself and can proceed without constant human prompting 鈥� could be extremely useful for first-level KYC risk screening, but it remains to be seen whether the technology can be adequately controlled for BSA/AML compliance purposes.

The double-edged nature of new technologies was also discussed in-depth. Carole House, an ACAMS Distinguished Senior Fellow, pointed out that while new technologies may improve our ability to detect and deter financial crime, they also give criminals a robust set of high-tech tools to use to help subvert the financial system.

鈥淲hen you democratize access to these systems, it opens to the door to illicit uses,鈥� House said, adding that new and better forms of digital malfeasance 鈥� such as fake IDs, bogus credentials, deep fakes, identity scams, crypto-based money-laundering, ransomware, and more 鈥� are all on the rise, and ever-improving forms of generative AI (GenAI) will empower criminals even more.

Despite these caveats, there was almost unanimous agreement that AI will play an increasingly important role in BSA compliance and risk management, because there is no other way to keep up with criminals in the digital economy. And because AI adoption is inevitable (and is, in fact, already happening), efforts now need to be focused on building adequate regulatory guardrails, improving digital skillsets, and establishing AI best practices to ensure responsible use of advanced technology.

New rules, old problems

On the regulatory front, several recent changes that likely will impact how AML compliance personnel do their jobs were also discussed at length during the conference.

In March, for example, FinCEN issued a new rule exempting certain United States-based companies and citizens from their previous obligation under the Corporate Transparency Act (CTA) to report beneficial ownership information to FinCEN. (Foreign entities doing business in the US still have to file beneficial ownership information.)

FinCEN claims the rule change is intended to reduce the reporting burden on small companies, but AML experts are concerned because it gives financial institutions less information to assess the legitimacy of their customers, potentially re-opening a window to fraud that had previously been closed and hindering attempts to assist law enforcement.

Support for crypto-regulation

On another matter, AML experts are generally supportive of recent efforts to regulate cryptocurrency assets. For example, creates new regulatory framework for stablecoins, which are a type of cryptocurrency whose value is backed a fiat currency such as the US dollar.

Congress is also considering passage of the Digital Asset Market Clarity Act, which would create guidelines for the classification, sale, and oversight of digital assets. And a series of new policy directives collectively known as The Blanche Memo (because they were issued by Deputy U.S. Attorney General Todd Blanche) aims to end so-called 鈥渞egulation by prosecution鈥� of crypto exchanges and shift the emphasis of law enforcement to individuals who use digital assets to support 鈥渢errorism, narcotics and human trafficking, organized crime, hacking, and cartel and gang financing.鈥�

In addition to these changes and concerns, BSA/AML compliance professionals are also contending with Chinese money laundering, ever-shifting sanctions, tariff evasion, global regulatory volatility, worldwide financial threats, lack of institutional trust, and pervasive economic uncertainty 鈥� so by any measure, they have very full plates.

As Dan Stipano, a partner at Davis Polk & Wardwell, remarked during one panel discussion: 鈥淭he big problem with the BSA is that if everything is a priority, nothing is a priority,鈥� 鈥� and that too must change.

You can find more of our coverage of ACAMS events here

Despite AI and machine learning “getting better by the day” and nearing readiness for deployment, ACAMS had heard from many institutions that “maybe [the institutions’] own data is not quite ready,” said Craig Timm, senior director of anti-money laundering (AML) with ACAMS, a trade association for anti-financial-crime professionals.

With AML budgets shrinking, AI and related technology “is the only answer” to adequate risk management, Timm explained. “It’s the way they’re going to get more efficient while maintaining effectiveness,” he said. “It’s the way they’re going to fight back against the criminal use of this technology 鈥� there are just steps to get there.” In addition to financial institutions needing to clean up their data, regulators must also create structures and guidance to allow firms to implement AI, he added.

Joby Carpenter, global subject-matter expert on technology and illicit finance at ACAMS, agreed that regulators must also step up. “[Regulators] have not yet got to the point where they’ve said, ‘you can turn off [your] legacy systems and just rely on AI in order to do your due diligence, or your screening, or whatever it may be’,鈥� Carpenter said. 鈥淪o, that’s a big issue.鈥�

Carpenter explained that 鈥渞egulators accept that they are in that position 鈥� that they haven’t given permission to turn off those legacy systems 鈥� and they are trying to get around that with initiatives like sandboxes and tech sprints, in order that AI can then be demonstrated鈥� as being effective and falling into line with regulatory requirements, but it does seem to be a fairly slow process to get to that point.”

Justine Walker, head of sanctions, compliance & risk at ACAMS, agreed, adding: “This is a radical moment in time in terms of technology, both in terms of its benefits to the anti-financial crime function, but also the challenges it brings.鈥� Walker added that she thinks that 鈥渋n five years’ time we’re going to be discussing this in a very, very different way 鈥� in what way? I don’t think any of us quite know, but it is changing by the day.”

Top 10 financial crime threats

The AI challenge was only one element of a broader 2024 Global Anti-Financial Crime Threats Report that ACAMS released. The report also outlined the top 10 financial crime threats that ACAMS saw as “high on the radar” in 2024, based on discussions at events held around the world, plus a global survey conducted between Sept.18 and Oct. 22, 2023.

The top ten threats assessed by ACAMS, beginning with the number-one threat, include:

1. Anti-financial crime team budget cuts

The top threat stems from budget cuts and declining anti-financial crime staff amid an evolving and heightened risk environment, the report said. “If institutions cannot manage this threat, it will negatively impact their ability to manage all the other threats in this report and the overall effectiveness of the anti-financial crime function,” ACAMS wrote.

2. Geopolitical tensions and fragmentation

These “dominating concerns” present “fundamental challenges with conflict, cybersecurity, energy security, and strategic competition, which fuel growing risk dilemmas,” the report stated, adding that navigating this fragmented environment “requires adept handling of聽emerging scenarios involving conflicts of law and regulations, personnel risks, and evolving market volatility.”

3. Cyber-enabled fraud

Recent technological advancements have prompted a rapid surge in cybercrime, including fraud that鈥檚 enabled by digital media platforms and the darknet, the report noted.

Additionally, pig butchering 鈥� a type of cryptocurrency scam targeting wealthy individuals online through romantic deception to gain their trust and steal their assets 鈥� has led to the loss of billions of dollars since 2021.

4. Sanctions and evasion

While it ranked fourth in the ACAMS threat hierarchy, sanctions and related evasion of sanctions are “paramount in the minds of executive leadership, causing them sleepless nights,” the report stated, adding that those concerns “stem from the use of sanctions for foreign policy objectives and the persistent complexity of maintaining ‘sanctions compliance.'”

Anticipated sanctioning trends in 2024 include two primary drivers. First, stronger alliances will likely lead to the convergence of sanctions and export controls, strategically aimed at restricting Russia’s access to sensitive technology and degrading its war capabilities. Second, there will be a heightened US enforcement campaign against Russia’s sanctions-evasion tactics.

5. Scale and pace of change

The scale and pace of anticipated regulatory change influences the full spectrum of anti-financial crime programs, with emphasis on expected changes affecting AML, sanctions, cybersecurity, crypto-assets, data privacy/data protection, and fraud, the report stated.

6. Abuse of legal entities and arrangements

Amid the backdrop of the global AML-standard setting and renewed demands for global corporate transparency from the global money laundering and terrorist financing watchdog, the Financial Action Task Force, the misuse of legal entities and arrangements also has emerged as a critical threat.

“Anonymous legal entities persist at the epicenter of significant cases involving major corruption, money laundering, tax evasion, and sanctions evasion,” the report noted. “Authorities are anticipated to intensify efforts by enforcing corporate registry structures and imposing more stringent requirements for beneficial ownership due diligence.”

7. Balancing counter-terrorist financing with financial access and humanitarian aid

Maintaining balance between counter-terrorist financing efforts and the facilitation of financial access to humanitarian aid remains a core priority for the international community, humanitarian actors, and compliance functions, according to the report.

8. Lack of risk-based approach

The lack of an effective risk-based approach to regulation and supervision is consistently viewed as a hindrance to the ability of AML regimes to fight financial crime.

9. Weaponized technology

ACAMS also flagged the hostile use of commercial spyware, ransomware, and offensive cyber-capabilities as a growing concern.

10. Internal threats

Concerns about this multifaceted threat were “spearheaded by senior executives and law enforcement figures,” the ACAMS report stated.

Value of threat report insights

AML and sanctions compliance professionals may wish to convey some of the insights gleaned from the ACAMS report to their senior executives 鈥� and perhaps ultimately to the board of directors 鈥� as evidence of the need for adequate AML compliance resources and to increase awareness about the growing role of new forms of technology that could be of use to organizations鈥� anti-financial crime functions.

The remarks, made recently at , are far from surprising, given the flood of targeted sanctions imposed by governments worldwide since Russia’s February 2022 invasion. And the fact that Russian oligarchs have sought to shield their assets and evade sanctions by assigning family members, associates, and others as nominee owners only has added to the work banks must do.

During early examinations, regulators found that banks were struggling to comply with “regional-focused sanctions” imposed by the United States Treasury’s Office of Foreign Assets Control (OFAC), said Lisa Arquette, associate director, anti-money laundering (AML) and cyber fraud branch with the Federal Deposit Insurance Corporation, and speaker at the ACAMS conference. “Those became a little bit more difficult for institutions to implement at the beginning,鈥� Arquette noted. 鈥淏ut I think they’ve worked through that, and OFAC as a partner to financial institutions has done a lot of outreach.”

Arquette explained that it was vital that when there is a change in beneficial ownership of a legal entity customer, banks should “make sure you have a process to identify that person or those people so that they can also be scanned” against sanctions lists. 鈥淭here are lots of moving parts related to a lot of commercial entities and legal entities聽鈥� intentionally聽鈥� and it’s difficult to know who to add to the scanning process to make sure that you’re not processing transactions that should be blocked or rejected.” she said.

“Malicious actors, threat actors, intentionally may change that information, which is why your diligence is so critically important.”

Stretching ‘finite resources’

As the deluge of Russia sanctions came in wave after wave, banks with “finite resources” needed to devote “an incredible amount of time and energy [to] sanctions compliance,” said speaker Koko Ives, manager,聽聽AML compliance section in the Division of Supervision and Regulation at the Federal Reserve Board. “The pace, the number, the complexity, of Russia sanctions was really unprecedented,” Ives said.

“The global response with E.U., U.S. and U.K. coordination but not identical sanctions, made it particularly difficult for globally operated institutions to navigate all those sanctions, and that was done well,” Ives said. “I guess their existing sanctions programs were pretty strong because that was surprisingly well done in an incredibly time-intensive and difficult [environment].”

The Fed is examining “with the same frequency as before” and “nothing has changed with our examination process,” she added. “Any sort of [bank compliance] issues are garden variety鈥� related to not being able to update software for [sanctions lists] timely enough so there might be something that slips through, or misunderstanding of [OFAC] general licenses, that kind of thing that causes compliance issues.”

Most banks have done ‘really good job’

Another speaker, Donna Murphy, deputy comptroller for compliance risk with the Office of the Comptroller of the Currency (OCC), said she “would echo” what Arquette and Ives said and added that “institutions spent a tremendous amount of resources dealing with those very fast-moving and complex sanctions programs, and in general did a really good job.

“Where we’ve seen issues is where the sanctions programs were not dynamic enough and sometimes maybe didn’t have the capability 鈥� at least initially, and it had to be built 鈥� to deal with targeted, regional sanctions as opposed to country sanctions, or the complex and evolving structures of some of the sanctioned entities,” Murphy said.

Changes in beneficial ownership or control of legal entities “are very difficult to keep up with as sanctions are evolving and the entities are evolving,鈥� she explained. 鈥淚t is challenging and needs a lot of focus. I think in general the institutions have done a very good job of implementing these really critical programs for our national security.”

Murphy said the OCC has “spent a lot of time focusing on providing as many resources as possible to our examiners.”

She noted that sanctions have not always been a major focus of OCC supervision, but “we’ve really tried to make sure that our examiners understand these evolving and changing sanctions, and [that] we can provide the support for the exams and the institutions.”

Ives added that some Fed supervised institutions have taken “a forward-looking view of the next geopolitical target.

“Some of the institutions are already developing potential strategies if there are going to be new sanctions in a new part of the world, how might that affect the supply chain, assets that could get hung-up, parties you can no longer transact with, and how that may impact their operations,” Ives noted.

Using interagency regulatory guidance

On the topic of third-party risk management, both Arquette and Ives noted that updated interagency regulatory guidance is imminent and could be released any day. Use of third parties by financial institutions is increasing, Ives added. “It can be incredibly beneficial, especially in the fintech area where [banks] may need the expertise,” she said. “But how is [suspicious activity report] information going to be shared? Do you have what you need to be on the right side of sanctions compliance?”

The intent of the updated interagency guidance is to make consistent federal banking agency guidance on third-party risk management “to make it manageable and holistic” for financial institutions, Ives said.

鈥淭echnology advancements are a great thing, but the Metaverse combined with Web 3.0 allows people to be more anonymous than ever,鈥� says Jim Lee, chief of the Internal Revenue Service Criminal Investigations unit (IRS-CI). 鈥淎s a result, we all know that the criminal element is going to come out somewhere, somehow.鈥�

Is prevention possible?

Lee spoke recently at the recent聽21^st聽Annual Anti-Money Laundering & Anti-Financial Crime Conference, held by聽,聽where the challenge of preventing Web 3.0 from becoming a safe haven for criminals was discussed in a number of forums.

ACAMS is attended primarily by bank regulators and other defenders of the traditional financial system, and the consensus opinion among this crowd is that anticipating how criminals could exploit Web 3.0 is the key to preventing it. Mistakes made building the current internet should have taught us that addressing content problems after the fact is a losing game, many experts say, so it鈥檚 essential to build controls and safeguards into Web 3.0 before criminals even have the opportunity to commit a crime.

Or so the thinking goes.

There are several holes in that proposition, however. Among them: i) regulators and Web 3.0 technologists would need to find a way to work together somehow; ii) not everyone agrees on the nature of the problem or how to prevent it; iii) lawmakers have a dismal record when it comes to recognizing and addressing issues involving technology before they happen; and iv) is already on the rise, so the clock is ticking.

What is Web 3.0?

Though the terms are sometimes used interchangeably, Web 3.0 and the Metaverse are not the same thing. Web 3.0 is the underlying architecture of the Metaverse, which itself is the immersive, three-dimensional digital world that proponents of the technology (such as Meta CEO Mark Zuckerberg) claim is the future of the internet.

Though the Metaverse is still in the early stages of development, elements of Web 3.0 are already being used today in the world of cryptocurrencies and other digital assets (such as with non-fungible tokens and stablecoins), all of which are based on blockchain technology. One of the key differences between today鈥檚 internet (Web 2.0) and Web 3.0, however, is that the latter is built entirely on blockchain smart-ledger technology-driven by machine learning and artificial intelligence.

The key features of Web 3.0 that most concern government officials and law enforcement are decentralization and anonymity. Not coincidentally, these are the same features that make crypto-based crimes and crypto-enabled criminal networks so hard to thwart.

The core idea of Web 3.0 and hence the Metaverse, however, is that it is entirely decentralized, meaning that no central power or government controls it. And for many Web 3.0 evangelists, that鈥檚 the central selling point of Web 3.0: Freedom from governmental control.

From a government regulator鈥檚 perspective, however, total decentralization is a huge problem. What it essentially means is that anyone can do anything, anonymously, and with no accountability, and there鈥檚 very little that conventional law enforcement can do to stop it.

Virtual crime, real-world victims

That鈥檚 not all. The trouble really starts when criminal activity in the Metaverse leaks over into the real world. At ACAMS, Lee asked his audience to imagine strapping on some virtual-reality (VR) goggles and walking into a building in the Metaverse: 鈥淔loor 1 is the ID theft room, where you exchange some sort of digital asset and they instantly give you a driver鈥檚 license, a date of birth 鈥� Personal Identifiable Information (PII) 鈥� that you can then go use for credit-card fraud, bank fraud, or whatever crime you can think of using PII.鈥�

Floor 2 is the firearms floor in Lee鈥檚 digital dystopia. There, you can purchase the location of a gun in the real world, with no background check, 鈥渁nd now you鈥檝e got a person who shouldn鈥檛 have a weapon,鈥� Lee says. Floor 3 is devoted to human trafficking. Floor 4 to money laundering. Floor 5 to terrorism. And so on.

鈥淚t鈥檚 an ugly picture,鈥� Lee warns.

Anjana Rajan is the Chief Technology Officer for Polaris, the largest anti-human trafficking NGO in the United States. At ACAMS, she explained that Congress should be concerned about the rise of Web 3.0 because of the 鈥減hilosophy鈥� of institutional distrust behind it. 鈥淚t鈥檚 really about society and the future of our political system,鈥� Rajan explains. 鈥淚n its best form, this technology can create economic inclusion and a more secure internet, but in its worst form it can also drive the same thing that happened on January 6.鈥�

Proponents of Web 3.0 have a distressing amount in common with anti-government violent extremists, namely, that 鈥渢hey don鈥檛 trust US institutions, they don鈥檛 trust the US dollar, and they don鈥檛 trust the corporations and oligarchs who run the economy,鈥� she adds.

The difference is that Web 3.0 and the Metaverse are being built by some of the richest, most powerful people 鈥� and the largest tech companies (such as Meta, Google, and Microsoft) 鈥� in the world.

Re-thinking trust

A lawless, entirely unregulated Metaverse is not inevitable, these experts say, but it will require a re-thinking of some of the basic concepts upon which financial institutions and society at large are currently based, such as identity and trust. For example, our concept of identity in the real world revolves around a person鈥檚 PII, such as date of birth, social-security number, driver鈥檚 license number, address, etc. However, it may be time for the government 鈥渢o start moving away from normal concepts of identity-based trust and instead move to concepts of trust within the ecosystem,鈥� notes Frederick Reynolds, Chief Compliance Officer for the fin-tech start-up Brex.

In the ecosystem of the Metaverse, one鈥檚 identity is defined by the metadata on their blockchain, and trust within the ecosystem is built through blockchain activity that is independently verified by a decentralized network of fellow users. So in a sense, blockchains build trust by eliminating the need for it.

For better or worse, this is how the Metaverse works. Yet, if we鈥檙e not careful, these experts warn, criminals will figure out how to make it work for themselves before law enforcement can figure out how to stop them.

A key concern is that banks may ultimately have responsibility for validating the accuracy of registry data and be required to file suspicious activity reports (SARs) when information is suspect. Another is that a massive volume of registry data could force institutions聽to hire additional investigators to probe automated alerts from sanctions screening systems.

Late last month, Treasury’s Financial Crimes Enforcement Network (FinCEN) 聽鈥� pursuant to the Corporate Transparency Act (CTA), part of the Anti-Money Laundering Act of 2020 鈥� laying out which legal entities will be required to report their beneficial ownership data, beginning on Jan. 1, 2024. Companies required to report will include, with some exemptions, limited liability partnerships, business trusts, and most limited partnerships, in addition to corporations and limited liability companies.

Congress enacted the CTA to combat the longstanding abuse of shell companies by criminals.

FinCEN also vowed to issue two additional rules 鈥� one detailing access to the database and another amending the Treasury bureau’s聽聽that requires financial institutions to collect beneficial ownership data from customers. It will likely be years before the rules come into effect, experts say.

“The elephant in the room鈥� is ‘What are the next milestones that we’re looking for with regard to beneficial ownership changes that may be forthcoming from FinCEN?'” Kieran Beer, director of editorial content with the Association of Certified Anti-Money Laundering Specialists (ACAMS), told an ACAMS conference earlier this month.

Unanswered questions loom

Financial institutions will need time to adjust their compliance programs once FinCEN issues the remaining rules and clarifies how the database will affect existing CDD requirements, Heather Allen, deputy director of financial crime with Truist Financial Corp, told the conference.

“I think all of us are very much invested in the need to have the registry, but there are a lot of questions that remain unanswered,” Allen said. For example, the question of who will “own” responsibility for verifying the beneficial ownership information that legal entities report to FinCEN remains unanswered, she added. “If we have information that comes out of that system that is inconsistent with the bank data that we have, what is our responsibility as bankers?”

The CTA directed that financial institutions have the ability to access database information about customers who grant them permission, which raises questions regarding what the banks will be expected to do with the mountain of new data.

Sanctions against Russia raise stakes

As FinCEN is drafting rules to establish the database, which is expected to house information on tens of millions of companies and other entities, the U.S. and its allies scramble to combat the evasion of .

“We’re sitting in the midst of the greatest use-case of greater beneficial ownership in Russia-Ukraine sanctions, so the timing is incredibly good, or it’s incredibly bad, depending on which side of the table you sit on,” James Candelmo, chief Bank Secrecy Act and AML sanctions officer with PNC, said at the ACAMS conference.

The 2020 AML legislation originally “landed in our board rooms” as “potentially some relief” from AML and sanctions compliance burdens, but in the wake of Russia’s invasion and the resulting global push to unveil assets controlled by sanctioned parties, “I don’t believe that will be the case,” Candelmo said.

Database could lead to more SARs duties

Referencing remarks from FinCEN Acting Director Himamauli聽Das earlier in the ACAMS conference, Sarah聽Runge, a former Treasury official who now is director of regulatory programs, policy, and governance with聽Facebook Payments, said she is concerned that financial institutions could end up being responsible for validating information in the beneficial ownership database.

When asked whether financial institutions will be expected to compare information in the database with the data they collect from customers under FinCEN’s customer due diligence rule, Das “pivoted to talk about how financial institutions will continue to have [SARs] filing requirements,” Runge said. “From my perspective, that’s when every part of every hair on my body sort of went up, because he didn’t answer (the) question, but he pivoted to expectations to identify suspicious activity. And I read it to mean that if there is a discrepancy, that that might rise to be suspicious where we would be expected to file a SAR and effectively be verifying and validating the database, which from my perspective is the worst-case scenario.鈥�

Requiring financial institutions to report discrepancies would be consistent with requirements imposed by European countries with registries, explained Markus Schulz, global head of change management for financial crimes compliance at ING. “If we pull information from the registry, then we find in our own due diligence or in the course of dealing with a customer that there is a different director or change in ownership鈥� financial institutions are obliged to report back to the central registry that there is a discrepancy,鈥� Schulz said. 鈥淭he central registry will then confront the company and hold the company accountable to make it correct, so鈥� we’re not completely responsible for the integrity [of the registry], but if we have that intelligence it’s our obligation to inform the authorities.”

In September, the White House issued its , an aspirational document short on specifics but long on promises, including protecting consumers and investors, combating illegal finance schemes, and encouraging 鈥渞esponsible innovation鈥� of financial products using the underlying blockchain technology that makes digital assets unique.

More regulation, please

To date, however, US regulatory agencies have mostly restricted their communication on digital assets to official advisories, notifications of enhanced enforcement of existing laws, and recommendations to Congress to get busy and pass some crypto-relevant legislation. Because until Congress grapples seriously with the many regulatory questions posed by digital assets, government agencies are somewhat handcuffed by the current legal framework for financial dealings, which was developed well before digital assets ever existed.

US regulatory agencies are not entirely without resources and strategies for dealing with the risks associated with digital assets, however.

At the recent 21^st聽Annual Anti-Money Laundering & Anti-Financial Crime Conference, held by聽,聽a panel of federal regulators shared their thoughts on managing digital assets and what their agencies are doing to support the president鈥檚 stated objectives. The panel included representatives from the Federal Reserve Board, the Federal Deposit Insurance Corp. (FDIC), the Financial Industry Regulatory Authority (FINRA), the Financial Crimes Enforcement Network (FinCEN), and the Officer of the Comptroller of Currency (OCC).

Enforcement: FinCEN & FINRA

On the enforcement side, representatives from both FinCEN and FINRA emphasized that their agencies are working hard to improve their technical capabilities to better keep up with criminals, while aggressively pursuing and prosecuting illegal financial activity of all kinds. They鈥檙e also seeking to strengthen their working relationships with banks and financial institutions to create a stronger public/private safety net.

Panelist Andrew McElduff, senior director of FINRA, which oversees non-bank financial institutions, said his agency has added a crypto-assets investigative team and created a 鈥渂lockchain lab鈥� 鈥� however, the team itself is new, so information-gathering is its top priority at the moment.

Another panelist, FinCEN鈥檚 Director of Office Compliance Jay Song, said the agency was in discussions about amending the Bank Secrecy Act (BSA) to address concerns about digital assets in the US financial system, but he also cautioned bank compliance officers (a large component of the ACAMS audience) not to wait for guidance from FinCEN. 鈥淩egardless of the absence of outright regulation, there is an obligation to meet BSA requirements,鈥� Song said. 鈥淭he fact that a regulation doesn鈥檛 exist for [a given financial activity] does not mean you can ignore the financial institution鈥檚 obligations under the BSA.鈥�

US regulatory agencies have mostly restricted their communication on digital assets to official advisories, notifications of enhanced enforcement of existing laws, and recommendations to Congress to get busy and pass some crypto-relevant legislation

For banks and financial institutions, those obligations primarily involve following standard know-your-customer (KYC) protocols and filing suspicious activity reports (SARS), which FinCEN relies on to identify criminal financial activity of all kinds, including cyber-crime and crypto-fraud.

The Fed & the FDIC: Be careful

Likewise, panelist Lisa Arquette, associate director of anti-money laundering (AML) and cyber-fraud with the FDIC, noted that her agency has issued two institutional advisories this year: one asking FDIC-insured institutions to alert the FDIC if they intend to engage in 鈥� or are already engaging in 鈥� any crypto-related financial activity; the other warning about crypto companies that lead their customers to believe crypto deposits are insured by the FDIC, just like any other bank deposit, when they are not.

While the FDIC does support crypto-related financial activities that are 鈥渟afe, sound, and legal,鈥� Arquette said, she added that 鈥渨e have concerns that crypto-related activities represent a risk to consumers, and that insured depository institutions face risks in effectively managing the application of consumer protection laws and regulations.鈥�

In other words: Be careful, because danger lurks. Consumers beware.

The Federal Reserve Board鈥檚 deputy associate director, Suzanne Williams, offered a similar assessment of the crypto situation on the panel, noting that the Fed has issued guidance of its own and encourages banks to inform the Fed if they are contemplating involvement in a 鈥渃rypto-asset relationship.鈥� If they do, the Fed will help evaluate the wisdom of that relationship, she said, or at least identify the risks involved.

In the meantime, Williams reinforced the message that financial institutions offering crypto-related products to their customers (or thinking about it) should make sure they have the proper risk-management systems and controls in place, especially if those products are being outsourced to a third party.

The Fed: A digital dollar?

The Federal Reserve鈥檚 primary interest is in maintaining the stability of the traditional financial system, of course, so it exists in tension with other parts of the government that want to keep the door open to innovation that could lead to potentially lucrative new financial vehicles.

One innovation Arquette would not discuss, however, is the federal government鈥檚 interest in developing its own Central Bank Digital Currency (CBDC), a digital form of the US dollar that the government says should, if implemented, 鈥減rotect consumers, promote economic growth, improve payment systems, provide interoperability with other platforms, advance financial inclusion, protect national security, respect human rights, and align with democratic values.鈥�

That鈥檚 a lot to ask of a digital currency. What the government doesn鈥檛 say 鈥� but crypto enthusiasts understand implicitly 鈥� is that a US-backed CBDC would mean giving control of the currency鈥檚 blockchain over to the US government, which raises serious privacy issues and strikes many people as a step too far for Big Brother. For all of their risks and volatility, cryptocurrencies are kept on decentralized blockchains, so no government controls it, which is why crypto was created in the first place.

Leaders in both the traditional financial system and the decentralized finance, or De-Fi, industry agree that a more reliable, relevant, and equitable regulatory landscape needs to be established. Until further legislation is drafted, however, the government鈥檚 advice on digital assets of all kinds still amounts to: Be careful because danger lurks. Consumers beware.

At the 21^st Annual Anti-Money Laundering & Anti-Financial Crime Conference, held by , Rebecca Kiethley, a Federal Bureau of Investigation (FBI) fraud specialist, explained that people over 70 years of age control 75% of the wealth in America, and over the next 10 years somewhere between $30 trillion and $68 trillion in assets is expected to be transferred from the Baby Boomer generation to their Gen X and Millennial generation heirs.

Criminals know all of this, of course, and they are preparing to steal as much of that money as they can.

According to the FBI鈥檚 , seniors over 60 lost more than $1.7 billion to fraud last year (a 74% increase from 2020), with the average victim losing $18,246. In fact, people over 60 lost $239 million in 2021 to investment schemes alone, many of which were get-rich-quick scams involving digital assets, or cryptocurrencies. And it is estimated that for every 1 complaint the FBI receives, 44 go unreported.

Crypto scammers target seniors for several reasons. In addition to seniors being more trusting of people, they also tend to be less knowledgeable about technology in general, and digital assets in particular. Worse yet, many people currently in their 60s who have not saved enough for retirement are now trying to 鈥渃atch up,鈥� which makes them vulnerable to investment schemes that promise quick, large returns.

An abuse of trust

Speaking at the ACAMS conference, Kiethley said that seniors are most likely to fall victim to investment scams, but they can also be taken in by romance scams, Ponzi schemes, fake lottery prizes, tech-support scams, real-estate swindles, or people pretending to represent a government agency such as the IRS, Medicare, or Medicaid.

Unfortunately, victims of such scams are much less likely to get their money back if the scheme involves crypto, due to the anonymous, decentralized nature of digital currencies. The FBI has created a special virtual-asset investigative unit to combat an expected rise in crypto crime, and the unit has already had some success in recovering stolen digital assets using sophisticated financial forensics. The odds of recovering money lost to a crypto scam, however, are still very long.

When targeting seniors, many scammers make initial contact via social media or over the phone, pretending to have dialed a wrong number. Scammers often research their target on the internet or social media, then use that information to establish a sense of personal connection with their victim. After gaining the person鈥檚 trust through a few friendly interactions, the scammers will move to the next phase: extracting money from their victim.

In a typical crypto investment scam, for instance, the scammer might mention a great crypto investment opportunity and invite the victim to participate by giving them a small amount 鈥� $100, for example. A week later, the scammer might show the victim a crypto wallet with $1,000 in it as proof that the investment has paid off. Then the scammer might persuade the victim to 鈥渋nvest鈥� more money 鈥� $500 or $1,000 this time 鈥� and claim soon after that the victim has made $10,000. Excited by such gains, the victim might then be willing to part with $10,000 or more, after which both the scammer and money disappear.

Investment scams are the most common ones involving cryptocurrency, but other types of fraud can involve digital assets as well. Indeed, according to the FBI鈥檚 Elder Abuse report, 鈥渃ryptocurrency is becoming the preferred payment method for all types of scams,鈥� because digital assets are so difficult to trace.

How to recognize elder fraud

Because seniors are so vulnerable to such tactics, government agencies, law enforcement, regulators, and bank personnel are all ramping up efforts to educate the public and encourage training that teaches front-line personnel how to recognize signs that a senior is being scammed 鈥� and if so, where to report it.

Mike Brunow, who oversees the criminal money laundering and fraud division of the United States Postal Service, told the ACAMS audience that there are a number of red flags for elder abuse of which front-line bank workers and other financial personnel should be aware. These red flags include:

• • • customer behavior that is out of character;
    • a sudden change in deposit habits;
    • someone unfamiliar showing interest in the customer鈥檚 financial affairs;
    • a customer adding someone unexpected to their bank security card;
    • a customer who purchases a large number of pre-paid cards; and
    • unorthodox transactions or money transfers.

Bank employees who suspect foul play can try to engage a customer in conversation to find out more, or, failing that, file a Suspicious Activity Report (SAR) detailing the circumstances and reasons for suspicion. Also, anyone can file a complaint with the FBI鈥檚 .

Trying to help seniors who are experiencing some form of cognitive decline can be tricky, however. Bank employees and police investigators are not doctors, after all, and bank customers are technically free to do whatever they wish with their money.

According to another ACAMS speaker 鈥� Jessica Clemens, assistant VP of risk management with Timberline Bank in Grand Junction, Colo. 鈥� another problem is that even if a scam is uncovered, it is sometimes difficult to convince seniors that they are being duped.

鈥淭hese people often don鈥檛 realize that they are victims,鈥� Clemens says, adding that then the question becomes, 鈥淲hat do we need to do as a community to educate them 鈥� to say you are being taken advantage of, that the lovely individual at the other end of the line is never coming to see you, and the car full of cash is never going to show up?鈥�

Approximately 17% of the US population is over 65 years of age, and that number will climb to more than 20% by 2030, according to . And to crypto scammers, those numbers mean opportunity. To everyone else, they should be a wake-up call 鈥� a push to expand awareness and prevention efforts and ensure that the oldest among us are not being fleeced by criminals posing as friends.

“I really believe that if we do this right, this can have by far the biggest impact on AML since the (USA) PATRIOT Act, but more importantly, have a true impact on crime and really make the world a safer place,” said Craig Timm, managing director of financial crimes & emerging risk at Bank of America. Timm moderated the bankers panel at the . “It’s so important,鈥� he added. 鈥淲e’re at a cusp right now where this is a really big deal.”

The AML Act of 2020 required Treasury’s Financial Crimes Enforcement Network (FinCEN) to issue National AML/CFT Priorities as part of a legislative effort to clarify on what areas financial institutions should focus their efforts to police transactions for illicit activity more effectively.

The priorities, publicly announced on June 30, included corruption, cyber-crime, domestic and international terrorist financing, fraud, transnational criminal organizations, drug trafficking organizations, human trafficking and human smuggling, and proliferation financing. FinCEN said at the time that it would propose regulations to bring the priorities into force “in the coming months.” The technical deadline for the regulations was the end of 2021, but the new rules have yet to be issued. Many experts believe a proposed rule will be issued in the coming weeks along with a requirement that firms’ AML programs be “effective and reasonably designed.”

Financial institutions were “glad to see” the FinCEN priorities announced in June because it provided clarity regarding the criminal activity on which Treasury wants the private sector to focus, said panelist Lisa Grigg, chief of enterprise financial crimes compliance at US Bank.

Looking for vulnerabilities and checking controls

Most institutions reacted by looking at their portfolios and the suspicious activity reports (SARs) they have filed related to the criminal activities enumerated, Grigg said. “At my institution, how vulnerable am I to certain types of activities that we’re seeing with the priorities?” she asked. “That can be influenced by a lot of different factors 鈥� locations, customers that you serve, whether you have a correspondent bank 鈥� all those types of things can influence certainly where you might see yourself as vulnerable to these activities.”

Grigg advised that the next step is assessing whether appropriate controls are in place, such as whether it is clear how your institution will look for the ‘red flags’ signaling specific crimes. “Most institutions are just looking at their vulnerability and assessing ‘What’s my risk?’ and ‘What controls do I maybe already have in place?’ And ‘How am I dealing with these types of priorities?'” she said, adding that none of the priorities named by FinCEN “are foreign to our industry.”

Measuring exposure to prioritized crimes

Another panelist, Andrea Sharrin, a former FinCEN official who now serves as head of financial crimes for the Americas and global investment banking at Barclays, suggested that institutions should be weighing the question, “What is my specific exposure to these priorities?”

“There’s going to be an anticipation that not every institution is going to have the same level of exposure to each one of these priority areas,” Sharrin explained, noting that some institutions are choosing an area of exposure 鈥� such as their SARs filings 鈥� and doing a “deep dive into that.鈥�

“That’s where you can really make a difference,” she added.

Sharrin said that another interesting aspect of FinCEN’s implementing regulations those items that aren’t on the list of FinCEN priorities and how businesses incorporate that into their risk assessment. “I would imagine regulators are going to expect that you still cover those risks, that you still identify them, you still look at them, you still make sure that your program still reasonably mitigates those risks.”

Adjusting risk assessments

Timm agreed that institutions should be considering how to adjust their risk assessments. “We’ve started to revamp our risk assessment process,” he said. “We don’t know what the regulations are going to say, but it’s almost certain that, at least from my view, that we’re going to have to be able to demonstrate that we understand the risk and the priority areas.鈥� That includes knowing how those risks impact your institution, and how you can demonstrate that you’re doing a good job in risk management.

When his team identifies a risk, Timm said they ask themselves if we鈥檙e taking the appropriate actions, such as changing the risk rating, exiting the client, or other similar actions. “We look at each of the priorities through those lenses and we think that if we can demonstrate we’re doing those three, then that’s an effective program and that’s where the government wants to go.”

Priorities a potential ‘game-changer’

Panelist Dan Stipano, a partner with Davis Polk, who spent more than 30 years at the Office of the Comptroller of the Currency in senior legal and enforcement roles, noted that these priorities “were intended 鈥� and have the potential 鈥� to be a game-changer in terms of how AML compliance is done, and maybe more importantly, how it’s measured by regulators, by examiners.”

“But whether it achieves that all depends on the implementation and I, personally, am kind of skeptical that it’s going to play out that way,” Stipano said.

Indeed, the fact the AML Act of 2020 required that FinCEN issue a list of priorities “really resulted from longstanding complaints by the financial services industry 鈥� particularly large banks and perhaps other large institutions 鈥� that they do all this good stuff for law enforcement鈥� but they don’t get any credit for that,'” Stipano explained. “When you get examined, the emphasis is much more on check-the-box compliance with the technical regulations that apply to your institution.鈥� Unfortunately, that means you could be an institution that does a great deal to help law enforcement and put the bad guys in prison and still end up with a cease-and-desist order or some other enforcement action, he added.

Stipano said he thinks this is a legislative response to how firms follow the rules. 鈥淭he government is now being forced to tell financial institutions what [it thinks] is important 鈥� these eight priorities 鈥� and if you successfully incorporate them into your program, then in a perfect world, you should get good marks from your examiners when you’re examined,” he said, adding again however, that he is 鈥渟keptical that it will play out that way.”

“Our key priority 鈥� our biggest focus 鈥� is building a beneficial ownership registry that鈥檚 not only useful to U.S. law enforcement, but useful to our financial institutions as well,鈥� said Scott Rembrandt, deputy assistant secretary for strategic policy at the U.S. Treasury Department. 鈥淭hat, we believe, can help us do more to combat corruption that anything.” Rembrandt鈥檚 comments came during held by the Association of Certified Anti-Money Laundering Specialists (ACAMS).

“Misuse of legal entities is one of the yawning gaps in the U.S. [AML net] that we need to better address, and we are addressing,” he said.

Read our coverage of the keynote from this year’s ACAMS conference here

The Biden administration launched its anti-graft campaign on June 3 when it released a study memorandum that prioritized public corruption as a national security issue. The memorandum gave the U.S. government 200 days to outline ways of combating corruption-related illicit finance, to take action related to the flow of corruption funds into real estate, and to find new ways to cooperate with foreign partners, noted Rembrandt, who also heads the U.S. delegation to the global AML standard-setting Financial Action Task Force (FATF).

“It’s meant to highlight that combating corruption is a key national priority,鈥� Rembrandt said. 鈥淎nd corruption is a key national security threat because it not only undermines the rule of law, it hurt democracies, it fosters radicalism and it also exacerbated mass migration.” Rembrandt explained that for those individuals who grow up in countries where bribes must be paid to get good grades in school, to get a driver’s license, to succeed in business, there grows a lack of confidence in the government. “That leads to a lack of support for democratic governance, which ultimately hurts us.”

More expected from financial institutions

When ACAMS representative William Grob, who moderated the discussion, asked what message the memorandum intended to send to financial institutions, Rembrandt confirmed that one goal was to enlist greater private sector assistance.

“Yes, in part it’s meant to focus the financial sector’s attention on what more can be done to combat corruption,” Rembrandt said. “I think there’s an expectation that financial institutions will understand the risks related to corruption 鈥� depending on the products and services they offer and the geography of their clientele 鈥� and implications for customer due diligence and enhanced due diligence.鈥� Financial institutions should ask themselves whether they service politically exposed persons (PEPs) or senior foreign political figures, or whether there are types of transaction monitoring programs the institution can put into place based upon their risk.

“For many financial institutions, they’re already doing this, but [the memorandum] is to amplify this for folks both here and abroad,” Rembrandt added.

Government priorities and rulemaking

Rembrandt observed that there also is a greater expectation with regard to “what the U.S. government itself needs to do.” Developing rules that will bring into force the requirements of the Corporate Transparency Act (CTA) 鈥� legislation enacted by Congress on January 1 as part of sweeping AML reforms 鈥� is Treasury’s top priority, he said.

The CTA’s goal is to prevent criminals from using shell companies to anonymously engage in financial transactions tied to illicit activity, allowing them to launder money with virtual impunity. Moving forward to create a registry containing information about the beneficial owners of U.S. legal entities, and finding ways to reduce the laundering of corrupt funds via real estate “are among several issues that we as the federal government need to manage,” he said.

On April 1, Treasury’s Financial Crimes Enforcement Network (FinCEN) took the first step in what will be a months-long rulemaking process to enact the CTA, issuing an Advanced Notice of Proposed Rulemaking that requested public comment. FinCEN is required to issue a final rule implementing the registry by January 1 of next year. Then, the next step will be for FinCEN to issue a Notice of Proposed Rulemaking (NPRM) outlining its implementation plan and once again seeking public comment.

The process is being watched closely by the financial services industry as the final rule could have a significant impact on the customer due diligence (CDD) obligations of banks and other financial institutions.

“When FinCEN publishes the NPRM for beneficial ownership, they, and we, would welcome comments on how the registry would actually work and ultimately how it could be used for CDD purposes, which has some implications for combating corruption,” Rembrandt explained.

Global cooperation sought

He added that working more closely with global partners is a high priority for the Biden administration as “cross-border flows of corrupt proceeds continues to be a very significant issue.”

Indeed, efforts are underway to hold a “summit of democracies” this year that involves inviting dozens of democratic governments to a virtual meeting “to talk concretely what more we can do to combat authoritarianism, human rights abuses, and corruption,” Rembrandt explained.

“Broadly, I think we want to get our own house in order and plug some of the outstanding gaps related to real estate,鈥� he said. 鈥淎nd then we want to figure out how we can offer foreign governments technical assistance in new and improved ways of combating corruption.鈥�

Giving the keynote of the annual Association of Certified Anti-Money Laundering Specialists (ACAMS) conference, Carole House, director for cybersecurity and secure digital innovation with the National Security Council, said it was crucial that financial institutions protect themselves.

“First, defend yourselves. Implement basic cyber-hygiene practices, look at your framework, look at your architecture, and make some decisions about the cybersecurity measures that can be put in place, implementing measures like multi-factor authentication鈥� can really help to defend against cybercrime,” House said, adding that it also is critical that institutions share information with authorities when they become aware of a ransomware attack or related ransom payment.

“Report it to us, fill out your suspicious activity reports (SARs) for cyber-enabled financial crime, and provide as much readily available information that’s relevant to the incident as possible 鈥� specific indicators and other institutions that may be involved,” she said. “All of that information helps the U.S. government build out this broader threat picture and helps us bring accountability to the actors that are behind this.”

Recent multiple ransomware attacks “highlight the urgent need for change” on the part of government, small businesses, critical infrastructure providers, and major corporations, House explained. “All of them have been targets of nation-state and cybercriminal activity.

Security can’t be an afterthought, it has to be incorporated into design of systems upfront.

“For too long the public and private sectors have failed to implement basic cybersecurity hygiene practices and steps to modernize our cybersecurity incident response and defenses,” she explained. “Security can’t be an afterthought, it has to be incorporated into the design of systems upfront.”

Identity verification plays a vital role in stopping cybercrime attacks, House added. “We’ve heard estimates from the industry that the majority of ransomware incidents would have been thwarted simply through implementation of multi-factor authentication.”

Ransomware, which is “inherently an international threat,” involves transnational organized crime and money laundering networks. “The threat continues to escalate in scale and severity,” she said.

Ransomware a ‘money-laundering problem’

During the past several months, ransomware attacks have targeted critical U.S. infrastructure, Irish and French hospitals, a Japanese manufacturing firm, and food processing companies, House noted, adding that such attacks involve criminals who use malware to prevent victims from accessing vital systems and then demanding a ransom be paid 鈥� typically in cryptocurrency 鈥� to allow access.

“The administration recognizes ransomware as a money-laundering problem 鈥� and as a financial crime problem 鈥� so all of you here are partners that we need鈥� to help us in this fight against ransomware and to disrupt the financial ecosystem that supports these criminals,” she said.

House also noted steps that the U.S. Treasury’s Office of Foreign Assets Control (OFAC) took on September 21 to combat ransomware. OFAC blacklisted a cryptocurrency exchange for allegedly enabling illegal payments from ransomware attacks and issued an updated enforcement advisory outlining steps financial institutions and other businesses can take to mitigate sanction risks associated with ransomware payments.

OFAC encouraged “improved cybersecurity across the private sector and increasing incident and ransomware payment reporting to U.S. government agencies, including Treasury and law enforcement authorities,” House said.

In introducing House to the crowd of 2,500 in-person and online ACAMS conference attendees, Kieran Beer, chief analyst and director of editorial content at ACAMS, said cybersecurity “initially was kind of peripheral to what people did in AML departments, but you’re being called in to not only write the SARs, but to figure out what’s happening in general with regard to cybersecurity.”

Katie Ford, deputy associate director of the policy division at the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) said during a subsequent panel at the ACAMS event that FinCEN considers ransomware a top financial crime threat and noted that cybercrime was among the top national identified by the agency earlier this year.

鈥淲e highlighted in particular the threat of ransomware, so this is something we’re very focused on,鈥� Ford said.