Subject to Inquiry

Subject to Inquiry

THE LATEST ON GOVERNMENT INQUIRIES AND ENFORCEMENT ACTIONS

Government Investigations and White Collar Litigation Group
Anti-Money Laundering, FinCEN Guidance, Suspicious Activity Reports

FinCEN Imposes New Reporting Requirements on New York and Miami Real Estate Markets

The dominioFinancial Crimes Enforcement Network (FinCEN) recently announced two geographic targeting orders (GTOs) imposing new reporting and recordkeeping requirements on title insurance companies operating in New York City and Miami-Dade County. The requirements are effective beginning March 1, 2016, and continue in effect until August 27, 2016.

GTOs are temporary measures that FinCEN imposes on businesses when it believes additional reporting or recordkeeping is needed to prevent evasions of the Bank Secrecy Act. They are typically directed at businesses FinCEN believes are at high risk of being used for money laundering. In the past year, FinCEN has issued or renewed GTOs to electronics exporters in South Florida, armored-car services and common carriers transporting currency in parts of Texas and southern California, and check-cashing businesses in South Florida when cashing tax refund checks.

The new GTO requires each title insurance company to file a FinCEN Form 8300, commonly known as a Currency Transaction Report (CTR), within 30 days of an all-cash purchase of real estate worth over $3 million in Manhattan, or over $1 million in Miami-Dade County. More precisely, the CTR filing requirement applies to purchases (i) in Manhattan and Miami; (ii) by a partnership, corporation, LLC or other legal entity; (iii) for a purchase price over the respective threshold amounts; (iv) made without external financing; and (v) where payment is made “using currency or a cashier’s check, a certified check, a traveler’s check, or money order in any form.” These CTRs are due 30 days after closing.

The CTRs must identify not only the purchasing entity, but also any individual who beneficially owns 25 percent or more of the purchasing entity. This includes a requirement that insurers verify the identity and address of the beneficial owner in a manner that satisfies the CTR filing requirement, typically by reference to a driver’s license or passport. A copy of the identifying document must be kept on file.

The GTO also imposes recordkeeping requirements. Title insurers must retain all records relating to compliance with the GTO for five years after it expires. While that is currently August 27, 2016, FinCEN may extend the GTO by further order.

All-cash purchases were previously not subject to CTR or Suspicious Activity Report (SAR) requirements – making the high-end real estate market an attractive vehicle for foreign oligarchs to expatriate their wealth through shell companies, as reported by a 2015 New York Times exposé.

On a practical level, title insurers operating in Miami and Manhattan should ensure that their employees and compliance officers are notified of the GTO and CTR filing requirement and trained about what it requires. And they, along with other participants in the real estate market, should be on the lookout for further extensions of the order by FinCEN. The GTO represents an experimental effort to prevent the U.S. high-end real estate market from being used for money laundering. FinCEN will almost certainly investigate if all-cash purchases fall off as a result of its order (or tick upward sharply before the order takes effect), and how much. Depending on the quality of information gleaned from the CTRs and market data, FinCEN could make the CTR requirement permanent through rulemaking, expand it to other metro areas, modify the amount that triggers a filing requirement, or a combination of these. Since “dirty” money will always be looking for an entry point into the legitimate financial system, we can expect to see more FinCEN regulatory activity directed toward the real estate market in the future as criminals and law enforcement continue their efforts to outwit each other.

Compliance, Export Controls

Iran Sanctions and the Implementation of the JCPOA: Lots of Changes, but Little Impact on U.S. Businesses?

In recExport-Controls-136333535_jpg.jpgent days, the news has been full of stories referring to the “end” or “lifting” of U.S. sanctions against Iran, actions that were taken after the International Atomic Energy Agency confirmed on January 16, 2016, that Iran has met its obligations under the July 14, 2015, Joint Comprehensive Plan of Action (JCPOA) in connection with Iran’s nuclear program. The United States and Iran agreed to a prisoner exchange on the same day, and these actions may represent some thawing of almost 40 years of hostility between the two nations. Yet, notwithstanding the news stories describing the lifting of sanctions, very little has changed for most U.S. businesses.

In fact, some very important sanctions remain, in that the vast majority of transactions with Iran by U.S. persons, including U.S. companies, are prohibited under the general embargo that continues in place. There is little reason to expect further loosening of U.S. sanctions in the near future. Indeed, even as certain U.S. sanctions against Iran “ended,” the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned 11 additional individuals and entities in connection with Iran’s ballistic missile program.

I. U.S. Sanctions Against Iran – What has Changed

The implementation of the JCPOA did include a number of important changes to the U.S. sanctions against Iran. Among other things, the implementation of the JCPOA resulted in the lifting of nuclear-related secondary sanctions against non-U.S. businesses engaged in commerce with Iran’s financial, energy, shipping, metal, and automotive industries. The removal of these sanctions, along with similar moves by other countries, will permit non-U.S. businesses to resume trade with Iran. The U.S. also unblocked hundreds of entities related to these Iranian sectors, thereby allowing them to conduct business around the world (though, as described below, generally not with U.S. persons).

Of most interest to U.S. entities, pursuant to the JCPOA, OFAC has issued General License H, which permits foreign entities owned or controlled by U.S. entities to engage in transactions with Iran that would be otherwise prohibited if engaged in by a U.S. person, as long as such activities do not otherwise violate U.S. law. Thus, foreign subsidiaries of U.S. entities are now lawfully permitted to engage in business with Iran in certain circumstances pursuant to General License H. The same license allows U.S. persons to alter the policies of U.S. entities in order to permit their foreign subsidiaries to pursue business in Iran. These changes could represent a significant opportunity for some foreign subsidiaries of U.S. businesses.

In addition, OFAC has amended its licensing policy with respect to civil passenger aircraft and related parts and services. Under this amended policy, both U.S. and non-U.S. persons will be permitted on a case-by-case basis to export, re-export, sell, lease, or transfer to Iran commercial passenger aircraft for civil use, as well as spare parts, components, and services related to such commercial passenger aircraft. This opening of Iran’s civilian aviation industry could bring significant benefits to the U.S. aviation industry.

Finally, the U.S. will also allow the unlicensed import of Iranian food, including saffron and caviar, and carpets pursuant to the JCPOA. These changes, taken as a whole, are a significant change in U.S. policy toward Iran. They do not, however, represent the end of U.S. sanctions against Iran and, most importantly, do not significantly reduce the compliance risk for U.S. companies concerned about sanctions against Iran.

II. U.S. Sanctions Against Iran – What hasn’t Changed

Critically for U.S. business, and notwithstanding the implementation of the JCPOA, the U.S. government’s trade embargo on Iran remains in place. Iran remains subject to sanctions in connection with its support for terrorism (E.O. 13224), regional destabilization (E.O. 13572, 13582, 13611), human rights abuses (E.O. 13553 and 13628), and ballistic missile development (E.O. 12938 and 13382), and to secondary sanctions under the Specially Designated Nationals List. Accordingly, with only limited exceptions, U.S. persons, including U.S. companies, continue to be broadly prohibited from engaging in transactions with Iran and its government, including the import of Iranian-origin goods and services and the export from the U.S. of goods and services to Iran. Both the Government of Iran and Iranian financial institutions remain persons whose property and interests in property are blocked by U.S. law. And U.S. persons remain generally prohibited from knowingly engaging in conduct intended to evade U.S. restrictions on Iranian dealings. As a result, any engagement with Iran by U.S. businesses remains subject to considerable restrictions, and U.S. businesses must remain cognizant that they are subject to more significant limitations with respect to Iranian business than their European counterparts.

III. U.S. Sanctions Against Iran – What’s Next?

The changes to U.S. sanctions against Iran have not decreased the compliance challenges for U.S. businesses. Moreover, the changes to sanctions may not remain in place for long. There is already considerable political pressure within the U.S. on the Obama administration to be tough on Iran as a result of its ongoing efforts in support of terrorism, regional instability in the Middle East, and missile proliferation. In addition, Iran policy has continued to be a topic of discussion in the U.S. presidential election cycle, and it is possible, depending on the outcome of the election, that a future U.S. administration will seek to undercut the JCPOA. Finally, the JCPOA itself provides that sanctions may “snap back” into place in the event that Iran violates its nuclear activity-related obligations under the agreement. It thus remains to be seen whether the implementation of the JCPOA will have a lasting impact on U.S. sanctions.

CFPB

CFPB Compliance Bulletin Outlines Requirements for Automatic Debit Authorization

On Government-Regulatory-and-Criminal-Investigations.jpgNovember 23, 2015, the Consumer Financial Protection Bureau (CFPB) issued a Compliance Bulletin reminding covered entities of their obligations under the Electronic Fund Transfer Act (EFTA) and Regulation E to obtain consumer authorization before automatically debiting a consumer’s account for preauthorized electronic funds transfers (EFTs). Before issuing the Bulletin, the CFPB observed that some companies had not fully complied with the requirements of the EFTA and Regulation E, and that others may not be certain of how these requirements intersect with the Electronic Signatures in Global and National Commerce Act (E-Sign Act). Despite this uncertainty, the Bulletin emphasizes that the CFPB will take appropriate action against entities that fail to comply with their obligation to obtain consumer authorization.

The Bulletin expressly outlines the requirements under the EFTA and Regulation E for entities that obtain consumer authorizations for preauthorized EFTs. Specifically, Regulation E requires that preauthorized EFTs from a consumer’s account be authorized “only by a writing signed or similarly authenticated by the consumer.” The entity must also provide a copy of the authorization to the consumer. Consumer authorizations can be provided in paper form or electronically, and Regulation E does not prohibit companies from obtaining signed, written authorizations from consumers over the phone if companies comply with the E-Sign Act requirements for electronic records and signatures. This includes the requirement that the electronic record be “inscribed on a tangible medium or . . . stored in an electronic or other medium and [be] retrievable in perceivable form.”

With respect to telephone authorizations, the CFPB noted that Regulation E may be satisfied if the consumer authorized preauthorized EFTs by entering a code into his telephone keypad, or if the company records and retains the consumer’s oral authorization, provided that the consumer intends to sign the record as required by the E-Sign Act. The CFPB concluded that entities do not violate Regulation E merely because they obtained authorizations that were signed or similarly authenticated by the consumer over the telephone.

As for the requirement that companies provide a copy of the authorization, the CFPB expressed concern that companies may be omitting important authorization terms such as the recurring nature of the preauthorized EFTs, or the amount and timing of the payments. The CFPB also noted that, as an alternative to providing a copy of the authorization after its execution, companies can comply with Regulation E before initiating the first automatic debit by providing a consumer with two copies of a preauthorization form and asking the consumer to retain the second copy.

The Bulletin specifically referenced companies engaged in mortgage servicing, student loan servicing, debt collection, and short-term, small-dollar lending. While not expressly outlining violations by entities within those industries, the Bulletin represents a warning to such entities that the CFPB will take appropriate supervisory or enforcement action if they do not comply with the automatic debit authorization requirements.

White Collar Crime

Addressing Adulterated Food Risk

As we enter 2016, adulterated food-related investigations are leading the headlines—and should be leading companies in the food and beverage industry to ask what they can do to prevent and prepare for a potential outbreak on their watch or in their supply chain.

From ice cream to eggs, and melons to Mexican food, a recent spate of significant adulterated food outbreaks and related criminal investigations and prosecutions have highlighted the need for companies at every step of the nation’s food supply to be increasingly vigilant in identifying and mitigating risks relating to food-borne illness.

The Federal Food, Drug & Cosmetic Act (“FD&C Act”) prohibits numerous acts, including introducing or receiving food in interstate commerce that is adulterated or misbranded. Depending on the nature of the violation, the FD&C Act provides for criminal prosecutions, including for misdemeanors (for first time, unintentional violations) and felonies (for repeat or knowing violations). Criminal FD&C Act enforcement has recently resulted in convictions and significant fines for corporations, and sentences of imprisonment for individual executives—including a 28-year sentence for a former CEO in a case where prosecutors were seeking life in prison.

We can expect this trend to continue, both because of the high profile these cases generate, and because of the unique role management has in responding. For individual executives, both the FDA’s Park Doctrine and the Responsible Corporate Officer Doctrine make it possible to prosecute certain executives even “without proof that the corporate official acted with intent or even negligence, and even if such corporate official did not have any actual knowledge of, or participation in, the specific offense.” Combined with DOJ’s renewed focus on high-level individual prosecutions pursuant to the recent guidance of the Yates Memo, revelation of an adulteration or misbranding issue could present the perfect storm for executives caught unprepared.

But there are steps companies in the food and beverage industry can take in advance of a crisis to mitigate the risk one will occur, and to maximize the chances of quickly remediating its effects if it does.

  1. Periodically Assess Your Risk Profile and Compliance Program. Every company in the food and beverage industry should have a robust set of compliance tools and controls designed to identify and address risks related to misbranding and adulteration. Executives and managers at every level of the company should understand what they are, and the company should periodically review them to ensure they are appropriate and effective, well-understood and adequately enforced.
  2. Trust but Verify. It is fine to trust that your employees would never engage in the type of negligence or recklessness that is often the cause of adulteration and misbranding issues, but only if you are taking steps to confirm that belief to be true. This should include regular compliance training that gives employees at all levels the tools and knowledge to understand why compliance matters.
  3. Communicate, Enforce and Support. Employees need to hear from management that compliance matters, and see that message in action through consistent discipline against those who fail to adhere. Only then will they feel supported in making hard decisions to do the right thing, when cutting a corner could save time or money but increase safety risks.
  4. Have a Response Plan. No company sets out to put adulterated or misbranded products on the market, but all must respond when it occurs. Accordingly, most enforcement actions focus less on the fact that an outbreak or other issue has arisen, and more on how the company and its executives responded once they became aware of it. Having a response plan in place, and trusted advisors on call to assist, could mean the difference between weathering a small storm and floundering at sea.
CFPB

FAST Act Drives Long-Awaited Gramm-Leach-Bliley Amendment

IniStock_000004688619Medium1 late 2015, Congress passed the Fixing America’s Surface Transportation Act − a vehicle for an amendment to the Gramm-Leach-Bliley Act (GLBA) meant to eliminate the need for certain companies to provide annual privacy disclosures to consumers.

The amendment, which took effect immediately, eliminates the annual notice requirement for financial institutions that:

  1. do not share consumer nonpublic personal information with nonaffiliated third parties (with some limited exceptions), and
  2. have not changed their policies and practices, with regard to disclosing nonpublic personal information, from the policies and practices disclosed in the most recent annual notice.

This amendment addresses long-held complaints that the GLBA’s previous disclosure requirements were unnecessarily onerous and expensive for some businesses.  In fact, the December 2015 amendment was just the most recent in a number of actions proposed to mitigate the burden and expense that resulted from the GLBA’s annual notice requirements.

In October 2014, the Consumer Financial Protection Bureau (CFPB) amended Regulation P to allow for electronic delivery or posting of annual privacy notices by financial institutions regulated by the CFPB.  The amendment allowed for alternative online delivery of the privacy notice, but only if the financial institution met a lengthy list of requirements.

However, the 2014 CFPB revision likely had limited impact for two reasons.  First, online delivery was permitted only for parties that met a laundry list of requirements, which may have been infeasible or impossible for certain financial institutions.  Second, the revision applied only to entities subject to GLBA regulations issued by the CFPB − not those regulated by the Federal Trade Commission (FTC), the Securities and Exchange Commission, or the Commodities Futures Trading Commission.

In June 2015, the FTC proposed to amend its own GLBA rules, which apply specifically to motor vehicle dealers.  Like the earlier CFPB amendment, the FTC proposal would have permitted certain motor vehicle dealers to notify customers that the annual privacy policy was available electronically, on the dealer’s website.

Unlike the CFPB and FTC actions, the most recent congressional amendment applies equally to all entities regulated by the GLBA, regardless of the regulator.  Regulation S-P and Regulation P will likely be amended by the SEC and the CFPB, respectively, to correspond to the congressional amendment.

Accountants Defense, Accounting Defendants, Compliance, PCAOB

PCAOB Adopts Audit Engagement Partner Disclosure

On December 15, 2015, the Public Company Accounting Oversight Board (PCAOB) continued its pursuit of providing investors with improved audit transparency and audit accountability by adopting new rules requiring auditors to disclose:

  • the name of the engagement partner;
  • the name, location and extent of participation of any other accounting firm participating in the audit whose work constituted at least 5 percent of total audit hours; and
  • the number and aggregate extent of participation of other accounting firms participating in the audit whose individual participation was less than 5 percent of total audit hours.

The goal of these new rules, as stated by PCAOB Chairman James R. Doty, is to “protect investors from poor auditing, and promote their interest in more informative, accurate and independent audit reports.”

The final rule requires the filing of Form AP, Auditor Reporting of Certain Audit Participants. Auditing firms will be required to file this form for each audit, and the filing deadline for Form AP will be 35 days after the date the auditor’s report is first included in a document filed with the Securities and Exchange Commission (SEC). For any initial public offerings, the filing deadline for the Form AP will be 10 days after the auditor’s report is first included in a document filed with the SEC. The information gathered from Form APs will be made available in a single, searchable database and will provide, as Chairman Doty stated, “investors and other financial statement users with the information they have continued to request.”

How did we get here? Back in 2008, the Treasury Department’s Advisory Committee on the Auditing Profession recommended that engagement partners be required to sign their audit reports. With this recommendation, the PCAOB became engaged in what it described as “extensive research” on the topic, including considering public concerns over four comment periods, and weighing comments from members of its own Standing Advisory Group and Investor Advisory Group. There were concerns from the accounting industry and others about what Chairman Doty described as the “unintended consequences of such a disclosure in the auditor’s report,” such as potential liability under federal securities laws and practical concerns surrounding the need to obtain consents for identified parties in connection with registered securities offerings. The PCAOB understood these concerns, but also recognized that disclosure both creates better-informed investors and increases auditor accountability.

Since the new rule does not require such disclosures on the auditor’s report (this is a voluntary option), the separate and required Form AP is likely the necessary compromise between the industry and the regulator. The PCAOB believes that disclosure on Form AP should not raise potential liability concerns under Section 11 of the Securities Act or trigger the consent requirement of Section 7 because the engagement partner and other accounting firms would not be named in a registration statement or in any document incorporated by reference. The PCAOB also stressed limited risk of potential liability under Exchange Act Section 10(b) and Rule 10b-5 under the Form AP approach, noting its goal is not to expose auditors to additional liability. But the board believes requiring disclosure is appropriate because the ability of engagement partners to promote a quality audit is of “singular importance to the ultimate reliability of the audit” and making this information available on Form APs, accessible in a searchable database, will allow the investing public to make better-informed decisions.

So far, as least publicly, the audit profession has not demonstrated much reaction to the announcement. The Center for Audit Quality (CAQ), an autonomous nonprofit group affiliated with the American Institute of CPAs (AICPA), expressed its support of the rule. CAQ Executive Director Cindy Fornelli stated in a recent news release in relation to the adoption of the Form A, “The board should be commended for its responsiveness to concerns raised by a variety of stakeholders.”

The SEC has final approval authority over the new rules and, with industry support and the reporting compromise in place, is likely to approve the adoption. Once approved, the disclosure requirement for engagement partners will be effective for auditor’s reports issued on or after January 31, 2017, or three months after SEC approval, whichever is later. Regarding the disclosure of other audit firms participating in the audit, the requirement will be effective for reports issued on or after June 30, 2017.

Broker-Dealer Defendants, SEC, Securities Litigation, Uncategorized

Variable Annuities Are Retirement Investment Product of Interest in SEC’s 2016 Examination Priorities

As we discussed yesterday, thLamp and looking glass #24e Securities and Exchange Commission’s (SEC’s) Office of Compliance Inspections and Examinations (OCIE) released its examination priorities for 2016 on January 11 (the “Examination Priorities”). Retirement investments continue to be an area of focus for OCIE as we march into the new year. Digging deeper into this area, OCIE identified variable annuities as a retirement product warranting special attention.

Variable annuities have become a popular component of retirement plans. Retirement investors are attracted to variable annuities because many variable annuities offer guaranteed income for life. The popularity and prominence of variable annuities have grown as employers have moved away from defined benefit plans toward defined contribution plans, a point highlighted by OCIE in its Examination Priorities. OCIE cited statistics showing that investors have twice as much money invested in defined contribution plans, as they do in defined benefit plans. Variable annuities often fill the gap created by the decline in defined benefit plans and provide peace of mind to investors that they will not outlive their retirement savings.

The shift toward defined contribution plans, and the attendant emergence of variable annuities, means that investors now bear more risk than ever when investing for their retirement. OCIE noted in its Examination Priorities that “the financial services industry is offering a broad array of information, advice, products, and services to retail investors to help them plan for, and live in, their retirement years.” OCIE plans to implement initiatives to assess the risks that variable annuities pose to investors. OCIE stated that it would assess three facets of variable annuities: (1) the suitability of sales to investors, (2) the adequacy of disclosures and (3) the supervision of variable annuity sales.

OCIE’s ReTIRE initiative, rolled out in July 2015, provides further insight into what OCIE may look for when conducting examinations of registrants selling variable annuities. The ReTIRE initiative focuses on the reasonable basis for recommendations, conflicts of interest, supervision and compliance controls, and marketing and disclosure practices. Registrants that sell variable annuities should therefore be prepared to provide information and respond to inquiries regarding, inter alia:

  • the process for recommending variable annuities to customers;
  • the due diligence performed around investment options;
  • compensation provided to incent representatives to recommend variable annuities;
  • implementation and compliance with controls, oversight and supervisory policies regarding the sale of variable annuities; and
  • the content and accuracy of marketing materials.

When OCIE rolled out the ReTIRE initiative, it encouraged registrants “to reflect upon their own practices, policies, and procedures in these areas to promote improvements in their supervisory, oversight, and compliance programs, as deemed appropriate.” In light of OCIE including variable annuities in its 2016 Examination Priorities, registrants that offer variable annuities should pay special heed to this advice.

Registrants that offer variable annuities and are subject to FINRA oversight should also be aware that FINRA made sales practices of variable annuities an examination priority in 2015. OCIE’s focus mirrors FINRA’s from last year. Just as OCIE has in its 2016 Examination Priorities, FINRA focused on “compensation structures that may improperly incent the sale of variable annuities, the suitability of recommendations, statements made by registered representatives about these products and the adequacy of disclosures made about material features of variable annuities.”

Compliance, Financial Regulation, SEC

SEC Provides Guidance on 2016 Examination Areas of Focus

On Monday, January 11, 2016, the Securities and Exchange Commission (SEC) announced its Office of Compliance Inspections and Examinations’ (OCIE) areas of focus for 2016, which include:

  • protecting retail investors and investors for retirement;
  • assessing issues related to market-wide risks; and
  • use of its ability to analyze data to identify and examine registrants that may be engaged in illegal activity.

The areas of focus include a few new priorities for 2016, including “liquidity controls, public pension advisers, product promotion, and two popular investment products – exchange-traded funds and variable annuities.” There is also a continued focus on “protecting investors in ongoing risk areas such as cybersecurity, microcap fraud, fee selection, and reverse churning.”

Retail and Retirement Investor Area

OCIE will undertake examinations to review exchange-traded funds (ETFs) and ETF trading practices, variable annuity recommendations and disclosure, and potential conflicts and risks involving advisers to public pension funds.

Market-Wide Risks Area

OCIE will focus on cybersecurity controls at broker-dealers and investment advisers. The evaluation of broker-dealers’ and investment advisers’ liquidity risk management practices, and firms’ compliance with the SEC’s Regulation Systems Compliance and Integrity (Regulation SCI) will also be areas of focus.

Data Analytics Area

OCIE will use data analytics to assess anti-money laundering compliance, detect microcap fraud, and review for excessive trading. Data analytics will also be used during examinations focused on promotion of new, complex, and high-risk products.

OCIE also expects to allocate resources to focus on municipal advisors, private placements, private fund advisers, transfer agents, and never-before-examined investment advisers and companies in 2016. Of course, these areas of focus are subject to change throughout the year as new issues arise.

SEC Chair Mary Jo White stated, “These new areas of focus are extremely important to investors and financial institutions across the spectrum,” and “through information sharing and conducting comprehensive examinations, OCIE continues to promote compliance with the federal securities laws to better protect investors and our markets.”

OCIE releases this information in the interest of transparency within the industry. OCIE Director Marc Wyatt stated, “We hope that registrants will use this information to inform the evaluation of their own compliance programs in these key areas.”

As Subject to Inquiry readers already know, it is important to have internal compliance programs that are communicated and followed throughout the organization. It is equally important to have internal compliance programs evaluated regularly. The release of this information by OCIE is an opportunity for companies to take a fresh look at their internal compliance programs and update as necessary.

White Collar Crime

STEALING BASES OKAY; STEALING DATA NOT SO MUCH

87790287_jpgOn January 8, 2016, Christopher Correa, the former director of Baseball Development for the St. Louis Cardinals, pleaded guilty to each count of a five-count criminal information, charging him with felony violations of unauthorized access to a protected computer, in violation of various sections of Title 18, United States Code, Section 1030.

As part of his written plea agreement with the United States Attorney’s Office for the Southern District of Texas in Houston, Mr. Correa acknowledged that from about March 2013 through March 2014, he accessed the computers of two former Cardinals employees who had subsequently gone to work for the Houston Astros.

Specifically, Mr. Correa admitted accessing one of the individuals’ email accounts, and also accessing the Astros’ online database known as Ground Control, which housed confidential data, such as scouting reports, statistics and contract information. In order to gain access to the information of one of the former employees, Mr. Correa used a variation of the password that the employee used on his Cardinals laptop while he was a Cardinals employee.

Among the information unlawfully accessed by Mr. Correa were:

  • statistics and notes on the recent performance and injuries of top scouting prospects;
  • lists of scouting prospects in order of desirability, including recommended player bonuses;
  • summaries of college pitchers and hitters;
  • notes of Astros’ trade discussions with other teams; and
  • reports about players in the Astros’ minor league system.

While the statute carries a maximum penalty of five years’ imprisonment and a $250,000 fine, Mr. Correa’s sentence will be determined by the court after its review of the United States Sentencing Guidelines. Components of that calculation include the amount of any intended monetary loss to the victim of the offense and the method by which the offense was committed. Mr. Correa and the government agreed that the intended loss was $1.7 million, and that he used sophisticated means to hide his identity, location and type of device he was using to carry out the crime. Mr. Correa also agreed to pay the Astros $279,000 in restitution for the amount the team actually lost as the result of his actions.

While the court has the authority and discretion to sentence Mr. Correa to the maximum penalty, the advisory range of incarceration under the Sentencing Guidelines will likely be 37-46 months, in addition to any restitution and fine the court may impose.

Mr. Correa’s sentencing is set for April 11, 2016.

Anti-Money Laundering, Corporate Compliance, Enforcement Actions, Financial Crimes, Financial Regulation

FinCEN Announces First Card Club AML Enforcement Action

Just in dominiotime for Christmas, the Financial Crimes Enforcement Network (FinCEN), the financial industry (including casinos and card clubs) regulator, announced its first-ever enforcement action against a card club, California’s Oaks Card Club (Oaks).

The enforcement action, which carried a penalty of $650,000, is the latest in a string of actions against gaming enterprises and is yet another reminder of the importance of implementing and maintaining an effective anti-money laundering (AML) compliance program. As FinCEN has demonstrated time and again, a failure to do so will result in often substantial penalties and enhanced regulator supervision. Also, in keeping with FinCEN policy, resolution through a consent order will require an admission to a willful violation of the Bank Secrecy Act (BSA).

In this case, FinCEN found (and Oaks agreed) that Oaks willfully violated the BSA in the following ways:

Failure to update AML policies and procedures. The Oaks compliance manual had not been updated between June 10, 2005, and 2011. As a result, the manual in place had “numerous inaccuracies and misstatements.” Among other concerns, the manual contained the following “problematic” advice: Employees should ask customers approaching the currency transaction report (CTR) threshold whether they were aware of Oaks’ responsibility to report transactions to the IRS, thus suggesting customers should structure transactions.

Failure to conduct independent testing. Though required by the AML regulations in Title 31, prior to March 2011 Oaks had not performed an independent test of its AML program.

Ineffective training. Oaks did not adequately train its employees in BSA / AML obligations. FinCEN highlighted that the training Oaks did provide did not include identification of unusual or suspicious transactions, or the obligation to report them.

Failure to File SARs. Finally, FinCEN observed that despite ample public information of “extensive criminal activity” occurring on premises, Oaks “failed to file a single suspicious activity report” before it was raided by state and federal law enforcement in March 2011.

Given the stipulated facts, this enforcement action is unsurprising. Over the past two years, FinCEN’s oversight of gaming operations has demonstrated that Title 31 compliance must command the attention of senior management. If any doubts exist as to the effectiveness of the AML compliance program, the gaming operation should seek, as Title 31 compels, a competent independent assessment of the program to confirm its effectiveness or obtain recommendations for improvements to become compliant.