OFAC encourages any individual or entity who may have violated US sanctions regulations to self-disclose apparent violations. Voluntary self-disclosures must include or to be submitted as a follow through within a reasonable period of time, which sufficiently provides a complete understanding of circumstances of the apparent violation/s.
OFAC requires covered persons or entities to fully comply with reporting obligations on blocked or unblocked property and rejected transactions. The initial reporting is required within 10 business days of the action or occurrence date with an Annual Report of Blocked Property (ARBP) to be filed by September 30.
OFAC SANCTIONS EXPORT CONTROLS | US
Any business entity that becomes aware of a potentially willful violation of export control laws, sanctions laws, or related criminal statutes on money laundering, fraud, or false statements must disclose the discovery to DOJ’s National Security Division’s Counterintelligence and Export Control Section.
AML AND SANCTIONS PROGRAMS
PART 504 CERTIFICATION | NEW YORK
All NYS DFS Covered Entities must establish and maintain transaction monitoring and OFAC sanctions watchlist filtering programs and are required to annually certify compliance by April 15 with Part 504.
CYBERSECURITY PROGRAM
PART 500 CERTIFICATION | NEW YORK
All NYS DFS Covered Entities must establish and maintain a cybersecurity program and, absent an exemption, are required to annually certify material compliance or an acknowledgement of noncompliance by April 15 with Part 500.
CYBERSECURITY INCIDENT
PART 500 | NEW YORK
All NYS DFS Covered Entities are required under Part 500 to report the occurrence of a cybersecurity event as soon as possible, but no later than 72 hours. NYS DFS will actively follow up on reported incidents.
CYBERSECURITY INCIDENT | TEXAS
Texas Department of Banking (TX DOB) requires regulated entities, including MSBs, to report any significant cybersecurity or computer-security related incidents, as soon as possible, but no later than 15 days, and prior to consumer notification.
MONEY SERVICES BUSINESSES | US
The Bank Secrecy Act (BSA) requires a MSB performing certain services to register with Financial Crimes Enforcement Network (FinCEN). The owner or controlling person of the MSB must initially register with the FinCEN within 180 days after the MSB establishment date.
MONEY TRANSMITTER LICENSING | US
All US state-licensed money transmitters are required to complete the MSB Call Report, which includes national and state-level MSB financial and transactional data submitted on a quarterly and annual basis through NMLS.
MONEY TRANSMITTER LICENSING | US
Companies with state licenses managed through NMLS are required to renew their licenses on an annual basis. The NMLS renewal period is from November 1 until December 31. However, state agencies may impose different submission deadlines.
CALIFORNIA FINANCING LAW | CALIFORNIA
The California Financing Law (CFL) requires all licensees under its regulation to file an annual report (CFL Annual Report) with the California Department of Financial Protection and Innovation (DFPI) on or before March 15 of the following year, even if no business was conducted.
FOREIGN BANK & FINANCIAL ACCOUNTS | US
The BSA requires any US person who have financial interest in or signature authority over foreign accounts exceeding an aggregate value of $10,000 to annually file a Report of Foreign Bank and Financial Accounts (FBAR) on or before April 15 of the following year, absent an exemption.
The Corporate Transparency Act (CTA) requires certain US companies to report beneficial owner information to FinCEN. As of March 21, 2025, FinCEN issued an Interim Final Rule (IFR), which redefined “reporting companies” and exempts US companies and persons from reporting requirements. BOI reporting remains applicable to foreign entities.
MONEY SERVICES BUSINESSES | CANADA
The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) requires reporting entity sectors, including MSBs, to comply with electronic funds transfer (EFT) reporting requirements. The MSB must submit an EFTR within five (5) business days after a transfer is initiated or received.
PAYMENT SERVICE PROVIDER | CANADA
The Canada Retail Payment Activities Act (RPAA) is for a payment service provider (PSP) to register with the Bank of Canada (the Bank) at least 60 days before retail payment activities are intended to be performed. If a registration application is submitted outside the 60-day window, a PSP will not be allowed to operate as a PSP until 60 days after the submission date.
All entities or individual in Australia that send or receive instructions to transfer money internationally must submit an International Funds Transfer Instruction (IFTI) report to the Australian Transaction Reports and Analysis Centre (AUSTRAC) within 10 business days.
All AUSTRAC reporting entities that provide designated services or those about to provide one are obliged to submit Suspicious Matter Reports (SMRs) within 24 hours if the suspicion is related to terrorism financing or within 3 business days if the suspicion is related to other matters such as money laundering.
The AUSTRAC Compliance Report is a required annual self-assessment under Australia’s AML/CTF Act. Entities that provide designated services such as banks, remittance providers, and digital currency exchanges must submit the Report between 1 January and 31 March each year.
RISK | STRATEGY | CYBER COMPLIANCE MANAGEMENT
