27th November 2020

US and Iran Sanctions, SARs in the UK, New Crypto Rules in the US.

The incoming Biden administration considers its options on Iran, annual FinTech SAR volumes surge in the UK, and the US crypto-industry responds to the ‘Travel Rule’.  

We share our financial crime regulatory highlights from the week of 23 November 2020.

Biden’s Options on Iran

A recent statement from European foreign ministers in Berlin has highlighted one of the first major challenges likely to face the incoming Biden administration on 20 January 2020: whether, and how, to return to the Iran Nuclear Deal – the Joint Comprehensive Plan of Action (JCPOA) – originally negotiated by President Obama’s administration in July 2015. 

The representatives of Germany, France and the UK met in Berlin this week to discuss the future of the deal to which they remain signatories, which allows Iran to undertake limited trade, especially in oil and other hydrocarbon products, in return for it restricting its nuclear program. The Trump administration withdrew from the deal in May 2018, reimposing a range of sanctions on Iran, and the foreign ministers expressed hope that the arrival of a Biden presidency will signal a new attitude. 

In the last week, the Iraninan president, Hassan Rouhani, has also expressed his hopes about a possible rapprochement. Speaking at a meeting of his cabinet, the president highlighted positive comments the US president-elect had made about the JCPOA during the election campaign. Rouhani is reported to have said that it “would be easy to solve the country’s problems with the US,” as long as Biden remained true to his rhetoric. 

However, those expecting a swift change in the US sanctions regime towards Iran should remain cautious, despite the optimistic tone from several key players. President-elect Biden did indeed signal his willingness to rejoin the JCPOA on the campaign trail, but on condition that Iran returned to full compliance with the agreement. Since the Trump administration’s withdrawal from the deal, Iran has made several acknowledged breaches of the agreement, including stockpiling enriched uranium and restarting advanced centrifuges that can be used to create the core materials for nuclear weapons. European governments have also condemned these activities, and although they support the deal, have expressed concerns about Iran’s current path. 

While President Rouhani is relatively disposed to accommodation with the West, he has also said that Iran would require compensation for the economic and financial losses Iran has faced due to the reimposition of US sanctions. Facing a re-election battle in June of 2021, Rouhani is seeking to fend off accusations of weakness by more hawkish candidates and appease the more hardline views of the country’s supreme religion leader, Ayatollah Ali Khameni. Khameni recently commented that he did not expect to see “a quick opening from abroad.”

Progress towards a US return to the JCPOA and a lifting of the relevant US sanctions is likely to be slow therefore, and dependent on the outcome of the Iranian presidential election in June. If a hardliner such as former president Mahmoud Ahmadinejad were to win, then the deal will be in serious trouble. Even if Rouhani were to be re-elected, moreover, Iranian demands for compensation are unlikely to be palatable to the US, and the new US administration is unlikely to spend early political capital on pleasing the Iranians. Much likelier is a period of ongoing negotiation in the second half of 2021 before any outcome – positive or otherwise – will be delivered. 

The current state of US-Iran relations suggests that it will be difficult for the incoming Biden administration to take a radically different approach to their predecessors on sanctions, at least initially. The Trump administration has used sanctions as a primary foreign policy tool over the last four years, imposing restrictions on more than 900 entities or individuals, an 80% increase compared to under Obama, according to figures compiled by the Wall Street Journal. 700 of those have been imposed in 2020 alone. 

President-elect Biden has also made it clear that he values sanctions as a tool of foreign policy, especially with regard to the support of democracy and human rights. In the presidential debate on 22 October, he took a strong line on sanctions against North Korea, and he has also criticised President Trump for not taking a harsher approach to China over their treatment of the Uighur people. Sanctions will very much remain on the agenda, with the question being when and where – rather than whether – they are applied. 

For those operating in financial crime risk, therefore, 2021, the inauguration of the new president will necessitate an ongoing emphasis on maintaining compliance with US rules as they stand. However, professionals will also need to keep a close eye on how the situation develops over the coming year, as the shape and emphasis of the US sanctions strategy evolve under new geopolitical imperatives. The key, as ever, will be having effective and flexible scanning and monitoring solutions in place to respond to those changes as they come.

Huge Rise in UK FinTech SAR Volumes

The UK Financial Intelligence Unit (UKFIU) has recently revealed a massive rise in the volume of Suspicious Activity Report (SARs) from Financial Technology (FinTech) firms in their 2020 SAR report. The UKFIU – part of the UK’s National Crime Agency (NCA) – stated that they had received and processed 83,609 SARs from FinTechs in 2019-20 – up 264% from 2018-19. 

This flood of new SARs from the FinTech sector has contributed to an overall annual rise in the numbers of SARs received from 478,437 to 573,085 over the last year, a 20% increase. This is a significant acceleration on figures from 2019, which showed only a 3% rise in overall volumes over the previous year. 

As in the past, the vast majority of SARs – about 75% – have come from banks, with around 20% from other financial and credit institutions, categories which include the FinTech sector. Around 3% came from professions such as accountancy, the law and estate agency and other AML/CFT regulated sectors such as gaming – only one percent more than from non-regulated sectors with no obligations to report. 

The poor returns from the professions will add to ongoing concerns amongst AML/CFT experts that these sectors are still not doing enough to detect and report suspicious activity. This follows recent media reports on AML/CFT failures at online estate agent Purplebricks, as well as the prominence of UK Corporate Service Providers (CSPs) in recently leaked US SARs held by the US FIU, the Financial Crimes Enforcement Network (FinCEN), known as the ‘FinCEN Files’.

The rise in overall SAR figures is likely to be partly related to the impact of the COVID-19 pandemic. Financial crime appears to have risen in incidence, and certainly in public and industry awareness, as a result of proliferating COVID-linked scams and frauds. The pandemic has also led to much closer joint working between the NCA and the financial services providers who participate in the UK’s Joint Money Laundering Intelligence Taskforce (JMLIT), with both sides staffing a public-private Fusion Cell to fight COVID-related crimes. 

Nonetheless, the unique surge in SAR volumes from FinTechs reflects other influences too. The sector has proved resilient in the face of combined public health and economic crises, and has also shown growing levels of financial crime risk awareness and an increasing focus on the ‘professionalisation’ of AML/CFT compliance. Such developments have been further nurtured by cross-industry associations such as the FinTech FinCrime Exchange (FFE), which bring together FinTechs from across the globe to collaborate on best practice in financial crime risk management.

Although this remarkable development is worth celebrating, the key issue for UK FinTechs is ensuring that complacency does not set in, and recent gains in AML/CFT performance are not only retained, but built upon. SAR volume is important, but as Ian Mynot, Head of the UKFIU, told the Financial Times last week, quality remains an issue, with a “tendency to defensive reporting” in many cases. Firms therefore need to have well-calibrated but agile AML/CFT controls and platforms in place to ensure that they are taking a risk-based – and risk-focused – approach.  

US Travel Rule Changes Stir Crypto Concern

This week, a US regulatory consultation into controversial proposals for changes to the ‘Travel Rule’ came to a close. The ‘Travel Rule’ places obligations on financial institutions to share originator and beneficiary information on international payments above a certain threshold, which has been set at  $3,000 since 1995. Now, however, the Federal Reserve, the US central bank, along with FinCEN, would like to see this radically reduced to $250. 

The proposals stress that the changes will cover both fiat currencies and Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs) – in particular, “transactions involving convertible virtual currencies and digital assets with legal tender status”. This would mean those dealing in crypto will need not only to record and share the amount to be transmitted and the date of execution, but the name and address of the originator, and details of the beneficiary’s financial institution, even for relatively small amounts. 

One consequence of this will be a significant increase in the amount of Customer Due Diligence (CDD) data that VASPs based and operating in the US – and especially cryptocurrency exchanges – will be required to maintain. This has led to criticisms from VASPs themselves, who see the lowering of the threshold as an additional compliance cost on a growing, but still fledgling, industry. According to Coin Center, a VA-focused think tank in Washington, D.C. the rule would result in significant direct costs to small and medium-sized VASPs, which would then be passed on to clients.

Cryptocurrency users have also voiced concerns in the consultation. An anonymous contributor commented that the rule undermined the purpose of VAs; “the whole point of Bitcoin is to remain decentralized and unregulated”, they argued, and “by creating rules, laws, and regulations, you are defeating the purpose of its use”. Promoting similar sentiments, a digital civil liberties advocacy group, ‘Fight for the Future’, has encouraged its supporters to submit critical comments to the review, to “stop attacking crypto and our privacy rights,” and has claimed over 3,000 responses so far. 

Other contributors have expressed concerns about rising data security problems for crypto exchanges as they become increasingly attractive targets for hackers. One commented that efforts would need to be made to improve protection of user data, because crypto exchanges “have a track record of bad operational security when it comes to securely storing client information”, a view borne out by a number of successful hacks of customer details from VASPs, including crypto hardware wallet manufacturer Ledger, earlier in 2020.

But it seems unlikely that these comments will deter the US regulatory authorities from preceding with the change. Speaking recently at the V20 VASPs Summit, Carole House, a cyber expert at FinCEN, confirmed that her agency sees changes to the rule as an important way in which to mitigate emerging AML/CFT risks. “Criminals are using smaller value transfers and virtual currencies to facilitate terrorism financing, narcotics trafficking and other illicit activities, like cybercrime,” she told delegates. House explained that lowering data collection thresholds would support the efforts of law enforcement and national security authorities.

House also noted that the US also would need to undertake the changes to remain aligned with the course set by the Financial Action Task Force (FATF), the international standard-setter for AML/CFT.  In June 2019, FATF updated its 40 Recommendations to require all its member states to introduce a Travel Rule for VAs, and speaking at the V20 conference, FATF Executive Secretary David Lewis was supportive of the proposed US changes. “If you want this industry to have a good reputation and to continue to operate out in the open, then it’s the central prerequisite,” he said. “Non-compliance…would be very short-sighted for companies that want to continue to operate in this space.”

The direction of travel for the VA industry – not just in the US but globally –  is thus increasingly clear. Although governments and regulators are keen to see the exploitation of new technologies to support financial inclusion and economic growth, they will not do so at the expense of shared goals around fighting financial crime. VASPs and VA users will have to accept that the ongoing health of the sector will involve increasing ‘normalisation’ of its approach to compliance, and that in these circumstances, robust but cost-effective CDD and other AML/CFT controls will be essential.