The FinCEN Exchange has gone through two versions: the implied, pre-AML Act of 2020 version, and the codified, post-AML Act of 2020 version. It may soon shift to version three: the “oops we weren’t really allowed to invite who we invited, so we had Congress fix it” version.
Whatever version FinCEN ends up with, the FinCEN Exchange is a great initiative. Anything that can foster public sector and private sector information sharing – known as the “Public Private Sector Partnership” – is to be encouraged, and FinCEN deserves accolades for its initiative in establishing the FinCEN Exchange. Like anything, the Exchange isn’t perfect: it could use a little more transparency (what private sector entities are invited, and why? Are all the private sectors participating? What general learnings can be shared?), but that issue and those questions should be addressed by a report to Congress on the extent and effectiveness of the Exchange, including any benefits realized by law enforcement agencies, that is due by January 1, 2022.
But what is the FinCEN Exchange? Let’s start at the beginning: December 4, 2017.
FinCEN Exchange Version One – 2017 through 2020: Only Financial Institutions (But Not Really)
In a December 4, 2017 press release FinCEN launched the FinCEN Exchange program to “strengthen public-private partnership to combat financial crime” and “to enhance information sharing with financial institutions.” FinCEN further wrote that “as part of this program, FinCEN, in close coordination with law enforcement, will convene regular briefings with financial institutions to exchange information on priority illicit finance threats, including targeted information and broader typologies. This will enable financial institutions to better identify risks and focus on high priority issues, and will help FinCEN and law enforcement receive critical information in support of their efforts to disrupt money laundering and other financial crimes.”
And in the accompanying Frequently Asked Questions FinCEN described the Exchange as “FinCEN’s voluntary public-private information sharing partnership among law enforcement, national security agencies, financial institutions, and FinCEN”. FinCEN also provided the legal justification for the Exchange: it was “operating under FinCEN’s legal authorities, including but not limited to 31 U.S.C. § 310(b)(2)(E) (“FinCEN authorities”) …”.
What authorities does 31 U.S.C. § 310(b)(2)(E) convey? This section gives the FinCEN Director the “duties and powers” to “furnish research, analytical, and informational services to financial institutions, appropriate Federal regulatory agencies with regard to financial institutions, and appropriate Federal, State, local, and foreign law enforcement authorities, in accordance with policies and guidelines established by the Secretary of the Treasury or the Under Secretary of the Treasury for Enforcement, in the interest of detection, prevention, and
prosecution of terrorism, organized crime, money laundering, and other financial crimes.”
How did FinCEN decide which financial institutions would attend an Exchange meeting? Again, the FAQs provide the answer:
“FinCEN can use FinCEN Exchange to convene operational briefings with law enforcement, FinCEN, and financial institutions to provide specific information on priority illicit finance and national security threats. To convene a briefing, FinCEN, in consultation with law enforcement, will invite financial institutions to voluntarily participate when FinCEN has reason to believe that the financial institution may have, or is capable of providing, information relevant to (or have an ability to support) a particular FinCEN Exchange briefing. An invitation to participate in a specific matter is not an invitation to participate in all briefings. As part of a particular invitation, FinCEN may encourage an invited financial institution to register, if it has not previously registered, under USA PATRIOT Act Section 314(b) before the financial institution participates in the FinCEN Exchange briefing. FinCEN oversees the registration of the 314(b) program, which is voluntary and authorizes particular information sharing among participating financial institutions. Registration under 314(b) or participation in a FinCEN Exchange briefing does not obligate the financial institution to participate in 314(b) information sharing.”
The third FAQ was “is the FinCEN Exchange an enhancement to the section 314(a) program?”. The answer: “FinCEN views FinCEN Exchange as a significant enhancement to its support of law enforcement and a further enhancement to its advisory role with financial institutions, but there are no changes to the program under USA PATRIOT Act Section 314(a). FinCEN may use 314(a) to issue information to financial institutions, however, there are no changes to the 314(a) program.”
The fourth FAQ was “how can a financial institution voluntarily participate in the FinCEN Exchange?”. The answer: “FinCEN Exchange will bring together law enforcement, FinCEN, and different types of financial institutions from across the country to share information … FinCEN encourages all types of financial institutions to reach out to FinCEN with ideas on how particular sectors can work collectively and together with other financial sectors and law enforcement through FinCEN Exchange to tackle particular types of illicit activity that the private sector has identified … Upon vetting feedback that FinCEN receives and in consultation with law enforcement, as appropriate, FinCEN will invite financial institutions to voluntarily participate when FinCEN believes that the financial institution may have information relevant to a particular FinCEN Exchange briefing or other ability to support the priorities within the scope of the particular engagement.”
FAQs 6 and 7 deal with the responsibilities of the financial institutions that participate in the FinCEN Exchange. These are important, as these highly regulated financial institutions have (as FinCEN answered FAQ 6) “obligations under the Right to Financial Privacy Act (RFPA) (12 U.S.C. § 3401, et seq.), which generally requires banks to comply with certain procedural requirements before sharing customer specific financial information (not general typology information) with the Federal government, or under the SAR statute (31 U.S.C. § 5318(g)) and implementing regulations, which generally prohibit a financial institution from disclosing a SAR or its existence to any person other than FinCEN, an appropriate law enforcement agency, or its Federal or State regulatory examiner for BSA compliance.”
So it appears clear that the pre-AML Act of 2020 version of the FinCEN Exchange limited its private sector participants to regulated financial institutions, or those with obligations to protect the information they would receive.
From when it announced the FinCEN Exchange program to the passage of the AML Act of 2020 on January 1, 2021, FinCEN issued two press releases announcing that it had held a FinCEN Exchange meeting. The first press release was published July 16, 2019. It began with “In New York City today, FinCEN convened another in a series of meetings under its ongoing FinCEN Exchange forum.” I cannot find other press releases or any other indication of earlier meetings, but it appears there were some. This meeting focused on business email compromise (BEC) scams. The press release noted that “representatives from depository institutions, Federal and State government agencies, a Federal task force, money transmitters, third-party service providers, and technology companies attended the session.”
Hold it! Money transmitters are “financial institutions” subject to the obligations and protections of the Bank Secrecy Act. But third-party service providers and technology companies are not. As FinCEN noted in its answer to FAQ 6, those unregulated entities have no “obligations under the Right to Financial Privacy Act (RFPA) (12 U.S.C. § 3401, et seq.), which generally requires banks to comply with certain procedural requirements before sharing customer specific financial information (not general typology information) with the Federal government, or under the SAR statute (31 U.S.C. § 5318(g)) and implementing regulations, which generally prohibit a financial institution from disclosing a SAR or its existence to any person other than FinCEN, an appropriate law enforcement agency, or its Federal or State regulatory examiner for BSA compliance.”
Perhaps that was a one-time mistake. Or not … a November 12, 2020 press release announced that FinCEN convened a “virtual FinCEN Exchange with representatives from financial institutions, technology firms, third-party service providers, and federal government agencies to discuss growing concerns regarding ransomware, as well as the efforts to curtail it. Topics discussed included ransomware detection and reporting, emerging trends and typologies, and recovery of victims’ funds.”
Again, non-regulated technology firms and third-party service providers attended a meeting that, based on FinCEN’s enabling statute used to justify the Exchange, they should not have been invited to or allowed to attend. But they did.
Perhaps the AML Act of 2020, which by this November 2020 had been circulating in draft form and included a then-draft section 5103 that codified the then-existing FinCEN Exchange as a “voluntary public-private information sharing partnership among law enforcement agencies, financial institutions, and FinCEN.” No mention of technology firms and third-party service providers.
What did the final version of the AML Act of 2020 provide?
FinCEN Exchange Version 2 – Post AML Act of 2020: Only Financial Institutions (But Not Really)
On January 1, 2021, Congress enacted the National Defense Authorization Act for Fiscal Year 2021. One of the eight divisions of this 1,400+-page funding law was Division F, the Anti-Money Laundering Act of 2020 (AML Act, or AMLA). Section 6103 of the AML Act codified (as that term is used when something that has existed in practice, but not in law, goes from practice to law, or “code”) the FinCEN Exchange.
What exactly did section 6103 establish?
Section 6103 amended section 310 of title 31 of the US Code, the section that sets out FinCEN’s duties and powers (and where FinCEN found its implied powers to establish the Exchange at the end of 2017). The full text of the section reads as follows:
SEC. 6103. FINCEN EXCHANGE.
Section 310 of title 31, United States Code, is amended (1) by redesignating subsection (d) as subsection (l); and (2) by inserting after subsection (c) the following:
(d) FINCEN EXCHANGE. —
(1) ESTABLISHMENT. — The FinCEN Exchange is hereby established within FinCEN.
(2) PURPOSE. — The FinCEN Exchange shall facilitate a voluntary public-private information sharing partnership among law enforcement agencies, national security agencies,
financial institutions, and FinCEN to —
(A) effectively and efficiently combat money laundering, terrorism financing, organized crime, and other financial crimes, including by promoting innovation and technical advances in reporting — (i) under subchapter II of chapter 53 and the regulations promulgated under that subchapter; and (ii) with respect to other anti-money laundering requirements;
(B) protect the financial system from illicit use; and (C) promote national security.
(3) REPORT. —
(A) IN GENERAL. — Not later than 1 year after the date of enactment of this subsection, and once every 2 years thereafter for the next 5 years, the Secretary of the Treasury shall submit to the Committee on Banking, Housing, and Urban Affairs of the Senate and the Committee on Financial Services of the House of Representatives a report containing — (i) an analysis of the efforts undertaken by the FinCEN Exchange, which shall include an analysis of — (I) the results of those efforts; and (II) the extent and effectiveness of those efforts, including any benefits realized by law enforcement agencies from partnering with financial institutions, which shall be consistent with standards protecting sensitive information; and (ii) any legislative, administrative, or other recommendations the Secretary may have to strengthen the efforts of the FinCEN Exchange.
(B) CLASSIFIED ANNEX. — Each report under subparagraph (A) may include a classified annex.
(4) INFORMATION SHARING REQUIREMENT. — Information shared under this subsection shall be shared —
(A) in compliance with all other applicable Federal laws and regulations;
(B) in such a manner as to ensure the appropriate confidentiality of personal information; and (C) at the discretion of the Director, with the appropriate Federal functional regulator, as defined in section 6003 of the Anti-Money Laundering Act of 2020.
(5) PROTECTION OF SHARED INFORMATION. —
(A) REGULATIONS. — FinCEN shall, as appropriate, promulgate regulations that establish procedures for the protection of information shared and exchanged between FinCEN and the private sector in accordance with this section, consistent with the capacity, size, and nature of the financial institution to which the particular procedures apply.
(B) USE OF INFORMATION. — Information received by a financial institution pursuant to this section shall not be used for any purpose other than identifying and reporting on activities that may involve the financing of terrorism, money laundering, proliferation financing, or other financial crimes.
(6) RULE OF CONSTRUCTION. — Nothing in this subsection may be construed to create new information sharing authorities or requirements relating to the Bank Secrecy Act.
In codifying the FinCEN Exchange, the AML Act of 2020 limited its private sector participants to highly regulated financial institutions: relevant but not BSA-regulated entities such as technology firms and third-party service providers were not included.
In its first post-AMLA FinCEN Exchange held on March 23, 2021, FinCEN appears to have adhered to the approved cast of private sector attendees and invited only regulated financial institutions. It’s press release of the same date referred to a “virtual FinCEN Exchange event to discuss Bank Secrecy Act (BSA) filing statistics for low-dollar, voluntarily-filed suspicious activity reports (SARs) that contain a transaction nexus to Arizona, New Mexico, Texas, Oklahoma, and Louisiana” where “representatives from depository institutions, money services businesses, law enforcement, and FinCEN reviewed SAR-filing information, including the top reported SAR filing categories and discussed potential trends in suspicious activity.”
But in its second post-AMLA FinCEN Exchange, FinCEN went back to its pre-AMLA ways: on July 15, 2021 FinCEN issued a press release that it intended to “convene a FinCEN Exchange in August 2021 with representatives from financial institutions, other key industry stakeholders, and federal government agencies to discuss ongoing concerns regarding ransomware, as well as efforts by the public and private sectors.” The press release doubled-down on these non-BSA stakeholders in its new, revised description of the FinCEN Exchange: “FinCEN Exchange is a voluntary public-private partnership that convenes relevant stakeholders, including law enforcement and financial institutions.”
And it continued: on August 10, 2021 FinCEN issued a press release that it had “convened a virtual FinCEN Exchange with representatives from financial institutions, technology firms, third-party service providers, and federal government agencies to discuss ongoing concerns regarding ransomware, as well as efforts by the public and private sectors. Topics discussed include cybercrime, trends and typologies, detection and reporting, and the recovery of funds after ransomware attacks.”
And the private sector invitee lists for the next (and last) two Exchanges appear to have gone back and forth: the November 9, 2021 virtual FinCEN Exchange included “members of the financial industry and law enforcement”, and a November 16, 2021 FinCEN Exchange included “representatives from financial institutions, law enforcement, and Federal government”.
But there may be a legislative fix on the horizon!
FinCEN Exchange Version 3 – Not Just Financial Institutions?
As the NDAA for Fiscal Year 2021 wound its way through the House, to the Senate, then to joint House and Senate committees, adding and subtracting thousands of pages of non-defense provisions, so is the NDAA for Fiscal Year 2022. There have been two versions: the House version, HR 4350, 3,300 pages; and the Senate version, S1605, a mere 2,120 pages. Both spending authorization bills include much more than national defense provisions. In fact, Division E or F (House and Senate) is titled “Non-Department of Defense Matters”. Title LI (fifty-one) of the House version and Title LXI of the Senate version are even more specific: they are both titled “Financial Services Matters”.
[As an aside, Title LIV of the House version is one of the marijuana banking bills, the SAFE Banking Act. That did not survive the Congressional horse-trading.]
Beginning on page 2090 of HR4350 and on page 1,943 of S1605 is the following (identical language):
SEC. 5128/6101. FINCEN EXCHANGE.
Section 310(d) of title 31, United States Code, is amended —
(1) in paragraph (2), by inserting ‘‘other relevant private sector entities,’’ after ‘‘financial institutions,”;
(2) in paragraph (3)(A)(i)(II), by inserting ‘‘and other relevant private sector entities’’ after ‘‘financial institutions’’; and
(3) in paragraph (5) —
(A) in subparagraph (A), by inserting ‘‘or other relevant private sector entity’’ after ‘‘financial institution’’; and
(B) in subparagraph (B) —
(i) by striking ‘‘Information’’ and inserting the following: ‘‘(i) USE BY FINANCIAL INSTITUTIONS. — Information’’; and
(ii) by adding at the end the following: ‘‘(ii) USE BY OTHER RELEVANT PRIVATE SECTOR ENTITIES. — Information received by a relevant private sector entity that is not a financial institution pursuant to this section shall not be used for any purpose other than assisting a financial institution in identifying and reporting on activities that may involve the financing of terrorism, money laundering, proliferation financing, or other financial crimes, or in assisting FinCEN or another agency of the U.S. Government in mitigating the risk of the financing of terrorism, money laundering, proliferation financing, or other criminal activities.’’.
Congress may be coming to FinCEN’s rescue! What does this do to section 310(d)? Let’s plug in the new (proposed) language – highlighted in blue italics:
(d) FINCEN EXCHANGE. —
(1) ESTABLISHMENT. — The FinCEN Exchange is hereby established within FinCEN.
(2) PURPOSE. — The FinCEN Exchange shall facilitate a voluntary public-private information sharing partnership among law enforcement agencies, national security agencies,
financial institutions, other relevant private sector entities, and FinCEN to —
(A) effectively and efficiently combat money laundering, terrorism financing, organized crime, and other financial crimes, including by promoting innovation and technical advances in reporting — (i) under subchapter II of chapter 53 and the regulations promulgated under that subchapter; and (ii) with respect to other anti-money laundering requirements;
(B) protect the financial system from illicit use; and (C) promote national security.
(3) REPORT. —
(A) IN GENERAL. — Not later than 1 year after the date of enactment of this subsection, and once every 2 years thereafter for the next 5 years, the Secretary of the Treasury shall submit to the Committee on Banking, Housing, and Urban Affairs of the Senate and the Committee on Financial Services of the House of Representatives a report containing — (i) an analysis of the efforts undertaken by the FinCEN Exchange, which shall include an analysis of — (I) the results of those efforts; and (II) the extent and effectiveness of those efforts, including any benefits realized by law enforcement agencies from partnering with financial institutions and other relevant private sector entities, which shall be consistent with standards protecting sensitive information; and (ii) any legislative, administrative, or other recommendations the Secretary may have to strengthen the efforts of the FinCEN Exchange.
(B) CLASSIFIED ANNEX. — Each report under subparagraph (A) may include a classified annex.
(4) INFORMATION SHARING REQUIREMENT. — Information shared under this subsection shall be shared —
(A) in compliance with all other applicable Federal laws and regulations;
(B) in such a manner as to ensure the appropriate confidentiality of personal information; and (C) at the discretion of the Director, with the appropriate Federal functional regulator, as defined in section 6003 of the Anti-Money Laundering Act of 2020.
(5) PROTECTION OF SHARED INFORMATION. —
(A) REGULATIONS. — FinCEN shall, as appropriate, promulgate regulations that establish procedures for the protection of information shared and exchanged between FinCEN and the private sector in accordance with this section, consistent with the capacity, size, and nature of the financial institution to which the particular procedures apply.
(B)(i) USE BY FINANCIAL INSTITUTIONS. — Information received by a financial institution pursuant to this section shall not be used for any purpose other than identifying and reporting on activities that may involve the financing of terrorism, money laundering, proliferation financing, or other financial crimes. (ii) USE BY OTHER RELEVANT PRIVATE SECTOR ENTITIES. — Information received by a relevant private sector entity that is not a financial institution pursuant to this section shall not be used for any purpose other than assisting a financial institution in identifying and reporting on activities that may involve the financing of terrorism, money laundering, proliferation financing, or other financial crimes, or in assisting FinCEN or another agency of the U.S. Government in mitigating the risk of the financing of terrorism, money laundering, proliferation financing, or other criminal activities.
(6) RULE OF CONSTRUCTION. — Nothing in this subsection may be construed to create new information sharing authorities or requirements relating to the Bank Secrecy Act.
Conclusion
The Senate version, section 6101 of S1605, the National Defense Authorization Act for Fiscal Year 2022, survived (with some changes from the House) and was passed by Congress on December 15, 2021. Technology firms and third-party service providers have taken an increasingly important role in providing financial services. Many remain unregulated; some are regulated but lightly supervised. They need to be part of the public/private sector efforts to fight financial crime, and in playing that part they need to be subject to the obligations and protections of their regulated private sector partners.
JRR – November 30, 2021, revised December 17, 2021 to reflect the passage of the NDAA for Fiscal Year 2022.