Can a Failed Privacy Program Lead to Fentanyl Trafficking or OFAC Violations?

/ Andrea Perez / Allison Spagnolo CIPP July 30, 2024

In July 2024, the Federal Bureau of Investigation and Department of Treasury’s Financial Crime Enforcement Network and Office of Foreign Assets Control (OFAC) released a joint notice discussing how Mexican-based Transnational Criminal Organization (TCOs) facilitate timeshare fraud to diversify revenue and finance other illicit operations to include fentanyl trafficking.[1]  Between 2019 and 2023, there were 6,000 reported U.S. victims of timeshare fraud who lost an aggregate amount of almost $300 million.  The notice discusses the methodology utilized by TCOs to conduct timeshare fraud, the transfer of funds to Mexico, red flags for financial institutions to incorporate into their Bank Secrecy Act and Anti-Money Laundering programs as well as the importance of financial institution reporting obligations.  With these revelations, the timeshare industry and hospitality industry as a whole should consider reviewing their privacy program frameworks to mitigate civil, criminal litigation and possibly OFAC risk.

Hospitality Industry, Timeshare Fraud and TCOs

Unlike the heavily regulated residential real-estate market, which strives to put the consumers best interest first, the timeshare industry has less regulatory oversight. This makes the market, for both sellers and buyers, a breeding ground for predatory, unfair, and illicit transactions. Although timeshare ownership often includes a stake in a physical property such as a house, apartment, condominium, or resort; it is typically only for a fraction of the property. This structure does not allow a lender to place a lien on said property. This does not mean there is zero oversight. The county, state, or other locality jurisdiction where the property is located is primarily responsible for ensuring the brokers or agents involved in selling and marketing timeshares are properly licensed.  There are several companies that deal exclusively in timeshare rentals, these include several international companies that operate hotels, residences, timeshares and other lodging properties.

Mexican-based TCOs would not be able to conduct timeshare fraud without conspiring with certain timeshare employees.  Specifically, TCOs obtain Personally Identifiable Information (PII) about U.S. owners of timeshares in Mexico from complicit employees who sell the information to the TCOs.  Upon gaining the PII, the TCO conduct a variety of social engineering techniques of timeshare owners to obtain advance fees and taxes for fictitious real estate transactions.  The stolen funds are laundered into the U.S. financial system and transferred to Mexico.  In some cases, the funds are sent to sanctioned entities based in Mexico.    The notice does not cite specific timeshare properties in Mexico where PII was stolen.  Timeshare properties in Mexico may be owned by developers, hotels or resorts with parent companies or significant interests in the U.S.

OFAC sanctioned Jalisco New Generation Cartel

Multiple Mexican TCOs engage in this timeshare scam activity; however, the notice specifically focuses on Jalisco New Generation Cartel (CJNG).   CJNG is one of the most prominent TCOs in Mexico with a primary focus on drug trafficking.  CJNG was initially sanctioned by OFAC in April 2015.  In July 2024, OFAC sanctioned multiple businesses and individuals linked to CJNG timeshare scam operations.

Privacy Policy Failures and OFAC

Failure to protect customer data does not only expose the timeshare and their parent company to civil or criminal penalties; they could also be exposed to reputational risk for indirectly helping TCOs conduct OFAC violations and other criminal activity. 

Timeshares and their parent company’s should implement Privacy Program controls to mitigate criminal and/or civilly liability for defrauding customers and furthering OFAC violations by:

  1. Reporting suspected or known violations of PII information to law enforcement, financial institution (Suspicious Activity Report or SAR), and corresponding bank regulator.
  2. Instituting a zero-tolerance policy of disclosing PII information and clearly stating disciplinary actions that will be taken in the event of a disclosure. Reinforce these principles through a mandatory training program where employee attendance is tracked and monitored.
  3. Developing a whistleblower program to identify deficiencies in the compliance program. Accompany the whistleblower mechanisms with a clear anti-retaliation policy so employees feel safe to report issues.
  4. Providing a confidential reporting mechanism for employees to notify management of other employees potentially working with CJNG with procedures in place to notify law enforcement.
  5. Developing internal investigations programs
  6. Employing rigorous third-party oversight
  7. Implementing access controls by which PII and other sensitive information can only be accessed by required individuals. The temptation for a bad actor to sell PII may still exist, but if that bad actor is unable to access the information, the entity can attempt to limit disclosures. In the event information is sold, the company can more easily determine who is at fault and take disciplinary actions.
  8. Using data minimization and deletion principles so only the necessary data is collected and retained for the least amount of time.

The Bottom Line

As criminal organizations become more complex and diversify their revenue streams, so must our compliance frameworks.  Timeshares and the hospitality industry as a whole could be subject to criminal or civil penalties for failing to protect their customers’ information.  Although, it is unlikely a timeshare could face OFAC violation penalties, the reputational risk from a OFAC violation due to privacy failures could be equally devastating.  To mitigate these risks, it is crucial to be proactive and conduct an evaluation of the existing privacy program and compliance procedures. Engaging a third-party compliance consultant can further enhance the organization’s efforts by providing expert insights and ensuring that all regulatory requirements are met.

 

[1] Treasury sanctions cartel accountants, announces joint notice on Timeshare Fraud in Mexico. U.S. Department of the Treasury. (2024, July 16). https://home.treasury.gov/news/press-releases/jy2465

Andrea Perez wearing a black jacket and a floral shirt is smiling for the camera

Andrea Perez

Associate Director

Andrea Perez has more than 15 years of experience as a senior regulatory examiner analyzing the effectiveness of compliance programs within state-chartered financial institutions. She is highly proficient in state and federal compliance banking regulations; collaborating with federal agencies; and providing detailed written analysis of compliance-oriented evaluations. Ms. Perez is well-versed in lending regulations including the Homeowner’s Protection Act, Truth-in-Lending Act, and the Community Reinvestment Act; as well as deposit and retail regulations; privacy laws; and Dodd-Frank.

Alison Spangolo with curly hair is wearing a black jacket and a plaid shirt

Allison Spagnolo CIPP

Chief Privacy Officer, Senior Managing Director

As Chief Privacy Officer and Senior Managing Director, Allison Spagnolo leads the Artificial Intelligence (AI) practice, ensuring governance and compliance for clients’ AI usage, and compliance engagements across sectors including financial institutions, healthcare, and government contractors. This includes reviewing anti-money laundering (AML) and sanctions (OFAC) issues for global banks and multi-national companies, as well as advising on financial crime compliance issues specific to cryptocurrency exchanges and Fintech companies. She has traveled extensively in Europe and Asia for the purpose of leading and conducting on-site inspections and reviews related to NYDFS and Federal Reserve monitorships, BSA/AML audits and other compliance matters.

InvestigationHotlines