Loading…

FinCEN Director Ken Blanco is Crystal Clear on Virtual Currency Risks & Requirements

FinCEN Director Kenneth A. Blanco, delivered Prepared Remarks at the Consensus Blockchain Conference on May 13, 2020. They are available at Prepared Remarks and reproduced in full below.

Borrowing a page from Federal Reserve Chairman Jerome Powell, Director Blanco’s remarks are a clear tell-it-like-it-is message to the virtual assets/blockchain community.[1]

It is a refreshing change from many senior people in the public and private sectors who, coached by consultants and tamed by lawyers, are unwilling or unable to provide clear and concise guidance. Director Blanco’s remarks were clear and concise. Well done!

Below is the text of Director Blanco’s prepared remarks. My comments appear in blue italics.

Text of Director Blanco’s Prepared Remarks, Consensus Blockchain Conference (Virtual)

Introduction

Good morning, everyone.  Thank you so much for that very kind introduction.

It is great to be with you today, a bit ironic, via this virtual technology to discuss FinCEN, its mission, and how we—government and the virtual currency industry (all of you)—can work together to shape the virtual currency environment to combat criminal exploitation of this space, including the tech industry, to better ensure our national security and protect our financial system, our communities, and our families from harm.

This is truer today than ever before given the global situation we now find ourselves in—the need for our collaboration is clear and undeniable.

Joining this conference today are many financial institutions, including virtual currency service providers.  As I have said many times before, you are the backbone of the financial system and are on the front lines of the anti-money laundering (AML) and countering the financing of terrorism (CFT) framework—protecting people from harm.  I also know that many of FinCEN’s government partners are joining today too, experts and key leaders from the Department of Justice and other law enforcement agencies, fellow regulators, and many other government partners with whom we work on a daily basis to protect people from harm.

JRR Comment – I applaud Director Blanco’s statement that the front line of the AML/CFT regime is protecting people from harm (“the front lines of the anti-money laundering (AML) and countering the financing of terrorism (CFT) framework—protecting people from harm”). The front lines, or main focus of an AML/CFT regime has to be on protecting people from harm, and that is done by providing timely, actionable intelligence to law enforcement. The focus of financial institutions’ BSA, AML, and CFT programs must be on providing timely, actionable intelligence to law enforcement, and prudential regulators must examine and judge those programs solely on that basis … and not on whether they are complying with the technical requirements of documenting compliance with regulatory requirements for BSA/AML compliance programs..   

Both the public and private sectors are critical to combating exploitation of virtual currency, and when working together, our national security and citizens are safer.  There is no substitute for the private sector’s visibility into and ability to prevent criminal exploitation of virtual currency products and platforms—particularly those of you who are organizing, developing, and administering these products and platforms.  Our work together plays a significant role not just in advancing financial transparency, inclusion, and the development of the future of payment systems, but also in identifying, tracking, and stopping criminals including terrorists and other bad actors from harming others, particularly the most vulnerable.  It is our shared responsibility to ensure that this technology does not get hijacked by criminals and bad actors—we cannot let innovation become the conduit for crime, hate, and harm—it is a national security issue.

As many of you know, FinCEN plays two roles in the U.S. national security apparatus:

First:  FinCEN is the primary regulator and the administrator of the Bank Secrecy Act, or BSA, part of the comprehensive legal architecture in the fight against money laundering and its related crimes, and terrorism and its financing.  FinCEN, through its administration of the BSA, is a global leader in both regulating convertible virtual currency activity and taking action against its illicit use.

Second:  FinCEN is the Financial Intelligence Unit, or FIU, of the United States—the world’s largest and most powerful economy.

Today, I would like to share with you some of our recent work in the virtual currency space and use my brief time today to clarify a few misconceptions.

I will address three things:

  1. FinCEN’s efforts to provide guidance and combat money laundering and its related crimes, and terrorism and its financing, involving virtual currency related to the COVID-19 pandemic;
  2. The Travel Rule and trends FinCEN is seeing with respect to compliance; and
  3. Opportunities for collaboration in the fight against the illicit use of virtual currencies and key challenges.

COVID-19

These are, without a doubt, unprecedented times.  The last few months have had a profound effect on the world as we know it or knew it, including in the area of illicit finance threats and related crimes.  With businesses and individuals in our country and across the globe facing new and challenging circumstances, along with the rollout of major new Federal, State, local, and foreign government initiatives to combat the COVID-19 pandemic and its economic consequences, the entire AML community has been adapting in real time.

Over the last couple of months, FinCEN has pursued several important public-facing and strategic lines of effort relevant to your institutions:

  • First, AML Resources:  FinCEN has issued two Notices—one on March 16 and another on April 3 of this year—to financial institutions advising them to stay alert for malicious or fraudulent transactions, with examples of similar indicators that we have seen in the wake of natural disasters.  These Notices also provide financial institutions with information regarding AML operations during the COVID-19 pandemic and a direct contact mechanism for urgent COVID-19-related issues.  Please reach out to us proactively if you anticipate challenges fulfilling your BSA reporting obligations due to the pandemic.
  • Second, Criminal Typologies and Investigative Support:  FinCEN is also continuously monitoring criminal activity exploiting the current pandemic.  We are supporting law enforcement investigations into COVID-19-related cybercrime, scams, and fraud.  FinCEN also plans to publish multiple advisories highlighting common typologies used in the pervasive fraud, theft, and money laundering activities related to the pandemic to better help the financial sector detect and report this activity.  The mission for all of us in the financial space is to get badly needed funds to the intended recipients who need it—some for their financial survival—not to exploitive criminals and fraudsters.

Cybercrime:

I want to spend a few moments covering various forms of cybercrime that criminals continue to pursue and adapt during the pandemic.  FinCEN has observed that cybercriminals predominantly launder their proceeds and purchase the tools to conduct their malicious activities via virtual currency.  Your institutions have the opportunity, and obligation, to help identify these illicit criminal networks in your suspicious activity reporting to FinCEN, so that FinCEN can aggregate and analyze this information to identify red flags, permitting industry to spot risks.

JRR Comment: Director Blanco couldn’t be clearer: “FinCEN has observed that cybercriminals predominantly launder their proceeds and purchase the tools to conduct their malicious activities via virtual currency.”

To be clear, this obligation goes much deeper than to FinCEN or the law or to regulations—it is an obligation to others, your families, your loved ones, your friends, your neighbors, and fellow citizens who are victims or potential victims of these crimes.  During this time of crisis where our people could be more at risk and more vulnerable than ever, we, all of us, have a duty and  responsibility to use our abilities, tools, and talents to protect others and ensure the stability of this ecosystem that we are creating and that depends on trust.

Here is some of what we are seeing:

  • COVID-19 as Lure:  FinCEN and U.S. law enforcement have seen reports of cybercriminals leveraging COVID-19 themes as lures, often targeting vulnerable individuals and companies that seek healthcare information and products or are contributing to relief efforts.  This type of cybercrime in the COVID-19 environment is especially despicable, because these criminals leverage altered business operations, decreased mobility, and increased anxiety to prey on those seeking critical healthcare information and supplies, including the elderly and infirm.
  • Adapting to Opportunities Because of increased remote work by many companies and government institutions worldwide, many distinct threat vectors, risk considerations, and mitigation strategies are being used by criminals and bad actors.  FinCEN is aware that cybercriminals are targeting vulnerabilities in remote applications—including virtual private networks and remote desktop protocol exploits—to steal sensitive information and compromise transactions.  Whether with COVID-19 lures or not, cybercriminals and malicious state actors are using wide-scale phishing campaigns, malware, extortion, business email compromise, and other exploits against remote platforms to steal credentials, conduct fraud, and spread disinformation.
  • Scams:  Many prevalent scams involving virtual currency payments exploit COVID-19, from extortion, ransomware, and the sale of fraudulent medical products, to initial coin offering investment scams, which will likely continue to grow during the pandemic.
  • Undermining Due Diligence:  Criminals are also working to undermine “know your customer” processes in the remote environment.  Virtual currency businesses should remain vigilant against attacks targeting their onboarding and authentication processes, for example “deepfakes” manipulating digital images and account takeovers facilitated by credential stuffing attacks.  Financial institutions should consider the risks of the current environment in their business processes, and the appropriate level of assurance needed for digital identity solutions to mitigate criminal exploitation of your products and platforms.  Even financial institutions that typically manage their lines of business remotely, such as some virtual currency exchangers, may find themselves more exposed given the changing threat environment.

JRR Comment – Director Blanco has set this out in a way that makes it easy to understand and manage through the COVID-19 pandemic: lures, opportunities, scams, and fakes.

TRAVEL RULE

I now want to turn to another major topic, and the primary theme of today’s discussions, the Travel Rule.  The United States has long maintained an expectation that financial institutions identify counterparties involved in transactions for a variety of purposes, including AML/CFT and sanctions, even for transactions in virtual currency.  Any asset that allows the instant, anonymized transmission of value around the world with no diligence or recordkeeping is a magnet for criminals, including terrorists, money launderers, rogue states, and sanctions evaders.

As a result, we applaud steps taken by the Financial Action Task Force (FATF) last June to establish a consistent approach to the position we have taken when it adopted, as an International Standard, Interpretive Note to FATF Recommendation 15, which included, among other things, FATF’s interpretation that countries should apply FATF Recommendation 16’s Travel Rule to virtual asset service providers such as virtual currency exchanges.

We are encouraged that so many creative solutions are being developed by industry to address these Travel Rule obligations.

In particular, FinCEN is optimistic about the growth of various cross-sector organizations and working groups focusing on developing international standards and solutions addressing the Travel Rule.  I know those efforts involve many of you here today.  FinCEN will continue to monitor your developments, whether as observers in working groups, learning about your efforts in forums like this, or meeting with you under the FinCEN Innovation Hours Program, where fintech and regtech companies present to FinCEN new and innovative products and services for potential use in the financial sector.

While we are glad to see the increased emphasis on compliance, I must emphasize again that the United States has maintained this expectation to understand who is on the other side of a transaction for years.

JRR Comment – Director Blanco could have been more specific than “the United States has long maintained an expectation that financial institutions identify counterparties involved in transactions for a variety of purposes, including AML/CFT and sanctions, even for transactions in virtual currency” or “the United States has maintained this expectation to understand who is on the other side of a transaction for years.” The Travel Rule has been part of the BSA/AML regime for more than 20 years; and virtual currency exchanges and administrators have been subject to the BSA/AML regime since at least 2013.

As I mentioned at the Chainalysis conference in November, recordkeeping violations are the most commonly cited violation by our delegated Internal Revenue Service (IRS) examiners against money services businesses (MSBs) engaged in virtual currency transmission.

JRR Comment – Director Blanco was clear in remarks he made at a November 2019 ChainAlysis Blockchain Symposium, where he said the travel rule “applies to CVC, and we expect you to comply, period.” And CoinBase reported at that same symposium that Director Blanco said “you can’t build a car that only goes 150 miles per hour and ask us to change the speed limit. That’s not happening. Build your car to meet the requirements.”

We have also previously highlighted our confidence that industry can absolutely carry out this requirement.  We know technologies exist to support compliance with all recordkeeping obligations.  Most challenges we see across the sector relate to governance and process rather than technologies, and many solutions in both governance and technology models could ultimately comply.  FinCEN takes a technology neutral approach and we encourage the virtual currency sector to continue collaborative efforts to develop and implement these solutions and to keep FinCEN apprised of their progress, including by considering participating in FinCEN’s Innovation Hours Program.

OTHER OPPORTUNITIES FOR COLLABORATION AND CHALLENGES

Finally, I would like to briefly highlight some of our key opportunities for collaboration in combating illicit virtual currency use and the top remaining challenges we see, which hopefully those of you here today can help address.

Our partnerships across regulators, supervisors, law enforcement, and industry are the cornerstone of our efforts to disrupt the illicit use of virtual currency and illicit cyber activity.  FinCEN has worked alongside law enforcement initiatives like the National Cyber Investigative Joint Task Force (NCIJTF) and the Joint Criminal Opioid Darknet Enforcement (J-CODE) to investigate criminal networks exploiting virtual currency for the purchase of fentanyl, narcotics, cybercrime tools, and child pornography on darknet marketplaces.  We also work with international partners bilaterally or through multilateral forums like the Egmont Group of 164 FIUs, the Heads of FATF FIUs Symposium, of which we are a founding and leading member, and separately with FATF itself, with Europol, and with our FVEY partners as well, to enhance international capacity to investigate and prosecute criminals using virtual currencies for illicit purposes.

And of course, our partnerships with industry are paramount in the virtual currency space.  FinCEN has provided priority information on typologies of illicit virtual currency use to financial institutions through our advisory and FinCEN Exchange programs.  FinCEN is also sharing cyber indicators of compromise to help the financial sector detect, report, and defend against cyber activity that may be connected with illicit financial activity.

JRR Comment – Director Blanco is spot on with his comments. Effective Public/Private sector Partnerships, or PPPs, are the only way to combat AML and CFT, whether in the crypto space or fiat space.

The information we are able to share with industry is built on top of high quality information we receive in BSA reporting.

Since 2013, FinCEN has received nearly 70,000 Suspicious Activity Reports (SARs) involving virtual currency exploitation.  Just over half of these reports come from virtual currency industry filers, likely many of you participating today.  We also get valuable reporting from more traditional financial institutions that also have a unique window into illicit financial flows involving virtual currency, such as banks that may see ransomware payments made by customers or MSBs that see funds transfers derived from account takeovers.

This reporting is incredibly valuable to FinCEN and law enforcement, especially when you include technical indicators associated with the illicit activity, such as Internet Protocol (IP) addresses, malware hashes, malicious domains, and virtual currency addresses associated with ransomware or other illicit transactions.

JRR Comment – I would encourage Director Blanco to provide more information on the trends and patterns. There were 70,000 SARs filed: how many of those provided tactical or strategic value to law enforcement (I have called these TSV, or Tactical or Strategic Value, SARs)? Reporting financial institutions tune and enhance their monitoring and surveillance systems using an Alert-to-SAR analysis: the tuning and enhancing of those systems would be more effective, and the institutions more efficient, if they were able to use an Alert-to-TSV SAR analysis. Only the public sector can provide TSV information.

However, there remain significant issues that concern us in the virtual currency space.  Many of these are issues some of you may have heard me address before:

  • Risks associated with anonymity-enhanced cryptocurrencies, or AECs, remain unmitigated across many virtual currency financial institutions.  We expect each financial institution to have appropriate controls in place based on the products or services it offers, consistent with the obligation to maintain a risk-based AML program.  This means we are taking a close look at the AML/CFT controls you put on the types of virtual currency you offer—whether it be Monero, Zcash, Bitcoin, Grin, or something else—and you should too.  To be sure, FinCEN and our delegated examiners at the IRS are focused on this.

JRR Comment – I agree with Director Blanco that anonymity-enhanced cryptocurrencies are a key risk. Just as anonymity-enhanced legal entities are a key risk: lack of a federal standard that legal entities disclose their beneficial ownership, and provide that information to a publicly-available central registry, remains the biggest risk facing the American AML/CFT regime. 

  • We are also increasingly concerned that businesses located outside the United States continue to try to do business with U.S. persons without complying with our rules.  These include registering, maintaining a risk-based AML program, and reporting suspicious activity, among other requirements.  If you want access to the U.S. financial system and the U.S. market, you must abide by the rules.  We are serious about enforcing our regulations, including against foreign businesses operating in the United States as unregistered MSBs.  We take this very seriously and encourage you to include detailed information about such businesses in your SAR filings when you identify suspicious activity.  If you are going to avail yourself of the U.S. financial system from abroad, you cannot do so without engaging in the financial integrity practices that make this financial system so powerful, stable, trusted, and desirable.

Conclusion

As I conclude, I want to thank you all again for giving me this time today.  FinCEN is committed to enhancing our capabilities and understanding of virtual currencies and to encouraging and fostering responsible innovation.  We look forward to continuing our efforts with all of you in this regard.

Thank you.

JRR Conclusion – In an article I wrote and posted on July 11, 2019 – see RegTech Consulting Article July 11, 2019 – I wrote that “I have followed four Federal Reserve chairs (Greenspan, Bernanke, Yellen, and Powell), and have found that Chairman Powell is the only one of the four that I could consistently understand! In fact, Alan Greenspan’s infamous line – ‘Since becoming a central banker, I have learned to mumble with great incoherence. If I seem unduly clear to you, you must have misunderstood what I said’ – seems to have been the modus operandi of his successors, also … except for Chairman Powell.”

FinCEN Director Ken Blanco is another public official who is not only easy to understand, he makes it crystal clear what he and FinCEN expect of financial institutions when it comes to their AML/CFT obligations. It is refreshing, courageous, and essential as we all fight through the global pandemic of 2020 and try to emerge on the other side better and stronger. 

FOOTNOTE [1] On July 10, 2019, Federal Reserve Chairman Jerome Powell appeared before the House Financial Services Committee for his semi-annual report to Congress. Ranking Member McHenry’s opening statement included that Chairman Powell’s “candor is welcome and encouraged, and we thank you for attempting to speak like a normal human being …”.

FinCEN’s Marijuana-Related SAR Data: By Not Including MSBs, Are We Under-Reporting Marijuana Businesses’ Access to Financial Services?

Marijuana-Related Businesses may have greater access to financial services than is being reported, even if those services aren’t being provided by banks and credit unions

The only real guidance that financial institutions can turn to when deciding whether to provide financial services to marijuana-related businesses, or MRBs, is FinCEN’s February 14, 2014 guidance, FIN-2014-G001. The actual Guidance document – FIN-2014-G001 PDF – begins with: “The Financial Crimes Enforcement Network (“FinCEN”) is issuing guidance to clarify Bank Secrecy Act (“BSA”) expectations for financial institutions seeking to provide services to marijuana-related businesses.”

The section “Providing Financial Services to Marijuana-Related Businesses” begins with “This FinCEN guidance clarifies how financial institutions can provide services to marijuana-related businesses consistent with their BSA obligations. In general, the decision to open, close, or refuse any particular account or relationship should be made by each financial institution based on a number of factors specific to that institution.” Following that is a section on seven marijuana-related business-specific customer due diligence steps a financial institution should consider in assessing the risk of providing services to a marijuana-related business. Then there is guidance on the three types of marijuana-related Suspicious Activity Reports: Marijuana Limited, Marijuana Priority, and Marijuana Termination. Finally, there are two pages of “Red Flags to Distinguish Priority SARs”.

Throughout the Guidance, the term “financial institution” is used forty-four times in seven pages. The term “money services business” or “MSB” appears once (in the PDF version of the Guidance). In the “Currency Transaction Reports and Form 8300’s” section on the last page is: “Financial institutions and other persons subject to FinCEN’s regulations must report currency transactions in connection with marijuana-related businesses the same as they would in any other context, consistent with existing regulations and with the same thresholds that apply. For example, banks and money services businesses would need to file CTRs on the receipt or withdrawal by any person of more than $10,000 in cash per day.”

So, are MSBs covered by the 2014 Guidance or not? Are MSBs “financial institutions” and subject to the Guidance?

For BSA purposes, the term “financial institution” is defined in the regulations at 31 CFR s. 1010.100 as including banks, credit unions, broker dealers, casinos, mutual funds, and money services businesses, among other entities. So one could assume that the use of that term in the Guidance indicated that all entity types would be subject to the guidance – including money services businesses, broker dealers, casinos, card clubs, etc.

Although the PDF version of the FinCEN Guidance doesn’t define “financial institution”, both the news release and the non-PDF version had a reference to the term “Financial Institution” at the end (of both) that appears to mean that for the purposes of the “Guidance to Financial Institutions on Marijuana Businesses”, “financial institutions” meant money services businesses and depository institutions.

The term “depository institution” is defined in multiple banking regulations in Title 12 of the Code of Federal Regulations. To keep it simple, and in keeping with FinCEN’s reporting practices, it means banks and credit unions. So, according to FinCEN, it has issued guidance to clarify Bank Secrecy Act (“BSA”) expectations for banks, credit unions, and money services businesses seeking to provide services to marijuana-related businesses.

Since the publication of the that guidance, FinCEN has published a quarterly “Marijuana Banking” report that provides some high level data on the number of these marijuana-related SARs that it instructed depository institutions (banks and credit unions) and money services businesses to file. As can be seen from the chart, this reporting is limited to depository institutions – banks and credit unions. FinCEN hasn’t reported any marijuana-related SARs filed by any of the other “financial institution” types – money services businesses.

If FinCEN has provided guidance that banks, credit unions, and money services businesses are required to file marijuana-related SARs, why is it only reporting on the marijuana-related SARs filed by banks and credit unions?

Without knowing for sure whether any of the 227,745 MSBs (according to a GAO report released September 26, 2019 that looked at how BSA-related information was being shared between the public sector agencies and by FinCEN: see GAO-19-582 at page 9) have identified and reported any marijuana-related suspicious activity, one can assume that some of the millions of SARs filed by those MSBs since 2nd quarter 2014 must have included marijuana-related activity. Indeed, given the complaints by the cannabis/marijuana industries about the lack of access to traditional banking services, one can assume that marijuana-related businesses are turning to money services businesses and alternative financial services providers to conduct otherwise basic financial services such as paying suppliers, paying utility providers, paying taxes and license fees, even cashing checks for employees. And, if those marijuana-related businesses were doing those transactions at money services businesses, ALL of those transactions are supposed to be reported in a marijuana SAR. According to FinCEN.

The data may bear that out. FinCEN’s SAR Statistics allow you to drill down to SARs filed by depository institutions, by MSBs, by month and year, and by location of the reported suspicious activity (state, county, even metropolitan areas). See https://www.fincen.gov/reports/sar-stats

Let’s take a look at a marijuana hot spot – the Emerald Triangle of California: Humboldt, Trinity, and Mendocino counties that (reportedly) grow much of the illegal cannabis in California and about 35% of the legal cannabis.

In calendar year 2018, across all of the United States, MSBs filed about 90 SARs for every 100 SARs filed by Depository Institutions, or DIs. But for activity that occurred in California, MSBs filed 122 SARs for every 100 SARs filed by DIs. To put it another way, for suspicious activity across the United States, MSBs filed about 90% the number of SARs as banks and credit unions, but in California MSBs filed 122% the number of SARs as did DIs.  But according to FinCEN’s “heatmap” of SARs filed by MSBs by California county, there was a hotspot up in the three “Emerald Triangle” counties. Drilling down into the actual FinCEN data, in 2018 MSBs filed 327 SARs (10,076) for every 100 SARs (3,081) filed by DIs in the three Emerald Triangle counties. There are only 235,000 people in those three counties, which is 0.6% of California’s population, yet 4.6% of MSBs’ SARs were filed on activity that occurred in those three counties.

It could be that none of those 10,076 MSB SARs filed in 2018 on activity that occurred in the Emerald Triangle counties was flagged as a marijuana-related SAR for FinCEN to identify, track, and report. But the ratio of MSB-related SARs relative to the number of bank and credit union related SARs filed on activity in the Emerald Triangle – a ratio that has held steady for the last five years at 3.5 to 1 – suggests that FinCEN’s quarterly “Marijuana Banking” report of marijuana-related SARs filed by banks and credit unions may be under-reporting marijuana-related financial activity overall.

It’s logical – and likely – that this high MSB SAR count, both relative to depository institutions and to the population of the area, indicates that MSBs are filing “Marijuana Limited” SARs on all of the activity that marijuana-related businesses are doing with them, not just the traditional suspicious activity. In other words, MSBs are complying with the FinCEN guidance, and we don’t know it. The conclusion may be that marijuana related businesses have access to more financial services than is being reported, even if those financial services aren’t being provided by banks and credit unions.

Perhaps FinCEN can tell us in the next quarterly Marijuana Banking and Money Services Business Report …

Sponge Bob Square Pants, Alan Greenspan, Elton John, PPP Loans, and a Limited Safe Harbor

“Liar, liar, plants for hire”

On April 23rd the Treasury Department added a 31st question and answer to its series of Paycheck Protection Program (PPP) FAQs issued since April 6th. Question 31 that Treasury asked then answered was “Do businesses owned by large companies with adequate sources of liquidity to support the business’s ongoing operations qualify for a PPP loan?” The relevant parts of the answer were:

“… all borrowers must assess their economic need for a PPP loan under the standard established by the CARES Act and the PPP regulations at the time of the loan application … borrowers still must certify in good faith that their PPP loan request is necessary. Specifically, before submitting a PPP application, all borrowers should review carefully the required certification that “[c]urrent economic uncertainty makes this loan request necessary to support the ongoing operations of the Applicant.” Borrowers must make this certification in good faith, taking into account their current business activity and their ability to access other sources of liquidity sufficient to support their ongoing operations in a manner that is not significantly detrimental to the business. For example, it is unlikely that a public company with substantial market value and access to capital markets will be able to make the required certification in good faith, and such a company should be prepared to demonstrate to SBA, upon request, the basis for its certification.”

Tacked to the end of answer 31 was the following stand-alone paragraph:

“Lenders may rely on a borrower’s certification regarding the necessity of the loan request. Any borrower that applied for a PPP loan prior to the issuance of this guidance and repays the loan in full by May 7, 2020 will be deemed by SBA to have made the required certification in good faith.”

This last paragraph didn’t get much attention. And the context of Q&A 31 was the “Shake Shack” controversy, where the publicly-traded company obtained two PPP loans totaling $20 million, faced an onslaught of adverse media attention, then publicly announced it would return the money. Among other things, one of the principals of Shake Shack posted an article on LinkedIn that one of the reasons they applied for the PPP loan was that the conditions were “confusing”. Fair enough, and no doubt a true statement that he made from the bottom of his heart.

Liar, Liar Plants for Hire – A Limited Safe Harbor?[1]

On April 24th Treasury published another FAQ document – tacking on four more questions and answers – but just as important, issued its fourth set of PPP-related Interim Final Rules – those pesky regulations that need to be published in the Federal Register that provide the “how things will happen” details to the CARES Act’s “what should happen” general provisions. Included in this fourth PPP Interim Final Rule was the following:

5. Limited Safe Harbor with Respect to Certification Concerning Need for PPP Loan Request
Consistent with section 1102 of the CARES Act, the Borrower Application Form requires PPP applicants to certify that “[c]urrent economic uncertainty makes this loan request necessary to support the ongoing operations of the Applicant.” Any borrower that applied for a PPP loan prior to the issuance of this regulation and repays the loan in full by May 7, 2020 will be deemed by SBA to have made the required certification in good faith. The Administrator, in consultation with the Secretary, determined that this safe harbor is necessary and appropriate to ensure that borrowers promptly repay PPP loan funds that the borrower obtained based on a misunderstanding or misapplication of the required certification standard.

The CARES Act itself, and the first set of regulations referred to the certification by the PPP applicant/borrower that the loan is “necessary to support the ongoing operations” of the applicant/borrower. It doesn’t appear that Treasury, the CARES Act, or the SBA have defined or explained what they mean by “necessary to support the ongoing operations” or established the “required certification standard”. This is the Congressional equivalent of Alan Greenspan’s “mumbling with great incoherence.[2]

“I’ve learned to mumble with great incoherence”

No wonder borrowers have a misunderstanding. But I don’t know what Treasury intends by “misapplication”. Regardless, Treasury has given those who’ve misunderstood the standards, as well as those who have misapplied the standards, and even those who flat-out lied in their certifications, a limited safe harbor: “Pay the money back by May 7th and we’ll pretend it never happened.”

“Sorry Seems To Be The Hardest Word”

Let’s hope that there aren’t too many PPP recipients who misunderstood or misapplied the certification standard, or flat out lied about needing the money. Why? What about those deserving small businesses that were shut out of the PPP because of those that lied or cheated their way into a PPP loan? “Sorry seems to be the hardest word …”

One other thing. The FAQ provides a safe harbor-ish to those that applied prior to the issuance of the April 23rd guidance and repays the loan in full by May 7. The Interim Final provides a limited safe harbor for any borrower that applied for a PPP loan prior to the issuance of this regulation. The regulation was issued on April 24th but isn’t effective until the date it is published in the Federal Register. The first Interim Final Rule took almost two weeks to get published. Let’s see if they’re quicker with this fourth PPP Interim Final Rule.

[1] I couldn’t resist. For two years I’ve been looking for a reason to use a quote, any quote, from Sponge Bob Square Pants. In a great 11-second scene, Sponge Bob accuses Patrick of stealing his candy bar. Patrick replies, “Liar, liar, plants for hire”. https://www.youtube.com/watch?v=n-rhuo1vnKE

[2] In Congressional testimony in 1987, then-Federal Reserve Chairman Alan Greenspan said, “Since I’ve become a central banker, I’ve learned to mumble with great incoherence. If I seem unduly clear to you, you must have misunderstood what I said.”

BSA/AML Compliance Programs are Important, but Providing Timely, Actionable Intelligence to Law Enforcement Should be the Goal

Eighteen months ago I called for a renewal of the original purpose of the Bank Secrecy Act: with recent changes – and more expected changes – to the FFIEC’s BSA/AML Examination Manual, I’m renewing that call.

On April 15, 2020, state and federal bank regulatory agencies, through the Federal Financial Institutions Examination Council (FFIEC), updated one of the six main sections of the FFIEC’s BSA/AML Examination Manual, the section titled “Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program.” What the regulators haven’t (yet) updated are the Introduction that precedes the newly-updated section, the core examination section on the regulatory requirements, the two expanded examination sections on products and services, and persons and entities, respectively, the expanded examination section on compliance compliance programs, and the twenty appendices.

So perhaps there’s time to influence their thinking.

The stated purpose of the Manual is to provide instructions to examiners as they assess the adequacy of a bank’s BSA/AML compliance program. But the Manual is much more than that: indeed, it could be called the “BSA/AML Program Design, Development, Testing, Auditing, and Examination” Manual. It is the proverbial Bible, Torah, and Koran for everyone involved in BSA/AML. It sets the tone, as well as expectations, for everyone involved in BSA/AML, not just examiners. What is written in the Manual is critical, because the Bank Secrecy Act, or BSA is critical: “The BSA is intended to safeguard the U.S. financial system and the financial institutions that make up that system from the abuses or financial crime, including money laundering, terrorist financing, and other illicit financial transactions.” So says the Introduction section of the Manual, at page 7.

That same Introduction section also includes this:

“Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. A sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.” (emphasis added)

Eighteen months ago, Verafin released my White Paper titled “50 Years of the Bank Secrecy Act: It’s Time to Renew the Purpose of Providing Actionable Intelligence to Law Enforcement”. The Paper is available at https://verafin.com/resource/50-years-bank-secrecy-act/. I conclude with the following:

“I, and many others, believe that providing timely and actionable intelligence to law enforcement is critical to the successful prevention of illicit activity. Of course, as outlined in the FFIEC manual, a sound BSA/AML compliance program provides the necessary foundation for providing that intelligence. With that in mind, a first step in reforming the BSA/AML regime in the United States may be changing the language of the Manual itself. I propose that the language is changed from ‘a sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions…’ to ‘providing timely and actionable intelligence to law enforcement is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions, and a sound BSA/AML compliance program provides the foundation for the ability to provide that intelligence.’ The change is subtle but important as it strengthens and focuses the very purpose of the BSA. Providing actionable, timely intelligence to law enforcement, while maintaining sound but rational programs, should be the new goal.”

I believe that a financial institution should be supervised, examined, and judged first and foremost on whether it is providing timely, actionable intelligence to law enforcement over whether the hundreds or even thousands of BSA compliance program requirements are ticked and tied and documented. Having an effective – or to use the new adjective in the just-released update – “adequate” BSA/AML compliance program is critically important, but it shouldn’t be the only defense, or even the primary defense from money laundering, terrorist financing, or other illicit financial activity.

So my suggestion to the FFIEC is this: on page 7 of the current Introduction section, replace:

“Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. A sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.

With:

“Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. Providing timely and actionable intelligence to law enforcement is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions, and a sound BSA/AML compliance program provides the foundation for the ability to provide that intelligence.”

Dusting off the Congressional Version of an “Aged Shelf Company”

On April 21, 2020, the United States Senate resolvedthat the bill from the House of Representatives (H.R. 266) entitled ‘An Act making appropriations for the Department of the Interior, environment, and related agencies for the fiscal year ending September 30, 2019, and for other purposes’, do pass with the following AMENDMENT: Strike all after the enacting clause and insert …” the “Paycheck Protection Program and Health Care Enhancement Act”.

Apparently, in order to extend the Paycheck Protection Program quickly, Congress needed a bill that had been sitting around waiting to be amended and passed in a jiffy. They found it in a bill introduced by Representative Betty McCollum (D. MN. – 4th) on January 8, 2019 for appropriations for the Department of the Interior for 2019. They took that aged bill off the congressional shelf, stripped it of everything but its existence and history, and have re-purposed it for the PPP and healthcare funding for the coronavirus emergency.

What Congress found was the congressional equivalent of an aged shelf company. What is an “aged shelf company”? Apparently, a leading authority on aged shelf companies seems to be Wyoming Corporate Services Inc., which provides some top-shelf information on aged shelf companies.

https://wyomingcompany.com/aged-corporation/ has the following:

What exactly are Shelf Companies & Shell Companies? What are the differences?

A Shell company defined by Wikipedia: “A shell corporation is a company which serves as a vehicle for business transactions without itself having any significant assets or operations … Shell corporations are not in themselves illegal, and they do have legitimate business purposes.”

A Shelf company defined by Wikipedia: “A shelf corporation, shelf company, or aged corporation is a company or corporation that has had no activity.  It was created and left with no activity – metaphorically put on the “shelf” to “age”.  The company can then be sold to a person or group of persons who wish to start a company without going through all the procedures of creating a new one.”

Here at Wyoming Corporate Services, Inc. we do not offer, nor have we ever offered Shell companies, so we are not going to spend additional time discussing them.

We do offer Aged Shelf Companies.  Companies that we formed ourselves, placed up on the shelf and have maintained all the State required records and fees.  We guarantee in writing that they are all clean and pristine.  They do not have EIN#, bank accounts, trade lines, D&B credit scores.  They have never been used and this is the reason we can make such a guarantee. Visit our aged shelf companies page to browse a partial list of our current inventory.

Who uses Shelf Companies and why?

    • To save the time and effort involved in creating a new company.  Let’s say you have a real estate closing or transaction and would like to use a Corporation or LLC and need it right away.  In most cases, our shelf companies will come with a PDF copy of all your Articles the same day you order, and you can utilize them that same day. In many cases a bank account can be established for the entity the same day.
      • To have the ability to bid on contracts.  Some jurisdictions require a company to be in business for a certain length of time in order to bid or qualify for consideration.
      • Leasing equipment.  Often leasing companies don’t like to lease to companies that are less than six month old.
      • Perception in the market place that the company has a longevity.  Maybe you have been a sole proprietor for many years and now have decided to incorporate.  You don’t want to appear to new or potential customers that you “just started”, but rather have been in business for awhile.
      • Privacy.  The reality of the world we all now live in is there is very little privacy or the ability to have privacy.  We are often lead to believe that anyone seeking privacy must be “trying to hid something” or they are “doing something illegal”.   Therefore, if we have “nothing to hide” we should filet and display all of our personal and business dealings for public review, approval and consumption.  This is simply not true.  There are many legitimate, legal and varied reasons for one wishing to keep ones personal and business dealing out of the prying public eye.  Fortunately Wyoming is a State that still believes citizens can and most importantly still have a RIGHT to do so.  Wyoming still has the Old West mind set that if you want privacy, you have a right to it.

Please don’t be misled or misinformed by the current furor over the “Panama Papers” and role of shell vs shelf companies. Do your own research – there is a lot of great, informative and accurate information out there.

Apparently, Mitch McConnell uses aged shelf bills to save the time and effort involved in creating a new bill.

Wyoming Corporate Services Inc. is offering its 245 aged shelf companies for $645 for a company aged less than a month all the way to $5,895 for its oldest vintage – July 2006. And aged shelf companies created in January 2019 – like the bill introduced by Representative McCollum that Senator McConnell has dusted off – are going for $995. Mitch may have saved American taxpayers some money!

“Money Laundering/Terrorist Financing and Other Illicit Financial Activity” – a New BSA/AML Focus?

If this is, in fact, a new standard for the assessment of U.S. financial institutions’ BSA/AML compliance programs, then I believe it is a positive development.

The April 15, 2020 revision of four of the five introductory sections of the FFIEC BSA/AML Examination Manual is 43 pages long. It begins with “Scoping and Planning” a BSA/AML examination. In the just-replaced section from the 2014 Manual, the objective of scoping and planning was to “identify the bank’s BSA/AML risks”. The new objective is to “develop an understanding of the bank’s money laundering, terrorist financing (ML/TF) and other illicit financial activity risk profile.”

In fact, the phrase “money laundering, terrorist financing and other illicit financial activity risk” or “ML/TF and other illicit financial activity risk” appears fifty-three (53) times in forty-three (43) pages in this April 2020 update.

The phrase “money laundering or terrorist financing risk” appears three (3) times in the current Manual (twice in the CDD section, once in the MSB section), but the phrase “ML/TF and other illicit financial activity” appears exactly zero (0) times in 442 pages of the 2014 BSA/AML Examination Manual.[1]

It appears, then, that the regulatory agencies have replaced the term “BSA/AML risk” and “BSA/AML risk profile” with the phrase “ML/TF risk” and “ML/TF risk profile.”

What are the practical impacts, if any, with the regulators’ shift from examining a bank’s “BSA/AML risk profile” to examining a bank’s “ML/TF risk profile”?

Without guidance from the regulators, without knowing their intent, it’s impossible to say what, if any, practical difference there is.

What the regulators haven’t yet touched is the Introduction section of the Manual, which precedes the four sections they have updated. So, the 2014 Introduction remains. Among other things, the Introduction includes some discussion of money laundering and terrorist financing. At page 7:

Money Laundering and Terrorist Financing

The BSA is intended to safeguard the U.S. financial system and the financial institutions that make up that system from the abuses of financial crime, including money laundering, terrorist financing, and other illicit financial transactions.  Money laundering and terrorist financing are financial crimes with potentially devastating social and financial effects.  From the profits of the narcotics trafficker to the assets looted from government coffers by dishonest foreign officials, criminal proceeds have the power to corrupt and ultimately destabilize communities or entire economies.  Terrorist networks are able to facilitate their activities if they have financial means and access to the financial system.  In both money laundering and terrorist financing, criminals can exploit loopholes and other weaknesses in the legitimate financial system to launder criminal proceeds, finance terrorism, or conduct other illegal activities, and, ultimately, hide the actual purpose of their activity.

Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system.  A sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.

At page 8:

Terrorist Financing

The motivation behind terrorist financing is ideological as opposed to profit-seeking, which is generally the motivation for most crimes associated with money laundering.  Terrorism is intended to intimidate a population or to compel a government or an international organization to do or abstain from doing any specific act through the threat of violence.  An effective financial infrastructure is critical to terrorist operations.  Terrorist groups develop sources of funding that are relatively mobile to ensure that funds can be used to obtain material and other logistical items needed to commit terrorist acts.  Thus, money laundering is often a vital component of terrorist financing.

It appears, then, that the 2014 Introduction remains and provides clear direction that a sound BSA/AML compliance program is critical in deterring and preventing money laundering and terrorist financing at, or through, banks and other financial institutions. And it appears also that the 2020 updates have further emphasized the importance of focusing on ML/TF and other illicit financing activity risks as this phrase doesn’t appear at all in the old/existing Manual.

In this article I will make three observations about money laundering and terrorist financing, and all three come from a Congressional hearing that occurred almost seventeen (17) years ago – a year before the first BSA/AML Examination Manual was published – that was held by the House Financial Services Subcommittee on Oversight and Investigations. That hearing was titled “Improving Financial Oversight: A Private Sector View of Anti-Money Laundering Efforts”. It was held on May 18, 2004. The hearing transcript is available at Congressional Hearing May 2004. In full disclosure, I was one of five witnesses to appear before the Sub-Committee. The others were David Aufhauser (then a Senior Counsel, Center for Strategic and International Studies and Counsel, Williams & Connolly LLP, and previously General Counsel at the Treasury Department); John Byrne, at the time the Director of Center for Regulatory Compliance, American Bankers Association; Joe Cachey, then the Vice President, Global Compliance and Chief Compliance Officer and Counsel, Western Union Financial Services; and Steve Emerson, Executive Director, The Investigative Project.

1. From an operational point of view, money laundering and terrorist financing are different problems

“From a purely operational point of view, money laundering and terrorist financing are two, very, very different problems. Traditional money laundering prevention is a transaction-focused internally sourced issue where transactions lead to relational links. Terrorist financing prevention is very different. It is a relationship-focused, externally sourced issue where relational links lead to transactions.” – written testimony of Jim Richards, Operations Executive for Global Anti-Money Laundering, Bank of America, footnote 10 on page 13.

Seventeen years later, I wish I had taken a page from the FFIEC manual and added something about “money laundering is often a vital component of terrorist financing.” But in the immediate post-9/11 environment, most of our success in finding terrorist financing or the funding of terrorist operations came from getting names or other leads from law enforcement. That said, Sub-Committee Chairwoman Sue Kelly (D. NY) asked me “[c]an you identify any particular case in which your companies worked with law enforcement to stop the flow of funds to a terrorist group or an activity of some sort?” I replied:

“Madam Chairman, off the top of my head, I can think at least two particular cases: One prior to September 11 and one after September 11. In both cases, we identified what we thought was suspicious activity. Again, we are not required to detect money laundering or terrorist financing, we are required to detect and report suspicious activity. We did that. In both cases, we felt it was significant enough that we immediately contacted law enforcement, which we are entitled and indeed perhaps required to do if it is an ongoing, serious matter. And in this case, it was the Boston U.S. Attorney’s Office, and they immediately contacted us and sought the underlying records that were the basis of our suspicious activity reports. Subsequent news events confirmed that what we had reported was indeed tied to potential terrorist financing.”

So I actually contradicted myself: we reported what we thought was money laundering or suspicious activity, and subsequent events revealed that what we had actually reported was terrorist financing or the funding of terrorist activity. The FFIEC is correct: money laundering is often a vital component of terrorist financing.

2. Money laundering and terrorist financing should not just be viewed as problems, but as symptoms of problems

“… from the perspective of a bank’s risk officer, money laundering or terrorist financing is not a problem, but a symptom of an underlying operational or control problem.  When looked at from this perspective, the risk officer is able to look at the filing of a SAR or the activity represented in the SAR as a symptom of an underlying problem with account opening procedures, document collection and verification procedures, branch AML training, or the monitoring or surveillance functions.  Looking at money laundering or terrorist financing as a symptom rather than a problem can be an effective way to focus on and eliminate or mitigate the underlying causes.” – Written testimony of Jim Richards, page 13, footnote 10.

Seventeen years later, I wish I had written “from the perspective of a bank’s risk officer, money laundering or terrorist financing is not just a problem, but also a symptom of an underlying operational or control problem …”. Obviously, money laundering is a problem. As is terrorist financing. But the important point I was trying to make is that identifying and reporting the suspicious activity – whether related to money laundering or terrorist financing, or both – is not the end-game for the reporting financial institution. It’s equally important to take those reports – to take the problems that you’ve identified and reported – and view them as symptoms of possible problems or issues with your underlying operational controls, or policies and procedures, or training, or even auditing or independent testing, and to correct those problems. Being able to prevent money laundering or terrorist financing is the ultimate goal.

I attempted to explain this notion of symptom versus problem in answering a question from Congressman Jeb Hensarling (R. TX 5th):

Mr. Hensarling. Thank you, Madam Chair. Mr. Richards, I believe in your testimony you stated that money laundering or terrorist financing is not a problem but a symptom of a problem. Could you elaborate and explain that statement?

Mr. Richards. Yes. We believe that within the context of the total issue of operating risk, that the act of filing a suspicious activity report is not the end of your duty but indeed you take the suspicious activity reports and then you go back and look at the commonalities between them to determine whether the money laundering that you have reported or suspicious activity you are reported is caused by issues relating to account opening, failure to collect the proper identification, it might be a branch training issue where you have to train the people in the branch environment, something like that.

So that rather than looking at the end game being the filing of a suspicious activity report, you look at it as just the beginning of trying to see if there is an underlying operational issue in the bank. If you address the underlying operational issue, you may resolve the suspicious activity that is occurring in your bank. So, again, if you look at it as not a problem but a symptom, you can then drill down and see what the real underlying operational problem may be.

Mr. Hensarling. Thank you.

3. Managing money laundering and terrorist financing risks can only be done with creative, committed, and courageous professionals in the public and private sectors, working together

“The success of the financial sector’s anti-money laundering and terrorist financing prevention efforts is entirely dependent on two things: First, cooperation between and coordination by all of the parties involved: the law enforcement and intelligence communities, the regulatory community, the private sector, our trade associations, such as the ABA, and others; and, second, creative, committed professionals dedicated to this task. In my experience, Madam Chairman, the American financial sector has both.” – written testimony of Jim Richards

Just as I wish I had written “money laundering or terrorist financing is not just a problem, but also a symptom …”, seventeen years later I wish I had added “courageous” to my description of the type of professional that are dedicated to fighting money laundering, terrorist financing, and other illicit financial activity.

Since my Congressional testimony in 2004, I’ve come to realize that Winston Churchill was right when it comes to courage: “Courage is the single attribute upon which all other attributes depend”.

In an article I published in December 2018 titled “Rules-Based Monitoring, Alert-to-SAR Ratios, and False Positive Rates: Are We Having the Right Conversations?”  I wrote this about the importance of courage:

“After 20+ years in the AML/CTF field – designing, building, running, tuning, and revising programs in multiple global banks – I am convinced that rules-based interaction monitoring and customer surveillance systems, running against all of the data and information available to a financial institution, managed and tuned by innovative, creative, courageous financial crimes subject matter experts, can result in an effective, efficient, proactive program that both provides timely, actionable intelligence to law enforcement and meets and exceeds all regulatory obligations. Can cloud-based, cross-institutional, machine learning-based technologies assist in those efforts? Yes! If properly deployed and if running against all of the data and information available to a financial institution, managed and tuned by innovative, creative, courageous financial crimes subject matter experts.”

And in a March 2019 article titled “Lessons Learned as a BSA Officer 1998-2018” , one of the nine lessons I described was on the importance of courage. After quoting Winston Churchill (“Courage is the single attribute upon which all other attributes depend”), I wrote:

“After the September 2001 terrorist attacks, the 9/11 Commission was set up to look at what happened, and why. In its final report issued in 2004, they concluded that the US government’s failures could be grouped into four major categories: failure of policy, failure of capabilities, failure of management, and failure of imagination. And they concluded that the “most important failure” was a lack of imagination. I believe that all four of those failures – of policy, of capabilities, of management, and of imagination – have one thing in common. A failure of courage. What do I mean by courage? Courage to speak freely – but respectfully and fairly. Courage to walk away when your principles are compromised. Courage to change. Courage to listen. Courage to compromise.”

Finally, I apparently used the word “courage” six times in a podcast I did with the esteemed Jo Ann Barefoot in April 2018, just weeks after I retired from Wells Fargo. In the show notes, Jo Ann wrote, in part, that “executing the transformation [to digitally-enabled regulation] will take imagination, vision, wisdom and even courage, which is why I invited today’s guest to join us.  He is Jim Richards, founder of the new firm, RegTech Consulting, and I think he used the word “courage” six times, in our talk.”[2]

Conclusion

I don’t believe there are any practical differences between BSA/AML risks, on the one hand, and money laundering, terrorist financing (ML/TF) and other illicit financial activity risks, on the other hand. But if there are differences, then a greater focus on managing – and being examined on how financial institutions manage – ML/TF and other illicit financial activity risks is a positive thing.

It will take cooperation between, coordination by, and the courage of all of the parties involved in the fight against money laundering and terrorist financing: the law enforcement and intelligence communities, the regulatory communities, private sector financial institutions, fintech disrupters and vendors of financial crimes systems, trade associations, and others. In my experience, the American financial sector has what it takes to effectively manage money laundering and terrorist financing and other illicit financial activity risks.

[1] In fairness, the phrase “money laundering, terrorist financing, and other illicit financial transactions” appears in the current Introduction section (page 7).

[2] https://www.jsbarefoot.com/podcasts/2018/5/14/the-courage-to-change-former-wells-fargo-bsa-officer-jim-richards

The US BSA/AML Regime – Have We Just Gone From Aspiring to be “Effective” to Merely Being “Adequate”?

On April 15, 2020, federal and state banking agencies updated parts of the BSA/AML Examination Manual (“Manual”), a document that was first published in 2005 and has been revised and re-published four times since, with the last full edition published in November 2014. The Manual provides what and how examiners examine banks and other financial institutions (collectively, “banks”) for compliance with BSA/AML laws and regulations. Just as important, the Manual is the blueprint that allows banks to build and maintain their programs, and for bank auditors to audit those programs, with some confidence that they’re meeting regulatory requirements and their regulators’ expectations.

OCC Comptroller Otting’s statement on the release of the revisions to the Manual included the following statement:

Today, the FFIEC agencies published updates to the BSA/AML Examination Manual that represent a significant step forward in our efforts to improve how we ensure banks have effective programs to safeguard the banking system against financial crime, particularly money laundering and terrorist financing.[1](emphasis added)

Ensuring that banks have effective programs is critical. This “effectiveness” standard is how the United States itself is judged by the Financial Action Task Force, or FATF, which rates its member countries’ technical compliance with its Recommendations as well as how effective their BSA/AML regimes are in fighting financial crime.

“Effectiveness” is a hot topic in financial crimes risk management. Just last December, the Wolfsberg Group issued its statement on effectiveness.[2] The opening paragraphs of that statement are instructive:

The Wolfsberg Group – Statement on Effectiveness

Making AML/CTF Programmes more effective

The Wolfsberg Group (the Group) is an association of thirteen global banks, founded in 2000, which aims to develop frameworks and guidance for the management of financial crime risk in general, with a more recent and strategic focus on enhancing the effectiveness of global Anti-Money Laundering/Counter Terrorist Financing (AML/CTF) programmes. The topic of effectiveness has also been more widely discussed across the AML/CTF community in recent years.

In 2013, the Financial Action Task Force (FATF) determined that jurisdictions simply having reasonable legal frameworks in place for financial crime prevention was no longer sufficient.  FATF stated that “each country must enforce these measures, and ensure that the operational, law enforcement and legal components of an AML/CFT system work together effectively to deliver results: the 11 immediate outcomes.”  As a result, FATF changed the way it conducted mutual evaluations of its member states, no longer focusing solely on technical compliance with its 40 Recommendations, but also evaluating the overall effectiveness of the AML/CTF regime based on evidence that the outcomes were being achieved.

Notwithstanding FATF’s approach, Financial Institutions (FIs) still tend to be examined by national supervisors almost exclusively on the basis of technical compliance rather than focussing on the practical element of whether AML/CTF programmes are really making a difference in the fight against financial crime.  The Group believes that, in practice, there is as yet insufficient consideration of whether an FI’s AML/CTF programme is effective in achieving the overall goals of the AML/CTF regime which go beyond technical compliance. As a result, FIs devote a significant amount of resources to practices designed to maximise technical compliance, while not necessarily optimising the detection or deterrence of illicit activity.  The Group believes that jurisdictions should adopt the FATF’s focus on effective outcomes and therefore, that an FI’s AML/CTF programme should have three key elements:

    1. Comply with AML/CTF laws and regulations
    2. Provide highly useful information to relevant government agencies in defined priority areas
    3. Establish a reasonable and risk-based set of controls to mitigate the risks of an FI being used to facilitate illicit activity

The Group believes that supervisors and/or relevant government agencies should assess the effectiveness of an FI’s AML/CTF programme based on the above criteria, recognising that no two FIs are the same and each FI’s risk mitigation strategy must be tailored to meet its risk appetite.

This certainly seems in line with Comptroller Otting’s statement that these new BSA Exam Manual updates will help “ensure banks have effective programs to safeguard the banking system against financial crime”.

So if these updates are, in fact, a significant step forward to improve how the OCC ensures banks have effective BSA/AML programs, how come the OCC – and the other federal and state examiners – seem to have lowered their examination standards from assessing whether banks have effective programs, to assessing whether banks have adequate programs?

First, since I’m making a stink about the difference between effective and adequate, I’ll pause and offer some definitions. I went to one source only: Merriam-Webster. Here’s what I found:

Effective – producing a decided, decisive, or desired effect: as in an effective policy.

Adequate – sufficient for a specific need or requirement; as in adequate time. Also, good enough, or of a quality that is acceptable but not better than acceptable: as in a machine that does an adequate job[3]

These seem in line with what we expect: effective is a higher standard than adequate. Being an effective leader is better than being an adequate leader. And having an effective program is better than having an adequate program.

The FFIEC BSA/AML Examination Manual

Let’s first take a look at the language from the existing Manual, or rather the parts of the Manual that were just changed. As explained in the “Introduction” section of the 2014 Manual (which is over 440 pages long, by the way):

“… the manual is structured to allow examiners to tailor the BSA/AML examination scope and procedures to the specific risk profile of the banking organization.  The manual consists of the following sections:

    • Introduction
    • Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program
    • Core Examination Overview and Procedures for Regulatory Requirements and Related Topics
    • Expanded Examination Overview and Procedures for Consolidated and Other Types of BSA/AML Compliance Program Structures
    • Expanded Examination Overview and Procedures for Products and Services
    • Expanded Examination Overview and Procedures for Persons and Entities
    • Appendixes

The core and expanded overview sections provide narrative guidance and background information on each topic; each overview is followed by examination procedures.  The “Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program” and the “Core Examination Overview and Procedures for Regulatory Requirements and Related Topics” (core) sections serve as a platform for the BSA/AML examination and, for the most part, address legal and regulatory requirements of the BSA/AML compliance program.  The “Scoping and Planning” and the “BSA/AML Risk Assessment” sections help the examiner develop an appropriate examination plan based on the risk profile of the bank.  There may be instances where a topic is covered in both the core and expanded sections (e.g., funds transfers and foreign correspondent banking).  In such instances, the core overview and examination procedures address the BSA requirements while the expanded overview and examination procedures address the AML risks of the specific activity.

At a minimum, examiners should use the following examination procedures included within the “Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program” section of this manual to ensure that the bank has an adequate BSA/AML compliance program commensurate with its risk profile:

    • Scoping and Planning (refer to page 11)
    • BSA/AML Risk Assessment (refer to page 18)
    • BSA/AML Compliance Program (refer to page 28)
    • Developing Conclusions and Finalizing the Examination (refer to page 40)”

It is these last four bulleted sections that form the basis for all exams of banks’ BSA programs. And it is these four bulleted sections that were updated on April 15, 2020. A side-by-side comparison of the 2014 BSA Exam Manual (partial) table of contents and the April 2020 updates (complete) shows clearly what the regulators have focused on:

The regulatory agencies didn’t touch the 2014 Manual’s Introduction section. What they focused on are the sections on the four “pillars” of a BSA/AML compliance program. Where the 2014 Manual goes through each of the four pillars in a total of five pages, and then includes examination procedures for the overall compliance program at the end, the new 2020 update takes a different approach: it breaks out each of the four pillars, and has objectives and examination procedures for each. It is a more detailed and comprehensive approach.

So the 2014 Introduction section remains in place. That section uses three different adjectives in describing bank’s programs:

  • Page 1: “An effective BSA/AML compliance program requires sound risk management …”
  • Page 2: “… ensure that the bank has an adequate BSA/AML compliance program commensurate with its risk profile”
  • Page 6: “The federal banking agencies work to ensure that the organizations they supervise understand the importance of having an effective BSA/AML compliance program in place.”
  • Page 7: “Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system.  A sound BSA/AML compliance program is critical in deterring and preventing [money laundering, terrorist financing, and other illicit financial transactions] at, or through, banks and other financial institutions.”

In the four “pillar” sections that were updated in 2020, the words “effective” or “effectiveness” appear four times in forty-three pages. Those words appeared seventeen times in the old 2014 version.

Let’s go through those sections, with a focus on the differences in the use of the words “effective” and “adequate”.

Scoping & Planning

The 2014 “Scoping and Planning” section begins on page 11 with “The BSA/AML examination is intended to assess the effectiveness of the bank’s BSA/AML compliance program and the bank’s compliance with the regulatory requirements pertaining to the BSA, including a review of risk management practices.”

The 2020 “Scoping and Planning” section begins on page 1 with: “Examiners assess whether the bank has developed and implemented adequate processes to identify, measure, monitor, and control those risks and comply with BSA regulatory requirements.”

So the regulators have shifted from effective to adequate.

The 2014 “Scoping and Planning” section then continues with a reference to risk assessment. At page 11: “risk assessment has been given its own section to emphasize its importance in the examination process and in the bank’s design of effective risk-based controls.”

The 2020 update provides, on page 4: “The BSA/AML Risk Assessment section provides information and procedures for examiners in determining whether the bank has developed a risk assessment process that adequately identifies the ML/TF and other illicit financial activity risks within its banking operations.”

So the regulators will determine whether the risk assessment adequately identifies risks: not whether it effectively identifies risks.

The 2014 edition does use the term “adequate in a few places. At page 12 is a reference to the Examination Plan: “At a minimum, examiners should conduct the examination procedures included in the following sections of this manual to ensure that the bank has an adequate BSA/AML compliance program commensurate with its risk profile.” And in a mixed message, under the heading “Transaction Testing” is: “Examiners perform transaction testing to evaluate the adequacy of the bank’s compliance with regulatory requirements, determine the effectiveness of its policies, procedures, and processes, and evaluate suspicious activity monitoring systems.”

There’s no mixed message in the 2020 update, though. Under the heading “Risk-Focused Testing” on page 6 is: “Examiners perform testing to assess the adequacy of the bank’s BSA/AML compliance program, relative to its risk profile, and the bank’s compliance with BSA regulatory requirements.” And at page 8 is the new objective for risk-focused BSA/AML supervision examination procedures: “Determine the examination activities necessary to assess the adequacy of the bank’s BSA/AML compliance program, relative to its risk profile, and the bank’s compliance with BSA regulatory requirements.”

So again, it’s fair to say (write) that the regulators have shifted from effective/effectiveness to adequate/adequacy.

Page 34 of the 2014 Manual sets out the objectives of the exam procedures: “Assess the adequacy of the bank’s BSA/AML compliance program. Determine whether the bank has developed, administered, and maintained an effective program for compliance with the BSA and all of its implementing regulations.”

Page 18 of the 2020 update sets out the objective when assessing the BSA/AML compliance program: “Assess whether the bank has designed, implemented, and maintains an adequate BSA/AML compliance program that complies with BSA regulatory requirements.” And at page 20: the objective of “assessing the BSA/AML compliance program examination procedures” is to “[d]etermine whether the bank has designed, implemented, and maintains an adequate BSA/AML compliance program that complies with BSA regulatory requirements.”

Internal Controls

There are some interesting differences in the main section on the system of internal controls – one of the four pillars of a BSA/AML compliance program.[4]

The 2014 Manual sets out the objectives for the overall BSA/AML compliance program: “Assess the adequacy of the bank’s BSA/AML compliance program.  Determine whether the bank has developed, administered, and maintained an effective program for compliance with the BSA and all of its implementing regulations.” (page 28). The 2014 Manual then goes through each of the four pillars, and does so in five pages, then includes examination procedures for the overall compliance program. The 2020 update takes a different approach: it breaks out each of the four pillars, and has objectives and examination procedures for each.

The 2020 update doesn’t use the terms effective or adequate in the Internal Controls section. Rather, it refers to “ongoing” compliance (“[t]he board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains a system of internal controls to assure ongoing compliance with BSA regulatory requirements.”).

Independent Testing

As to independent testing, the 2020 update includes an Objective: “Assess the adequacy of the bank’s independent testing program” (page 24). The objective of the exam procedures is to “[d]etermine whether the bank has designed, implemented, and maintains an adequate BSA/AML independent testing program for compliance with BSA regulatory requirements”. There isn’t similar language or detail in the 2014 Manual.

BSA Compliance Officer

The changes to the BSA Compliance Officer pillar are extensive. The 2020 update includes an objective: to “[c]onfirm that the bank’s board of directors has designated a qualified individual or individuals (BSA compliance officer) responsible for coordinating and monitoring day-to-day compliance with BSA regulatory requirements. Assess whether the BSA compliance officer has the appropriate authority, independence, access to resources, and competence to effectively execute all duties.” (page 29). In this section is the following: ” The board of directors is responsible for ensuring that the BSA compliance officer has appropriate authority, independence, and access to resources to administer an adequate BSA/AML compliance program based on the bank’s ML/TF and other illicit financial activity risk profile.”

The objective of the exam procedures for this pillar is to “[c]onfirm that the bank’s board of directors has designated a qualified individual or individuals (BSA compliance officer) responsible for coordinating and monitoring day-to-day compliance with BSA regulatory requirements.  Determine whether the BSA compliance officer has the appropriate authority, independence, access to resources, and competence to effectively execute all duties”.

The 2014 Manual provides that “[t]he board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting.” (page 29). And at page 32: “[t]he board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.”

To summarize: the 2014 Manual provided that the board is responsible for ensuring the BSA Compliance Officer has sufficient authority and resources to administer an effective program. The 2020 updates provide that the board is now responsible for ensuring the BSA Compliance Officer has appropriate authority and resources to administer an adequate program. What has not changed, though, with the 2020 update is this: “the board of directors is ultimately responsible for the bank’s BSA/AML compliance.”

Training

The standards for BSA/AML training seem to have dropped, also. The 2014 Manual provided that “[t]he training program should reinforce the importance that the board and senior management place on the bank’s compliance with the BSA and ensure that all employees understand their role in maintaining an effective BSA/AML compliance program.” (page 33).

The 2020 update provides: “The training program may be used to reinforce the importance that the board of directors and senior management place on the bank’s compliance with the BSA and that all employees understand their role in maintaining an adequate BSA/AML compliance program.” (page 32).

Conclusion

The Wolfsberg Group’s December 2019 Statement on Effectiveness ended with this:

The Group believes that jurisdictions should adopt the FATF’s focus on effective outcomes and therefore, that an FI’s AML/CTF programme should have three key elements: (1) Comply with AML/CTF laws and regulations; (2) Provide highly useful information to relevant government agencies in defined priority areas; and (3) Establish a reasonable and risk-based set of controls to mitigate the risks of an FI being used to facilitate illicit activity

The Group believes that supervisors and/or relevant government agencies should assess the effectiveness of an FI’s AML/CTF programme based on the above criteria, recognising that no two FIs are the same and each FI’s risk mitigation strategy must be tailored to meet its risk appetite.

Starting in 2005 with the first FFIEC BSA/AML Examination Manual, and continuing to the last full publication in 2014, the purpose of a BSA/AML regulatory exam was to determine whether banks had an effective BSA/AML compliance program, and the directors of those banks, who were ultimately responsible for their bank’s BSA/AML compliance, were to ensure the BSA Compliance Officer had sufficient authority and resources to administer an effective program. The 2020 update appears to have lowered those bars: going forward, the purpose of a BSA/AML regulatory exam is to determine whether banks have an adequate BSA/AML compliance program, and the directors of those banks, who remain ultimately responsible for their bank’s BSA/AML compliance, are now to ensure the BSA Compliance Officer has appropriate authority and resources to administer an adequate program.

It will be interesting to see what, if any, differences this new adequate standard will bring as regulatory examiners across America will be walking into banks and credit unions and announcing, “hello, we’re here to determine whether you have an adequate program.” That is a very different greeting, and a very different exam, and possibly a very different result, than if that examiner walked in and announced, “hello, we’re here to determine whether you have an effective BSA/AML compliance program.”

Post Script

In an article I wrote in August 2019 titled  “Lessons Learned as a BSA Officer – 1998 to 2018” one of the nine lessons was that words and punctuation matter. I wrote that one should use adjectives and adverbs sparingly, if at all:

Most modifiers are unnecessary. Whether necessary or not, as a risk professional you should be aware of both your use of adjectives and adverbs, and when reading others’ use of adjectives and adverbs. When confronted with any modifier, ask yourself (i) why is that modifier being used? (ii) is it being used correctly? (iii) does it change the meaning of the sentence in a way that is unintended? (iv) is it being used consistently with other modifiers? And (v) could it limit or prevent us in the future?

In this case the state and federal banking agencies changed the adjective “effective” to “adequate” to describe the quality of the BSA/AML program they will expect to see and will examine to. I hope that this was unintended, or else five to ten years from now, after a long-held standard of effectiveness is replaced by one of mere adequacy, we could be limited in our ability to fight financial crime.

Endnotes

[1] https://www.occ.gov/news-issuances/news-releases/2020/nr-occ-2020-55.html

[2] https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/Effectiveness%201%20pager%20Wolfsberg%20Group%202019%20FINAL_Publication.pdf

[3] https://www.merriam-webster.com/

[4] The 2014 FFIEC Exam Manual “was a collaborative effort of the federal and state banking agencies” and FinCEN (2014 Manual, page 1). The Interagency Statement accompanying the 2020 update provided “The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and State Liaison Committee (Agencies) revised the sections in close collaboration with Treasury’s Financial Crimes Enforcement Network.” And FinCEN hasn’t (yet) issued a press release or otherwise publicly acknowledged the 2020 updates. Regardless, the agencies’ Title 12 BSA/AML compliance program includes four pillars, and FinCEN’s Title 31 BSA/AML compliance program includes five pillars.

CARES Act and PPP Loans – Has the SBA Actually “Approved” Any PPP Loans? Or Are Its Deputies Doin’ All the Approvin’?

The Small Business Administration (SBA) has announced that as of April 15th it had “approved” about 1,300,000 Paycheck Protection Program (PPP) loans for about $289 billion (that’s just over $220,000 per loan, on average). The program kicked off on April 3rd: so that’s 1,300,000 approvals in 13 days, or 100,000 approvals every day, including weekends.

That’s a marked improvement over the SBA’s 2019 daily approval rate of about 160 loan approvals every day.

In 2019 the SBA approved a total of just under 59,000 loans totaling about $30 billion. In 2020, through March 20th, the SBA approved 24,745 loans for ~$12.5 billion. According to the SBA’s last congressional report (Fiscal 2021 Congressional Justification & Fiscal 2019 Performance Report), it noted that “The time to process a 7(a) non-delegated loan greater than $350,000 decreased from 15 days to 9 days (40 percent efficiency gain) [from FY 2017] and for loans under $350,000, from 6 to 2 days (67 percent efficiency gain).” So in fiscal 2019, the SBA approved about 46,100 7(a) loans totaling $23.2 billion. Each of those took between 2 and 9 days. And based on SBA’s data, about 20% of its 7(a) loans are under $350,000, and 80% are over $350,000.

So when faced with a volume of 59,000 loans in a year, it takes the SBA about two days to process the smaller loans, and nine days to approve the bigger loans.

So how did the SBA go from approving 160 7(a) loans per day in 2019 to approving 100,000 PPP loans per day in 2020? They deputized the lenders!

The CARES Act Has Deputized PPP Lenders – They Get to Approve the Loans They Make!

Section 1102 of the CARES Act creates the PPP and sets out the “what” that needs to be done (the “how” is reserved to the regulations). Section 1102(a) amends the existing section 7(a) of the Small Business Act (15 U.S.C. 636(a)) to add the PPP provisions in subsection 36 of section 7(a). The key is paragraph (F), titled “Delegated Authority”. It provides:

“(ii) DELEGATED AUTHORITY. (I) IN GENERAL.—For purposes of making covered loans for the purposes described in clause (i), a lender approved to make loans under this subsection shall be deemed to have been delegated authority by the Administrator to make and approve covered loans, subject to the provisions of this paragraph.”

That seems pretty clear: the SBA has deputized the lenders, and its the lenders that will make AND approve PPP loans, not the SBA. Is there anything different in the Interim Final Rule, or regulations? No. In fact, the Interim Final Rule refers to lenders making PPP loans, but is silent on lenders approving loans – even the law now gives lenders delegated authority to make and approve PPP loans. The phrase “make and approve” or “making and approving” doesn’t appear in the final rule.

So when the SBA announces that it has approved 1.3 million PPP loans in the first thirteen days of the PPP, what it really means is that its deputies – the roughly 5,000 banks, credit unions, and other lenders that have signed up for the PPP – have made 1.3 million PPP loans and, through the delegation powers in the statute, approved them. But one needs to question whether those 5,000 lenders have actually approved that many PPP loans, or whether they have simply submitted the electronic paperwork to the SBA’s E-Tran system and the SBA has returned 1.3 million PPP Loan Numbers back to those lenders, and are slowly working through the underwriting requirements and approving PPP loans methodically and carefully. It’s likely the latter.

5 + 4 = 6 … Treasury’s New PPP Math Is Creating Unnecessary Confusion, & Here’s a Proposed Solution

I’ve written two articles on the CARES Act’s Paycheck Protection Program (PPP) – the $350 billion, or $350,000,000,000, pot of federal money available for the lucky few hundred thousand or so of the roughly thirty million American small businesses that can navigate the labyrinth of regulatory requirements to apply for and be approved to get a loan that is intended to cover their payroll for 8 weeks or so. See The CARES Act and the PPP – We Know A Surge of Fraud is Coming

On April 13th the Treasury Department issued some guidance intended to clarify how the PPP lenders – mostly banks and credit unions – can satisfy some of their regulatory requirements around identifying the beneficial owners of the small businesses they’ll be lending to. In some of the more creative math I’ve seen in a while, they were somehow able to take the 5 things required under one set of regulations, combine them with the 4 things required under another set of regulations, and come up with 6 things. Instead of speeding up the delivery of the much-needed assistance to small businesses across America, their math may have the opposite effect.

Title 15 Small Business Administration (SBA) requirements

On April 2nd the SBA rolled out its requirements. Among other things, the two-page Borrower Form requires the “authorized representative” of the small business to certify a number of things, notably (for purposes of this labyrinth) five pieces of information – name, SSN/TIN, Address, Title, and Ownership Percentage – of up to five people that own 20 percent or more of the small business. And, according to the Interim Final Rule published on April 2nd, the lender (bank or credit union) can rely on that certification. And the authorized representative has to provide their name, title, and a signature.

So to summarize – for Title 15 SBA purposes, the borrower’s authorized representative needs to certify five pieces of information on as many as five legal owners of the borrower, and the bank lender can rely on that certification.

Title 31 Bank Secrecy Act (BSA) requirements

In May 2018 the federal anti-money laundering regulations were changed to add a requirement that financial institutions collect and verify “beneficial ownership” information of legal entity customers. Beneficial ownership was made up of what is called the “ownership prong” – a natural person owning twenty-five percent or more of the legal entity – and the “control prong” – one person who controlled the legal entity. The regulation also provided a Beneficial Ownership Certification form. The result was that the person opening the account had to certify a number of things, notably (for purposes of this labyrinth) four pieces of information – name, SSN/TIN, address, and Date of Birth (DOB) – of up to five people: up to four that own twenty-five percent or more of the legal entity and the single “control” person. According to the regulation, the bank can rely on that certification ““provided that it has no knowledge of facts that would reasonably call into question the reliability of such information.” And the account opener has to provide their name, title, and a signature. And the bank is required to verify that beneficial ownership information: not that the persons are the beneficial owners, because that can’t reasonably be done, but that the persons are … persons. And that verification needs to be done within a reasonable time after the account is opened.

And there are some complications in the BSA rule around existing customers opening new accounts, and whether the bank can rely on existing beneficial ownership information or not. Essentially, a bank needs to document whether and when and how it will it can rely on existing information, and that documentation is part of what is known as its “risk-based BSA compliance program”.

So to summarize – for Title 31 BSA purposes, the legal entity’s account opener needs to certify four pieces of information on as many as four legal owners and one control person, and the bank can rely on that certification unless it knows of something that calls into question the reliability of the information, and the bank needs to verify that the persons are, in fact, persons.

Title 31 BSA requirements for Title 15 SBA PPP Loans

On April 13 Treasury and the SBA revised previously published FAQs to add a question and answer relating to how the Title 31 BSA requirements relating to collection (and verification) of beneficial ownership information would be applied to the Title 15 SBA PPP loans. And FinCEN issued, for the first time, the same question and answer. These are summarized below:

Treasury FAQ:  Does the information lenders are required to collect from PPP applicants regarding every owner who has a 20% or greater ownership stake in the applicant business (i.e., owner name, title, ownership %, TIN, and address) satisfy a lender’s obligation to collect beneficial ownership information (which has a 25% ownership threshold) under the BSA?

Existing customers:  if the PPP loan is being made to an existing customer and the lender previously verified the necessary information, the lender does not need to re-verify the information.  Furthermore, if federally insured banks and credit unions have not yet collected such beneficial ownership information on existing customers, such institutions do not need to collect and verify beneficial ownership information for those customers applying for new PPP loans, unless otherwise indicated by the lender’s risk-based approach to BSA compliance.

New customers: the lender’s collection of SIX THINGS – owner name, title, ownership %, TIN, address, and date of birth – from as many as 5 natural persons with a 20% or greater ownership stake in the applicant business will be deemed to satisfy applicable BSA requirements and FinCEN regulations governing the collection of beneficial ownership information. Decisions regarding further verification of beneficial ownership information collected from new customers should be made pursuant to the lender’s risk-based approach to BSA compliance.

Leaving aside (for the moment) the vexing issue of what a bank’s risk-based BSA compliance program requires it to do for existing high risk customers applying for PPP loans, the most elaborate labyrinth the government has created is for new customers. For these new-to-the-lender customers, there appears to be a trade-off. Purely for SBA purposes, PPP lenders need to collect but perhaps not verify SIX things – the name, TIN, DOB, address, title, and ownership percentage – one of which (DOB) isn’t on the PPP Form, for up to 5 natural persons as legal owners. The April 13th guidance doesn’t say anything about the BSA “control” person – nor does it say whether the SBA Authorized Representative can be that control person. And because a lender’s risk-based BSA compliance program requires it to verify beneficial owners, the PPP lender still needs to verify that the Beneficial Owners are, in fact, human beings … not that they are, in fact, the Beneficial Owners of the Applicant Borrower. Also, for both the BSA’s “person opening the account” and the SBA’s “Authorized Representative”, the financial institution must collect the person’s name, title, and signature.

A Possible Solution to Treasury’s Math Problem

The likelihood of rampant money laundering through PPP loans is pretty slim. The likelihood of fraud, though, is 100%. How much fraud is dependent on a lot of factors, but banks are adept at lending money and keeping fraud rates down. In normal times. These are not normal times. But everyone involved in this effort wants to get the $350,000,000,000 into the hands of deserving American small businesses as soon as possible, knowing that there will be some abuses, frauds, mistakes, corruption, laziness, willful blindness, etc., etc. in the process.

But making the lenders collect six pieces of information on the owners of small businesses when neither of the applicable regulatory regimes require them to collect more than five seems to add a layer of unnecessary complexity and can only slow down the lending process.

Having to collect 5 pieces of information (but not DOB) from as many as five legal owners for SBA purposes, and to collect four pieces of information (including DOB) from as many as four legal owners AND one control person for BSA purposes, and now to have to collect SIX pieces of information (including DOB) from five persons for SBA/BSA purposes creates confusion. Treasury needs to take its own risk-based approach: satisfy SBA requirements today, BSA requirements before you forgive the loan.

So here’s my suggestion to Treasury (and the regulatory agencies): PPP lenders can rely on the certifications in the Form 2483 PPP Borrower form. Those lenders can satisfy their BSA-related beneficial ownership requirements by the earlier of (i) September 30, 2020, or (ii) before the PPP loan is forgiven. In other words, focus on the PPP borrowers and requirements today, and worry about the BSA requirements later this summer. Full stop.

CARES Act PPP Loans – Is There A Loan “Dead Zone”?

The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law by the President on March 27, 2020. It is a stunning piece of legislation meant to support our first responders and medical personnel treating those that are stricken, and to provide emergency economic relief to individuals, small businesses, and even large corporations that have been so adversely impacted by the pandemic.

The ink was barely dry on the CARES Act (enacted March 27th), which created the $349 billion Small Business Administration’s Paycheck Protection Program loan program, when the Interim Final Rules were published (April 3rd). Those PPP loans will be doled out by qualified lenders to qualified Applicants, in increments of up to $10 million per Applicant (limit of one per Applicant). Those loans will bear interest at 1% per year, with interest and principle payments deferred for six months and – here’s the best part – the Government will forgive “qualifying” loans.

As of 7:00 am PST on April 7th, there were about 1,800 lenders that had previously been approved, and another 600 or so that have only recently been approved, to act as SBA PPP lenders. How will they be compensated?

According to the Treasury Department’s Treasury PPP Fact Sheet there is a simple fee schedule:

The SBA – not the small business borrower – will pay the lender a processing fee based on the balance of the financing outstanding at the time of final disbursement in the following amounts:

  • five percent for loans of not more than $350,000;
  • three percent for loans of more than $350,000 and less than $2,000,000; and
  • one percent for loans of at least $2,000,000

(see 15 USC s. 636(a)(36)(P)).

And the SBA Interim Final Rule has similar language to the Treasury Fact Sheet. At page 24 of the  Interim Final Rule is this:

What fees will lenders be paid? SBA will pay lenders fees for processing PPP loans in the following amounts:

i. Five (5) percent for loans of not more than $350,000;

ii. Three (3) percent for loans of more than $350,000 and less than $2,000,000; and

iii. One (1) percent for loans of at least $2,000,000.

So this appears to be pretty simple: a loan up to $350,000 gets the lender a fee of 5% of the amount of the loan. A loan of more than $350,000 and less than $2,000,000 gets the lender a fee of 3%. And a loan of $2,000,000 or more gets the lender a fee of 1%.

Was that the intent?

So a PPP loan of, say, $350,000 gets the lender a fee of $17,500 (at 5%) and a loan of, say, $400,000 gets the lender a fee of $12,000 (at 3%)? Or did Treasury intend that a loan of, say, $500,000, would get the lender a fee of 5% on the first $350,000 and 3% on the next $150,000? Or for loans of, say, $4,000,000, the lender would get a fee of 5% on the first $350,000, 3% on the next $1,650,000, and 1% on the balance? If that was the intent, why didn’t Treasury write something like it had in 13 CFR §120.220, but for PPP loans:

  • for loans up to $350,000, five percent of the loan amount;
  • for loans from $350,000 up to $2,000,000, $17,500 on the first $350,000 and 3% on the balance of the loan amount; and
  • for loans of $2,000,000 up to $10,000,000 (the maximum PPP loan), $60,000 on the first $2,000,000 and 1% on the balance of the loan amount

I did some calculations, and something interesting occurs. We get a range of loans where a lender will make less in fees even when lending out more money. Here’s what it looks like: for loan amounts up to $350,000, the lender gets a fee that goes up to $17,500. But for a loan just over $350,000 – and in this example I went up $25,000 – the lender makes over $6,000 less in fees. As can be seen, there is a “Dead Zone” of PPP loans between $350,000 and $600,000 where the lender makes less in fees than if it loaned $350,000 or less. And the PPP Loan Dead Zone is even broader for Agents: that zone extends from $350,000 to $700,000.

(there is also an Agent fee that follows the same ranges as the lender fee, only in amounts of 1%, 0.5%, and 0.25%).

And a similar PPP Loan Dead Zone occurs at the next step-drop in fees – for loans of $2,000,000 or more, the lender fee is 1%. So a lender will make less on a $6,000,000 PPP loan than it would make on a $1,950,000 loan. The high dollar PPP Loan Dead Zone for Agents is $2,000,000 to $4,000,000.

Could this fee structure create some misaligned incentives for lenders? Could a lender somehow “encourage” those $575,000 loans to become $650,000 loans, even if the borrower has only applied for $575,000? Could a lender process a $350,000 loan – with a $17,500 fee – before it processes a $400,000 loan – with a $12,000 fee?

So where does that leave us? As I wrote in my last article, nobody knows. As Yogi Berra once said,

It’s tough to make predictions, especially about the future.

So how can Treasury eliminate the PPP Loan Dead Zone?

Treasury can change the fee structure to something like this:

  • for loans up to $350,000, five percent of the loan amount;
  • for loans from $350,000 up to $2,000,000, $17,500 on the first $350,000 and 3% on the balance of the loan amount; and
  • for loans of $2,000,000 up to $10,000,000 (the maximum PPP loan), $60,000 on the first $2,000,000 and 1% on the balance of the loan amount

With that, there are no PPP Loan Dead Zones … the larger the loan, the greater the fee. Fair enough, let’s get these loans processed!