About Us | Contact Us | Press Room | Login
In October, the Office of Foreign Assets Control (OFAC) published more targeted guidance for digital asset companies related to compliance with sanctions and best practices for mitigating risks. OFAC's virtual currency guidance is directed at the entire industry, "including technology companies, exchangers, administrators, miners, wallet providers, and users." It aims to "help the virtual currency industry prevent exploitation by sanctioned persons and other illicit actors," according to the press release issued with the guidance. Essentially, the guidance emphasizes that anyone subject to U.S. sanctions laws and regulations must continue to abide by them when engaging with virtual currencies.
The guidance provides several best practices that entities involved in virtual currency activities should follow to remain in compliance and to mitigate penalties in instances of compliance failures. These practices will be familiar to anyone with experience in sanctions compliance best practices applicable to other industries. This said, the document notes, compliance solutions should reflect a risk-based approach and should be tailored to the type of product or business involved, its size and level of sophistication, its clients and counterparties, and the locations it serves. OFAC also expects companies to implement these practices sooner rather than later in the company's existence, before any products and services are released. While there is no single compliance program to suit all scenarios, implementing OFAC's best practices, as follows, can prevent sanctions violations and serve as a mitigating factor should any violations occur: Management Commitment Management should commit to enforcing a culture of compliance throughout the organization from the company's earliest days. OFAC recommends specific actions that management can take to set an appropriate tone from the top, including reviewing and endorsing compliance procedures, allocating adequate resources to compliance, delegating autonomy and authority to the compliance department, and appointing an experienced sanctions compliance officer. Risk Assessment Regular and ongoing risk assessments should be conducted to identify risks associated with sanctions compliance. Activities and relationships associated with foreign jurisdictions or foreign persons should be assessed for their potential to expose a company to sanctioned persons or places. A virtual currency company’s risk assessment process should be tailored to the types of products and services offered and the locations in which such products and services are offered. Appropriately customized risk assessments should reflect a company’s customer or client base, products, services, supply chain, counterparties, transactions, and geographic locations, and may also include evaluating whether counterparties and partners have adequate compliance procedures. Internal Controls Internal controls should be able to "identify, interdict, escalate, report (as appropriate), and maintain records for" prohibited activities. Useful internal controls include sanctions screening, geolocation tools, know your customer ("KYC") procedures, and transaction monitoring and investigation to identify virtual currency addresses and other data associated with sanctioned individuals, entities, or jurisdictions. OFAC includes virtual currency addresses as identifying information for designated persons, so these should be used in screening as well. While OFAC does not require the virtual currency industry to use any particular in-house or third-party software, OFACT states that such software can be a helpful tool for an effective sanctions compliance program. Testing and Auditing Testing and auditing procedures can include ensuring that screening and IP blocking are working effectively. Companies that incorporate a comprehensive, independent, and objective testing or audit function within their sanctions compliance program are equipped to ensure that they are aware of how their programs are performing and what aspects need to be updated, enhanced, or recalibrated to account for a changing risk assessment or sanctions environment. The size and sophistication of a company may determine whether it conducts internal and external audits of its sanctions compliance program. Some best practices for testing and audit procedures in sanctions compliance programs for the virtual currency industry include: sanctions list screening, keyword screening, IP blocking, and investigation an reporting. Training Companies should conduct trainings for relevant employees at least annually. The best practices for the virtual currency industry are not new, nor are they unique to the industry. However, the recent guidance from OFAC indicates that the industry will be a particular focus for enforcement, and companies in the industry should implement these measures as soon as possible to the extent they have not already done so. The scope of a company’s training will be informed by the size, sophistication, and risk profile of the company. OFAC training should be provided to all appropriate employees, including compliance, management, and customer service personnel, and should be conducted on a periodic basis, and, at a minimum, annually. A well-developed OFAC training program will provide job-specific knowledge based on need, communicate the sanctions compliance responsibilities for each employee, and hold employees accountable for meeting training requirements through the use of assessments Remedial measures Where a sanctions violation has occurred, OFAC can consider the remedial measures a company has taken as a mitigating factor in a penalty determination. Remedial measures can include adding and/or strengthening the tools listed above to fill gaps and repair weaknesses in the compliance program. Conclusion OFAC is placing much greater scrutiny on the virtual currency industry. Industry members should be mindful of implementing and maintaining robust compliance measures early and often.
The Agencies (OCC, FRB, FDIC, FCA and NCUA) have recently proposed revisions to the Interagency Questions and Answers Regarding Flood Insurance. The purpose of this proposal is to supplement the July 2020 proposed Q&As which only contained two proposed questions on private flood insurance. These new proposed Q&As are formulated based off questions received by the Agencies regarding private flood insurance rules that went into effect July 1, 2019 and include 24 proposed Q&As on private flood insurance.
In attempts to provide additional clarify on requirements, the proposed Q&As use the term “Act” in reference to the National Flood Insurance Act of 1968 (NFIA) and the Flood Disaster Protection Act of 1973 (FDPA), as well as “Regulation,” to refer to each Agency’s current flood insurance rule. The new proposed Q&As are divided into three main categories regarding private flood insurance:
Mandatory Acceptance Key Takeaways Anytime renewals, or when a borrower presents a new private flood insurance policy regardless of whether a MIRE event occurred (making, increasing, renewing, or extending of a loan), the lender is required to review the policy to determine if it meets the mandatory purchase criteria. If it does not, the lender may still accept the policy if it meets the discretionary acceptance criteria. If a lender has a policy to not originate mortgage loans in nonparticipating communities or coastal barrier regions where NFIP is not available, private flood insurance requirements are not going to require the lender to change its policy. Lenders are not required to accept private flood insurance policies solely because the policy contains the compliance aid assurance clause when the lender reviews it and determines the policy actually does not meet the mandatory acceptance requirements. But that does not alleviate the lender from reviewing a policy that does not contain the compliance aid assurance clause to determine whether it meets the requirements for private flood insurance before rejecting the policy. The policy must contains the compliance aid assurance clause language in the policy or an addendum before the bank accepts without conducting a review. Even if that is true, the lender must still ensure that the coverage is at least equal to the lesser of the outstanding principal balance of the loan or the maximum amount of the coverage available under the Act for the type of property and that other key aspects of the policy are accurate, like the borrower’s name and address. Lastly, if a policy lacks the compliance aid assurance clause, the lender is still free to review the policy to determine if it meets the criteria under discretionary acceptance from the Regulation. But it must still determine, even if the policy does not meet the requirement for discretionary acceptance, whether they are still required to accept under mandatory acceptance. Discretionary Acceptance Key Takeaways Under the discretionary acceptance test, lenders must evaluate the sufficiency of the insurer’s solvency, strength, and ability to satisfy claims under general safety and soundness principles. They may obtain information from a State insurance regulator for the State in which the property is located and rely on licensing and other processes used by the State insurance regulator for such an evaluation. Additionally, if a lender has previously accepted a private flood insurance policy under the discretionary acceptance requirements and that policy is renewed, the lender still must review the policy to ensure it continues to meet the discretionary acceptance requirements. A conclusion to this fact must be documented in writing. General Compliance Key Takeaways There are additional requirements when it comes to mandatory acceptance or discretionary acceptance and deductibles when it comes to coverage amounts exceeding or not exceeding the amount available under the NFIP. Additionally, lenders are not prohibited when using a third party to review private flood insurance policies from charging a fee to the borrower. Disclosure requirements regarding the fee do come into play, however. If a declarations page provides enough information for the lender to make a determine on mandatory or discretionary acceptance, or if the declarations page contains the compliance aid assurance clause, lenders are free to rely on the declarations page to determine if the policy complies with the Regulation but should request additional information about the policy if not able to make that determination. Lastly, servicers must comply with the Regulation as well when determining whether private flood insurance may be accepted under the mandatory or discretionary acceptance provisions if the lender is supervised by the Agencies. Comments for these new proposals are due May 17, 2021. |
Archives
November 2021
Categories |
RSS Feed