White Collar & Corporate Investigations Alert
Financial institutions with anti-money laundering responsibilities under the Bank Secrecy Act (BSA) take note: there’s a new sheriff in town. The Commodity Futures Trading Commission recently finished its fiscal year with three actions against futures industry firms for violations of AML obligations, including its first ever for a violation of CFTC Regulation 42.2. Based on work by its Bank Secrecy Act Task Force, the CFTC alleged violations against Interactive Brokers, A&A Trading, and BitMEX of CFTC Regulation 42.2, which requires futures commission merchants and introducing brokers to comply with the BSA, including by adopting BSA-compliant AML and Know Your Customer (KYC) programs.
The CFTC’s recent entry into AML enforcement began with its August 10, 2020, action against Interactive Brokers, a registered futures commission merchant (FCM), in a coordinated resolution with cases brought against the firm by the SEC and FINRA. The CFTC found that Interactive Brokers failed to maintain adequate AML compliance policies and failed to ensure its employees appropriately supervised customer accounts. The CFTC found that these shortfalls caused Interactive Brokers to miss red flags that, if detected and appropriately escalated, would have alerted it to the fact that at least five of its account holders were subject to regulatory and criminal enforcement actions related to fraudulent trading activity. The CFTC found that Interactive Brokers failed to meet its obligations to monitor account activity and file suspicious activity reports (SARs) when appropriate.
CFTC’s recent foray into AML enforcement has not been limited to registered entities with endemic AML violations involving millions of dollars in undetected fraud; the regulator brought one case involving a single failure to file an SAR, as a follow-on to an action alleging unauthorized trading. In September, the regulator filed and simultaneously settled charges against A&A Trading, Inc., a registered introducing broker, for failing to file an SAR within thirty days of discovering information suggesting that just one of its business partners was engaged in unauthorized trading in customer accounts. The CFTC further found that A&A Trading failed to diligently supervise its employees to ensure that orders accepted from that business partner were authorized by customers. Without admitting or denying the CFTC’s findings and conclusions, A&A Trading agreed to a settlement that included a monetary penalty of $400,000 and disgorgement of $95,329.
Note that in bringing an enforcement action based upon a single failure to file an SAR, the CFTC appears to have acted inconsistently with at least two recent statements by regulators about BSA enforcement (which concededly do not apply directly to the CFTC). On August 13, 2020, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency issued a joint statement in which they stated that they will bring an action for failure to file an SAR if it “evidences a systemic breakdown in its policies, procedures, or processes to identify and research suspicious activity, involves a pattern or practice of noncompliance with the filing requirement, or represents a significant or egregious situation.” Similar, in an August 18, 2020, Statement on Enforcement of the Bank Secrecy Act issued by the Financial Crimes Enforcement Network (FinCEN), FinCEN stated that one factor it considers when evaluating an appropriate disposition of a violation of the BSA is the systemic nature of violations, that is, the number and extent of violations, among other things. A&A Trading’s single failure to file an SAR does not appear to rise to that level.
Rounding out the CFTC’s recent trio of AML enforcement actions is its recent action against BitMEX, one of the largest cryptocurrency exchanges in the world. In a wide-ranging complaint filed on October 1 in the U.S. District Court for the Southern District of New York, the CFTC accused BitMEX’s executive officers and various BitMEX corporate entities of, among other things, illegally operating the exchange as an unregistered FCM, swap execution facility, and designated contract market, as well as failing to implement a BSA-compliant AML program. (For a discussion of the CFTC’s jurisdiction over retail commodity transactions involving virtual currency, see our prior coverage here.) The complaint alleges a litany of violative conduct against the defendants, including deleting customer identification information, failing to establish rules to minimize conflicts of interest, failing to ensure that contracts offered on BitMEX are not readily susceptible to manipulation, and failing to report market participants who engage in misconduct.
BitMEX is also the subject of a criminal AML action. On October 1, the United States Attorney for the Southern District of New York unsealed an indictment charging BitMEX executives with deliberately failing to implement BSA-compliant AML and KYC programs. The indictment charges that by at least September 2015, the defendants began taking affirmative steps to exempt BitMEX from federal AML regulations, including purporting to withdraw BitMEX from the U.S. market and transferring the company’s registration to the Seychelles. However, BitMEX’s executives allegedly continued actively targeting—and profiting off—U.S. customers, while purposely failing to implement controls that would identify and block U.S. customers from the platform. The indictment additionally charges the defendants with willfully refusing to adopt AML and KYC programs and failing to file any SARs reporting known and suspected illegal use of the platform, including by individuals from sanctioned countries such as Iran.
These three CFTC enforcement actions represent no small development in futures regulation. The CFTC has been empowered to require futures commission merchants and introducing brokers to comply with the BSA’s requirements since it enacted Regulation 42.2 in 2003 pursuant to the USA PATRIOT Act. However, the CFTC has not invoked the Regulation in any enforcement action before bringing these three recent cases and appears to have charged and found AML-related violations only once before, as a violation of its supervisory rule, CFTC Rule 166.3. In that case, the regulator filed an enforcement action against 1Pool Ltd., an offshore entity that illegally offered retail commodity transactions that were margined in Bitcoin, under circumstances somewhat similar to those in BitMEX. In resolving the action in March 2019, the CFTC found that even though 1Pool was not registered with the CFTC, it was required to adopt an AML program because it should have been registered as an FCM and Rule 166.3 also applies to any firm “required to be registered with the CFTC.” But the CFTC did not charge or find violations of Regulation 42.2. The CFTC imposed total sanctions and disgorgement of $421,000 in that case and ordered 1Pool Ltd. to refund 93 Bitcoins worth roughly $570,000 to U.S. customers.
With the recent actions, the CFTC appears to have chosen to enter the AML arena in earnest. Its dedicated task force suggests that the regulator has invested resources into pursuing enforcement actions, presumably through examining both registrants’ AML policies and procedures and their implementation. The recent examinations appear to take place through reviewing SARs and investigating whether futures firms whose customers engaged in illegal conduct—such as unauthorized trading—had identified the conduct and filed an SAR to report it.
Although Rule 42.2 applies AML obligations only to FCMs and introducing brokers, the agency has noted that other CFTC registrants also have AML obligations:
However, it should be noted that [commodity pool operators, commodity trading advisors, swap dealers, major swap participants, and retail foreign exchange dealers] have certain AML-related reporting obligations under the existing currency transactions reporting regulations, foreign bank and financial account reporting regulations and international transportation of currency or monetary instrument regulations.
See Anti-Money Laundering, CFTC, https://cftc.gov/IndustryOversight/AntiMoneyLaundering/index.htm (last visited Oct. 14, 2020).
These cases reflect the range of enforcement actions that the CFTC could pursue in enforcing AML requirements. The action against Interactive Brokers is similar to the standard type of action that other regulators such as the SEC or FINRA have been bringing for years—finding systemic failures to implement an AML program that allow potentially illegal conduct to go unreported. The A&A Trading action shows that a registered firm is exposed even if it fails to identify and report a single instance of improper conduct by a customer. And as the action against BitMEX shows, even an unregistered entity can be exposed to the same consequences as a registrant; in this case, the CFTC established that the entity was acting in a registered capacity and leveraged that finding into imposing AML requirements upon the firm that it failed to satisfy.
Thus, futures industry registrants now have an additional reason for complying with the BSA: the real threat of enforcement actions and the accompanying substantial penalties. Firms that have not engaged in a risk assessment in the last year should do so with these developments in mind, immediately take steps to revise their AML compliance policies and procedures as needed, and ensure that they have the adequate systems and personnel in place to implement their programs. In addition, they should pay attention to guidance issued this year by AML regulators FinCEN, FATF, the SEC, FINRA, the OCC and the DOJ, which put firms on notice about their expectations. Those expectations have been impacted by circumstances created by the global pandemic, as discussed here. Attention to their compliance programs now may help firms avoid serious negative consequences.
To receive the latest updates from our team, click here to subscribe to our White Collar mailing list.