FINRA March fines summary  

FINRA has published its latest disciplinary summary for March 2023 covering a range of enforcement actions. Amongst those mentioned for violations are UBS Securities, Deloitte Corporate Finance and Nomura Securities. 

HKMA CEO outlines risk approach to asset management   

In a statement, Eddie Yue noted that, for the asset management sector, “the most important requirements are those aimed at investor protection and safeguarding our financial system from being exploited by fraudsters and other criminals.” He added that these requirements should not impose delay on business however, and highlighted three areas where the HKMA will be taking further steps to assist business practice: 

• Account opening and customer due diligence. 
• Selling of investment products Selling of investment products. 
• Sophisticated high-net worth investors. 

HKMA consults on Banking (Exposure Limits) Rules (BELR) and the Banking (Capital) Rules (BCR) 

The Executive Director of Banking Policy, Daryl Ho, has written to the Hong Kong Association of Banks and the DTC Association seeking their views on amendments which are being proposed largely as a consequence of the concurrent proposed amendments to the BCR for the implementation of the Basel III final reform package. 

In a statement published on the SEC website, Chief Accountant Paul Munter highlighted “shortcomings related to the lead auditor’s performance of its responsibilities in planning, supervising, and evaluating the work performed by other auditors, including in engagements involving the use of network-member other auditors”. He also noted the importance of quality control when lead auditors engage other firms stating: “we remind all auditors, regardless of their role as either lead or other auditor, of the importance of the proper design and application of quality control policies and procedures to sufficiently reduce the risks to audit quality that are inherent in audits involving other auditors. For lead auditors, an appropriately designed quality control system should include critical incremental quality control policies and procedures such that the lead auditor consistently meets its supervision and review requirements over the other auditors.” 

The Securities and Exchange Commission has announced proposed amendments to Regulation S-P that would enhance the protection of customer information by, among other things, requiring broker-dealers, investment companies, registered investment advisers, and transfer agents to provide notice to individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm. 

“Though Regulation S-P currently requires covered firms to notify customers about how they use their financial information, these firms have no requirement to notify customers about breaches,” said SEC Chair Gary Gensler. “I think we should close this gap. Thus, under our proposal, covered firms would be required to notify customers of breaches that might put their personal financial data at risk. I believe that these amendments, if adopted, would help customers maintain their privacy and protect themselves.” 

Regulation S-P requires registered firms to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” 

The Association for Financial Markets in Europe (AFME) has published its responses to the European Banking Authority (EBA) consultation paper on its draft Guidelines on the overall recovery capacity (ORC) in recovery planning. The consultation’s deadline was 14th March 2023. The objective of the ORC is to provide a summary of the overall capability of an institution to restore its financial position after a significant deterioration by implementing suitable recovery options. AFME note in their response: “The most problematic part is the new regulatory assessment and rating of the ORC: the ORC score assessments and benefits are not clear at this stage and we urge caution to inclusion in the Supervisory Review and Evaluation Process assessment given ORC assessments must be tailored to each banks specific profile, is highly dependent on the scenario chosen, and therefore is inherently not conducive to comparison or benchmarking.” 

The Justice Department has closed ChipMixer, a darknet cryptocurrency “mixing” service responsible for laundering more than $3 billion worth of cryptocurrency since 2017. Ransomware, darknet market, fraud, cryptocurrency heists and other hacking schemes are amongst the crimes with which it was allegedly involved.  The operation involved US federal law enforcement’s court-authorized seizure of two domains that directed users to the ChipMixer service and one Github account, as well as the German Federal Criminal Police’s (the Bundeskriminalamt) seizure of the ChipMixer back-end servers and more than $46 million in cryptocurrency 

As alleged in the complaint, ChipMixer attracted a significant criminal clientele and became indispensable in obfuscating and laundering funds from multiple criminal schemes.  Between August 2017 and March 2023, ChipMixer processed: 

• $17 million in bitcoin for criminals connected to approximately 37 ransomware strains, including Sodinokibi, Mamba and Suncrypt; 
• Over $700 million in bitcoin associated with wallets designated as stolen funds, including those related to heists by North Korean cyber actors from Axie Infinity’s Ronin Bridge and Harmony’s Horizon Bridge in 2022 and 2020, respectively; 
• More than $200 million in bitcoin associated either directly or through intermediaries with darknet markets, including more than $60 million in bitcoin processed on behalf of customers of Hydra Market, the largest and longest running darknet market in the world until its April 2022 shutdown by U.S. and German law enforcement; 
• More than $35 million in bitcoin associated either directly or through intermediaries with “fraud shops,” which are used by criminals to buy and sell stolen credit cards, hacked account credentials and data stolen through network intrusions; and 
• Bitcoin used by the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center, military unit 26165 (aka APT 28) to purchase infrastructure for the Drovorub malware, which was first disclosed in a joint cybersecurity advisory released by the FBI and National Security Agency in August 2020.