US Prosecutors Target Foreign Bank Records in North Korean Cyber Hunt

US authorities may be signalling their intent to increasingly leverage the USA PATRIOT Act to gain access to foreign bank records in North Korea sanctions investigations, says Nick Turner at Steptoe & Johnson.

Headlines about Kim Jung Un’s absence from the public sphere drew attention away from other important North Korea developments in recent weeks. Among them was the publication of a UN Panel of Experts report, in April 2020, chock full of examples of sanctions evasion facilitated by nationals of UN member states.

Another was a guidance document published on 15 April 2020 by the US Departments of State, Treasury, and Homeland Security, and the Federal Bureau of Investigation on North Korean cyber threats that “pose a significant threat to the integrity and stability of the international financial system.”

Tucked away at the end of the document was a reference to the US government’s power to subpoena records of non-US banks held overseas in relation to transactions through US correspondent accounts. Introduced in Section 319(b) of the USA PATRIOT Act, in 2001, and codified at 31 U.S.C.§ 5318(k), this authorisation to demand foreign records—upheld by a US federal court last year—could power a fresh wave of US sanctions investigations in Asia.

Here are some points for financial institutions to keep in mind.

North Korea Cyber Threats

The joint guidance highlights five major cyber attacks attributed to North Korea by the US government since 2014, including the theft of USD 81 million from the Bangladesh Bank in February 2016 and the theft of USD 250 million worth of digital currency from a non-US digital currency exchange in April 2018. In the latter case, the DOJ (US Department of Justice) indicted two Chinese nationals, in March 2020, for helping to launder funds in connection with the digital currency heist.

On the same day, OFAC (the US Office of Foreign Assets Control) added the individuals to the SDN List (the List of Specially Designated Nationals and Blocked Persons), freezing their property under US jurisdiction and effectively cutting them off from the US financial system.

The guidance offers several suggestions for countering cyber-enabled threats from North Korea, including strengthening AML/CTF (anti-money laundering and counter-terrorist financing) and CPF (counter-proliferation financing) compliance measures. This includes encouraging financial institutions to “give special attention to business relationships and transactions” involving North Korea and regulating and supervising digital asset service providers in line with standards released by the FATF (the Financial Action Task Force) in June 2019.

According to the guidance document, the US government is “particularly concerned” about digital asset service providers offering anonymous services without effective AML/CTF or CPF controls.

Overseas Records

Consider the following hypothetical scenario.

A cryptocurrency exchange based in Asia suffers a major security breach, losing several million dollars’ worth of customers’ digital currency, which is promptly transferred to digital wallets held by other providers. After several weeks of transactions between seemingly unrelated accounts, meant to disguise the origin of the stolen assets, the currency is eventually consolidated into a single account at an exchange where it is traded for US dollars. The dollars are deposited into a bank account in Hong Kong, with a portion immediately transferred to a deposit account at a bank in Dubai via a correspondent account held at the Hong Kong bank’s New York affiliate.

The laundered funds are then used to purchase luxury goods that are shipped to Southeast Asia before being transferred to a vessel bound for a port near the North Korean border.

After an investigation, the U.S. government determines that the cyber heist was orchestrated by a hacking group linked to the North Korean government. The luxury goods that were shipped from Dubai were ultimately destined for North Korea in breach of UN Security Council sanctions.

Soon after, both the Hong Kong and Dubai banks receive subpoenas from the DOJ via their registered agents in the United States for records related to the accounts of the originator and beneficiary of the USD wire transfer that passed through the Hong Kong bank’s affiliate in New York. Those records are held in Hong Kong and Dubai, respectively.

Are the Hong Kong and Dubai banks obliged to respond to the US subpoena? Yes, they probably are.

In a well-publicised decision in August 2019, the DC Circuit Court of Appeals upheld a lower court decision affirming the US government’s power under Section 319(b) to subpoena records from three Chinese banks concerning a North Korean front company with accounts in Hong Kong. (Two of the banks had submitted to US jurisdiction by opening branches in the United States; the other maintained a US correspondent account, which was subject to Section 319(b).)

Provided the records sought are “related to” activity in a US correspondent account, either the DOJ or Treasury Department can subpoena those records as part of an investigation into money laundering or other crimes. Banks that fail to respond risk losing their US correspondent accounts.

In the case of our hypothetical Hong Kong and Dubai banks, US investigators may be interested in the identities of their customers, their counterparties, or their beneficial owners, as well as sources of funds and other information that may help unravel a network of sanctions evaders.

Implications for Non-US Banks

Section 319(b) is by no means limited to North Korea. In the nearly twenty years since the PATRIOT Act’s adoption, US prosecutors have used Section 319(b) to facilitate investigations into a wide range of foreign activity related to transactions that have passed through the US financial system. However, last year’s DC Circuit decision put a spotlight on how the US government can use Section 319(b) as leverage to gain access to foreign records, despite resistance from foreign banks or their governments.

By linking this power to North Korean cyber threats, in particular, US authorities may be signalling their intention to aggressively investigate overseas activities that touch on the US financial system, even tangentially, especially in cases involving state-sponsored hacking, theft of digital assets, and unregulated digital currency markets.

What are the takeaways for banks in Asia?

First, ensure there is a process and a clear line of communication between US-based branches or registered agents and non-US offices for assessing, gathering information about, and responding to, US law enforcement requests, with the assistance of in-house or external legal counsel. Keep in mind that some, like Section 319(b) subpoenas, have strict deadlines.

Second, think about incorporating cyber-related risks into institutional AML/CTF and sanctions risk assessments. For example, consider how transactions with digital currency exchanges or their customers may heighten money laundering and sanctions risks and how to mitigate those risks. In particular, consider exposure to the US financial system, including the use of US correspondent accounts subject to 319(b).

Third, don’t be caught unawares. Effective customer due diligence and monitoring is one way to avoid onboarding customers who engage in illicit activity in the first place. For example, the DOJ noted that accounts used to launder proceeds from the April 2018 digital currency heist received no incoming deposits in the months prior to the theft. Sudden, large transactions in dormant accounts is a classic money laundering red flag.

As for digital asset service providers, there’s no time like the present to institute an effective AML/CTF and sanctions compliance program. Many jurisdictions have instituted or are moving toward regulations for digital assets in line with the FATF standards. Meanwhile, US investigators are increasingly focused on the intersections between the traditional and digital financial systems.

Nick Turner is Of Counsel at Steptoe & Johnson in Hong Kong, where he specialises in economic sanctions, international regulation and compliance.  He is a Certified Anti-Money Laundering Specialist (CAMS). Nick also publishes a weekly summary of sanctions news and commentary on LinkedIn and Medium. The views expressed are his own and do not constitute legal advice.

To Top
Share via
Copy link
Powered by Social Snap