Loading…

Capital One’s $390,000,000 BSA/AML Penalty – Are We Asking the Right Questions?

Supervision [of banks] happens behind closed doors. It relies upon secrecy and involves a system of discretionary actions by supervisory staff. This zone of secrecy is traditionally justified for the sake of financial stability and bank safety and soundness. There has long been an uneasy truce between the transparency and accountability required by the rule of law and the secrecy and discretion of supervision. That uneasy truce has become untenable.[1]

I was reminded of this statement by the brilliant banking attorney Meg Tahyar as I read that the OCC (and other federal financial regulators) had finalized a proposed rule that clarified the role of supervisory guidance, notably that agencies do not take enforcement actions based on supervisory guidance.[2] And this final rule on enforcement actions came just a few days after FinCEN – the primary anti-money laundering regulator – imposed a $390,000,000 penalty against Capital One for BSA violations that occurred from 2008 to 2014.

But wait: hadn’t Capital One already been fined by the OCC, its primary banking regulator, in 2018 for BSA violations that occurred during this same 2008-2014 period? Perhaps not. So what happened? Does the zone of secrecy and closed door of bank supervision allow us to determine what happened? Let’s take a look.

“Capital One Fined $390M For Violating Bank Secrecy Act”. “FinCEN Hits Capital One For $390 Million; Says Bank Violated Bank Secrecy Act”. “FinCEN Fines Capital One $390M Over AML Violations”.

These were just some of the headlines on January 15, 2021 when the Financial Crimes Enforcement Network, or FinCEN, the branch of the Treasury Department that is responsible for regulating and enforcing the anti-money laundering laws and regulations did, in fact, fine Capital One, NA $390,000,000 for “both willful and negligent violations of the Bank Secrecy Act (BSA) and its implementing regulations.” (quoting FinCEN’s press release at FinCEN Announces $390,000,000 Enforcement Action Against Capital One, National Association for Violations of the Bank Secrecy Act | FinCEN.gov). That press release spawned articles in the mainstream media, social media, within the BSA/AML community on LinkedIn, and in the banking trade publications. Everyone was focused on (1) what Capital One did or didn’t do over the seven-year period (2008-2014) of its “egregious” failures, and (2) on the staggering amount of the penalty. No one that I read was asking “where was Capital One’s regulator this whole time, and why did it take FinCEN so long to bring its action?”

But I’m asking. And after looking at what is in the public realm – what is not behind the zone of secrecy – I don’t have any answers. Let’s take a look.

FinCEN’s January 2021 Enforcement Action Against Capital One

The FinCEN press release continues with a good summary of what Capital One did, or didn’t do, to merit a fine. Warning: this is a lengthy press release! And I have highlighted some words and phrases that I’ll focus on later …

Specifically, FinCEN determined and Capital One admitted to willfully failing to implement and maintain an effective Anti-Money Laundering (AML) program to guard against money laundering.  Capital One also admitted that it willfully failed to file thousands of suspicious activity reports (SARs), and negligently failed to file thousands of Currency Transaction Reports (CTRs), with respect to a particular business unit known as the Check Cashing Group.  The violations occurred from at least 2008 through 2014, and caused millions of dollars in suspicious transactions to go unreported in a timely and accurate manner, including proceeds connected to organized crime, tax evasion, fraud, and other financial crimes laundered through the bank into the U.S. financial system.  As stated in the Assessment of Civil Money Penalty, Capital One admitted to the facts set forth by FinCEN and acknowledged that its conduct violated the BSA and regulations codified at 31 C.F.R. Chapter X.

“The failures outlined in this enforcement action are egregious,” said FinCEN’s Director Kenneth A. Blanco.  “Capital One willfully disregarded its obligations under the law in a high-risk business unit.  Information received from financial institutions through the Bank Secrecy Act plays a critical role in protecting our national security, and depriving law enforcement of this information puts our nation and our people at risk.  Capital One’s failures did just that. Capital One’s egregious failures allowed known criminals to use and abuse our nation’s financial system unchecked, fostering criminal activity and allowing it to continue and flourish at the expense of victims and other citizens.  These kinds of failures by financial institutions, regardless of their size and believed influence, will not be tolerated.  Today’s action should serve as a reminder to other financial institutions that FinCEN is committed to protecting our national security and the American people from harm and we will bring appropriate enforcement actions where we identify violations.”

As outlined in the Assessment, in 2008, after Capital One acquired several other regional banks, Capital One established the Check Cashing Group as a business unit within its commercial bank.  The group was comprised of between approximately 90 and 150 check cashers in the New York- and New Jersey-area.  Capital One provided banking services to the Check Cashing Group, including providing armored car cash shipments and processing checks deposited by Check Cashing Group customers.  During the course of establishing the Check Cashing Group and banking these customers, Capital One was aware of several compliance and money laundering risks associated with banking this particular group, including warnings by regulators, criminal charges against some of the customers, and internal assessments that ranked most of the customers in the top 100 of the bank’s highest risk customers for money laundering.

Despite the warnings and internal assessments, Capital One willfully failed to implement and maintain an effective AML program in many ways.  Capital One’s process for investigating suspicious transactions was weak and resulted in the failure to fully investigate and report suspicious activity to FinCEN.  Capital One often failed to detect and report suspicious activity by the check cashers themselves, even as it detected and reported activity by the check casher’s customers.  And Capital One’s implementation of a specialized report to provide insight into larger checks cashed by the Check Cashing Group customers’ customers (the check cashers’ patrons) failed to properly connect and report suspicious banking activity by certain check cashers.

Capital One also acknowledged failing to file SARs even when it had actual knowledge of criminal charges against specific customers, including Domenick Pucillo, a convicted associate of the Genovese organized crime family.  Pucillo was one of the largest check cashers in the New York-New Jersey area, and one of the highest-risk Check Cashing Group customers.  Capital One was made aware of Pucillo’s participation in potential criminal activity and other risks on several occasions, including learning in early 2013 about potential criminal charges in two different jurisdictions.  Despite this information, Capital One failed to timely file SARs on suspicious activity by Pucillo’s check cashing businesses, and continued to process over 20,000 transactions valued at approximately $160 million, including cash withdrawals, for Pucillo’s businesses.  According to public sources, in May 2019 Pucillo pleaded guilty to conspiring to commit money laundering in connection with loan sharking and illegal gambling proceeds that flowed through his Capital One accounts.

Capital One also admitted to negligently failing to file CTRs on approximately 50,000 reportable cash transactions representing over $16 billion in cash handled by its Check Cashing Group customers.  Specifically, Capital One utilized an internal system that assigned a “cash” code for customer withdrawals to trigger CTR filings.  In designing its system, Capital One failed to assign this “cash” code to armored car cash shipments for a number of Check Cashing Group customers.  Accordingly, these transactions were not identified as customer cash withdrawals and were not reported to FinCEN through Capital One’s CTR reporting systems.

In determining the final amount of the civil money penalty, FinCEN considered Capital One’s significant remediation and cooperation with FinCEN’s investigation.  In addition to exiting the Check Cashing Group and taking specific remedial efforts related to its SAR and CTR filing systems, Capital One has made significant investments in and improvements to its AML program over the past several years.  The bank also provided FinCEN with voluminous and well-organized documents, made several presentations of its findings, and signed several agreements tolling the statute of limitations during this investigation.  FinCEN strongly encourages financial institutions and other businesses and individuals subject to the BSA to self-disclose any violations of FinCEN’s regulations and cooperate with its enforcement investigations.

To recap … from at least 2008 through 2014, a span of seven years, Capital One willfully failed to file thousands of suspicious activity reports (SARs), and negligently failed to file thousands of Currency Transaction Reports (CTRs). These egregious failures allowed known criminals to use and abuse the US financial system unchecked, fostering criminal activity and allowing it to continue and flourish at the expense of victims and other citizens. And although there were warnings by regulators, those warnings apparently occurred behind closed doors and in the supervisory “zone of secrecy”.

Warnings by Regulators?

As one of the largest national banks in the country, Capital One’s primary regulator is the Office of the Comptroller of the Currency, or OCC. The OCC is the primary regulator of about 820 national banks, 280 federal savings associations, and 50 federal branches and agencies of foreign banks. The OCC is organized into four geographic regions, a headquarters region, and a “Large Bank” group. Capital One, and thirty-seven of the other largest national banks, are part of this Large Bank group. The OCC has full-time examiners dedicated to most, if not all, of those large banks (in some of the largest banks like Capital One, the OCC may have as many as 100 full-time examiners). In other words, OCC large bank examiners don’t drop in every year or so, conduct an examination, and leave: they’re essentially embedded in and are continually examining and supervising the operations of these large banks.

And for banks like Capital One, the Federal Reserve and the FDIC have jurisdiction and will conduct their own exams, either on their own or as part of a multi-agency examination. Specifically for BSA, the OCC will conduct multiple exams every year on a risk-basis: they will examine higher risk business lines, delivery channels, customer segments, products and services, and geographies. And every year the OCC will examine the bank’s over-all BSA compliance program. The examinations are ongoing, constant, and all-encompassing. And if those exams don’t go well, the OCC has an escalating path of actions it can take, from private actions such as Matters Requiring Attention, or MRAs, and Part 30 actions (those are the actions that occur behind closed doors in the zone of secrecy), to public enforcement actions such as Cease & Desist Orders and orders for Civil Money Penalties.

As the primary regulator to Capital One, NA, surely the OCC must have been the agency that first discovered all of the egregious violations that FinCEN cited in its January 2021 enforcement action: the willful failure to file thousands of SARs in its Check Cashing Group from 2008 to 2014, and the negligent failure to file $16 billion in CTRs in 2011. The answer to whether the OCC was the agency that discovered these egregious failures should be found in its public enforcement action …

The OCC’s July 2015 Consent Order Against Capital One

The OCC issued a Cease & Desist Order against Capital One (with the consent of Capital One; thus the term “Consent Order”) for multiple failures of Capital One’s BSA/AML program from 2008 through 2014.[3] The OCC found that two of the four required program components were lacking – the system of internal controls and independent testing – that Capital One had a full program violation (12 CFR 21.21) a SAR filing violation (12 CFR 21.11), and had critical deficiencies in its enterprise-wide risk assessment, its Remote Deposit Capture product and program, its Correspondent Banking business and program, and did not have a process to escalate BSA/AML control decisions to the Risk Management group. The OCC also noted that Capital One “failed to identify significant volumes of suspicious activity”, but didn’t identify that activity. The OCC ordered Capital One to reform its program and conduct a lookback of potential suspicious activity.

The Consent Order did not mention the CCG business or the late-filed CTRs.[4] There was nothing in the Order that spoke of MRAs or other informal or formal warnings. There was nothing about failed exams, or even whether any exams were done. Perhaps the follow up exam (done behind closed doors) that must have been done (something must have led to a second public order in 2018) provides more information …

The OCC’s October 2018 Civil Money Penalty

After Capital One determined that it had completed its remediation of the issues found in the 2015 Consent Order, the OCC found that it had actually violated the terms of that Order by failing to complete the remediation in a timely fashion. The OCC also found that Capital One had still missed filing some SARs after 2015, had back-filed other SARs because of suspicious activity found during the lookback, and had violated some funds transfer recordkeeping requirements (the so-called “Travel Rule”). As a result, in October 2018 the OCC fined Capital One $100 million. That Civil Money Penalty order did not mention the CCG business or the late-filed CTRs.[5]

Summary of the Three Orders

  • FinCEN found that from 2008 to 2014 the Check Cashing Group (CCG) of Capital One willfully failed to maintain a BSA program and willfully failed to accurately and timely file SARs, and that Capital One otherwise failed to file CTRs until 2011 when it voluntarily backfiled 50,000 CTRs for $16,000,000,000.
  • The OCC’s July 2015 Consent Order – no civil penalty – made no mention of CCG, no mention of CTRs, and instead referred to Remote Deposit Capture and Correspondent Banking.
  • The OCC’s October 2018 civil penalty of $100,000,000 provided that the July 2015 Order had been violated because they were a year late in doing the remediation, that there were additional violations – missed SARs after 2015, more SARs from a lookback, and a Travel Rule violation on wires … but again, no mention of CCG and late CTRs.

Sed quis custodiet Ipsos Custodes – but who will guard the guards themselves? Juvenal, c. 100 A.D.

The OCC examined Capital One every year for BSA … but missed what FinCEN found? How can this CCG activity have gone on for seven years without the OCC (apparently) doing anything about it? Or perhaps the OCC did do something about it, but whatever it did was behind the zone of secrecy.

So we’re left with three questions that need to be asked that currently aren’t being asked and, because of the zone of secrecy, probably cannot or will not be answered.

Q1 – Why did the OCC’s 2018 penalty of $100 million not mention the 2008-2014 willful failures that FinCEN relied on for its 2021 $290 million penalty?

Q2 – Why did it take FinCEN six years (since the OCC’s original 2015 Consent Order) to resolve violations that occurred from 2008 to 2014?

Q3 – How did FinCEN settle on a fine of $390,000,000? FinCEN’s regulations have section-by-section penalty amounts in its regulations, and even mentioned these in its Enforcement Action. But it didn’t provide any detail on how it reached its penalty figures or why it gave credit for the $100,000,000 paid to the OCC if, as it appears, the OCC order covered different activity.

Which leads me to end where I began:

Supervision [of banks] happens behind closed doors. It relies upon secrecy and involves a system of discretionary actions by supervisory staff. This zone of secrecy is traditionally justified for the sake of financial stability and bank safety and soundness. There has long been an uneasy truce between the transparency and accountability required by the rule of law and the secrecy and discretion of supervision. That uneasy truce has become untenable.

[1] Statement of Margaret E. Tahyar, Guidance, Supervisory Expectations, and the Rule of Law: How Do the Banking Agencies Regulate and Supervise Institutions?, Hearing Before the Senate Committee on Banking, Housing, and Urban Affairs (Apr. 30, 2019) Tahyar Testimony 4-30-19.pdf (senate.gov)

[2] The agencies first issued a statement in September 2018. On November 5, 2020 the agencies published a proposed rule to codify that statement. On January 19, 2021 the OCC issued a press release that it had finalized the rule. IT will become final once published in the Federal Register. The OCC press release is at OCC Approves Final Rule on Supervisory Guidance | OCC

[3] Consent Order 2015-081 (occ.gov)

[4] The 2015 Consent Order was terminated on November 4, 2019. See Terminates #2015-081 (occ.gov)

[5] The Civil Money Penalty is at EA 2018-080 (occ.gov). The press release is at OCC Assesses $100 Million Civil Money Penalty Against Capital One | OCC

The Corporate Transparency Act of 2020 … The Good, The Bad, and the Ugly

Corporate Transparency Act – There’s much that is Good, but there’s also some things that are Bad and other things that are downright Ugly

Many people are touting the proposed Anti-Money Laundering Act of 2020 (“AMLA2020”) and one of the titles of that Act, the Corporate Transparency Act, as the biggest change to American efforts to fight crime and corruption since the USA PATRIOT Act of 2001.

And they’re right. As a whole, the AMLA2020 will ultimately have the effect of shifting the US AML/CFT regime from a domestic-focused, regulator-versus-regulated, compliance inputs-based regime to an international, collaborative public/private sector, threat-focused, outputs-driven regime.

Just like Clint Eastwood in the classic Western “The Good, the Bad, and the Ugly”, that is all Good.

But like Lee Van Cleef, there is also some Bad, and unfortunately for the AMLA2020 (but fortunately for Eli Wallach) there is also some Ugly things that will reduce the impact and effectiveness of this new AML law. In fairness, regulations have yet to be issued, and regulations often address some of the bad and even ugly things in statutes.

This article looks at all aspects of the Corporate Transparency Act of 2020: the concept of “ultimate beneficial owner” and the so-called “Matryoshka doll” problem; the definitions of beneficial owner, applicant, and reporting company, and how those definitions differ from the current beneficial ownership rule; the new FinCEN identifier; the time that reporting companies have to report to FinCEN’s new database; the required information for beneficial owners and applicants; and who has access to the database.

The Good – the US gets a centralized, national registry of beneficial ownership information

Advocates celebrate major US anti-money laundering victory

This headline from a December 11, 2020 International Consortium of Investigative Journalists (ICIJ) Article is a good example of the Good of the Corporate Transparency Act. That article describes it well:

The long-sought reforms, effectively ending anonymous shell companies, were included in an annual defense spending bill approved by both houses of Congress with veto-proof margins. Landmark laws to thwart the use of U.S. shell companies by terrorists, human traffickers, arms dealers and kleptocrats are set to be enacted after more than a decade of lobbying and politicking with rare bipartisan support. The sweeping anti-money laundering reforms hitched a lift in the annual defense spending bill that passed the Senate 84-13 today, and was approved by the House 355-78 earlier this week. The Corporate Transparency Act requires U.S. companies to report their true owners to the Treasury Department’s Financial Crimes Enforcement Network, known as FinCEN — largely ending anonymous shell companies in the country.

Welcoming the clampdown, Transparency International’s U.S. director Gary Kalman said, “It is rare for such a simple measure to promise such an enormous impact.” Kalman added that the long sought anti-corruption reforms would “move us into a new era of enforcement.” The new legislation will allow law enforcement agencies and financial institutions to request company ownership information from FinCEN. The data will not be publicly available.

The Bad – Why exclude Money Transmitters and “Tall, Dark, and Handsome” Companies?

Under this new law, money transmitters have been added to the list of exempt entities (up to twenty-four from the current sixteen) that do not have to report their beneficial owner(s) or applicant. The rationale seems to be that they have to register with FinCEN already, so why register again? I discuss below why this doesn’t make sense and may create a loophole a money launderer can drive a truck through.

“Tall, Dark, and Handsome” is a reference to another new exception created by this law: a corporation or LLC that has 20 or more employees and more than $5 million in revenues and a physical office in the United States. These (very few, as it turns out) companies are the legal entity equivalent of (very rare!) men who are tall, dark, and handsome. Why they are not required to disclose their ultimate beneficial owners isn’t obvious to me: it’s discussed below.

(This is the second article I’ve written that includes the phrase “Tall, Dark, and Handsome” (see https://regtechconsulting.net/uncategorized/tall-dark-or-handsome-the-new-special-inspector-general-for-pandemic-recovery/). And this phrase, with its two commas, is an example of the use of the “Oxford comma”: the comma used after the penultimate item in a list of three or more items, before ‘and’ or ‘or’, to clearly indicate three items rather than two. I’ve also written an article on Oxford commas, see https://regtechconsulting.net/uncategorized/grave-danger-and-oxford-commas-words-and-punctuation-matter/).

The Ugly – There is very limited, and difficult, access to the central registry

Even if money transmitters and the “Tall, Dark, and Handsome” companies had to report their beneficial owners and applicant, there would still be very little transparency into those owners, or any other beneficial owners in the proposed FinCEN database. Financial institutions’ access to the database is severely restricted, and the punishing requirements imposed on federal, State, and Tribal government agencies to gain access to the information in the database may dissuade many of them from using it at all. Also ugly is the creation of the FinCEN identifier as a replacement for a Social Security Number, Drivers License number, or Passport number. I’m hedging on how ugly this actually is, though: regulations may turn what appears to be ugly into something pretty attractive.

Caution – the AMLA2020 Hasn’t Been Enacted Yet

The Corporate Transparency Act is one title (of five) within the AMLA2020, the AMLA2020 is one division (of seven) of the National Defense Authorization Act for Fiscal Year 2021 (the “NDAA”). The NDAA has been passed by the House and Senate with veto-proof majorities, and was sent to the President for his consideration on December 11th. As of this writing (December 20th) the President has not signed the NDAA and continues to indicate he will veto it. If he does veto it, it’s not known whether the House and Senate will have the votes or the time to override the veto.

Note: This article focuses only on the beneficial ownership or corporate transparency title of the AMLA2020. I have written an article describing all other aspects of the AMLA2020 (with a short section on beneficial ownership: see https://regtechconsulting.net/aml-regulations-and-enforcement-actions/aml-act-of-2020-renewing-americas-aml-cft-regime/).

Introduction to the Corporate Transparency Act – Title LXIV of the AMLA2020 adding 31 USC s. 5336

Section 6401 simply states “this title may be cited as the ‘Corporate Transparency Act’.” The comments to the conference report provide that “Division F is substantially similar to H.R. 2513, the Corporate Transparency Act of 2019, introduced by Representative [Carolyn] Maloney [Democrat] of New York.” In fact, Rep. Maloney has introduced a corporate transparency bill in every Congress since 2009: HR 6098 (111th Congress), HR 3416 (112th Congress), HR 3331 (113th Congress), HR 4450 (114th Congress), HR 2089 (115th Congress), and HR 2513 (116th Congress). Our collective thanks to Representative Maloney and her staff for their courage and perseverance.

Why has Rep. Maloney, and so many others, been pushing for corporate transparency? Among other reasons, Recommendation 24 of the Financial Action Task Force (FATF) requires legal entity transparency, including the disclosure of beneficial ownership. Since its first FATF Mutual Evaluation in 1996, and in every subsequent evaluation (2006 and 2016), the United States has been criticized for failing to meet this recommendation. Since at least 2008, with Senator Carl Levin’s (D. MI) Incorporation Transparency and Law Enforcement Assistance Act (S. 2956), corporate transparency bills have been introduced in Congress seeking to satisfy the FATF recommendations. They have all failed – until now. A good summary of why they’ve failed, and why this version of the Corporate Transparency Act is still quite limited in its scope and will be quite limited in its impact, is included in the comments of Congressman Patrick McHenry in Appendix A, below.

Section 6402 is the “Sense of Congress” section. This section provides, in part, that “most or all” of the 50 states that create about 2 million corporations and LLCs each year “do not require information about the beneficial owners”, that “malign actors seek to conceal their ownership” and that money launderers layer corporate structures across various secretive jurisdictions “much like Russian nesting ‘Matryoshka’ dolls.” With that ominous beginning, the section then continues with a statement that the beneficial ownership information “will be directly available only to authorized government authorities” and the database is intended to be “highly useful to national security, intelligence, and law enforcement agencies and Federal functional regulators”. There is no mention of making the information directly available to financial institutions or even having it benefit financial institutions.

The result is a national, centralized registry that is not accessible to the public and has limited value to financial institutions. The table to the right summarizes a review done by Transparency International on the types of national registries, as of October 2020: those with a central registry that is publicly accessible with no restrictions (green); central registry that is publicly accessible but is behind a paywall or with other restrictions (yellow); central registry that is not publicly accessible (yellow); no central registry but concrete steps are being taken to develop one (orange); and no central registry (red). I did not include all the countries listed in the “nothing” category as there are more than 150 that do not have such a registry. Currently, the United States is one of those lagging countries. With the AMLA2020 it will move form the lowest (red) tier up to the category of having a central registry that is not publicly accessible (yellow).

Ultimate Beneficial Owner – The Matryoshka Doll Problem

As Congress noted in section 6402 (above), most or all of the 50 states do not require information about the beneficial owners of the corporations and LLCs they create and register. So it currently isn’t difficult to mask the beneficial owner of a US-created or US-registered legal entity. But skilled and experienced money launderers and other criminal actors will create many layers that cross multiple jurisdictions in a bid to mask the true owners as much as possible. This is the “Matryoshka” doll visual – as seen by the (actual) Russian Matryoshka doll I have on my office bookshelf. In this visual, the “reporting company” is the largest doll on the left; the legal owner is the doll immediately to its right; and the ultimate beneficial owner, or UBO, is the smallest doll on the far right:

Figure 1 is taken from a March 2019 OECD “Beneficial Ownership Toolkit”. That toolkit provides “beneficial owners are always natural persons who ultimately own or control a legal entity or arrangement, such as a company, a trust, a foundation, etc. Figure 1 demonstrates how the use of a legal entity or arrangement can obscure the identity of a beneficial owner.” Figure 2 of the OECD toolkit show a more complex, nested series of arrangements that further distance the ultimate beneficial owner from the legal entity.

As Congress did in the Corporate Transparency Act, the OECD has identified these “nested” layers of entities that make it very difficult to identify the ultimate beneficial owner of a legal entity.[1] As explained below, however, Congress may have missed addressing this problem, or even made it worse by allowing ultimate beneficial owners of certain companies and money transmitters to be masked by intervening corporate entities. 

Beneficial Owner

The FATF has established the following definition of beneficial ownership:

“Beneficial owner refers to the natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal person or arrangement.”

The proposed definition of Beneficial Owner is in 31 USC s. 5336(a)(3). It defines Beneficial Owner as an individual who “directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise, (i) exercises substantial control or (ii) owns or controls not less than 25 percent of the ownership interests”. This is slightly different than the definition of beneficial owner in 31 CFR 1010.540(d), which begins with the so-called ownership prong, which is “25 percent or more of the equity interests of a legal entity customer” and then follows with the control prong: “a single individual with significant responsibility to control, manage, or direct a legal entity customer” including a CEO, CFO, or similar position. In addition, the current regulation includes the trustee of a trust that is a legal owner: the AMLA2020 does not include a trustee. Regulations to be promulgated within one year will need to reconcile these different definitions.

And both the existing regulation – 31 CFR section 1010.230(d)(3) – and the new law – 31 USC section 5336(b)(2)(B) – exempt certain types of legal entities from having to provide beneficial ownership information (these are discussed below). If any of these exempt entities directly or indirectly own 25 percent or more of the equity interests of a legal entity customer or reporting company, respectively, they are not required to identify their owners. The current regulation exempts sixteen categories of entities from providing any beneficial ownership information, and two categories of entities only need to provide the name of one “control” person. The proposed law exempts twenty-four categories of entities from providing any beneficial ownership information. As mentioned above and described in more detail below, the addition of money transmitters and the “Tall, Dark, and Handsome” companies to the list of exempt entities will mask the beneficial owners of some potentially high risk entities. 

Applicant

The current beneficial ownership regulation does not include an “applicant”; rather, it includes the individual providing the beneficial ownership information to the financial institution and certifying that the information is complete and accurate. And that individual is only required to provide their name and position with the legal entity customer.

Subsection 5336(a)(2) defines an applicant as an individual who files an application to form a corporation, LLC, or similar entity with a State or Indian Tribe, or to register a foreign corporation, LLC, or similar entity with a State or Indian Tribe. Most states allow a “registered agent” to file the formation/registration documents, and most registered agents are companies. The individual is often a clerk working for that registered agent. Like the beneficial owner(s), the individual applicant must provide their full legal name, date of birth, current residential or street address, and either an identifying number like a SSN or a FinCEN identifier.

These differences must be reconciled in the new regulations.

Reporting Company

The definition of Reporting Company in 31 USC s. 5336(a)(11) is the same as the definition of “legal entity customer” in the current regulation. However, the exceptions (and, in the case of legal entity customers, the exemptions) are different, and, in some cases, materially different. A side-by-side comparison is set out in an Appendix B to this article, but the notable differences are the AMLA2020’s exceptions for (1) the Tall, Dark, and Handsome companies and LLCs – those with more than 20 FTE, more than $5 million in gross revenues (as reported to the IRS in the previous year), and with an operating presence in the United States (section 5336(a)(II)(B)(xxi))[2]; and (2) money transmitters registered with FinCEN (section 5336(a)(II)(B)(vi)), which include virtual currency exchanges.

Why did Congress carve out larger companies and money transmitters? Congressional staffers have told me that their primary focus was on the types of privately-held companies that can be used as shell companies: new companies without employees, with little or no revenue, and without a physical presence or office. That makes sense – if legal vehicles used to launder money were only shell companies. But larger companies with actual employees, revenue, and physical locations are also perfectly suited to generate, hide, and move illicit proceeds. And now with these companies being exempt from providing beneficial ownership information, they will be used to layer and hide the ownership of otherwise transparent shell companies. It would have been simpler and more effective to include all privately-held, non-financial institution companies and LLCs in the definition of “reporting company”. 

A similar reason was given for money transmitters (a form of Money Services Business, or MSB, and which include virtual currency exchanges): they are required to register with FinCEN (using Form 107) and as part of that registration, disclose their owner. Some of those who have commented on this, such as the pre-eminent law firm Sullivan & Cromwell, have noted that money transmitters “are already required to disclose beneficial ownership information publicly or to federal regulators … and exempting them from the reporting requirement does not appear to represent a gap in coverage.” See https://www.sullcrom.com/files/upload/sc-publication-anti-money-laundering-act-2020.pdf at page 7.

I disagree. First, there is nothing in the AMLA2020 that ties the ownership information contained in the Form 107 (MSB registration form) to the new beneficial ownership information. Second, MSBs do not have to disclose up to four legal owners and one control person – they only need to disclose one owner or controlling person – so FinCEN will not have complete beneficial ownership information on one of the highest risk business types. The instructions to the MSB registration form require that an “Owner or Controlling Person” submit the form, and that person is described in the instructions to the form as:

Any person who owns or controls a money services business is responsible for registering the MSB. Only one registration form is required for any business in any registration period. If more than one person owns or controls the business, they may enter into an agreement designating one of them to register the business. The designated owner or controlling person must complete Part III and provide the requested information [full name, date of birth, address, and identifying number]. In addition, that person must sign and date the form as indicated in Part VII … An “Owner or Controlling Person” includes the following: Sole Proprietorship – the individual who owns the business; Partnership – a general partner; Trust – a trustee; Corporation – the largest single shareholder. If two or more persons own equal numbers of shares of a corporation, those persons may enter into an agreement as explained above that one of those persons may register the business. If the owner or controlling person is a corporation, a duly authorized officer of the owner-corporation may execute the form on behalf of the owner-corporation.[3]

The Act includes a provision that this list of exemptions is subject to ongoing review by Treasury and, if a determination is made that an exempted category is being used to facilitate financial crime, Treasury may remove it from the list or impose other administrative actions. I hope that both money transmitters and “Tall, Dark, and Handsome” companies and LLCs are eventually remoted from the list of exempt entities. The loopholes they create are too tempting for professional money launderers and the gatekeepers (lawyers and accountants) who facilitate so much financial crime.

Time to Report

There are three time frames for reporting companies to report to FinCEN. All three begin when the regulations for this section are promulgated, which must be within one year of the passage of the Act. Companies in existence at the time of the regulations have (a very generous) two years to report. New companies created or registered after the regulations shall report at the time of formation (that is aggressive: money services businesses have 180 days from formation to register with FinCEN under 31 USC s. 5330(a)(1)). Changes in beneficial ownership must be reported within a year of the change.

How Many Companies Will Need to Report?

How many reporting companies will need to register their beneficial ownership information, and when? The most recent US Census Bureau data (2017) suggests there are 6 million businesses in the United States.[4] When adding in sole proprietorships and other single-persons doing business, other data suggests ~30 million businesses. This Act indicates that 2 million new companies and LLCs are being formed every year. There are ~3,000 publicly-traded companies, and ~100,000 regulated financial institutions, public accounting firms, etc., that are excluded from the definition of reporting company.

This leaves the “Tall, Dark, and Handsome” companies that will be excluded: those with more than 20 FTE, more than $5 million in gross revenues (as reported to the IRS in the previous year), and with an operating presence in the United States. Using Census Bureau information that suggests the average small business generates $100,000 in revenue per employee, the ~650,000 businesses the Census Bureau’s SUSB has identified, and analyzing the 5.2 million PPP loan recipients, it appears that approximately 2% of privately-owned small businesses have more than 20 employees, more than $5 million in annual revenue, and have a physical office in the United States (leaving 98% as “reporting companies”). The result is likely:

  • At least 5 million and as many as 20-30 million existing companies and LLCs will need to report their beneficial ownership information to FinCEN from January 2021 to January 2023; and
  • 2 million companies and LLCs per year will need to report their beneficial ownership information to FinCEN when they are created, beginning in January 2021.

The regulations for the FinCEN database of beneficial ownership information that will need to be issued, and the systems and procedures that will need to be designed, need to take into account the initial surge in reporting, as well as the 2 million or more new reports filed each year, and the revisions to existing reporting company records.

Required Information for Beneficial Owners and Applicants

Section 6403 is the main section for the new beneficial ownership information reporting requirements. It creates a new section in title 31 – section 5336. Subsection 5336(2) sets out the required information. There are some interesting, and perhaps some confusing, aspects about this subsection.

First is subsection 5336(2)(A). It provides:

(A) IN GENERAL.—In accordance with regulations prescribed by the Secretary of the Treasury, a report delivered under paragraph (1) shall, except as provided in subparagraph (B), identify each beneficial owner of the applicable reporting company and each applicant with respect to that reporting company by – (i) full legal name; (ii) date of birth; (iii) current, as of the date on which the report is delivered, residential or business street address; and (iv)(I) unique identifying number from an acceptable identification document; or (II) FinCEN identifier in accordance with requirements in paragraph (3).

With this, the report submitted to FinCEN shall identify from one to five beneficial owners and each applicant (defined as the individual who filed the application to create or register the reporting company with the state or Indian Tribe) by their full name, date of birth, address, and either their SSN or driver’s license number or Passport number or a FinCEN identifier. Allowing beneficial owners and applicants to be identified by the FinCEN identifier, and not by the commonly used SSN, drivers license, or passport number, could make the registry effectively unusable and/or ineffective (as explained below).

Subparagraph 5336(b)(2)(B) is the exception set out in (A), above, to providing a report that identifies the beneficial owner(s) and applicants of a reporting company. It provides:

(B) REPORTING REQUIREMENT FOR EXEMPT ENTITIES HAVING AN OWNERSHIP INTEREST. If an exempt entity described in subsection (a)(11)(B) has or will have a direct or indirect ownership interest in a reporting company, the reporting company or the applicant – (i) shall, with respect to the exempt entity, only list the name of the exempt entity; and (ii) shall not be required to report the information with respect to the exempt entity otherwise required under subparagraph (A).

This section mirrors the current regulation at 31 CFR s. 1010.230(d)(3). But the addition of money transmitters and “Tall, Dark, and Handsome” companies and LLCs to the list of exempt entities creates an interesting result. The box to the right shows an example of two of the listed exempt entity types: the so-called “Tall, Dark, and Handsome” companies, and money transmitters that are registered with FinCEN. The effect of this subsection, and subsection 5336(b)(3)(C), described below, may be that the Reporting Company must still disclose the Applicant (the person who filed the registration papers with the State or Indian Tribe that created the entity or registered it, if a foreign company, to do business in the State or Indian Tribe), but need not disclose the individuals that own or control the exempt company that owns the Reporting Company. In the example above, a reporting company owned by a money transmitting business only needs to list the name of the Applicant and the name of the money transmitting company as its beneficial owner: there is no “drill down” requirement as there is in the current beneficial ownership regulation. And because of the Form 107 limitation of listing only one person who own or controls the money transmitter, FinCEN has little information on one of the riskiest business types. One of the stated purposes of this new section was to address layered corporate structures “much like Russian nesting ‘Matryoshka’ dolls …” (section 6402(4)). This appears to be exactly that – a layered corporate structure involving money transmitters and privately-owned companies – which the law should have included.[5]

FinCEN Identifier

Section 5336(b)(3) is the FinCEN Identifier subsection. It provides:

(3) FINCEN IDENTIFIER. (A) ISSUANCE OF FINCEN IDENTIFIER. –

(i) IN GENERAL. – Upon request by an individual who has provided FinCEN with the information described in paragraph (2)(A) pertaining to the individual, or by an entity that has reported its beneficial ownership information to FinCEN in accordance with this section, FinCEN shall issue a FinCEN identifier to such individual or entity.

(ii) UPDATING OF INFORMATION. – An individual or entity with a FinCEN identifier shall submit filings with FinCEN pursuant to paragraph (1) updating any information described in paragraph (2) in a timely manner consistent with paragraph (1)(D).

(iii) EXCLUSIVE IDENTIFIER. – FinCEN shall not issue more than 1 FinCEN identifier to the same individual or to the same entity (including any successor entity).

From this, it appears that once an individual or reporting entity is named in a Beneficial Owner Information Report, they/it can request to have issued to them/it a unique FinCEN Identifier. The required information from subsection (2) – for individuals, that is their full legal name, DOB, current residential or business street address – will remain, but their identifying number, such as SSN, will be replaced by the FinCEN Identifier. This either/or approach is clear from the “required information” section[6] as well as subsection 5336(b)(3)(B): “USE OF FINCEN IDENTIFIER FOR INDIVIDUALS. – Any person required to report the information described in paragraph (2) with respect to an individual may instead report the FinCEN identifier of the individual.”

Like the money transmitter example above (the exception in 5336(b)(2)(B)) and subsection 5336(b)(3)(C)), this appears to allow an opaque “Matryoshka doll” of layered corporate entities. It provides:

(C) USE OF FINCEN IDENTIFIER FOR ENTITIES. – If an individual is or may be a beneficial owner of a reporting company by an interest held by the individual in an entity that, directly or indirectly, holds an interest in the reporting company, the reporting company may report the FinCEN identifier of the entity in lieu of providing the information required by paragraph (2)(A) with respect to the individual.

Once a beneficial owner and/or a reporting company obtains a FinCEN identifier, they/it can update any existing report or submit any new report using that FinCEN Identifier instead of the beneficial owner’s SSN or drivers license number or passport number and not even identify the actual beneficial owners going forward. Are those individuals thereafter “masked” from law enforcement unless FinCEN also maintains the SSN or other identifying number that would be known to law enforcement, and can cross-reference the law enforcement request? In the example above, as long as Reporting Company C has a FinCEN identifier, Reporting Company A may report that FinCEN identifier in lieu of providing the names and information of the beneficial owners (in this example, Messrs. Mossack and Fonseca).

Also, it is unclear how law enforcement will query, and how FinCEN will search, the beneficial ownership information database using FinCEN identifiers. For example, assume Al Capone is named as a beneficial owner of Reporting Company A. He provides his full name, SSN, etc. He then requests a FinCEN Identifier, and updates that report with his Identifier. Later, Reporting Company B submits a report and lists Al Capone with Al’s Identifier, but not his SSN. Law enforcement is later interested in Al Capone and queries FinCEN with “do you have Al Capone, SSN 010-56-1234?” and FinCEN replies “nope, nobody with that name matching that SSN. We’ve got 7 other ‘Al Capones’ with different SSNs or FinCEN identifiers.”

Access to the Database – None for the Public, Limited for Financial Institutions, Difficult for Law Enforcement

Subsection 5336(c) provides for the retention and disclosure of beneficial ownership information. The key is the disclosure provisions. The new FinCEN central registry of beneficial ownership information is not publicly accessible. Financial institutions can only query the database “with the consent of the reporting company to facilitate compliance … with CDD requirements”. And the procedures for law enforcement and other federal agencies are daunting enough that they may be discouraged from accessing the database.

Subsection 5336(c)(2)(B) lists five situations where FinCEN may disclose beneficial ownership information:

(i)(I) upon receipt of a request from “a federal agency engaged in national security, intelligence, or law enforcement activity, for use in furtherance of such activity”;

(i)(II) upon receipt of a request from a State, Tribal, or local law enforcement agency with a court order;

(ii) a request from a federal agency on behalf of a foreign government pursuant to a treaty, mutual legal assistance treaty, etc.;

(iii) upon receipt of “a request made by a financial institution subject to customer due diligence requirements, with the consent of the reporting company, to facilitate the compliance of the financial institution with customer due diligence requirements under applicable law”; and

(iv) upon receipt of a request from a Federal functional regulator.

And the “appropriate protocols” for requesting and releasing beneficial ownership information, set out in subsection 5336(c)(2)(C) are daunting: each request by a federal agency must include “the specific reason or reasons why the beneficial ownership information is relevant” to the investigation; the agency must have procedures and training in place to handle and restrict the information, the agency must keep auditable records, and be audited by the agency and annually by Treasury.

The biggest issue with the central registry of beneficial ownership information may be the limitations placed on financial institutions’ access and use. Examples of these limitations are:

  1. By limiting requests to those made with the consent of the reporting company, financial institutions cannot query the database without “tipping off” the reporting company, so financial institutions may only be able to use the database for onboarding due diligence or updating general due diligence, and not for investigations of unusual or possible suspicious activity;
  2. It is not clear whether financial institutions can perform due diligence on individuals by querying the database to determine if an individual customer is a beneficial owner of the institution’s new or proposed customer (a legal entity customer under the current rules, or a reporting company under the AMLA2020). In the example of Al Capone, above, it does not appear that a financial institution can submit a request to FinCEN to search the database for “Al Capone”;
  3. It is not clear what information FinCEN will return in response to a request for beneficial ownership information: will it release the PII of the applicant and beneficial owner(s), or just the name(s) and address(es)? What utility, if any, will FinCEN identifiers be to financial institutions?
  4. The database won’t be fully populated with the ~5-30 million existing reporting companies until 2023: what will financial institutions do if they get a “null return” from FinCEN for a company the financial institution knows should be registered? What will financial institutions be expected to do when the information they have in their files is different than what is returned by FinCEN?

Why was access to the beneficial ownership registry limited to the extent it was? The answer to that question could be found in comments made by Congressman Patrick McHenry, (R. NC 10). His floor comments from December 8, 2020, as captured in the House Congressional Record, are included in Appendix A, below. His comments bear particular weight, as Congressman McHenry is the Ranking Member on the House Financial Services Committee.

Only Part of the Current Beneficial Ownership Rule Remains

Congressman McHenry commented that this new reporting rule “rescinds the current beneficial ownership reporting regime set out in 31 CFR 1010.230 (b)–(j), which is costly and burdensome to small businesses.” However, it may not be as cut-and-dried as he states. The section that Rep. McHenry is referring to is 6403(d). That section provides:

Section 6403(d) REVISED DUE DILIGENCE RULEMAKING.

(1) IN GENERAL. – Not later than 1 year after the effective date of the regulations promulgated under section 5336(b)(4) of title 31, United States Code, as added by subsection (a) of this section, the Secretary of the Treasury shall revise the final rule entitled “Customer Due Diligence Requirements for Financial Institutions” (81 Fed. Reg. 29397 (May 11, 2016)) to –

(A) bring the rule into conformance with this division and the amendments made by this division;

(B) account for the access of financial institutions to beneficial ownership information filed by reporting companies under section 5336, and provided in the form and manner prescribed by the Secretary, in order to confirm the beneficial ownership information provided directly to the financial institutions to facilitate the compliance of those financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law; and

(C) reduce any burdens on financial institutions and legal entity customers that are, in light of the enactment of this division and the amendments made by this division, unnecessary or duplicative.

(2) CONFORMANCE.

(A) IN GENERAL. – In carrying out paragraph (1), the Secretary of the Treasury shall rescind paragraphs (b) through (j) of section 1010.230 of title 31, Code of Federal Regulations upon the effective date of the revised rule promulgated under this subsection.

(B) RULE OF CONSTRUCTION. – Nothing in this section may be construed to authorize the Secretary of the Treasury to repeal the requirement that financial institutions identify and verify beneficial owners of legal entity customers under section 1010.230(a) of title 31, Code of Federal Regulations.

(3) CONSIDERATIONS. – In fulfilling the requirements under this subsection, the Secretary of the Treasury shall consider—

(A) the use of risk-based principles for requiring reports of beneficial ownership information;

(B) the degree of reliance by financial institutions on information provided by FinCEN for purposes of obtaining and updating beneficial ownership information;

(C) strategies to improve the accuracy, completeness, and timeliness of the beneficial ownership information reported to the Secretary; and

(D) any other matter that the Secretary determines is appropriate.

Some, But Not All, of the Current Beneficial Ownership Rule Will Change

The current Beneficial Ownership rule is set out in 31 CFR section 1010.540(a) – (j):

(a) “Covered financial institutions are required to establish and maintain written procedures that are reasonably designed to identify and verify beneficial owners of legal entity customers” and to include those procedures in their overall 31 USC s. 5318(h) programs

(b) Identification and verification of beneficial owners when a new account is opened unless excluded pursuant to (e) or exempt pursuant to (h)

(c) Definition of “account”

(d) Definition of “beneficial owner” to be (1) each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise, owns 25 percent or more of the equity interest of a legal entity customer [the so-called “ownership prong”]; and (2) a single individual with significant responsibility to control, manage, or direct a legal entity customer (including CEO, CFO, etc.) [the so-called “control prong”]; and (3) if a trust is the legal owner, the trustee.

(e) Definition of Legal Entity Customer – includes a list of exceptions and entities subject to only the control prong

(f) Definition of “Covered Financial Institution”

(g) Definition of “New Account”

(h) Exemptions

(i) Recordkeeping requirements

(j) Reliance on other financial institutions

The AML Act provides that “the Secretary of the Treasury shall rescind paragraphs (b) through (j) of section 1010.230 of title 31, Code of Federal Regulations upon the effective date of the revised rule promulgated under this subsection”. The result is that financial institutions will still be required to have procedures to identify and verify beneficial owners, but how that is done will be determined by new rules and regulations. So the new rules will be similar to the current beneficial ownership rule.

The current beneficial ownership rule provides financial institutions with more information on more legal entities sooner and requires them to use that information for not only onboarding due diligence, including customer risk rating, but ongoing due diligence (investigations of potential suspicious activity). It also gives financial institutions immediate access to existing legal entities’ beneficial ownership information where those entities open new accounts.

The new beneficial ownership information registration requirement only includes the smallest legal entities, existing legal entities have two years to provide their owners’ information, and, most importantly, financial institutions have limited access to the registry as they need their customer’s approval to access the customer’s information. The differences between the existing rule and new law are recognized in subsection (B), which directs the Secretary to “account for the access of financial institutions to beneficial ownership information filed by reporting companies under section 5336 … in order to confirm the beneficial ownership information provided directly to the financial institutions to facilitate the compliance of those financial institutions with” AML, CFT, and CDD requirements.

Conclusion

There is so much that is good about the Corporate Transparency Act. I’m hoping that by raising what appear to be, but may not be, bad and even ugly things about the Act, we will have more transparency into those aspects of the Act and we will be able to address them in regulations or even amendments to the Act itself.

 

Appendix A – Corporate Transparency Act – Congressional Comments

House Congressional Record from December 8, 2020 CREC-2020-12-08-pt1-PgH6919-3.pdf (congress.gov) at pages H6932-6933 (bold red font has been added for emphasis, and the footnote has been added from the original text):

Mr. MCHENRY. Mr. Speaker, I rise in support of the conference report to the National Defense Authorization Act for fiscal year 2021. Combating illicit finance and targeting bad actors is a nonpartisan issue. However, Congress’ actions must be thoughtful and data driven. An example of this is H.R. 2514, the COUNTER Act, which is included in this conference report. Division G is a compilation of bipartisan policies that will modernize and reform the Bank Secrecy Act and anti-money laundering regimes. These policies will strengthen the Department of Treasury’s financial intelligence, anti-money laundering, and counter terrorism programs.

I would like to thank Chairman CLEAVER and Ranking Member STIVERS for their work on this bill and the language included in Division G. In addition to Division G, the conference report contains an amendment replacing the text of H.R. 2513, the Corporate Transparency Act, with new legislation. H.R. 2513, which passed the House on October 22, 2019, and again as an amendment to H.R. 6395 on July 21, 2020, attempted to establish a new beneficial ownership information reporting regime to assist law enforcement in tracking down terrorists and other bad actors who finance terrorism and illicit activities. But, it did so to the detriment of America’s small businesses.

Beneficial ownership information is the personally identifiable information (PII) on a company’s beneficial owners. This information is currently collected and held by financial institutions prior to a company gaining access to our financial system.

However, bad actors and nation states, such as China and Russia, are becoming more proficient in using our financial system to support illicit activity. As bad actors become more sophisticated, so to must our tools to deter and catch them. One such tool is identifying the beneficial owners of shell companies, which are used as fronts to launder money and finance terrorism or other illicit activity. Beneficial ownership information assists law enforcement to better target these bad actors.

Although well-intentioned, H.R. 2513 had numerous deficiencies in its reporting regime. First, H.R. 2513 placed numerous reporting and costly reporting requirements on small businesses. It lacked protections to properly protect small businesses’ personal information stored with a little-known government office within the Department of Treasury—known as FinCEN. The bill authorized access to this sensitive information without any limitation on who could access the information and when it could be accessed. Finally, it failed to hold FinCEN accountable for its actions.

The text of H.R. 2513 is replaced with new language that I negotiated, along with Senate Banking Committee Chairman CRAPO. This substitute, which is reflected in Division F of the conference report, is a significant improvement over the House-passed bill in three key areas.

First, Division F limits the burdens on small businesses. Unlike H.R. 2513, the language included in the conference report protects our nation’s small businesses. It prevents duplicative, burdensome, and costly reporting requirements for beneficial ownership data from being imposed in two ways. It rescinds the current beneficial ownership reporting regime set out in 31 CFR 1010.230 (b)–(j), which is costly and burdensome to small businesses. Rescinding these provisions ensures that it cannot be used in a future rule to impose another duplicative, reporting regime on America’s small businesses. In addition, Division F requires the Department of Treasury to minimize the burdens the new reporting regime will have on small businesses, including eliminating any duplicative requirements.

House Republicans ensured the directive to minimize burdens on small businesses is fulfilled. Division F directs the Secretary of the Treasury to report to the House Committee on Financial Services and the Senate Committee on Banking annually for the first three years after the new rule is promulgated. The report must assess: the effectiveness of the new rule; the steps the Department of Treasury took to minimize the reporting burdens on reporting entities, including eliminating duplicative reporting requirements, and the accuracy of the new rule in targeting bad actors. The Department of Treasury is also required to identify the alternate procedures and standards that were considered and rejected in developing its new reporting regime. This report will help the Committees understand the effectiveness of the new rule in identifying and prosecuting bad actors. Moreover, it will give the Committees the data needed to understand whether the reporting threshold is sufficient or should be revised.

Second, Division F includes the strongest privacy and disclosure protections for America’s small businesses as it relates to the collection, maintenance, and disclosure of beneficial ownership information. The new protections set out in Division F ensure that small business beneficial ownership information will be protected just like an individual’s tax return information. The protections in Division F mirror or exceed the protections set out in 26 U.S.C. 6103, including:

  1. Agency Head Certification. Division F requires an agency head or designee to certify that an investigation or law enforcement, national security or intelligence activity is authorized and necessitates access to the database. Designees may only be identified through a process that mirrors the process followed by the Department of Treasury for those designations set out in 26 U.S.C. 6103.
  2. Semi-annual Certification of Protocols. Division F requires an Agency head to make a semi-annual certification to the Secretary of the Treasury that the protocols for accessing small business ownership data ensure maximum protection of this critically important information. This requirement is non-delegable.
  3. Court authorization of State, Local and Tribal law enforcement requests. Division F requires state, local and tribal law enforcement officials to obtain a court authorization from the court system in the local jurisdiction. Obtaining a court authorization is the first of two steps state, local and tribal governments must take prior to accessing the database. Separately, state, local and tribal law enforcement agencies must comply with the protocols and safeguards established by the Department of Treasury.
  4. Limited Disclosure of Beneficial Ownership Information. Division F prohibits the Secretary of Treasury from disclosing the requested beneficial ownership information to anyone other than a law enforcement or national security official who is directly engaged in the investigation.
  5. System of Records. Division F requires any requesting agency to establish and maintain a system of records to store beneficial ownership information provided directly by the Secretary of the Treasury.
  6. Penalties for Unauthorized Disclosure. Division F prohibits unauthorized disclosures. Specifically, the agreement reiterates that a violation of appropriate protocols, including unauthorized disclosure or use, is subject to criminal and civil penalties (up to five years in prison and $250,000 fine).

Third, Division F contains the necessary transparency, accountability and oversight provisions to ensure that the Department of Treasury promulgates and implements the new beneficial ownership reporting regime as intended by Congress. Specifically, Division F requires each requesting agency to establish and maintain a permanent, auditable system of records describing: each request, how the information is used, and how the beneficial ownership information is secured. It requires requesting agencies to furnish a report to the Department of Treasury describing the procedures in place to ensure the confidentiality of the beneficial ownership information provided directly by the Secretary of the Treasury.

Separately, Division F requires two additional audits. First, it directs the Secretary of Treasury to conduct an annual audit to determine whether beneficial ownership information is being collected, stored and used as intended by Congress. Separately, Division F directs the Government Accountability Office to conduct an audit for five years to ensure that the Department of Treasury and requesting agencies are using the beneficial ownership information as set out in Division F. This is the same audit that GAO conducts as it relates to the Department of Treasury’s collection, maintenance and protection of tax return information. This information will ensure that Congress has independent data on the efficacy of the reporting regime and whether confidentiality is being maintained.

Division F also requires the Department of Treasury to issue an annual report on the total number of court authorized requests received by the Secretary to access the database. The report must detail the total number of court authorized requests approved and rejected and a summary justifying the action. This report to Congress will ensure the Department of Treasury does not misuse its authority to either approve or reject court authorized requests.

Finally, Division F requires the Director of FinCEN, who is responsible for implementing this reporting regime, to testify annually for five years. This testimony is critical. For far too long FinCEN has evaded any type of congressional check on its activities. Yet, it has amassed a great deal of authority. Now, Congress will shine a light on its operations. It is my expectation that FinCEN will provide Congress with hard data on its effectiveness in targeting bad actors, including the effectiveness of this new authority to collect, maintain, and use beneficial ownership information.

One final comment about the importance of FinCEN’s annual testimony. In the months leading up to the House’s consideration of H.R. 2513 last October, I sought data from FinCEN and from the Treasury Department, along with the Department of Justice, to better understand the need for this legislation. No such data was forthcoming. Rather, FinCEN gave anecdotes of very scary stories to justify the need for a new reporting regime. It is my expectation that FinCEN will provide Congress with the necessary data to justify this new reporting regime and the burdens it is placing on legitimate companies. I will conclude by thanking Chairwoman MALONEY for her work over the last twelve years on this issue and her willingness to work with me to strengthen this bill. I believe we have a better product. I urge my colleagues to support the conference agreement.

[1] Beneficial Ownership Toolkit (oecd.org)

[2] With the Oxford comma separating the three attributes, it is clear that these companies must have all three attributes. And there are very few companies or LLCs in the United States that have all three. They are in fact the corporate equivalent of a man who is tall, dark, and handsome – very rare.

[3] FinCEN FORM 107 (Rev. 8-2008) (irs.gov)

[4] The US Census Bureau’s Statistics of US Businesses, or SUSB, data available at 2017 SUSB Annual Data Tables by Establishment Industry (census.gov). This shows ~5.35 million businesses with 20 or fewer employees; ~550,000 with 20-99 employees; ~100,000 with 100-499 employees (these ~5,990,000 businesses are all “small businesses”. Note that the Paycheck Protection Program, limited to small businesses with 500 or fewer employees, resulted in ~5.2 million loans); and ~10,000 businesses with more than 500 employees.

[5] All money transmitters must register with FinCEN: it is a federal criminal offense for a licensed money transmitter not to be registered with FinCEN. See 31 USC s. 5330 and 18 USC s. 1960.

[6] This is clear from subsection 5336(b)(2)(A) which provides that each beneficial owner and applicant shall be identified by their full legal name, date of birth, current residential or business street address, and either an identifying number from an acceptable form of identification such as a SSN or drivers license or passport, or a FinCEN identifier.

Appendix B – Comparison of Legal Entities Subject to Beneficial Ownership

31 CFR s. 1010.230(e)(2) and (3) Legal Entity Customer ExceptionsProposed 31 USC s. 5336(a)(II)(B) Reporting Company Exceptions
(2)(i) financial institution with a federal functional regulator, or a state-regulated bank(iii) financial institution with a federal functional regulator
 (iv) federal or state credit union
(2) (ii) entity described in 31 CFR 1020.315(b)(2)-(5):     (2) department or agency of the US, state, or           subdivision thereof     (3) entity with governmental authority     (4) entity listed on the NYSE, NASDAQ, ASE     (5) subsidiary owned 51% or more of (4)(ii) same, but also includes Indian Tribe
(2) (iii) issuer of securities under sections 12 and 15(d) of the Securities Exchange Act(i) same
(2) (iv) SEC-registered investment company(x) same
(2) (v) SEC-registered investment advisor(x) same and (xi) same
(2) (vi) SEC-registered exchange or clearing agency(viii) same
(2) (vii) any other SEC-registered entity(vii) for broker dealers, and (ix) same
(2) (viii) CFTC-registered entity(xiv) same
(2) (ix) Sarbanes-Oxley registered Public Accounting Firm(xv) same
(2) (x) Bank or Savings & Loan Holding Company(v) same
(2) (xi) pooled investment vehicle operated by a financial institution(xviii) same
(2) (xii) insurance company(xii) same
(2) (xiii) Dodd-Frank financial market company(xvii) same
(2) (xiv) foreign financial institution (FFI) with a regulator that has a beneficial ownership information requirement for that FFI 
(2) (xv) Noon-US government agency that does only government-related work and no commercial activity 
(2) (xvi) any private banking legal entity customer that has an existing requirement to identify beneficial owners under 31 CFR 1010.620 
(3)(i) control prong only for a pooled investment vehicle other than (e)(xi) 
(3)(ii) control prong only for non-profit entities(xix) similar but also includes political organizations and non-profit trusts
 (vi) money transmitting businesses that are registered under 31 USC s. 5330
 (xiii) US-owned insurance producers
 (xvi) public utilities
 (xxi) any entity that (I) employs more than 20 employees on a full-time basis in the United States; (II) filed in the previous year Federal income tax returns in the United States demonstrating more than $5,000,000 in gross receipts or sales in the aggregate, including the receipts or sales of (aa) other entities owned by the entity; and (bb) other entities through which the entity operates; and (III) has an operating presence at a physical office within the United States
 (xxii) any subsidiary of (i) to (xxi) except (xvi) money transmitters
 (xxiii) any dormant (defined) entity not owned directly or indirectly by a foreign person
 (xxiv) any other entity determined by the Secretary

314(b) Information Sharing – a Valuable, but Underutilized Tool

The AML Act of 2020 doesn’t directly change the voluntary information sharing provisions set out in section 314(b) of the USA PATRIOT Act or 31 CFR section 1010.540, but there are provisions in the AML Act that could be used to actively encourage more financial institutions to share information.

On December 10, 2020, FinCEN Director Ken Blanco delivered prepared remarks at the American Bankers Association/American Bar Association Financial Crimes Compliance Conference. Blanco ABA Remarks 12-10-20. Director  Blanco’s remarks were wide-ranging, from COVID-19 frauds to cybercrime to business e-mail compromises. He opened his remarks, though, with a lengthy discussion of the private sector voluntary information sharing program under section 314(b) of the USA PATRIOT Act. At a very high level, section 314(b) allows two or more financial institutions and any association of financial institutions, on a voluntary basis and after giving notice to FinCEN of their participation in the 314(b) program, to share information with one another regarding individuals, entities, organizations, and countries suspected of possible terrorist or money laundering activities for the purposes of identifying and reporting activities that may involve terrorist acts or money laundering activities. Since the passage of the Patriot Act in October 2001, and the publication of the final rules for information sharing in September 2002 (those rules are now at 31 CFR 1010.540), there have been a number of guidance documents, fact sheets, and administrative rulings that have sought to clarify some of the aspects of 314(b), such as the form of an association, whether 314(b) provides a safe harbor for sharing information related to fraud or other underlying criminal activities, and what type of customer information can be shared.

Director Blanco’s prepared remarks coincided with the release of a revised FinCEN 314(b) Fact Sheet (Director Blanco called it “important guidance that FinCEN is issuing today which represents much needed clarity regarding how financial institutions may fully utilize FinCEN’s 314(b) information sharing program.”). That guidance, the 314(b) Fact Sheet rescinded three 314(b)-related documents: June 16, 2009 guidance (FIN-2009-G002), a July 25, 2012 administrative ruling, and a November 2016 314(b) Fact Sheet.

(Note: the Fact Sheet is “guidance” and not a regulation or rule, so it does not have the force and effect of law or regulation, and does not bind FinCEN nor any of the Federal functional regulators.)

The main themes of this new 314(b) Fact Sheet are as follows:

  1. Financial institutions may share under Section 314(b) information relating to activities that they suspect may involve possible terrorist financing or money laundering.  This includes, but is not limited to, information about activities they suspect involve the proceeds of a specified unlawful activity (SUA).  Importantly, our guidance clarifies that:
    • Financial institutions do not need to have specific information that these activities directly relate to proceeds of an SUA, or to have identified specific proceeds of an SUA being laundered.
    • Financial institutions do not need to have made a conclusive determination that the activity is suspicious.
    • Financial institutions may share information about activities as described, even if such activities do not constitute a “transaction.”  This includes, for example, an attempted transaction, or an attempt to induce others to engage in a transaction.  This clarification is significant and addresses some uncertainty with sharing incidents involving possible fraud, cybercrime, and other predicate offenses when financial institutions suspect those offenses may involve terrorist acts or money laundering activities.
    • In addition, the guidance notes that there is no limitation under Section 314(b) on the sharing of personally identifiable information, or the type or medium of information that can be shared (to include sharing information verbally).
  1. An entity that is not itself a financial institution may form and operate an association of financial institutions whose members can use 314(b).  Notably, this includes compliance service providers; and
  1. An unincorporated association of financial institutions, governed by a contract between its financial institutions’ members, may engage in information sharing under Section 314(b).

Director Blanco also stated that “information sharing among financial institutions through 314(b) is critical to identifying, reporting, and preventing crime and bad acts.  It is an important part of how we protect our national security.  It can also help financial institutions enhance compliance with their AML/CFT requirements.”

How widely used is the 314(b) voluntary information sharing regime? And how critical is it in identifying, reporting, and preventing crime and bad acts?

The data suggests that 314(b) is not widely used and may not be as critical to identifying and reporting crime and bad acts. That data is from two main reports: (i) an April 2020 FinCEN 314(b) Infographic that provides information on financial institutions participating in the 314(b) program, the number of SAR narratives referencing 314(b), and the number of financial institutions filing SARs referencing 314(b); and (ii) a May 26, 2020 FinCEN notice regarding the costs and burden of filing SARs, described in detail in my June 2, 2020 article, Costs & Burdens of Filing SARs.

Very Few Financial Institutions Participate in the Voluntary 314(b) Information Sharing Program

The April 2020 Infographic provides that over 7,000 financial institutions (actually, 7,199) are participating in the 314(b) program. But what the Infographic doesn’t show is the percentage of financial institutions that are participating. For that comparison, we can turn to the Costs & Burdens article, which gives us two figures for each of the eleven types of financial institutions that have mandatory SAR filing requirements. The first is the total number of each category of institution (if known), the second is the number of each category that filed SARs in 2019.

Looking first at the participation in the SAR filing, FinCEN reported in its May 26, 2020 Notice that 12,148 financial institutions filed SARs in 2019. Using either FinCEN data (from other publications) or various industry sources, there are approximately 58,540 financial institutions in the eleven categories of financial institutions that have BSA program and mandatory SAR filing requirements. As can be seen here, overall about 21% of the regulated financial institutions are filing SARs, ranging from 2% of insurance companies to 78% of banks and credit unions.

The FinCEN Infographic shows that 7,199 financial institutions are participating in the voluntary 314(b) information sharing program. The chart shows that is an overall participation rate of 12.3%, or one of every eight regulated financial institutions is participating, ranging from about 2% for MSBs to over 40% for bank and credit unions and broker dealers.

Why is the 314(b) participation rate so low?

There are a number of reasons. First, the vast majority of financial institutions in the United States are very small, have few customers, and file very few SARs. Their resources are already stretched thin complying with the mandatory requirements of a BSA/AML program: risk assessments, establishing and documenting policies and procedures, keeping the required records, monitoring for unusual activity and investigating and reporting suspicious activity, managing audits and exams, etc. So participation in – and spending resources on – a purely voluntary program such as 314(b) is often not commercially and practically feasible. Also, many smaller institutions complain that most 314(b) requests they send to larger institutions are ignored. And the Federal functional regulators have been reluctant to criticize a financial institution for not participating in a voluntary program but can criticize a participating institution for any failures in doing so. As a result, many institutions simply decide to save themselves from regulatory issues by not participating in an otherwise valuable program. Finally, the process of sending and receiving information is manual and inefficient and as a result can impact your SAR filing obligations: Bank A may request certain information from Bank B in order to gain information needed to complete a SAR. Bank A must complete its review of whether activity is suspicious or not within a reasonable period of time, then, once a determination is made that the activity is in fact suspicious, it has 30 days to file a SAR. Often, Bank B doesn’t respond in a timely manner, and Bank A spends valuable investigative time trying to cajole Bank B to respond. This back-and-forth, often to no avail, creates a level of complexity that not many financial institutions want to deal with. So they don’t participate in the 314(b) program at all. In fact, the April 2020 Infographic refers to situations where the SAR filer sent a 314(b) request: “The SAR filer sent a 314(b) request to another financial institution in support of an investigation into suspicious activity. Either the information received was used to further its investigation, ultimately contributing to the filing of the SAR, or the receiving financial institution was unresponsive and the sending financial institution filed a SAR based on their own assessment of the activity.”

(Note: Verafin has an automated 314(b) program that automates the communications and facilitates cross-institutional collaboration on cases. See https://verafin.com/product/314b-information-sharing/)

The Number of SARs Referencing 314(b) is Increasing, But the Percentage of Total SARs Remains Very Low

The April 2020 Infographic included some data on the number of SARs that reference 314(b) in the narrative for 2017, 2018, and 2019. That is the top row (in yellow) on the chart below. The Infographic also included some data on the number of financial institutions that filed SARs referencing 314(b) in the narrative: that is the first row in the green section of the chart below.

I have added the other data. The total number of SARs filed in those three years is taken from the FinCEN SAR Stats site: FinCEN SAR Stats. As can be seen from the yellow section of the chart, less than 1 percent of SARs reference 314(b). Arguably, many institutions are utilizing 314(b) but may not refer to it in the SAR narrative. Even if that was the case, and twice as many investigations that led to SARs utilized 314(b), that would still mean that less than 2 percent of all SARs came from investigations involving information shared between financial institutions.

The Infographic also mentioned that “the number of SARs indicating terrorist financing and referencing 314(b) has remained consistent during this three-year period.” So I included FinCEN SAR Stats and we can see, from the blue section of the chart, that about 2.7 percent of all SARs indicating terrorist financing also indicated that the institution utilized the voluntary 314(b) information sharing.

Finally, the Infographic provided that “the number of financial institutions filing SARs referencing 314(b) in the narrative has steadily increased during the past three years, with an increase of 19.7% in 2019”, and it included a chart showing the number of institutions (the top row in the green section). I used the May 26, 2020 FinCEN notice that had 12,148 institutions filing SARs in 2019, then assumed that the number was the same in 2017 and 2018. Even ignoring those two years, the 2019 numbers show that about 10 percent of financial institutions that did file a SAR in 2019, filed a SAR that referenced 314(b).

Encouraging Information Sharing – the AML Act of 2020 is a Good Start

If enacted into law, the Anti-Money Laundering Act of 2020 (AMLA2020), Division F of the National Defense Authorization Act of Fiscal Year 2021, will usher in the biggest changes to the American – and by extension, global – AML/CFT regime since the Patriot Act of 2001. And although information sharing is a feature of the AML Act, section 314(b) is not directly impacted.

Section 6002 of the AML Act describes the six purposes of the Act.  The first is “to improve coordination and information sharing among the agencies tasked with administering anti-money laundering and countering the financing of terrorism requirements, the agencies that examine financial institutions for compliance with those requirements, Federal law enforcement agencies, national security agencies, the intelligence community, and financial institutions”.

Section 6101 of the AML Act greatly expands the “purpose” section (section 5311) of the BSA from a single purpose – requiring records and reports where they have a high degree of usefulness to government authorities – to five purposes, including to “establish appropriate frameworks for information sharing among financial institutions, their agents and service providers, their regulatory authorities, associations of financial institutions, the Department of the Treasury, and law enforcement authorities to identify, stop, and apprehend money launderers and those who finance terrorists”.

And section 6214 encourages information sharing and Public-Private Partnerships, and requires the Secretary to convene a supervisory team of agencies, private sector experts, etc., to examine strategies to increase such cooperation.

Reforming the Voluntary 314(b) Private Sector Information Sharing Program

This supervisory team will likely come up with many strategies to increase information sharing. I would start with what may be a bold idea: make 314(b) information sharing mandatory for the largest banks operating in the United States. The Financial Stability Board (FSB) has identified the 2020 list of thirty global systemically important banks (G-SIBs): 314(b) could be amended to make participation mandatory for the G-SIBs and to call for a study of the effective of the mandatory use after two years, and 31 CFR 1010.540 could be revised to require those G-SIBs to demonstrate active participation, both sending requests to other G-SIBs and responding to requests from other G-SIBs. Since the G-SIBs account for most SARs filed (a list of the G-SIBs is available at https://www.fsb.org/wp-content/uploads/P111120.pdf and it includes JPMorgan, Bank of America, Citigroup, Wells Fargo, Goldman Sachs, Morgan Stanley, and Toronto Dominion, among others), this approach could result in greater participation and use by the voluntary users.

Although the Exam Manual provides that “section 314(b) encourages financial institutions and associations of financial institutions located in the United States to share information …” (page 95), section 314(b) does not, in fact, provide that: there is nothing in the section that provides encouragement. And the Exam Manual’s exam procedures for 314(b) do not encourage participation. I would revise 31 CFR 1010.540 and the BSA/AML Exam Manual to actively encourage 314(b) information sharing.

A Better Approach – Combining Sections 314(a) and 314(b) for a True Public-Private Partnership to Fight Financial Crime

In an article posted February 16, 2019 I discussed how a 314(b) association of financial institutions can work directly with law enforcement through the 314(a) public to private sector sharing provisions. Richards on Public-Private Sector Sharing. That article provided, in part:

In Congressional testimony earlier this year, a witness testified that “of the roughly one million SARs filed annually by depository institutions (banks and credit unions), approximately half are filed by only four banks.” What if FinCEN and these four largest financial institutions worked together to share information? And what if they did that with tools already in the anti-money laundering (AML) toolbox?

Here’s how. Remember the language we emphasized above in Section 314(b)? Financial institutions and any association of financial institutions? An “association” can be a tremendously powerful tool when coupled with Section 314(a). Richards describes a scenario where these largest FIs get together to form an information sharing association under 314(b), which not only allows them to share certain information but provides legal protections when doing so, and then the association can work proactively with FinCEN and law enforcement to receive and send names of known targets under 314(a).

“I see this as the wave of the future,” Richards explained. “Otherwise, each individual FI is limited in what it can see and more importantly, what it can understand.” More importantly, he said, it allows FinCEN and FIs to take existing tools and use them “in a more efficient way to solve big problems like human trafficking, contraband smuggling, the opioid crisis, the fentanyl crisis, and other societal problems.”

“Information sharing associations shouldn’t be limited to the biggest FIs, although Greg Baer’s testimony about the largest four FIs, out of about 12,000 in the US, filing 60% of SARs illustrates how powerful such an association could be,” Richards noted. “This association approach, even with smaller institutions, allows law enforcement to target the worst offenders and allow those FIs to better identify those targets and share information between themselves and with the government. “I think it is really positive,” he added, “but it will only work if the regulatory agencies are fully on board and encourage FIs to participate. If there is no regulatory upside for financial institutions, even the best-intentioned of them will think twice before participating in what is otherwise the right thing to do for our communities and country.”

The financial crimes software company Verafin is the technology behind a formal 314(b) association, The Consortium LLC, made up of the five largest US banks and the US branches of two of the largest UK banks (see notices published in the Federal Register on August 9, 2018 for Standard Chartered (83 FR 39440) and on October 5, 2018 for HSBC (83 FR 50371) “to engage de novo through a newly formed entity, The Consortium, LLC, in data processing activities”. Through a formal process pursuant to and in compliance with 314(a), The Consortium members receive the names of entities that a federal law enforcement agency has identified as being engaged in, or is reasonably suspected based on credible evidence of engaging in, terrorist activity or money laundering.

The multiplier effect of a 314(b) association of institutions working together is quite remarkable. To illustrate, assume the FBI submitted 10 names of known targets to FinCEN, which then forwarded those names to each of the seven Consortium member institutions. Those seven then each review their records to determine whether they maintain or have maintained accounts for, or have engaged in transactions with, any of those 10 entities. Those accounts may have related parties, and the transactions will have sending or receiving parties. And each member may have filed SARs on some or all of the entities. Assume that each member identifies an additional 5 “suspects”.

The results – now 10 targets and 35 new suspects – are then shared between the members of The Consortium (again, as a 314(b) association of financial institutions) and, using the Verafin technology, the members can then conduct a joint investigation. This joint investigation may reveal another 15 suspects. The Consortium shares these 60 names with the FBI and FinCEN, which may have identified 10 of the suspects but not linked them to the original case, or may not have known about the other 40 “new” suspects.

The ultimate output is individual SARs filed by the individual member institutions (a joint SAR or joint SARs remain legally impractical) supported by a joint intelligence memo for law enforcement.

Conclusion

One of the main purposes of the AML Act of 2020 is to improve coordination and information sharing among and between the public sector and private sector. In order to do that, the voluntary sharing of information between financial institutions – created by section 314(b) of the USA PATRIOT Act and administered by regulations set out in 31 CFR section 1010.540 – should become mandatory for the largest financial institutions (the thirty global systemically important banks, or G-SIBs) and should be actively encouraged by FinCEN and the Federal functional regulators. And associations of financial institutions, like The Consortium, LLC, should also be encouraged to be formed and work with the public sector to share information and perform cross-institutional, collaborative investigations and reports.

AML Act of 2020: Renewing America’s AML/CFT Regime

Executive Summary of the AML Act of 2020

On December 3, 2020 the Senate and House jointly issued a Conference Report on the National Defense Authorization Act for Fiscal Year 2021 (the “NDAA”). The Conference Report is 4,517 pages long.[1] The NDAA contains eight divisions – Division F is the Anti-Money Laundering Act of 2020 (the “AML Act of 2020”). The House passed the NDAA on December 8th with a vote of 335-78 (out of 435 Members): the Senate passed the NDAA on December 11th with a vote of 84-13 (out of 100 Senators). The NDAA will be headed to the President’s desk, where he can sign it into law or veto it. If vetoed, both chambers have veto-proof majorities (two-thirds) and can over-ride the veto, if they choose to exercise those powers.

If signed by the President, or Congress over-rides a Presidential veto, the AML Act of 2020 will usher in the most profound changes to the U.S. anti-money laundering regime since the USA PATRIOT Act of 2001.[2] As described in more detail below, the AML Act of 2020 broadens the mission or purpose of the Bank Secrecy Act (“BSA”) to include national security; formalizes the risk-based approach for financial institutions’ compliance programs; greatly expands the duties, powers, and functions of FinCEN; aligns the regulatory agencies’ supervision and examination priorities with the expanded purposes of the BSA; increases civil and criminal penalties for violations of the BSA; calls for multiple studies and reports; and establishes a beneficial ownership information reporting regime. The result is that the US is moving from a US-focused, regulator-versus-regulated, compliance-focused regime to a global, public/private partnership focused on fighting all financial crimes.

Of note is what is not in the AML Act that should be there. What is not in the AML Act are any references to, or changes to, the laws that give duties and powers to the Federal functional regulators. What we call the Bank Secrecy Act is actually three different laws, or parts of the US Code: 12 USC s. 1829b (“retention of records by insured depository institutions”), 12 USC Part 21 (“financial recordkeeping”, sections 1951-1959), and 31 USC subchapter II (“ records and reports on monetary instruments and transactions”, sections 5311-5314, 5316-5322). As explained in the following section, title 12 is “Banks & Banking” and includes the laws relating to the Federal functional regulators, and title 31 is “Money & Finance” and includes the laws relating to Treasury and FinCEN. The AML Act changes the title 31 laws (and regulations) but not the title 12 laws (and regulations) that collectively make up the BSA.[3] It remains to be seen how the title 12 regulators will be impacted, and how willing they will be to being impacted, by the title 31 changes.

Finally, whatever the impacts of the AML Act will be may not be fully realized for years. For example, the USA PATRIOT Act, which included Title III, the International Counter-Money Laundering and Anti-Terrorist Financing Act of 2001, was passed in October 2001; regulations implementing the Act were issued in 2002 and 2003; and regulatory guidance, in the form of the first FFIEC BSA/AML Exam Manual, wasn’t published until April 2005 (and that Manual was revised in 2006, 2007, 2010, and 2014 to reflect changing regulatory guidance). We can expect something similar with the AML Act of 2020: it calls for multiple studies and reports to Congress over the next two years; regulations will need to be issued over the next year to three years; the Exam Manual will need to be revised; regulators will need to be trained; and regulatory guidance will evolve.

I was pleased to see that many of the things I’ve been calling for over the years have been included in the AML Act. Most notably are the provisions relating to – even requiring – the public sector consumers of BSA reports to provide feedback to the private sector producers of BSA reports. My most recent article on what I’ve called “TSV SARs” or Tactical or Strategic Value SARs, is from October 1, 2020: Reforming the AML Regime Through TSV SARs

Background on the US Code, Code of Federal Regulations, and Regulatory Guidance

For those not familiar with how US laws and regulations work, a short primer is in order.

The Conference Report and AML Act of 2020 contain references to the United States Code (“USC”), the Code of Federal Regulations (“CFR”), and regulatory guidance such as the FFIEC BSA/AML Examination Manual.

Legislation, or laws, are set out in the United States Code, the codification by subject matter of the general and permanent laws of the United States. The U.S. Code is divided by broad subjects into 53 titles and published by the Office of the Law Revision Counsel of the U.S. House of Representatives.[4] The first six titles set out the laws relating to the functioning of the government generally. Titles 7 through 50 are alphabetical: title 7 is Agriculture, title 50 is War & National Defense. The main titles relating to anti-money laundering (AML) and countering the financing of terrorism (CFT) are:

  • Title 12 Banks & Banking – laws relating to the Federal financial regulatory agencies such as the Federal Reserve, FDIC, OCC
  • Title 18 Crimes & Criminal Procedure – criminal laws such as structuring and operating an unlicensed money transmitter
  • Title 26 – Internal Revenue Code – tax-related crimes and some BSA-related forms such as the Form 8300 (reporting cash received by a trade or business)
  • Title 31 Money & Finance – the Bank Secrecy Act is part of title 31: subchapter II, sections 5311 – 5322. The AML Act of 2020 adds sections 5333-5336 to subchapter II
  • Title 50 War & National Defense – U.S. sanctions laws administered by OFAC are in this title.[5]

Laws are described by the title and the section: 31 USC s. 5311, for example, is the “purpose” section of the laws known as the BSA that are codified in title 31.

Where laws generally describe “what” Congress has enacted, how those laws are implemented and enforced are set out in regulations issued by the appropriate executive branch agency or department, such as the Treasury Department and the Federal financial regulators. Regulations are set out in the Code of Federal Regulations. The OCC’s regulations are set out in Part 21 of title 12 of the Code ofFederal Regulations – 12 CFR Part 21 – while FinCEN’s regulations are set out in Part X of title 31 of the Code of Federal Regulations – 31 CFR Part X.[6]

Regulations provide the “how” and follow the “what of the law: an example of laws and corresponding regulations is 31 USC s. 5318(h), the law that requires all financial institutions to have AML/CFT programs, and its implementing regulation at 31 CFR s. 1020.200, the general program requirements for banks.

All of the Federal functional regulators and FinCEN issue what is called “supervisory guidance” to set out their expectations or priorities. For AML and CFT purposes, this supervisory guidance has been collected and compiled by the Federal Financial Institutions Examination Council, or FFIEC, into an examination manual that includes their collective guidance to their examiners on AML and CFT laws, regulations, and expectations. It is available at https://bsaaml.ffiec.gov. Although this guidance does not create enforceable requirements – those requirements are in the laws and regulations – the guidance does shape how financial institutions design, build, maintain, and update their programs, and how auditors and examiners test and examine those programs.

Explanation of this Summary of the AML Act of 2020

As set out above, the Conference Report for the NDAA is over 4,500 pages long. The AML Act of 2020, Division F of the NDAA, is at pages 2,843 – 3,078 (it is 235 pages long). The AML Act of 2020 is made up of 56 sections in five titles.[7] Sections 6001-6003 set out the title of the act, its purposes, and definitions of key terms. Following those three introductory sections are the five titles:

  • Title LXI – Strengthening Treasury Financial Intelligence, Anti-Money Laundering, and Countering the Financing of Terrorism Programs (sections 6101-6112)
  • Title LXII – Modernizing the Anti-Money Laundering and Countering the Financing of Terrorism System (sections 6201-6216)
  • Title LXIII – Improving Anti-Money Laundering and Countering the Financing of Terrorism Communication, Oversight, and Processes (sections 6301-6314)
  • Title LXIV – Establishing Beneficial Ownership Information Reporting Requirements (sections 6401-6403)
  • Title LXV – Miscellaneous (sections 6501-6511)

Scattered throughout many of the titles and sections are changes to particular aspects of, or themes of, the current AML/CFT regime. This summary, therefore, is arranged by those aspects or themes rather than going through the fifty-six sections and five titles in order. Text appearing in red font indicates a change or addition to language in laws or regulations: the intent is for the reader to see what has been added (or, in one case, taken away) from existing laws or regulations.

This is by no means a complete review, assessment, analysis, and commentary on the AML Act of 2020. However, I trust it is a good primer for those interested in contributing to the discussion around, and efforts to promote, a more effective, efficient, courageous, compassionate, and inclusive public and private sector effort at mitigating and, to the extent possible, eliminating money laundering ,terrorist financing, and other financial crimes.

Purposes of the Anti-Money Laundering Act of 2020

Section 6202 of the AML Act describes the purposes of the Act.  The full text of this section is set out below:

  • to improve coordination and information sharing among the agencies tasked with administering anti-money laundering and countering the financing of terrorism requirements, the agencies that examine financial institutions for compliance with those requirements, Federal law enforcement agencies, national security agencies, the intelligence community, and financial institutions;
  • to modernize anti-money laundering and countering the financing of terrorism laws to adapt the government and private sector response to new and emerging threats;
  • to encourage technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and the financing of terrorism;
  • to reinforce that the anti-money laundering and countering the financing of terrorism policies, procedures, and controls of financial institutions shall be risk-based;
  • to establish uniform beneficial ownership in formation reporting requirements to (A) improve transparency for national security, intelligence, and law enforcement agencies and financial institutions concerning corporate structures and insight into the flow of illicit funds through those structures; (B) discourage the use of shell corporations as a tool to disguise and move illicit funds; (C) assist national security, intelligence, and law enforcement agencies with the pursuit of crimes; and (D) protect the national security of the United States; and
  • to establish a secure, nonpublic database at FinCEN for beneficial ownership information.

The Conference Report (at page 4,456 of the 4,517-page report) included some interesting language on the purposes of the Act:

“One overarching improvement now included in the conference agreement is to broaden the mission of the BSA to specifically safeguard national security as well as the more traditional investigatory pursuits of law enforcement … Currently, there is no clear statutory mandate for BSA stakeholders – law enforcement, financial regulators, and financial institutions – to provide routine, standardized feedback to one another for the purpose of improving the effectiveness of BSA AML programs … [and there is a] clear mandate for innovation.”

Changes to the Purpose of the Bank Secrecy Act – 31 USC s. 5311

The additions to the “purpose” section of the BSA may be the single biggest change to the current AML/CFT regime. As set out below, section 5311 of title 31 is the declaration of purpose. From 1970 through 2001, that purpose was simply “to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations, or proceedings.” The USA PATRIOT Act of 2001 added a clause relating to international terrorism: the amended section provided that the purpose was “to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations, or proceedings, or intelligence or counterintelligence activities, including analysis, to protect against international terrorism.”

As can be seen below, the original (post-2001) purpose has been changed in three ways. First, changing reports “where they have a high degree of usefulness” to reports “that are highly useful”. [8] Second, those reports are now to be used in regulatory risk assessments. And third, it appears that BSA reports are intended for all terrorism purposes, not just international terrorism (domestic and international). The new section 5311 declaration adds four new purposes: strong private sector programs, tracking dirty money, conduct national risk assessments to protect the financial system and national security generally, and to encourage public private sector information sharing. And note the language in subsection (5) where “service providers” has been added, a recognition of the growing regtech/fintech industry. The Declaration of Purpose now provides that:

It is the purpose of this subchapter (except section 5315) to –

  1. require certain reports or records where they have a high degree of usefulness that are highly useful in – (A) criminal, tax, or regulatory investigations, risk assessments, or proceedings; or (B) intelligence or counterintelligence activities, including analysis, to protect against international terrorism;
  2. prevent the laundering of money and the financing of terrorism through the establishment by financial institutions of reasonably designed risk based programs to combat money laundering and the financing of terrorism;
  3. facilitate the tracking of money that has been sourced through criminal activity or is intended to promote criminal or terrorist activity;
  4. assess the money laundering, terrorism finance, tax evasion, and fraud risks to financial institutions, products, or services to – (A) protect the financial system of the United States from criminal abuse; and (B) safeguard the national security of the United States; and
  5. establish appropriate frameworks for information sharing among financial institutions, their agents and service providers, their regulatory authorities, associations of financial institutions, the Department of the Treasury, and law enforcement authorities to identify, stop, and apprehend money launderers and those who finance terrorists.

Changes to the AML/CFT Program Requirements – 31 USC s. 5318(h)

Section 5318 of title 31 is the catch-all “compliance” section of the BSA. In addition to the SAR reporting requirements in subsection 5318(g), and the Customer Identification Program requirements in subsection 5318(l), this section has the requirements for financial institutions’ AML/CFT programs in subsection 5318(h).

Subsection (h)(1) is the so-called “four pillars” or minimum requirements of a program: “In order to guard against money laundering through financial institutions, each financial institution shall establish anti-money laundering programs, including, at a minimum –

(A) the development of internal policies, procedures, and controls;

(B) the designation of a compliance officer;

(C) an ongoing employee training program; and

(D) an independent audit function to test programs.

Subsection (h)(1) is changed to reflect the CFT aspects of the regime. It now requires financial institutions to “establish AML and countering the financing of terrorism programs in order to guard against money laundering and the financing of terrorism”. The minimum standards, or “four pillars”, did not change.

Perhaps this was a lost opportunity to reconcile the four pillar program requirements in 31 USC s. 5318(h) with the five pillar program requirements in 31 CFR s. 1010.210 and with the four pillar program requirements in 12 CFR s. 21.21.[9]

Subsection (h)(2) gives the Treasury Secretary the power to prescribe rules (regulations) for the AML program standards. This subsection is dramatically altered with the addition of factors that the Secretary shall take into consideration. And a new subsection, (h)(4), is added that sets out a new requirement that the Government shall establish national priorities, updated every four years, that need to be incorporated into institutions’ AML/CFT programs and, notably, how those national priorities are incorporated will be examined by the regulatory agencies:

(h)(2)(B) – Factors that the Secretary shall take into account when prescribing minimum standards and regulators shall take into account in supervising and examining: (i) financial institutions are spending private funds for public and private benefit; (ii) key policy goals of the US are extending financial services to the underbanked and facilitating global remittances while preventing criminals from abusing the system; (iii) effective AML and CFT programs safeguard national security and generate public benefit; (iv) AML and CFT programs should be (I) “reasonably designed to assure and monitor compliance with the requirements of this subchapter and regulations promulgated under this subchapter; and (II) risk-based, including that more attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.”

(h)(4) – Priorities: (A) within 180 days the Government shall establish AML And CFT priorities; (B) those priorities will be renewed every 4 years; (C) these priorities will be aligned with national security priorities; (D) FinCEN will promulgate regulations within 180 days of (A); (E) financial institutions shall incorporate those priorities into their AML/CFT programs and will be supervised and examined thereon.

Changes to FinCEN’s Duties, Powers, and Scope – 31 USC s. 310

Part 3 of title 31 sets out the organization, function, powers, and duties of the Treasury Department generally, and each of the bureaus or divisions within the Treasury Department. Section 310 of Part 3 is the section for the Financial Crimes Enforcement Network, or FinCEN.

As can be seen below, the duties and powers of the FinCEN director set out in section 310(b) have been greatly expanded. The current subsection has nine duties – (A) through (I) – and a catch-all (J). That catch-all has been moved down to (O) as five new duties and powers have been added – (J) through (N):

(A) Provide advice and make recommendations to the Under Secretary for Enforcement

(B) Maintain a government-wide database of BSA reports

(C) Analyze and disseminate intel from that database

(D) Maintain a communications center for law enforcement

(E) Furnish research, analytical, and informational services to the private and public sectors

(F) Assist law enforcement and regulators in combatting informal value transfer systems

(G) Support the tracking of foreign assets

(H) Coordinate with foreign FIUs

(I) Administer the requirements of the BSA

(J) Promulgate regulations to implement the exam and supervision priorities of BSA/AML programs

(K) Communicate regularly with the private sector, regulators, and law enforcement to explain the Government’s AML/CFT exam and supervision priorities

(L) Give and receive feedback to and from the private sector and State bank and credit union supervisors

(M) Maintain money laundering and terrorist financing experts to support federal civil and criminal investigations

(N) Maintain emerging technology experts

(O) Such other duties and powers as the Secretary may delegate

Subsection 310(c) on FinCEN’s requirements relating to maintenance and use of its data banks, did not change. However, the AML Act added seven new subsections that greatly expand FinCEN’s purpose, reach, authority, and staffing/budget:

  • 310(d) – FinCEN Exchange (added by s. 6103, which (i) codifies in the statute the Exchange that FinCEN established two years ago; and (ii) requires FinCEN to report to Congress on the effectiveness of the Exchange within one year then once every two years for five years)
  • 310(e) – Special hiring authority for terrorism and intel (added by s. 6105, this gives both FinCEN and its parent agency, the Office of Terrorism and Financial Intelligence, or OTFI, the ability to makes certain hires without going through the usual federal government steps. Like section 6305, FinCEN and OTFI must report to Congress within a year)
  • 310(f) – adds at least 6 FinCEN Domestic Liaisons (added by s. 6107)
  • 310(g) – adds Chief of Domestic Liaison (added by s. 6107, which creates a Deputy Director of Domestic Liaison reporting to the FinCEN Director, with an Office of Domestic Liaison located in Washington DC. The six Domestic Liaisons will report regionally, and can be co-located with Federal Reserve offices, as needed. Same requirements to report to Congress.)
  • 310(h) – adds at least 6 Foreign FIU Liaisons (added by s. 6108, these positions will be similar to Treasury attaches and will work with Egmont and FATF)
  • 310(i) – FOIA protection of information shared with international FIUs (added by s. 6109)
  • 310(j) – requires analytical experts for FinCEN’s “Analytical Hub” (added by s. 6304)
  • 310(l) – Appropriation for FY2021 of $136 million, adding $10 million by s. 6509

In addition to the changes set out in 31 USC s. 310, the AML Act added some general provisions. Section 6203(a) of the AML Act provides that FinCEN shall solicit feedback from a cross section of BSA Officers on their financial institution’s SARs and trends observed by FinCEN, and FinCEN will provide that information to the institution’s regulator. Section 6203(b) of the AML Act requires that FinCEN shall periodically disclose to each financial institution, in summary form, information on SARs filed that proved useful to law enforcement and to DOJ. And section 6208 creates a new position of BSA Innovation Officer reporting directly to Director of FinCEN (similar positions for the Federal functional regulators).

Other Changes to the Bank Secrecy Act – 31 USC Subchapter II, ss. 5311 – 5322

31 USC s. 5321 Civil Penalties – section 6309 adds new subsection 31 USC 5321(f) and provides for enhanced or additional penalties for repeat offenders of 3x the profit gained or loss avoided as a result of the violation or 2x the maximum penalty. Section 6310 adds new subsection 31 USC 5321(g) and bans those who have committed “egregious violations”, defined as criminal convictions where the maximum sentence is more than one year and civil violations where the individual willfully committed the violation and the violation facilitated money laundering or terrorist financing, from serving on a financial institution board for ten years.

Section 6312 adds subsection 31 USC s. 5322(e) to the criminal penalties section. It requires the return of any profit gained by reason of the criminal violation and, if the offender was a partner, director, officer, or employee, they must repay the institution any bonus paid during the calendar year in which the violation occurred or the year thereafter. I expect there to be some questions raised about this subsection around why the offending institution is re-paid bonuses, and situations where directors are not paid bonuses (they rarely are).

Expanded Whistleblower Awards and Protections – 31 USC s. 5323

Section 6314 extensively altered and expanded the whistleblower section of title 31. The current section only allows for “informants” to receive rewards of between $12,500 and $150,000, and there is nothing in the section about protecting informants (whistleblowers) from retaliation. This new section increases the rewards to up to 30% of the penalty, and includes detailed provisions on protecting whistleblowers.

Modernizing the AML/CFT System Generally

Title LXII (sections 6201 – 6216) and title LXV (sections 6502 – 6508) collectively are intended to, and do, modernize the AML/CFT system.

  • 6201 – The Attorney General shall report annually on the use of BSA reports, including whether the reports contain “actionable information” that leads to further proceedings by law enforcement, intelligence community, or national security; and extent to which arrests, indictments, convictions result. Note the term “actional information”: is it different from information that provides a “high degree of usefulness” (the current language of section 5311) or is “highly useful” (the new language of section 5311)?
  • Sections 6204, 6205 call for a review of the contents, forms, and thresholds of CTRs and SARs. I have argued against raising the SAR or CTR thresholds[10]
  • Section 6209 adds 31 USC 5318(o) – a review of whether and how Model Validation applies to AML/CFT. Following that review, the new standards would be put into a regulation and incorporated in the FFIEC BSA/AML Examination Manual. This could be an impactful change: the current pedantic application of strict model validation requirements is a drain and distraction on effective financial crime programs. As I recently wrote:

Revising existing model-risk-management guidance to AML systems assumes there is existing model-risk-management guidance to AML systems. But there isn’t any such guidance. The model risk management guidance – from 2000 and revised in 2011 – was never intended to be applied against AML systems. None of the five editions of the FFIEC Exam Manual, the four after the original 2000 guidance and the one following the 2011 revision of the guidance, make any reference to the model risk management guidance. If AML systems are to be subject to strict model governance, then that governance must be set out in binding regulation subject to public review and comment. And AML systems should not be subject to the same strict model governance requirements as Value-At-Risk models, liquidity models, or even consumer lending models. Nothing has more adversely impacted the ability of large financial institutions to fight financial crime, human trafficking, kleptocracy, nuclear proliferation, etc., as the strict, pedantic, dogmatic application of model risk governance. [11]

  • Section 6213 adds 31 USC s. 5318(p), thereby codifying the October 2018 interagency statement on sharing BSA resources
  • Section 6214 encourages information sharing and Public/Private Partnerships, and requires the Secretary to convene a supervisory team of agencies, private sector experts, etc., to examine strategies to increase such cooperation.
  • Section 6215 requires the GAO to publish a de-risking analysis within one year, followed by a strategy from the Secretary one year thereafter. This section includes a definition of de-risking: “actions taken by a financial institution to terminate, fail to initiate, or restrict a business relationship with a customer, or a category of customers, rather than manage the risk associated with that relationship consistent with risk-based supervisory or regulatory requirements, due to drivers such as profitability, reputational risk, lower risk appetites of banks, regulatory burdens or unclear expectations, and sanctions regimes.”
  • Section 6216 requires a review of regulations and guidance within one year.
  • Title LXV calls for multiple GAO and Treasury studies:
    • Study on beneficial ownership information reporting requirements (section 6502 and both GAO and Treasury shall report separately within two years),
    • Study on feedback loops (section 6503 and GAO to report within eighteen months),
    • Study on CTRs (section 6504 and GAO to report no later than December 31, 2025)[12],
    • Study on trafficking networks (section 6505 and GAO to report within one year),
    • Study on trade-based money laundering (TBML) (section 6506 and Treasury to report within one year)[13],
    • Study on money laundering by China (section 6507 and Treasury to report within one year), and
    • Study on the efforts of authoritarian regimes to exploit the financial system of the US (Treasury and Justice to conduct the study within one year and report within two years).
  • Section 6305 is an assessment of (actually, it contemplates the creation of) BSA No-Action Letters. Within 180 days of the passage of the Act, the Director must report to the House Financial Services Committee and the Senate Banking Committee on (i) whether to establish a process to issue no-action letters in response to inquiries on the application of the BSA or any AML/CFT law or regulation to specific conduct, including a request for a statement as to whether FinCEN or any relevant Federal functional regulator intends to take an enforcement action against the person with respect to such conduct. This would be a major change. Since 1987 FinCEN has an “Administrative Ruling” regime, whereby a financial institution may submit an Administrative Ruling request seeking FinCEN’s interpretation of a particular BSA regulation to the facts set out in the request. FinCEN’s response, the Administrative Ruling itself, has precedential value and may be relied upon by others similarly situated only if the ruling is published on FinCEN’s website. According to a notice published in the Federal Register on December 11, 2020, FinCEN received 98 Administrative Ruling requests from 2018-2020. According to FinCEN’s website, it only published 5 of those 98 requests (so 93 of the 98 are not of value to other institutions). And it takes months, sometimes years, for FinCEN to issue these rulings. For all of these reasons, a “No Action Letter” regime may be more effective than the current Administrative Ruling regime.

Changes to the Reporting of Suspicious Transactions – 31 USC s. 5318(g)

Reporting of suspicious transactions, or Suspicious Activity Reports (SARs), is set out in subsection (g) of section 5318. The AML Act changes the SAR regime in a number of ways, including .

5318(g)(1) – gives the Secretary the ability to issue regulations to require financial institutions to report suspicious transactions.

(g)(2) – Notification Prohibited – A filing financial institution and any officer, director, or employee of a filing financial institution cannot notify or disclose to any person involved in a reported suspicious transaction that the transaction has been reported or otherwise reveal any information that would reveal that the transaction has been reported (this language was added by section 6212 and codifies what was in the regulation and regulatory guidance).

(g)(3) – Liability for disclosure of SAR

(g)(4) – Single designee for SARs (FinCEN)

(g)(5) – Establish streamlined, including automated, processes to, as appropriate, permit the filing of noncomplex categories of SARs (added by section 6202, this is similar to provisions that were in FinCEN’s September 16, 2020 Advance Notice of Proposed Rulemaking)

(g)(6) – FinCEN shall share threat pattern and trend information at least semiannually to provide meaningful information about the preparation, use, and value of BSA reports. It shall include typologies, including data that can be adapted in algorithms, if appropriate on emerging money laundering and terrorist financing threat patterns and trends (added by s. 6206, this appears to compel FinCEN to go back to its semi-annual SAR Activity Reports, which were discontinued in 2013)

(g)(7) – Rules of construction (added by s. 6206)

(g)(8) – Pilot program within one year to allow a US financial institution to share SAR-related information with its foreign branches and affiliates (added by s. 6212, this would close an anomaly in the law and regulation, where foreign banks operating in the United States could share SAR information with their home-country head office, but US banks could not share SAR information with their foreign branches and affiliates. There was an exception: prohibited jurisdictions are China and Russia, any state sponsor of terrorism, any jurisdiction subject to sanctions, and any jurisdiction determined by the Secretary that cannot reasonably protect the security and confidentiality of such information).

New Sections Have Been Added to the BSA (subchapter II of Title 31)

  1. 5333 – Safe harbor for “Keep Open Directives” (added by s. 6306, this section would require law enforcement to notify FinCEN of any “keep open request” made of a financial institution to keep an account “or transaction” open. Financial institutions are not required to comply)
  2. 5334 – Required annual training for Federal financial regulators’ examiners (added by s. 6307, one would have assumed that examiners would be required to be trained on the regulatory requirements they are examining. This new section requires annual training, and the training is to be done in consultation with FinCEN and all levels of law enforcement – federal, state, tribal, and local.)
  3. 5335 – Penalties for concealing PEPs’ source of funds (added by s. 6313, this new section applies to PEPs or Senior Foreign Political Figures where the aggregate value of monetary transactions is not less than $1 million and the transaction(s) affect(s) interstate or foreign commerce. It provides that no person shall knowingly conceal, falsify, or misrepresent, ot attempt to do so, a material fact concerning the ownership or control of assets involved in a monetary transactions. And, if the transaction(s) involve(s) an entity found to be of primary money laundering concern under section 5318A, the same person cannot conceal the source of funds. This section will be complex to administer.)
  4. 5336 – Beneficial Ownership Information Reporting requirements (added by s. 6403 – see below)

Two New BSAAG Subcommittees

Section 1564 of the Annunzio-Wylie AML Act of 1992 created the BSA Advisory Group (BSAAG). The AML Act of 2020 adds two subcommittees: the Subcommittee on Innovation and Technology added by s. 6207 (adding subsection 1564(d)) and the Subcommittee on Information Security & Confidentiality added by s. 6302 (adding subsection 1564(e)). Both subcommittees have a five-year “sunset” clause, or terminate in five years, unless the Secretary renews them for as many one-year terms as the Secretary chooses. The mandate of the Subcommittee on Innovation and Technology is to study and make recommendations on how to “most effectively encourage and support technological innovation [and reduce] obstacles to innovation that may arise from existing regulations, guidance, and examination practices.” This subcommittee will also include the BSA Innovation Officers authorized by section 6208.

New Beneficial Ownership Information Reporting Requirements

The New Requirements

Title LXIV – sections 6401-6403 adds 31 USC s. 5336

Section 6402 is the “Sense of Congress” section. That section provides, in part, that the beneficial ownership information “will be directly available only to authorized government authorities” and the database is intended to be “highly useful to national security, intelligence, and law enforcement agencies and Federal functional regulators”. There is no mention of making the information directly available to financial information or even having it benefit financial institutions. As seen from Congressman McHenry’s comments (see Appendix A), that was the intent: the registry is quite limited.

Under the AML Act:

  • Beneficial Owner is defined as an individual who directly or indirectly exercises substantial control or owns or controls not less than 25%.
  • Reporting Company is defined as not including companies with more than 20 FTE, more than $5 million in gross revenues, and with an operating presence in the United States.
  • Existing companies have two years to report. New companies shall report at the time of formation. Changes in beneficial ownership must be reported within a year.
  • Financial institutions can only query the database about a company with the consent of that company. The existing beneficial ownership rule of May 11, 2016 will be brought into conformance with this section within a year.

Why were the beneficial ownership registry provisions watered down so much? The answer to that question could be found in comments made by Congressman Patrick McHenry, (R. NC 10). His floor comments from December 8, 2020, as captured in the House Congressional Record, are included in Appendix A. His comments bear particular weight, as Congressman McHenry is the Ranking Member on the House Financial Services Committee.

The Impact on the Current Beneficial Ownership Rule

Congressman McHenry commented that this new reporting rule “rescinds the current beneficial ownership reporting regime set out in 31 CFR 1010.230 (b)–(j), which is costly and burdensome to small businesses.” However, it may not be as cut-and-dried as he states. The section that Rep. McHenry is referring to is 6403(d). That section provides:

Section 6403(d) REVISED DUE DILIGENCE RULEMAKING.

(1) IN GENERAL. – Not later than 1 year after the effective date of the regulations promulgated under section 5336(b)(4) of title 31, United States Code, as added by subsection (a) of this section, the Secretary of the Treasury shall revise the final rule entitled “Customer Due Diligence Requirements for Financial Institutions” (81 Fed. Reg. 29397 (May 11, 2016)) to –

(A) bring the rule into conformance with this division and the amendments made by this division;

(B) account for the access of financial institutions to beneficial ownership information filed by reporting companies under section 5336, and provided in the form and manner prescribed by the Secretary, in order to confirm the beneficial ownership information provided directly to the financial institutions to facilitate the compliance of those financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law; and

(C) reduce any burdens on financial institutions and legal entity customers that are, in light of the enactment of this division and the amendments made by this division, unnecessary or duplicative.

(2) CONFORMANCE.

(A) IN GENERAL. – In carrying out paragraph (1), the Secretary of the Treasury shall rescind paragraphs (b) through (j) of section 1010.230 of title 31, Code of Federal Regulations upon the effective date of the revised rule promulgated under this subsection.

(B) RULE OF CONSTRUCTION. – Nothing in this section may be construed to authorize the Secretary of the Treasury to repeal the requirement that financial institutions identify and verify beneficial owners of legal entity customers under section 1010.230(a) of title 31, Code of Federal Regulations.

(3) CONSIDERATIONS. – In fulfilling the requirements under this subsection, the Secretary of the Treasury shall consider—

(A) the use of risk-based principles for requiring reports of beneficial ownership information;

(B) the degree of reliance by financial institutions on information provided by FinCEN for purposes of obtaining and updating beneficial ownership information;

(C) strategies to improve the accuracy, completeness, and timeliness of the beneficial ownership information reported to the Secretary; and

(D) any other matter that the Secretary determines is appropriate.

The result of this is that the Secretary shall rescind the current beneficial ownership rule but can replace it with a rule that is similar, if not identical to the current beneficial ownership rule. The current beneficial ownership rule provides financial institutions with more information on more legal entities sooner and requires them to use that information for not only onboarding due diligence, including customer risk rating, but ongoing due diligence (investigations of potential suspicious activity). It also gives financial institutions immediate access to existing legal entities’ beneficial ownership information where those entities open new accounts. This new beneficial ownership information registration requirement only includes the smallest legal entities, existing legal entities have two years to provide their owners’ information, and, most importantly, financial institutions have limited access to the registry as they need their customer’s approval to access the customer’s information. The differences between the existing rule and new law are recognized in subsection (B), which directs the Secretary to “account for the access of financial institutions to beneficial ownership information filed by reporting companies under section 5336 … in order to confirm the beneficial ownership information provided directly to the financial institutions to facilitate the compliance of those financial institutions with” AML, CFT, and CDD requirements.

Division H – Other Matters, Title XCVII, Subtitles A, B

  • Subtitle A – Kleptocracy Asset Recovery Rewards Act
  • Subtitle B – Combating Russian Money Laundering Act

Appendix A – Corporate Transparency Act – Congressional Comments

House Congressional Record from December 8, 2020 CREC-2020-12-08-pt1-PgH6919-3.pdf (congress.gov) at pages H6932-6933 (bold red font has been added for emphasis, and the footnote has been added from the original text):

Mr. MCHENRY. Mr. Speaker, I rise in support of the conference report to the National Defense Authorization Act for fiscal year 2021. Combating illicit finance and targeting bad actors is a nonpartisan issue. However, Congress’ actions must be thoughtful and data driven. An example of this is H.R. 2514, the COUNTER Act, which is included in this conference report. Division G is a compilation of bipartisan policies that will modernize and reform the Bank Secrecy Act and anti-money laundering regimes. These policies will strengthen the Department of Treasury’s financial intelligence, anti-money laundering, and counter terrorism programs.

I would like to thank Chairman CLEAVER and Ranking Member STIVERS for their work on this bill and the language included in Division G. In addition to Division G, the conference report contains an amendment replacing the text of H.R. 2513, the Corporate Transparency Act, with new legislation. H.R. 2513, which passed the House on October 22, 2019, and again as an amendment to H.R. 6395 on July 21, 2020, attempted to establish a new beneficial ownership information reporting regime to assist law enforcement in tracking down terrorists and other bad actors who finance terrorism and illicit activities. But, it did so to the detriment of America’s small businesses.

Beneficial ownership information is the personally identifiable information (PII) on a company’s beneficial owners. This information is currently collected and held by financial institutions prior to a company gaining access to our financial system.

However, bad actors and nation states, such as China and Russia, are becoming more proficient in using our financial system to support illicit activity. As bad actors become more sophisticated, so to must our tools to deter and catch them. One such tool is identifying the beneficial owners of shell companies, which are used as fronts to launder money and finance terrorism or other illicit activity. Beneficial ownership information assists law enforcement to better target these bad actors.

Although well-intentioned, H.R. 2513 had numerous deficiencies in its reporting regime. First, H.R. 2513 placed numerous reporting and costly reporting requirements on small businesses. It lacked protections to properly protect small businesses’ personal information stored with a little-known government office within the Department of Treasury—known as FinCEN. The bill authorized access to this sensitive information without any limitation on who could access the information and when it could be accessed. Finally, it failed to hold FinCEN accountable for its actions.

The text of H.R. 2513 is replaced with new language that I negotiated, along with Senate Banking Committee Chairman CRAPO. This substitute, which is reflected in Division F of the conference report, is a significant improvement over the House-passed bill in three key areas.

First, Division F limits the burdens on small businesses. Unlike H.R. 2513, the language included in the conference report protects our nation’s small businesses. It prevents duplicative, burdensome, and costly reporting requirements for beneficial ownership data from being imposed in two ways. It rescinds the current beneficial ownership reporting regime set out in 31 CFR 1010.230 (b)–(j), which is costly and burdensome to small businesses. Rescinding these provisions ensures that it cannot be used in a future rule to impose another duplicative, reporting regime on America’s small businesses. In addition, Division F requires the Department of Treasury to minimize the burdens the new reporting regime will have on small businesses, including eliminating any duplicative requirements.

House Republicans ensured the directive to minimize burdens on small businesses is fulfilled. Division F directs the Secretary of the Treasury to report to the House Committee on Financial Services and the Senate Committee on Banking annually for the first three years after the new rule is promulgated. The report must assess: the effectiveness of the new rule; the steps the Department of Treasury took to minimize the reporting burdens on reporting entities, including eliminating duplicative reporting requirements, and the accuracy of the new rule in targeting bad actors. The Department of Treasury is also required to identify the alternate procedures and standards that were considered and rejected in developing its new reporting regime. This report will help the Committees understand the effectiveness of the new rule in identifying and prosecuting bad actors. Moreover, it will give the Committees the data needed to understand whether the reporting threshold is sufficient or should be revised.

Second, Division F includes the strongest privacy and disclosure protections for America’s small businesses as it relates to the collection, maintenance, and disclosure of beneficial ownership information. The new protections set out in Division F ensure that small business beneficial ownership information will be protected just like an individual’s tax return information. The protections in Division F mirror or exceed the protections set out in 26 U.S.C. 6103, including:

  1. Agency Head Certification. Division F requires an agency head or designee to certify that an investigation or law enforcement, national security or intelligence activity is authorized and necessitates access to the database. Designees may only be identified through a process that mirrors the process followed by the Department of Treasury for those designations set out in 26 U.S.C. 6103.
  2. Semi-annual Certification of Protocols. Division F requires an Agency head to make a semi-annual certification to the Secretary of the Treasury that the protocols for accessing small business ownership data ensure maximum protection of this critically important information. This requirement is non-delegable.
  3. Court authorization of State, Local and Tribal law enforcement requests. Division F requires state, local and tribal law enforcement officials to obtain a court authorization from the court system in the local jurisdiction. Obtaining a court authorization is the first of two steps state, local and tribal governments must take prior to accessing the database. Separately, state, local and tribal law enforcement agencies must comply with the protocols and safeguards established by the Department of Treasury.
  4. Limited Disclosure of Beneficial Ownership Information. Division F prohibits the Secretary of Treasury from disclosing the requested beneficial ownership information to anyone other than a law enforcement or national security official who is directly engaged in the investigation.
  5. System of Records. Division F requires any requesting agency to establish and maintain a system of records to store beneficial ownership information provided directly by the Secretary of the Treasury.
  6. Penalties for Unauthorized Disclosure. Division F prohibits unauthorized disclosures. Specifically, the agreement reiterates that a violation of appropriate protocols, including unauthorized disclosure or use, is subject to criminal and civil penalties (up to five years in prison and $250,000 fine).

Third, Division F contains the necessary transparency, accountability and oversight provisions to ensure that the Department of Treasury promulgates and implements the new beneficial ownership reporting regime as intended by Congress. Specifically, Division F requires each requesting agency to establish and maintain a permanent, auditable system of records describing: each request, how the information is used, and how the beneficial ownership information is secured. It requires requesting agencies to furnish a report to the Department of Treasury describing the procedures in place to ensure the confidentiality of the beneficial ownership information provided directly by the Secretary of the Treasury.

Separately, Division F requires two additional audits. First, it directs the Secretary of Treasury to conduct an annual audit to determine whether beneficial ownership information is being collected, stored and used as intended by Congress. Separately, Division F directs the Government Accountability Office to conduct an audit for five years to ensure that the Department of Treasury and requesting agencies are using the beneficial ownership information as set out in Division F. This is the same audit that GAO conducts as it relates to the Department of Treasury’s collection, maintenance and protection of tax return information. This information will ensure that Congress has independent data on the efficacy of the reporting regime and whether confidentiality is being maintained.

Division F also requires the Department of Treasury to issue an annual report on the total number of court authorized requests received by the Secretary to access the database. The report must detail the total number of court authorized requests approved and rejected and a summary justifying the action. This report to Congress will ensure the Department of Treasury does not misuse its authority to either approve or reject court authorized requests.

Finally, Division F requires the Director of FinCEN, who is responsible for implementing this reporting regime, to testify annually for five years. This testimony is critical. For far too long FinCEN has evaded any type of congressional check on its activities. Yet, it has amassed a great deal of authority. Now, Congress will shine a light on its operations. It is my expectation that FinCEN will provide Congress with hard data on its effectiveness in targeting bad actors, including the effectiveness of this new authority to collect, maintain, and use beneficial ownership information.

One final comment about the importance of FinCEN’s annual testimony. In the months leading up to the House’s consideration of H.R. 2513 last October, I sought data from FinCEN and from the Treasury Department, along with the Department of Justice, to better understand the need for this legislation. No such data was forthcoming. Rather, FinCEN gave anecdotes of very scary stories to justify the need for a new reporting regime. It is my expectation that FinCEN will provide Congress with the necessary data to justify this new reporting regime and the burdens it is placing on legitimate companies. I will conclude by thanking Chairwoman MALONEY for her work over the last twelve years on this issue and her willingness to work with me to strengthen this bill. I believe we have a better product. I urge my colleagues to support the conference agreement.

Endnotes

[1] https://docs.house.gov/billsthisweek/20201207/CRPT-116hrpt617.pdf

[2] The NDAA has broad, bipartisan support in both the House and the Senate. If the President vetoes the bill, as he has threatened to do, Congress can override the veto with a two-thirds super-majority vote in both chambers. More than two-thirds of the members of each chamber voted in favor of that chamber’s version of the bill. The Conference Report is the agreed-upon reconciliation of the two versions.

[3] See footnote 7 for an example of this anomaly of changing the title 31 laws and regulations but not the corresponding title 12 laws and regulations.

[4] US laws are available at https://uscode.house.gov

[5] In an article I published on October 28, 2019, I referred to the sometimes conflicting nature of these titles as “the clash of the titles”. See The Current BSA/AML Regime is a Classic Fixer-Upper … and Here’s Seven Things to Fix – RegTech Consulting, LLC

[6] Regulations are available at https://www.govinfo.gov/app/collection/cfr/2020

[7] There are also two titles in Division H (“Other Matters”) that also impact financial crimes, specifically kleptocracy and Russian money laundering. Those are described below.

[8] Records and reports that have a “high degree of usefulness” were also referenced in the two parts of title 12 – 12 USC s. 1829b and 12 USC Part 21, sections 1951-1959 – that, with 31 USC sections 5311-5314, 5316-5332, make up the Bank Secrecy Act. The AML Act is changing “high degree of usefulness” to “highly useful” in title 31, but not in title 12. That may be an oversight.

[9] In addition, Congress could have, but chose not to treat the Customer Identification Program, or CIP requirements, as a new fifth (or sixth) pillar or minimum standard. Subsection 5318(i) is the “customer identification program” section. It requires financial institutions to identify and verify accountholders, and for the Secretary to implement regulations for the minimum standards in doing so. The regulations set out whether and to what extent the eleven different types of financial institutions are to implement a formal customer identification program (for banks, broker dealers, mutual funds, and futures commission merchants in 31 CFR 1020, 1023, 1024, and 1026, respectively), or to implement some form of customer verification as part of their overall AML program (for casinos, MSBs, insurance companies, loan or finance companies, and government supervised entities in 31 CFR 1021, 1022, 1025, 1029, and 1030, respectively). Two of the eleven types of financial institutions, dealers in precious metals and credit card system operators, do not have to identify or verify the identity of customers. The result is that most financial institutions must have both an AML program and a Customer Identification Program: Congress had the opportunity to consolidate these two programs into one overall program but chose not to. It was a lost opportunity to further streamline the regulatory regime.

[10] See FinCEN Files – Reforming AML Regimes Through TSV SARs (Tactical or Strategic Value Suspicious Activity Reports) – RegTech Consulting, LLC

[11] FinCEN’s Proposed AML Program Effectiveness Rule – Comments of RegTech Consulting LLC – RegTech Consulting, LLC

[12] This was an interesting timeline: a GAO study on the effectiveness of the CTR regime, the utility of CTRs, and an analysis of the effects of raising the reporting threshold must begin no later than January 1, 2025 – four years from the passage of the AML Act! – and must be reported no later than December 31, 2025.

[13] Section 6506 is the only “study and report” section that specifically provides that (in this case) the GAO can contract out the study.

FinCEN’s Proposed AML Program Effectiveness Rule – Comments of RegTech Consulting LLC

The following comments to FinCEN’s Advance Notice of Proposed Rule Making (ANPRM) on AML Program Effectiveness were submitted by Jim Richards, founder and principal of RegTech Consulting LLC. The ANPRM was published in the Federal Register on September 17, 2020. It gave the public 60 days to submit comments. These comments were submitted on November 7, 2020.

Background on Jim Richards

Jim Richards is the principal and founder of RegTech Consulting LLC, a private consulting firm focused on providing strategic advice on all aspects of financial crimes risk management to AML software providers, financial technology start-ups, cannabis-related businesses, mid-size banks, and money services businesses. Mr. Richards is also a Senior Advisor to Verafin Inc., the leading provider of fraud detection and BSA/AML collaboration software for financial institutions in North America.

From 2005 through April 2018 Mr. Richards served as the BSA Officer and Director of Global Financial Crimes Risk Management for Wells Fargo & Co. As BSA officer, he was responsible for governance, training, and program oversight for BSA, anti-money laundering (AML), and sanctions for Wells Fargo’s global operations. As Director of Global Financial Crimes Risk Management, he was responsible for BSA, AML, counter-terrorist financing (CTF), external fraud, internal fraud and misconduct, the identity theft prevention program, global sanctions, financial crimes analytics, and high-risk customer due diligence.

Prior to his role with Wells Fargo, Mr. Richards was the AML operations executive at Bank of America. There, he was responsible for the operational aspects of Bank of America’s global AML and CTF monitoring, surveillance, investigations, and related SAR reporting. Mr. Richards represented Bank of America and Wells Fargo as a three-term member of the BSA Advisory Group (BSAAG). Mr. Richards was also a founding board member of ACAMS.

Prior to his 20-year career in banking, Mr. Richards was a prosecutor in Massachusetts, a barrister in Ontario, Canada, and a Special Constable with the Royal Canadian Mounted Police. He is the author of “Transnational Criminal Organizations, Cybercrime, and Money Laundering” (CRC Press 1998) Mr. Richards has a Bachelor of Commerce (BComm.) degree and Juris Doctorate (JD) from the University of British Columbia.

Introduction to the ANPRM

On September 17, 2020, the Financial Crimes Enforcement Network (FinCEN) published an Advance notice of proposed rulemaking (ANPRM) in the Federal Register (85 FR  58023, Docket Number 2020-20527), seeking “public comment on potential regulatory amendments to establish that all covered financial institutions subject to an anti-money laundering program requirement must maintain an ‘effective and reasonably designed’ anti-money laundering program [that] assesses and manages risk as informed by a financial institution’s risk assessment, including consideration of anti-money laundering priorities to be issued by FinCEN consistent with the proposed amendments; provides for compliance with Bank Secrecy Act requirements; and provides for the reporting of information with a high degree of usefulness to government authorities.”

The BSAAG and AML Effectiveness Working Group Recommendations

The ANPRM noted that the BSAAG created an Anti-Money-Laundering Effectiveness Working Group (AMLE WG) in June 2019 to develop recommendations for strengthening the national AML regime by increasing its effectiveness and efficiency. Apparently the AMLE WG worked to “identify regulatory initiatives that would allow financial institutions to reallocate resources to better focus on national AML priorities set by government authorities, increase information sharing and public-private partnerships, and leverage new technologies and risk-management techniques – and thus increase the efficiency and effectiveness of the nation’s AML regime” and came up with five broad categories of recommendations. These were endorsed by the BSAAG plenary in October 2019 and evaluated by FinCEN, resulting in the September 16, 2020 ANPRM.

I commend FinCEN Director Blanco and his staff, the BSAAG members, and the members of the AML Working Group for their thoughtfulness, hard work, and courage in making these recommendations and publishing the ANPRM.

With the ANPRM, FinCEN is seeking public comments on whether an effective and reasonably designed AML program should have three components:

  1. It assesses and manages risk as informed by a financial institution’s risk assessment, including consideration of anti-money laundering priorities to be issued by FinCEN consistent with the proposed amendments;
  2. It provides for compliance with Bank Secrecy Act requirements; and
  3. It provides for the reporting of information with a high degree of usefulness to government authorities.”

As the ANPRM noted, the intent of the regulatory amendments under consideration is “to modernize the regulatory regime to address the evolving threats of illicit finance, and provide financial institutions with greater flexibility in the allocation of resources, resulting in the enhanced effectiveness and efficiency of anti-money laundering programs.”

The notice has three substantive sections. Section II sets the stage, with a historical look at the BSA/AML laws and regulations, from the first Currency and Foreign Transactions Reporting Act of 1970 through the 2016 changes to the customer due diligence and beneficial ownership regulations. It then goes through the recent efforts of the BSA Advisory Group’s Effectiveness Working Group to modernize the AML regime, which culminated in five recommendations: developing and focusing on AML priorities, reallocating compliance resources, monitoring and reporting changes, enhancing information sharing, and advancing regulatory innovation. Those five recommendations were then taken up by FinCEN and incorporated into its proposed regulatory changes. Section III sets out those proposed changes, framed as the elements of an effective and reasonably designed AML program. The third substantive section, section IV, sets out the issues for comment: eleven questions to be answered.

A Startling Admission: There is no Regulatory Requirement for Financial Institutions to Have an Effective and Reasonably Designed AML Program

Perhaps the single most interesting part of the notice is in section III, where FinCEN writes “after consulting with the staffs of various supervisory agencies, and having considered the BSAAG recommendations and other BSA modernization efforts” FinCEN “is publishing this ANPRM seeking comment on whether it is appropriate to clearly define a requirement for an ‘effective and reasonably designed’ AML program in BSA regulations.” This last statement – whether it is appropriate to clearly define a requirement for an “effective and reasonably designed” AML program in BSA regulations – is, in fact, a startling admission. For years financial institutions have been fined billions of dollars, even charged criminally, for violating BSA regulations by failing to maintain and implement an AML program, and yet those regulations (apparently) do not clearly set out what is required for an effective and reasonably designed AML program.

The Crux of the ANPRM – Refocusing on the Singular Purpose of the BSA/AML Regime

Currently, the federal banking agencies (the Federal Reserve, FDIC, NCUA, and OCC) that supervise and examine approximately 10,000 banks and credit unions for AML program requirements, only look at whether the financial institution “has designed, implemented, and maintains an adequate BSA/AML compliance program that complies with BSA regulatory requirements.”[1] Those agencies’ field examiners are not instructed to determine whether the institution is providing timely, effective information to government authorities.

It can be fairly argued that parts of the first two components of FinCEN’s proposed requirement for an effective and reasonably designed AML program are already in place and being considered by the regulatory agencies: whether the institution’s program assesses and manages financial crimes risk as informed by its risk assessment and whether it provides for compliance with BSA requirements. It can equally be argued – indeed, it is irrefutable – that the regulatory agencies are not currently considering whether the institution’s program provides for the reporting of information with a high degree of usefulness to government authorities.

This third regulatory focus – whether the program actually provides for the reporting of information with a high degree of usefulness to government authorities – would be new. But this is not a new concept: indeed, the very purpose of the very first BSA/AML law, the Currency and Foreign Transactions Reporting Act of 1970, was to require financial institutions to keep records and file reports that “have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings”. This singular purpose, which I refer to as providing timely, effective information to government authorities, remains today: 31 USC section 5311 sets out the declaration of purpose:

It is the purpose of this subchapter (except section 5315) to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.

Over the years, notably with statutory and regulatory changes in 1986 and 1992 (discussed below), the singular purpose of the BSA/AML regime of providing timely, effective information to government authorities, has been overshadowed by, and then lost to, the programmatic compliance-focused regulatory requirements. This proposed change – of adding back the original purpose of the BSA – would bring the focus back, in part, on the very purpose of the BSA/AML regime: to provide timely, actionable information to government authorities.

FinCEN’s Request for Comments and Answers to Eleven Questions

In addition to seeking general comments concerning the potential rulemaking to incorporate a requirement for an “effective and reasonably designed” AML program into AML program regulations and to provide clarity on its application, FinCEN requested comments on eleven questions. I have set out those questions and provided comments (answers) where needed. Following those questions and comments/answers, I have provided a brief conclusion.

Question 1

Does this ANPRM make clear the concept that FinCEN is considering for an “effective and reasonably designed” AML program through regulatory amendments to the AML program rules? If not, how should the concept be modified to provide greater clarity?

The stated purpose of the ANPRM is clear, but operational clarity for financial institutions will only come if it is clear that the regulatory agencies examine to the regulations, and not to the regulatory expectations set out in the FFIEC BSA/AML Examination Manual (the Manual). FinCEN writes that it is “publishing this ANPRM seeking comment on whether it is appropriate to clearly define a requirement for an ‘effective and reasonably designed’ AML program in BSA regulations.” Later, FinCEN clarifies that it is considering regulatory amendments that would explicitly define an “effective and reasonably designed” AML program as one that has three elements:

  • Identifies, assesses, and reasonably mitigates the risks resulting from illicit financial activity — including terrorist financing, money laundering, and other related financial crimes — consistent with both the institution’s risk profile and the risks communicated by relevant government authorities as national AML priorities;
  • Assures and monitors compliance with the recordkeeping and reporting requirements of the BSA; and
  • Provides information with a high degree of usefulness to government authorities consistent with both the institution’s risk assessment and the risks communicated by relevant government authorities as national AML

The NPRM should make it clear that only the second element currently exists in both Titles 12 and 31 and their respective regulations, and that the first and third elements are new. For example, the purpose of 12 CFR § 21.21 “Procedures for monitoring Bank Secrecy Act (BSA) compliance” is described in 21.21(a):

“This subpart is issued to assure that all national banks and savings associations establish and maintain procedures reasonably designed to assure and monitor their compliance with the requirements of subchapter II of chapter 53 of title 31, United States Code, and the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR Chapter X.”

And subsection 21.21(c) provides, in part, that the bank “shall develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance” with subchapter II of chapter 53. So although the foundational purpose of the BSA regime – to have private sector financial institutions keep records and provide reports that have a “high degree of usefulness” to government authorities – there is nothing in the regulation(s) that speaks to that purpose. Rather, the purpose is to “assure and monitor compliance” with 31 CFR chapter X. What is the purpose of that regulation; or what does that regulation require?

The regulation, 31 CFR chapter X, provides the “how” to the “what” set out in the legislation, subchapter II of chapter 53 of title 31. Section 5311 is the declaration of purpose: “It is the purpose of this subchapter (except section 5315) to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.”

The program requirements are set out in section 5318(a) and (h):

5318. Compliance, exemptions, and summons authority

(a) General power of Secretary. – The Secretary of the Treasury may (except under section 5315 of this title and regulations prescribed under section 5315)

(2) require a class of domestic financial institutions or nonfinancial trades or businesses to maintain appropriate procedures to ensure compliance with this subchapter and regulations prescribed under this subchapter or to guard against money laundering;

*****

(h) Anti-money laundering programs.

(1) In general. – In order to guard against money laundering through financial institutions, each financial institution shall establish anti-money laundering programs, including, at a minimum

(A) the development of internal policies, procedures, and controls;

(B) the designation of a compliance officer;

(C) an ongoing employee training program; and

(D) an independent audit function to test programs.

(2) Regulations – The Secretary of the Treasury, after consultation with the appropriate Federal functional regulator (as defined in section 509 of the Gramm-Leach-Bliley Act), may prescribe minimum standards for programs established under paragraph (1) …

So the law provides what Congress intended when it comes to the Bank Secrecy Act: the overall purpose is to require certain reports or records where they have a high degree of usefulness to government authorities, and that purpose is met, in part, by requiring financial institutions to maintain appropriate procedures and establish AML programs to guard against money laundering. The law also provides that minimum standards for these programs are to be prescribed by the Secretary of the Treasury through regulations.

Those regulations are set out at 31 CFR chapter X. Chapter X includes general provisions required of all financial institutions (in section 1010) and then specific provisions for the eleven categories of financial institutions subject to the regulations (in sections 1020-1030) such as banks (1020), casinos (1021), MSBs (1022), etc. None of those sections includes a “purpose” statement, and none of them compel financial institutions to provide reports that have a high degree of usefulness to government authorities. None of them include the phrase “high degree of usefulness”.

Perhaps most important, though, none of the five full editions of the FFIEC BSA/AML Exam Manual, nor the 2016 and 2020 partial amendments, compel examiners to examine financial institutions on whether they provide reports that have a high degree of usefulness to government authorities or even include the phrase “high degree of usefulness”. Put another way, when conducting BSA examinations, neither FinCEN nor any of the financial regulatory agencies consider whether the institution is complying with the very purpose of the BSA.

To put this in perspective, the purpose of the Community Reinvestment Act (CRA) is to encourage financial institutions to help meet the credit needs of the communities in which they do business, including low- and moderate-income (LMI) neighborhoods. When conducting examinations of financial institutions’ CRA compliance, regulators will, in fact, look to whether those institutions are meeting the credit needs of the communities in which they do business, including low- and moderate-income (LMI) neighborhoods. Not so with the BSA: the purpose of the BSA is to require financial institutions to submit certain reports and keep certain records where they have a high degree of usefulness to government authorities, yet those institutions are not examined on whether the reports they submit or the records they keep have a high degree of usefulness to government authorities.

 Question 2

Are this ANPRM’s three proposed core elements and objectives of an “effective and reasonably designed” AML program appropriate? Should FinCEN make any changes to the three proposed elements of an “effective and reasonably designed” AML program in a future notice of proposed rulemaking?

As described above, FinCEN is considering regulatory amendments that would define an “effective and reasonably designed” program as one that:

  • Identifies, assesses, and reasonably mitigates the risks resulting from illicit financial activity, including terrorist financing, money laundering, and other related financial crimes, consistent with both the institution’s risk profile and the risks communicated by relevant government authorities as national AML priorities;
  • Assures and monitors compliance with the recordkeeping and reporting requirements of the BSA; and
  • Provides information with a high degree of usefulness to government authorities consistent with both the institution’s risk assessment and the risks communicated by relevant government authorities as national AML

The order of the three elements is important, as it suggests a priority. I suggest a reordering, or re-prioritization of the elements. I would begin with the very purpose of the BSA, which is for financial institutions to keep records, and submit reports, that provide a high degree of usefulness to law enforcement.

Also, only two of the three components have a “consistent with” provision. All three components should be risk-based. Also, the two components’ “consistent with” provisions are slightly different. The “identified, assesses, and reasonably mitigates the risks” component is to be consistent with an institution’s risk profile, while the “provides information” component is to be consistent with an institution’s risk assessment. A risk profile is based, in large part, on the assessment of the risks: both (all three) components should be the same, and the consistency should be against the institution’s risk profile rather than its risk assessment. The result would be this:

An “effective and reasonably designed” program as one that:

  • Provides information with a high degree of usefulness to government authorities;
  • Identifies, assesses, and reasonably mitigates the risks resulting from illicit financial activity, including terrorist financing, money laundering, and other related financial crimes; and
  • Assures and monitors compliance with the recordkeeping and reporting requirements of the BSA

consistent with both the institution’s risk profile and the risks communicated by relevant government authorities as national AML priorities.

As I wrote above, over the years, notably with statutory and regulatory changes in 1986 and 1992, the singular purpose of the BSA/AML regime of providing timely, effective information to government authorities, has been overshadowed by, and then lost to, the programmatic compliance-focused regulatory requirements. Those changes are worth describing.

The first change came about from the Money Laundering Control Act of 1986 (MLCA), PL 99–570, 100 Stat. 3207 (Oct. 27, 1986) was enacted to essentially solve two problems: customers of banks were avoiding the recordkeeping and reporting requirements by “structuring” their transactions, and financial institutions were ignoring their responsibilities to keep those records and file reports. The MLCA made structuring and money laundering crimes, and it required the federal regulatory agencies (1) to issue regulations for covered financial institutions to “establish and maintain procedures reasonably designed to assure and monitor the compliance” of such institutions with the reporting and some recordkeeping requirements of the BSA; and (2) to issue enforcement actions when those institutions fail to do so.

In its ANPRM, FinCEN writes that the MLCA “amended the BSA, underscoring the importance of reporting information with a high degree of usefulness to government authorities.” In fact, it did not. There is no mention of the importance of reporting information with a high degree of usefulness in the MLCA. And the effect of the new “procedures” regulations – and examination of and enforcement of those new regulations – was to begin the shift away from focusing on providing useful information to meeting regulatory, procedural regulations. The MLCA gave birth to two new industries: the professional money launderer, and the professional AML compliance officer.

The second change came about with the Annunzio-Wylie Anti-Money Laundering Act of 1992 (Annunzio-Wylie), Title XV of PL 102–550, 106 Stat. 3672 (Oct. 28, 1992). Annunzio-Wylie gave the industry the “four pillar program” requirements we are so familiar with today by authorizing Treasury to issue regulations requiring all financial institutions to maintain ‘‘minimum standards’’ of an AML program. The minimum standards, for both FinCEN and the banking agencies, require financial institutions to establish and maintain procedures “reasonably designed” to assure and monitor compliance with the requirements of the BSA and include (1) system of internal controls, (2) a BSA compliance officer, (2) independent testing, and (4) training. Like the MLCA, Annunzio-Wylie did not include references to providing information with a high degree of usefulness to law enforcement.

Title III of the Patriot Act (the International Counter Money Laundering and Anti-Terrorist Financing Act, part of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, PL 107-56, 115 Stat. 272 (Oct. 26, 2001) did remind the industry of the importance of providing information with a high degree of usefulness to government agencies. Since 1970, the purpose of the BSA (set out in 31 USC s. 5311) had been to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings. With the horrific events of 9/11, that purpose was expanded: to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.

But that expanded purpose did not make it into the regulations – either the banking agencies’ regulations in Title 12 or FinCEN’s regulations in Title 31. And notwithstanding that expanded purpose, the Patriot Act added more program requirements, notably the customer identification program (CIP) requirements. Regulations followed roughly two years after the Patriot Act was signed into law; and in April 2005 the first of five FFIEC BSA/AML Examination Manuals was published. You will not find any instructions to regulatory agencies’ examiners in any of the Manuals that tells them to evaluate whether the financial institution is providing information with a high degree of usefulness to law enforcement. In fact, the phrase “high degree of usefulness” does not appear in the Manual, other than in Appendix D which is a list of the twenty-six types of financial institutions that are covered by the BSA and a twenty-seventh type that could be covered: “Any other business designated by the Secretary whose cash transactions have a high degree of usefulness in criminal, tax, or regulatory matters.” The irony, of course, is that if this other business is required to have a BSA program, and to keep records and provide reports on its cash transactions because they would have a high degree of usefulness in criminal, tax, or regulatory matters, it would not be examined on whether it did, in fact, provide reports of information with a high degree of usefulness. (and note to FinCEN: 31 USC 5312(a)(2)(Z) needs to be amended to add “, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.”).

Question 3

Are the changes to the AML regulations under consideration in this ANPRM an appropriate mechanism to achieve the objective of increasing the effectiveness of AML programs? If not, what different or additional mechanisms should FinCEN consider?

These proposed changes are an appropriate mechanism, primarily because they would shift the non-binding regulatory expectations from guidance documents and the BSA/AML Examination Manual, which do not have the force of law, to regulations, which do have the force of law and are enforceable. But more can and should be done.

 Question 4

Should regulatory amendments to incorporate the requirement for an “effective and reasonably designed” AML program be proposed for all financial institutions currently subject to AML program rules? Are there any industry-specific issues that FinCEN should consider in a future notice of proposed rulemaking to further define an “effective and reasonably designed” AML program?

FinCEN notes that, as regulations for different segments of the financial industry have been promulgated at different times in the past, such AML program regulations have evolved and, consequently, contain provisions that differ among the various industries subject to AML program requirements. For example, the AML program requirement for money services businesses (31 CFR 1022.210(a)) already contains an effectiveness component.[2] FinCEN invites comments from all covered industries subject to AML program regulations as to how a requirement for an “effective and reasonably designed” AML program would impact their industry. Furthermore, FinCEN invites comment as to whether any industry-specific modifications would be appropriate to consider in future rulemaking.

Question 5

Would it be appropriate to impose an explicit requirement for a risk-assessment process that identifies, assesses, and reasonably mitigates risks in order to achieve an “effective and reasonably designed” AML program? If not, why? Are there other alternatives that FinCEN should consider? Are there factors unique to how certain institutions or industries develop and apply a risk assessment that FinCEN should consider? Should there be carve-outs or waivers to this requirement, and if so, what factors should FinCEN evaluate to determine the application thereof?

Yes, it would be appropriate to impose a regulatory requirement that an effective and reasonably designed AML program is risk-based, and a formal risk assessment process determines the risks (and corresponding controls and whether those controls are addressing and mitigating those risks).

As the regulatory agencies noted in their September 11, 2018 Interagency Statement Clarifying the Role of Supervisory Guidance, “[u]nlike a law or regulation, supervisory guidance does not have the force and effect of law, and the agencies do not take enforcement actions based on supervisory guidance. Rather, supervisory guidance outlines the agencies’ supervisory expectations or priorities and articulates the agencies’ general views regarding appropriate practices for a given subject area.”[3]

As set out above, 31 CFR Part X includes specific requirements for eleven classes of financial institutions. As summarized in the table below, six of the eleven classes already have requirements for risk-based AML programs, while all eleven have either explicit and risk-based Customer Identification Program (CIP) requirements or embed risk-based customer identification requirements in the internal control pillar of the AML program requirement.

A reasonably simple solution is to adopt and, where necessary, adapt the current risk-based program requirements to those financial institution types that currently do not have them.

Question 6

Should FinCEN issue Strategic AML Priorities, and should it do so every two years or at a different interval? Is an explicit requirement that risk assessments consider the Strategic AML Priorities appropriate? If not, why? Are there alternatives that FinCEN should consider?

The only reason a risk assessment would consider strategic AML priorities is for the institution to then adapt its program and underlying controls to those priorities. Programmatic and control changes can take years to design, test, and implement, and perfect. Requiring programs and controls to adapt to bi-annual changes to FinCEN’s strategic AML priorities will never allow an institution to actually implement a program. Any “strategic” priorities have to be priorities over a five year or longer time period; otherwise they are tactical.

And what are these national or strategic priorities? The most recent were set out in Treasury’s 2020 National Strategy for Combating Terrorist and Other Illicit Financing (February 6, 2020). That national strategy described ten vulnerabilities: lack of beneficial ownership requirements at the time of company formation, lack of BSA regulations impacting real estate professionals and key gatekeepers such as attorneys and accountants, correspondent banking, cash, complicit professionals, compliance weaknesses at regulated financial institutions, digital assets, MSBs, securities broker/dealers, and casinos. The national strategy listed three key priorities: (1) increase transparency and close legal framework gaps for beneficial ownership, real estate, and digital assets; (2) continue to improve the efficiency and effectiveness of the regulatory framework; and (3) enhance the current AML/CFT operational framework.

 Question 7

Aside from policies and procedures related to the risk-assessment process, what additional changes to AML program policies, procedures, or processes would financial institutions need to implement if FinCEN implemented regulatory changes to incorporate the requirement for an “effective and reasonably designed” AML program, as described in this ANPRM? Overall, how long of a period should FinCEN provide for implementing such changes?

Any regulatory change requires a financial institution to assess the change, determine the policy, systems/technology, and personnel changes that would need to be made, and determine the costs of and time needed to implement those changes across all of the businesses, delivery channels, and customer groups of the institution. For the very small percentage of financial institutions that have international operations, the non-US jurisdictional regulatory impacts must also be determined, and any changes made.

As FinCEN did with the beneficial ownership rule, I would provide a two-year implementation period.

Question 8

As financial institutions vary widely in business models and risk profiles, even within the same category of financial institution, should FinCEN consider any regulatory changes to appropriately reflect such differences in risk profile? For example, should regulatory amendments to incorporate the requirement for an “effective and reasonably designed” AML program be proposed for all financial institutions within each industry type, or should this requirement differ based on the size or operational complexity of these financial institutions, or some other factors? Should smaller, less complex financial institutions, or institutions that already maintain effective BSA compliance programs with risk assessments that sufficiently manage and mitigate the risks identified as Strategic AML Priorities, have the ability to “opt in” to making changes to AML programs as described in this ANPRM?

No comments.

Question 9

Are there ways to articulate objective criteria and/or a rubric for examination of how financial institutions would conduct their risk-assessment processes and report in accordance with those assessments, based on the regulatory proposals under consideration in this ANPRM?

In the narrative to this question, FinCEN wrote:

“FinCEN appreciates that, in order for the regulatory proposals as described in this ANPRM to achieve the objective of increased effectiveness of the overall U.S. AML regime, the supervisory process must support and reinforce this objective. Indeed, FinCEN has consulted with the staffs of various Federal supervisory agencies in developing this ANPRM, and FinCEN requests comments on how the supervisory regime could best support the objectives as identified in this ANPRM.”

So we know that FinCEN has consulted with the staffs of various Federal supervisory agencies, but we don’t know the nature of, or results from, those consultations. This question can only be answered by those supervisory agencies: are they going to support and reinforce the objective of increased effectiveness of the overall US AML regime, or keep the status quo?

Question 10

Are there ways to articulate objective criteria and/or a rubric for independent testing of how financial institutions would conduct their risk-assessment processes and report in accordance with those assessments, based on the regulatory proposals under consideration in this ANPRM?

I would defer to auditors on how they can set out objective criteria or a statement of purpose (rubric) on how they would independently test a more formalized, regulatory-driven risk assessment process.

Question 11

A core objective of the incorporation of a requirement for an “effective and reasonably designed” AML program would be to provide financial institutions with greater flexibility to reallocate resources towards Strategic AML Priorities, as appropriate. FinCEN seeks comment on whether such regulatory changes would increase or decrease the regulatory burden on financial institutions. How can FinCEN, through future rulemaking or any other mechanisms, best ensure a clear and shared understanding in the financial industry that AML resources should not merely be reduced as a result of such regulatory amendments, but rather should, as appropriate, be reallocated to higher priority areas?

I first became a BSA Officer at a large bank in the late 1990s, and continued as a BSA Officer until April 2018 at successively large financial institutions. The regulatory burden increased with each year, with each legislative change (there have been only two substantive regulatory changes in the last twenty years – in 2001 and 2004), each regulatory change, with every change in regulatory expectation and guidance (e.g., the five full editions of the BSA Exam Manuals from 2005 through 2014, and the partial changes to the Exam Manual in 2016 and 2020), and with heightened expectations from the increasing number and severity of regulatory sanctions and enforcement actions. The regulatory burden has never decreased. In fact, the single biggest risk a BSA Officer must manage today is regulator risk – managing the management of risk management so as not to incur MRAs, MRIAs, non-public Part 30 orders, or public enforcement actions.

The BSAAG AML Working Group’s first recommendation addresses this issue of how to ensure that resources are effectively allocated. The title of that first recommendation was “Developing and Focusing on AML Priorities”, and the Working Group “recommended that stakeholders refocus the national AML regime to place greater emphasis on providing information with a high degree of usefulness to government authorities based on national AML priorities, in order to promote effective outputs over auditable processes and to ensure clearer standards for measuring effectiveness in evaluating AML programs.”

But there is one critical aspect of this that does not appear to have been assessed, let alone resolved: in order for regulated financial institutions to be examined on how well they are providing information with a high degree of usefulness to government authorities, those government authorities will need to provide feedback on what information does, in fact, have a high degree of usefulness. Currently, there is no systemic way for law enforcement to provide feedback to institutions on whether a particular SAR or CTR (the two primary BSA reports), or any SAR or CTR, or any type of typology of SAR or CTR, provides information with a high degree of usefulness, and what type of use – tactical or strategic – that information has.

I have offered solutions on how law enforcement can (and should) provide feedback, principally through what I have described as “Tactical or Strategic Value” Suspicious Activity Reports, or TSV SARs. See https://regtechconsulting.net/uncategorized/fincen-files-reforming-aml-regimes-through-tsv-sars-tactical-or-strategic-value-suspicious-activity-reports/

The Working Group’s second recommendation dealt with BSA compliance resource reallocation, and recommended reducing or eliminating activities that are not required by law or regulation, make limited contributions to meeting risk-management objectives, and supply less useful information to government authorities. The Working Group concluded that resources freed from these activities could be reallocated to address areas of risk and national AML priorities. The Working Group specifically suggested that the application of existing model-risk-management guidance to AML systems be revised.

Revising existing model-risk-management guidance to AML systems assumes there is existing model-risk-management guidance to AML systems. But there isn’t any such guidance. The model risk management guidance – from 2000 and revised in 2011 – was never intended to be applied against AML systems. None of the five editions of the FFIEC Exam Manual, the four after the original 2000 guidance and the one following the 2011 revision of the guidance, make any reference to the model risk management guidance. If AML systems are to be subject to strict model governance, then that governance must be set out in binding regulation subject to public review and comment. And AML systems should not be subject to the same strict model governance requirements as Value-At-Risk models, liquidity models, or even consumer lending models. Nothing has more adversely impacted the ability of large financial institutions to fight financial crime, human trafficking, kleptocracy, nuclear proliferation, etc., as the strict, pedantic, dogmatic application of model risk governance.

Conclusion

I commend FinCEN, the members of the BSAA Advisory Group – particularly those members that served on the AML Working Group – for the hard work, collaboration, and courage it took to make and accept the recommendations and publish the Advance Notice of Proposed Rule Making.

Everyone in the public- and private-sector AML/CFT communities wants to (in the words of the AML Working Group) “identify regulatory initiatives that would allow financial institutions to reallocate resources to better focus on national AML priorities set by government authorities, increase information sharing and public-private partnerships, and leverage new technologies and risk-management techniques – and thus increase the efficiency and effectiveness of the nation’s AML regime.” As the BSA Exam Manual instructs us (at page 7):

“The BSA is intended to safeguard the U.S. financial system and the financial institutions that make up that system from the abuses of financial crime, including money laundering, terrorist financing, and other illicit financial transactions. Money laundering and terrorist financing are financial crimes with potentially devastating social and financial effects. From the profits of the narcotics trafficker to the assets looted from government coffers by dishonest foreign officials, criminal proceeds have the power to corrupt and ultimately destabilize communities or entire economies. Terrorist networks are able to facilitate their activities if they have financial means and access to the financial system. In both money laundering and terrorist financing, criminals can exploit loopholes and other weaknesses in the legitimate financial system to launder criminal proceeds, finance terrorism, or conduct other illegal activities, and, ultimately, hide the actual purpose of their activity.”

The Exam Manual then continues with this:

“Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. A sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.”

This is where I differ, and where I have directed most of my comments. Although a sound BSA/AML compliance program is important in deterring and preventing financial crime at or through banks and other financial institutions, the primary function of a program is providing timely, actionable information to law enforcement. I suggest the following:

“Banking organizations must provide government authorities with timely and effective reports of information that have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism, and in order to be able to do so must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. Providing timely, effective information that has a high degree of usefulness to government authorities is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.”

It is this shift from a inputs- or process-centric regime to an outputs- or results-centric regime that is reflected in the third leg (which I would make the first leg) of FinCEN’s proposed “effective and reasonably designed” AML program requirements.

Requiring financial institutions to provide timely, effective information that has a high degree of usefulness to government authorities is the singular purpose of the BSA.[4] If financial institutions are to be examined for their compliance with the BSA, and held accountable for failing to comply with the BSA, they must be examined on whether they are, in fact, providing timely, effective information that has a high degree of usefulness to government authorities. Today, they are not. Hopefully, in the near future, through the rule-making process that FinCEN has initiated, they will be. The result will be a more efficient and effective US AML regime that is better able to protect and defend individuals, communities, institutions, the financial system, and our homeland.

Thank you for the opportunity to comment.

Jim Richards

November 7, 2020

Endnotes

[1] April 15, 2020 revision to the FFIEC BSA/AML Examination Manual, page 18. This is a change from the 2014 Manual, which instructed examiners to “determine whether the bank has developed, administered, and maintained an effective program for compliance with the BSA and all of its implementing regulations.” Whether the standard is “adequate” or “effective”, examiners are not asked to determine whether the institution is providing timely, effective information to government authorities.

[2] Specifically, it provides that each money services business, as defined by §1010.100(ff), shall develop, implement, and maintain an effective anti-money laundering program. An effective anti-money laundering program is one that is reasonably designed to prevent the money services business from being used to facilitate money laundering and the financing of terrorist activities.

[3] On November 5, 2020 those same agencies published a Notice of Proposed Rule Making (85 FR 70512) seeking to codify the September 11, 2018 Interagency Statement.

[4] In fact, the proposed AML Act of 2020, an amendment to the proposed National Defense Authorization Act of Fiscal Year 2021, would amend 31 USC s. 5311 to add four additional “purposes” to the BSA to the current purpose of providing information that is highly useful to government agencies. The first of the four new purposes would be “to prevent the laundering of money and financing of terrorism through the establishment by financial institutions of reasonably designed risk-based programs.” The AML Act (section 5101) would also amend 31 USC s. 5318(h), the AML program requirement to reflect these changes in purpose.

Don’t Blame FinCEN – Congress Has Left it Underfunded for Years

In the last five years, FinCEN’s workload has gone up three times as much as its budget: if we care about preventing terrorist financing, human trafficking, and public corruption, Congress must fund our nation’s financial intelligence unit.

FinCEN is a bureau in the U.S. Department of the Treasury. The Director of FinCEN reports to the Under Secretary for Terrorism and Financial Intelligence (TFI). In carrying out its mission, FinCEN has numerous statutory areas of responsibility:

  1. Developing and issuing regulations under the Bank Secrecy Act (BSA);
  2. Enforcing compliance with the BSA in partnership with law enforcement and other regulatory partners;
  3. Serving as the U.S. Financial Intelligence Unit (FIU) and maintaining a network of information sharing with FIUs in 164 partner countries;
  4. Receiving millions of new financial reports each year;
  5. Securing and maintaining a database of over 300 million reports;
  6. Analyzing and disseminating financial intelligence to federal, state, and local law enforcement, federal and state regulators, foreign FIUs, and industry; and
  7. Bringing together the disparate interests of law enforcement, FIUs, regulatory partners, and industry.

What is FinCEN’s mission? According to its most recent Congressional budget justification and annual performance plan and report (Fiscal Year 2021) submitted earlier this year (see https://home.treasury.gov/system/files/266/12.-FinCEN-FY-2021-CJ.pdf), FinCEN’s mission statement is “to safeguard the financial system from illicit use, combat money laundering, and promote national security through the strategic use of financial authorities and the collection, analysis, and dissemination of financial intelligence.”

FinCEN has a daunting and important mission – to safeguard the financial system – and Congress has placed upon FinCEN many critical responsibilities in safeguarding the financial system, everything from developing and enforcing the regulations for tens of thousands of private sector entities, receiving millions of reports (actually, more than 20 million) intended to provide a high degree of usefulness to government authorities, safeguarding those reports, and analyzing those reports and getting information back to over 6,700 federal, state, local, and tribal law enforcement agencies (according to an FBI/DOJ notice published in the Federal Register on June 30, 2020).

With this daunting mission, and millions of reports to collect and analyze, tens of thousands of private sector entities to regulate, and thousands of law enforcement agencies to support, FinCEN must be a massive agency with an impressive budget.

Let’s take a look.

The first thing that should jump out at you, and will be a surprise to most people, is how small FinCEN is: less than 300 people and a budget that is eclipsed by many global banks’ financial crimes risk management departments. That aside, and clipped directly from the FY2021 budget request, this table shows FinCEN’s resource levels – people and budget – for six fiscal years and its requested resource levels for 2021. (FinCEN’s fiscal year – the federal government’s fiscal year – runs from October 1 to September 30). This table also shows FinCEN’s “workload output/activity”, or at least three measurable parts of its overall workload: (1) the total number of BSA reports filed each fiscal year, (2) the total number of Suspicious Activity Reports (SARs) each year (a subset of the total number of BSA reports), and (3) the number of people (generally law enforcement) who use, or access, FinCEN’s BSA database. What is not measured and shown here is the other work or output or activities FinCEN is responsible for (developing and enforcing BSA regulations and analyzing BSA reports and getting information back to law enforcement, for example).

A quick glance at this table suggests that the workload is going up: SARs have gone from just over 2 million in FY2015 to an estimated 3 million in FY2021; the total number of BSA reports continues to go up; and the number of BSA users has gone from 10,166 in FY2015 to an estimated 13,589 in FY2021.

Have FinCEN’s resources kept pace with its workload?

This is an important question. The recent “FinCEN Files” release by Buzzfeed News and the International Consortium of Investigative Journalists (ICIJ) has caste a very negative spotlight on some large global banks as being the reason for, or the facilitators of, financial crime and corruption. Those stories have resulted in calls to reform what the media and others are calling a broken, ineffective, and inefficient regime. Although the journalists haven’t focused on FinCEN, it too has been receiving some unwarranted attention. Questions are being asked: banks and other financial institutions are reporting all this suspicious activity, so what is FinCEN doing about it?

FinCEN’s resources are not keeping pace with its workload.

I reformatted FinCEN’s budget numbers in order to better compare the annual resource numbers with the workload numbers. Given the FinCEN Files focus on Suspicious Activity Reports (SARs), I’ve highlighted those:

What appears obvious from this is that the number of SARs has gone up about three times as fast as FinCEN’s resources: SARs are up almost 35% in five years, but FinCEN’s staffing has gone up just 9% and its overall budget has gone up just 12.5%. FinCEN’s resources aren’t keeping pace with its workload.

FinCEN has received more than 2 million SARs in each of the last six years … or has it?

This is not a criticism of FinCEN. But when I saw those numbers in the budget request, I paused. FinCEN has a “SAR Stats” feature that allows the public to access FinCEN’s data on the number of SARs filed, by what type of filers, when, for what kind of suspicious activity, etc. It’s a great resource, and I use it a lot, and didn’t recall seeing more than 2 million SARs as far back as 2015. So I went back into the SAR Stats page …

… and I exported the total number of SARs filed, by month, for the entire period of available data – January 2014 through August 2020. Here’s what FinCEN provided (reformatted):

These are the actual numbers exported from the FinCEN website (with the exception of September 2020, which isn’t yet available: I estimated the number of SARs filed for that one month). At first glance one can see that not all six fiscal years had more than 2 million filed SARs. So I put the two sets of data – the 2021 budget submission and the FinCEN SAR Stats – together for easier comparison:

I can’t explain the differences – there is likely a reason why the two sets of SAR data are different. But both show an increase in the number of SARs filed over the last five fiscal years that is triple the increase in FinCEN’s resources that are available to manage those SARs, analyze them, and disseminate actionable intelligence back to more than 6,000 law enforcement agencies in order to protect our financial system.

Congress must support the fight against financial crime

If Congress is serious about fighting financial crime and protecting our financial system, it must provide FinCEN with the appropriate resources. So far it has failed to do so.

Enforcing AML Laws: Significant Potential for Money Laundering? Or Potential for Significant Money Laundering?

On August 13 the federal banking agencies issued a joint statement on updates to their guidance on enforcing BSA/AML requirements. See https://www.fdic.gov/news/press-releases/2020/pr20091a.pdf. There is some new language that may be relevant for most financial institutions.

The FDIC and OCC press releases provided that the joint statement is:

… updating their existing enforcement guidance to enhance transparency regarding how they evaluate enforcement actions that are required by statute when financial institutions fail to meet Bank Secrecy Act/anti-money laundering (BSA/AML) obligations. The statement clarifies that isolated or technical violations or deficiencies are generally not considered the kinds of problems that would result in an enforcement action. The statement also addresses how the agencies evaluate violations of individual components (known as pillars) of the BSA/AML compliance program. It also describes how the agencies incorporate the customer due diligence regulations and recordkeeping requirements issued by the U.S. Department of the Treasury as part of the internal controls pillar of the financial institution’s BSA/AML compliance program. The statement, issued by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency, updates and supersedes the Interagency Statement on Enforcement of BSA/AML Requirements issued on July 19, 2007, to promote a consistent approach to the application of Section 8(s) of the Federal Deposit Insurance Act and Section 206(q) of the Federal Credit Union Act. The Financial Crimes Enforcement Network simultaneously issued a “Statement on Enforcement of the Bank Secrecy Act” that sets forth its approach to enforcement in circumstances of non-compliance with the BSA.

In fact, FinCEN didn’t issue its statement until August 18th. The FinCEN press release provides:

As the primary regulator and administrator of the Bank Secrecy Act (BSA), the Financial Crimes Enforcement Network (FinCEN) today issued a statement that sets forth its approach to enforcing the rules and regulations within the BSA. Through this statement, FinCEN aims to provide clarity and transparency to its approach when contemplating compliance or enforcement actions against covered financial institutions that violate the BSA.  Today’s statement outlines the administrative actions available to FinCEN, and provides an overview of the information FinCEN analyzes in order to determine the appropriate outcome to violations of the BSA.  FinCEN also encourages financial institutions to voluntarily and promptly report violations, and to candidly and completely cooperate with any investigation. “FinCEN is committed to being transparent about its approach to BSA enforcement.  It is not a ‘gotcha’ game,” said FinCEN Director Kenneth A. Blanco.  “The information required by the BSA saves lives, and protects our communities and people from harm.  It is a national security issue.” The statement describes FinCEN’s enforcement authorities, dispositions, and the factors it evaluates in determining the appropriate response and enforcement of BSA violations.

FinCEN’s statement is very different than the prudential regulators’ statement. FinCEN sets out the six possible actions it can take – from no action, to a civil money penalty, to referring a matter for criminal prosecution – and the ten factors it will take into consideration when assessing possible violations. The key factors are:

  1. Nature and seriousness of the violations;
  2. Pervasiveness of wrongdoing within an entity, including management’s complicity in, condoning or enabling of, or knowledge of the conduct underlying the violations;
  3. History of similar violations, or misconduct in general, including prior criminal, civil, and regulatory enforcement actions;
  4. Presence or absence of prompt, effective action to terminate the violations upon discovery, including self-initiated remedial measures;
  5. Timely and voluntary disclosure of the violations to FinCEN;
  6. Quality and extent of cooperation with FinCEN and other relevant agencies, including as to potential wrongdoing by its directors, officers, employees, agents, and counterparties.

Number 6 is important: FinCEN expects that institutions’ cooperation includes identifying potential individual wrongdoers. This is consistent with federal criminal prosecution. The Department of Justice Manual includes a lengthy section on the criminal prosecution of companies, and that (i) prosecutors should first consider the criminal liability of those involved in or responsible for the criminal activity of the company; and (ii) a company cannot get “cooperation credit” without providing to the DOJ the names and particulars of all those employees (or directors) involved in or responsible for the conduct in question. So here, FinCEN is letting financial institutions know that for those institutions to get cooperation credit they need to provide the names and particulars of the people involved in the regulatory violations.

But back to the prudential regulators’ updated and clarified guidance.

First, the prudential regulators did not include anything about the liability of directors, officers, or employees in their joint statement. They could have, as the statutory provision the agencies rely on – section 8(s) of the FDI Act, codified at 12 USC s. 1818(s) – allows for cease and desist orders, and civil money penalties, against institutions and against institution-affiliated parties.

Second, although the interagency statement indicated that it “updates and supersedes the Interagency Statement on Enforcement of BSA/AML Requirements issued on July 19, 2007”, it did not indicate that the 2007 statement has been part of the FFIEC BSA/AML Exam Manual since 2007. It is the current Appendix R in the 2014 edition of the Exam Manual.

Since the agencies indicated that the August 2020 statement updates and supersedes the 2007 statement, which is set out in Appendix R, I compared the August 2020 joint statement with Appendix R to see what differences there were (it’s pretty common for the agencies to publish a new statement or rule that is purported to simply update or clarify an existing statement or rule, when in fact there are substantive changes). There were many small changes in wording, and the 2020 joint statement incorporates the new customer due diligence and beneficial ownership rules that were issued in May 2016. The 2020 joint statement included two new examples of when a mandatory cease and desist order would issue: both of those are particularly relevant to financial institutions.

The first addition relates to rapid foreign expansion. The second addition relates to a failure to resolve issues relating to customer risk rating. What is important is that these are additions to the existing language, which means they are key or at least current concerns of the regulators.

Rapid Foreign Expansion

“An institution would also be subject to a cease and desist order if the institution fails to implement a BSA/AML compliance program that adequately covers the required program components or pillars. For example, an institution rapidly expands its business relationships through its foreign affiliates and businesses:

  • without identifying its money laundering and other illicit financial transaction risks;
  • without an appropriate system of internal controls to verify customers’ identities, conduct customer due diligence, or monitor for suspicious activity related to its products and services;
  • without providing sufficient authority, resources, or staffing to its designated BSA officer to properly oversee its BSA/AML compliance program;
  • with deficiencies in independent testing that caused it to fail to identify problems; and
  • with inadequate training exemplified by relevant personnel not understanding their BSA/AML responsibilities.

Although these bullets are framed as failures (in the negative), they can be turned around and framed positively to provide a roadmap or checklist for an institution’s foreign expansion plans:

“For BANK NAME to continue to expand its business relationships through its foreign affiliates and businesses, it must implement a BSA/AML compliance program that adequately covers the required program components or pillars, including:

  • identifying its money laundering and other illicit financial transaction risks;
  • implementing an appropriate system of internal controls to verify customers’ identities, conduct customer due diligence; and monitor for suspicious activity related to the products and services;
  • providing sufficient authority, resources, and staffing to its designated BSA officer to properly oversee BANK NAME’s in-country and in-region BSA/AML compliance programs;
  • independent testing; and
  • adequate training exemplified by relevant personnel understanding their BSA/AML responsibilities.”

Failure to Resolve Issues Relating to Customer Risk Profiles

The joint statement provides:

“An Agency will ordinarily not issue a cease and desist order under sections 8(s) or 206(q) for failure to correct a BSA/AML compliance program problem unless the problems subsequently found by the Agency are substantially the same as those previously reported to the institution. For example, during a previous examination, an institution’s system of internal controls was considered inadequate as a result of substantive deficiencies related to customer due diligence and suspicious activity monitoring processes. Specifically, the institution had not developed customer risk profiles to identify, monitor, and report suspicious activities related to the institution’s higher-risk businesses lines. These substantive deficiencies were identified in the previous report of examination as a problem requiring board attention and management’s correction. The subsequent report of examination determined that management had not addressed the previously reported problem with the institution’s BSA/AML compliance program. Customer risk profiles remained undeveloped to identify, monitor, and report suspicious activity related to the institution’s higher-risk business lines. As a result, the institution would be subject to a cease and desist order for failure to correct a previously reported problem with its BSA/AML compliance program.”

This is important language for any financial institution: a financial institution’s end-to-end high risk customer management program must address the importance of having “customer risk profiles to identify, monitor, and report suspicious activities related to the institution’s higher-risk businesses lines”.

Other Changes

There was some curious language, or changes in language, in the section on when a mandatory C&D will issue. Note that this August 2020 Joint Statement was signed by the top lawyers at each of the regulatory agencies: lawyers choose their words very carefully, and any changes in wording are deliberate and thought out.

A mandatory cease and desist order will be issued in three situations: (1) where the institution fails to have a written program that adequately covers the pillars; (2) where the institution fails to implement that program; or (3) there are defects in one or more pillars of the program and those deficiencies are coupled with other aggravating factors (and both the 2020 joint statement and 2014 appendix R have four aggravating factors). The first aggravating factor was about suspicious activity creating a potential for money laundering or terrorist financing:

2014 Appendix R – “highly suspicious activity creating a significant potential for unreported money laundering or terrorist financing …”.

2020 Joint Statement – “highly suspicious activity creating a potential for significant money laundering, terrorist financing, or other illicit financial transactions …”.

Two points.

First, the modifier “highly” suggests that the regulators aren’t concerned about run-of-the-mill cases and SARs (or failure to open cases or file SARs) on low-end, low-dollar activity.

Second is the shift in what I’ll call the “likelihood and severity” of the activity. The old standard was a low likelihood but high severity: “a potential for significant money laundering”, while the new standard is a high likelihood but low severity: “significant potential for unreported money laundering”. It is unlikely that this difference in language will create a different regulatory experience and outcome, either for any one institution or all institutions, but it is interesting nonetheless, and seems to support the agencies’ statement “that isolated or technical violations or deficiencies are generally not considered the kinds of problems that would result in an enforcement action.”

Summary & Conclusion

No substantive or immediate changes are needed to most institution’s program. All institutions must remain vigilant around foreign expansion, and ensure AML/CFT controls “keep pace” with any foreign expansion. “Expansion” includes new products and services in existing jurisdictions, not just expansion into new jurisdictions. Also, don’t forget that in order to get cooperation credit from FinCEN or the Department of Justice, an institution will need to provide authorities with the names and particulars of all persons involved in or responsible for the impugned conduct. And that includes MLROs and BSA Officers.

A GAO Report on GTOs Reveals the Underlying Flaws In the Entire American BSA/AML Regime

The General Accountability Office, or GAO, issued a Report on August 14, 2020 titled “FinCEN Should Enhance Procedures for Implementing and Evaluating Geographic Targeting Orders”.[1] The Geographic Targeting Orders, or GTOs, subject to this report are a series of nine GTOs issued since 2016 targeting all-cash (or non-financed) purchases of residential real estate in certain areas of the country over a certain amount.

Most people will read this report for what it is – a full-fledged year-long, not-very-positive audit of FinCEN’s management of the real estate Geographic Targeting Order program. But the GTO program, and FinCEN’s management of it (which, by the way, I don’t think FinCEN got enough credit from the GAO for taking the initiative in the first place), are lesser issues than a single observation the GAO reported more than half way through (on page 22) the Report:

“Officials from five federal law enforcement agencies told us that their agencies do not systematically track the specific types of BSA reports used in investigations …”.

The GAO didn’t indicate which five federal law enforcement agencies these were, but the agencies interviewed for the Report were the DEA, FBI, ICE-HSI, IRS-CI, the DOJ’s Criminal Division, the US Attorneys Offices for the Southern District of New York and Southern District of Florida, FinCEN, and two task forces (OCDETF and El Dorado). So it’s likely that at least four of the five agencies that do not systematically track which Bank Secrecy Act or BSA reports are used in investigations are the “big four” of AML/CFT: the FBI, DEA, Homeland Security, and IRS.

Why is this important?

The entire purpose of the BSA regime is for the private sector to provide timely, actionable intelligence to law enforcement in order to protect the financial system, and society at large, from underlying criminal and terrorist activity. In the “Background” section of the Report, on page 5, the GAO explained the purpose behind the BSA:

“The BSA authorizes the Secretary of the Treasury to issue regulations requiring financial institutions to keep records and file reports the Secretary determines ‘have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.’ The Secretary also is authorized to impose AML program requirements on certain financial institutions. The authority of the Secretary to administer the BSA has been delegated to the Director of FinCEN.” [citations omitted][2]

Approximately 20 million BSA reports are filed by tens of thousands of private sector financial institutions every year: the most common are Currency Transaction Reports or CTRs (roughly 16 million) and Suspicious Activity Reports, or SARs (roughly 2.7 million). Those institutions are spending billions of dollars in running BSA programs intended to allow them to prepare and file those 20 million reports, and they face regulatory and even criminal sanctions for failing to maintain an adequate program or failing to detect and report suspicious activity or large currency transactions. And yet the primary users of those reports, the federal law enforcement agencies, “do not systematically track the specific types of BSA reports used in investigations …”.

It is time that the public sector consumers of BSA reports – primarily law enforcement agencies – provide feedback to the private sector producers of BSA reports – tens of thousands of financial institutions – on exactly which reports “have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism”. It’s not enough for the private sector to know anecdotally that the reports it is filing are generally useful to law enforcement. In this age of machine learning and artificial intelligence, financial institutions are using these tools to teach and train their monitoring, surveillance, and alerting systems that churn through millions or billions of customer, account, and transaction data, in an effort to be more effective and efficient. And all of those machine learning and artificial intelligence efforts are for naught if the private sector doesn’t have the training data needed to identify those reports that are providing tactical and/or strategic value. Training a surveillance and alerting system against the SARs that are filed is a fool’s errand if you don’t know whether that SAR has ever been looked at by law enforcement, whether it was useful, whether it provided tactical or strategic value.

Lack of Law Enforcement Feedback Is One of the Two Main Flaws in the US BSA/AML Regime: the Other is the Lack of Corporate Transparency

The United States does not have an effective beneficial ownership regime. Even the Treasury Secretary calls this a “glaring hole in our system”, and I have written about this on a number of occasions. See, for example, https://regtechconsulting.net/beneficial-ownership-customer-due-diligence/lack-of-beneficial-ownership-information-a-glaring-hole-in-our-system-says-treasury-secretary/. And this GAO Report includes a section on the lack of a true beneficial ownership regime (notwithstanding FinCEN’s 2016 rule on customer due diligence and beneficial ownership), and how a FATF-compliant beneficial ownership regime would enhance the US AML/CFT regime and be complimentary to the real estate GTO.

The other flaw, as described in this article, is lack of law enforcement feedback. I have been writing about this flaw in our system for years. See my article from November 2019 https://regtechconsulting.net/fintech-financial-crimes-and-risk-management/like-sam-loves-free-fried-chicken-law-enforcement-loves-free-suspicious-activity-reports-but-what-if-law-enforcement-had-to-earn-the-right-to-use-the-private-sector/ and my article from July 2020 https://regtechconsulting.net/aml-regulations-and-enforcement-actions/anti-money-laundering-act-of-2020-pay-to-play-arrives-and-perhaps-we-have-an-answer-to-the-whereabouts-of-section-314d/. Both of these articles reference other articles I’ve written on this subject. The July 2020 article offers some solutions.

This is not a criticism of law enforcement or the intelligence community. They simply haven’t had the means to provide feedback to the private sector. Bills, or provisions in bills, currently before Congress aim to address this issue and provide the means for the public sector to begin the process of providing feedback to the private sector. If the purpose of the multi-billion dollar anti-money laundering regime is to compel the private sector to provide law enforcement and the intelligence agencies with timely, actionable reports of cross-border flows of cash, foreign bank accounts, suspicious activity, possible terrorist financing activity, and large cash transactions, then it is incumbent on law enforcement and the intelligence agencies to provide feedback on which of those reports have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism. Without that feedback, both the private and public sector, and society at large, will fail in their collective efforts to keep our financial system safe and secure. And for law enforcement and the intelligence community to get the means to provide that feedback, it is incumbent on Congress to act and pass the necessary legislation.

We all know what needs to be done to make the BSA/AML regime more effective and more efficient. Now Congress must act.

[1] See GAO-20-546 available at https://www.gao.gov/assets/710/708115.pdf

[2] The language “high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism” is pulled directly from the purpose statement of the main “BSA” statute, 31 USC section 5311.

What Does It Take to Run a BSA Program? Not Much, According to the FDIC

Unfortunately, the FDIC’s estimate of the time and effort it takes to run a BSA/AML compliance program is … laughable.

Let’s start with some background information.

FDIC-Supervised Banks

There are about 5,200 FDIC-insured banks in the United States. And the FDIC is the primary regulator for about 3,340 of these banks – those that are “state-chartered”.

The FDIC has placed those banks into three buckets, based on their size (as measured by total assets of the bank. Note that loans are always the biggest category of asset that banks have on their books, and the asset “loans” is generally offset by the liability of “deposits” … balance sheets of most banks aren’t that complicated).

  • Small Institutions – are those with assets of less than $500 million. About 75% of state-chartered and FDIC-supervised banks, or 2,523 banks, are in this category. FDIC data suggests that the average bank in this category has 40 to 50 employees.
  • Medium Institutions – are hose with assets between $500 million and $10 billion. About 23% of state-chartered and FDIC-supervised banks, or 774 banks, are in this category. FDIC data suggests that the average bank in this category has about 270 employees.
  • Large Institutions – are those with assets of more than $10 billion. Only about 2% of state-chartered and FDIC-supervised banks, or 47 banks, are in this category. FDIC data suggests that the average bank in this category has about 2,500 employees.

One other bench mark. A full-time employee, or FTE, has about 250 work days in a year (52 weeks, 5 days a week, less 10 statutory or legal holidays). Let’s also assume they take four weeks vacation – so we’re at about 230 days.  At 8 hours a day, that’s 1,840 hours. To keep the math simple, let’s use 1,800 hours as the bench mark for how many hours any one employee, or FTE, has available in a year.

Bank Secrecy Act (BSA) Program Requirements

All financial institutions in the United States – banks, credit unions, broker dealers, insurance companies, check cashers, and more – are required to have written BSA compliance programs. The requirements around these programs are so onerous that the regulatory agencies have published a manual that gives their examiners a roadmap on how to examine or supervise those institutions to ensure they do, in fact, have adequate programs. That manual, the FFIEC BSA/AML Examination Manual, is now over 420 pages long.

What are the program requirements? As the FDIC notes, the banks it supervises must “establish and maintain procedures designed to monitor and ensure their compliance with the requirements of the Bank Secrecy Act and the implementing regulations promulgated by the Department of Treasury at 31 CFR Chapter X. Respondents must also provide training for appropriate personnel.” The Manual gives some more detail. Banks must do a risk assessment to understand their customer, product and service, and geographical risks. That risk assessment must be updated as the bank’s profile changes over time. Banks must also have a Customer Identification Program, or CIP. Banks must have a written, board-approved program that includes, at a minimum, certain “pillars” – preventive and detective controls, a BSA compliance officer, independent testing or auditing of the program, and training. And those preventive and detective controls include the ability to monitor for, and alert on, unusual activity, and to investigate and report suspicious activity.

How Much Time Does it Take to Build and Maintain a BSA Compliance Program?

Let’s use a “Medium” institution as a benchmark. Those are the 774 FDIC-supervised institutions that have about 270 employees, on average. We’ll also assume that they have a full-time BSA Officer with a staff of four people. Those five people are responsible for writing policies and procedures and distributing those down to the business and operations people; for establishing customer onboarding requirements; for setting up and maintaining the transaction monitoring systems; for generating and dispositioning any alerts from those systems; for investigating and reporting possible suspicious activity; for designing and conducting training for the other 265 employees; for managing the audits and FDIC examinations of the program; and for doing the required reporting to senior management and the board.

Those five people can’t do everything themselves. They depend on front-line staff to onboard customers and handle the documentation of transactions. They depend on the audit group for the independent testing. The in-house law department is likely involved and providing legal and compliance-related advice. So let’s assume that there may be 20 or 30 other people that spend 20% of their time managing one or more aspects of the BSA/AML compliance program. That’s another 5 FTE. So we’re up to 10 FTE.

10 FTE is 18,400 hours of time. And let’s not forget training. Assume that everyone goes through 1 hour of training a year. Now we’re up to 18,670 hours of time. It’s probably safe to build in a 5% +/- cushion, in case these estimates are off a little bit. And it makes the math easier. It’s fair to say that …

A medium-size bank will spend 20,000 hours a year running its BSA/AML compliance program

What about small and large banks? If we simply extrapolate the 20,000 hours for the average medium-sized bank out to the average small and large bank, we’d get the following estimates:

Small Bank – 3,700 hours or 2 FTE to run a BSA/AML compliance program

Medium Bank – 20,000 hours or 10 FTE to run a BSA/AML compliance program

Large Bank – 185,000 hours or 100 FTE to run a BSA/AML compliance program

What does the FDIC have to say about that?

According to the FDIC, a bank will spend between 35 and 450 hours a year running its BSA/AML compliance program!

What?

On June 2, 2020, the FDIC published a request for comment in the Federal Register – https://www.govinfo.gov/content/pkg/FR-2020-06-02/pdf/2020-11855.pdf. The FDIC, as part of its obligations under the Paperwork Reduction Act of 1995 (PRA), invited the general public and other Federal agencies to comment on the renewal of the then-existing burden on FDIC-supervised banks to “establish and
maintain procedures designed to monitor and ensure their compliance with the requirements of the Bank Secrecy Act and the implementing regulations promulgated by the Department of Treasury at 31 CFR Chapter X” and to “provide training for appropriate
personnel.”

At that time, here’s what the FDIC estimated were the burdens for its supervised banks:

As can be seen here, the FDIC estimated that the burden on 75% of its supervised banks – the smallest banks – was 35 hours a year. That’s one person spending less than one week a year to run a BSA/AML compliance program – all the policies, procedures, customer onboarding, monitoring, investigating, reporting, auditing, and examining. And for the largest banks, where, if you believe my estimate that it takes the equivalent of about 185,000 people-hours to run a BSA/AML compliance program, the FDIC estimates that it takes about 0.2% of that time to actually run the program.

There’s a disconnect.

But, as the FDIC points out in its most recent Federal Register notice, which will be formally published tomorrow (August 7, 2020) but is available today (August 6th), it didn’t receive any comments from the private or public sector about its estimates of the burden of running a BSA/AML compliance program! See https://s3.amazonaws.com/public-inspection.federalregister.gov/2020-17330.pdf

But there is still an opportunity to comment. The FDIC is giving us another 30 days to submit comments. I encourage people to do so.

Anti-Money Laundering Act of 2020 – “Pay to Play” Arrives and Perhaps We Have An Answer to the Whereabouts of Section 314(d)

The Senate Banking Committee’s top Republican (Senator Crapo from Idaho) and top Democrat (Senator Brown from Ohio) have joined forces to draft the Anti-Money Laundering Act of 2020 as an amendment to the National Defense Authorization Act. It takes some of what the House passed in HR2513, the Corporate Transparency Act, and replicates most of what the Senate has been horse-trading on with the ILLICIT CASH Act (S2563), and adds a few other provisions: 214 pages of provisions.

If enacted, it would be the biggest revision to the U.S. AML/CFT regime since the USA PATRIOT Act of 2001. The main legislation for the AML/CFT regime is found in Title 31 of the US Code. 31 USC 5311 (the purpose of the BSA) and 5318 (the program and reporting requirements) will materially change, four new sections (5333-5336) will be added, two new BSAAG subcommittees will be created, and of course a FinCEN database of beneficial ownership information will be created to house some legal entity beneficial ownership information (more on that in another article).

Anti-Money Laundering Act of 2020

The proposed AML Act of 2020 would be tacked on to the back end – Division E – of the 2021 Defense Appropriations bill. So the titles for the Act begin at title 51 – actually the Roman numeral LI. There are five titles:

  • Title LI – Strengthening Treasury Financial Intelligence, Anti-Money Laundering [AML], and Countering the Financing of Terrorism [CFT] Programs
  • Title LII – Modernizing the AML and CFT Systems
  • Title LIII – Improving AML and CFT Communication, Oversight, and Processes
  • Title LIV – Establishing Beneficial Ownership Reporting Requirements
  • Title LV – Miscellaneous

Section 5201 – Annual Reporting Requirements

This article focuses solely on section 5201 of Title LII. Why? It includes my long-sought-after SAR feedback from law enforcement, while at the same time resurrects the long-forgotten section 314(d) of the USA PATRIOT Act.

In a nutshell, section 5201 is a “pay to play” requirement imposed on law enforcement and the intelligence community. At requires the Attorney General, on behalf of federal and state prosecutors and law enforcement agencies, to deliver an annual report and, once every five years a broader long-term trending report, to the Secretary of the Treasury, setting out statistics, metrics, and other information on the use of BSA reports. The annual report must include:

  1. The frequency with which the BSA reports contains actionable information that leads to, among other things, actions by law enforcement agencies such as grand jury subpoenas, and actions by intelligence, national security, and homeland security agencies;
  2. Calculations on the time between the BSA reporting and the use of the data by law enforcement or intelligence agencies;
  3. An analysis of the transactions associations with the BSA reports, including whether the accounts were held by legal entities or persons, and any trends or patterns in cross-border activity;
  4. The number of legal entities and persons identified by the BSA reports;
  5. The extent to which arrests, indictments, convictions, etc., were related to the reports; and
  6. Data on state and federal investigations that resulted from the reports.

The five-year report would focus on longer-term trends, patterns and threats: retrospective trends and emerging patterns and threats.

And what would the Secretary of the Treasury do with these reports? That is covered by subsection (d) of section 5201, which provides that the Secretary shall use these reports

  1. To help assess the usefulness of BSA reports;
  2. “to enhance feedback and communications with financial institutions and other entities subject to the requirements under the BSA, including by providing more detail in the reports published and distributed under section 314(d) of the USA PATRIOT Act (31 USC s. 5311 note);
  3. to assist FinCEN in considering revisions to the reporting requirements promulgated under section 314(d) of the USA PATRIOT Act (31 USC s. 5311 note).

The result? This July 2020 proposed AML legislation would require the public sector consumers of BSA reports to provide feedback to the private sector producers of those reports – essentially a “pay to play” requirement, and that feedback would be through the almost 20-year old provision of the USA PATRIOT Act, section 314(d).

I’ve written about both of these things.

On July 30, 2019 I published an article titled “SAR Feedback? What Ever Happened to Section 314(d)?” See https://regtechconsulting.net/aml-regulations-and-enforcement-actions/sar-feedback-what-ever-happened-to-section-314d/ I wrote:

Wouldn’t it be great if Treasury published a report, perhaps semi-annually, that contained a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports (SARs) and investigations conducted by federal, state, and local law enforcement agencies (to the extent appropriate) and distributed that report to financial institutions that filed those SARs?

To get Treasury to do that, though, would probably require Congress to pass a law compelling it to do so.

Hold it. Congress did pass that law.  Almost 18 years ago. And, by all accounts, it’s still on the books. What happened to those semi-annual reports? When did they begin? If they began, when did they end?

Section 314(d) – Its Origins

What became 314(d) was introduced in the House version of what became the USA PATRIOT Act. The House version, the Financial Anti-Terrorism Act, was introduced on October 3, 2001. It was marked up by the House Financial Services Committee on October 11. The Senate version, originally titled the Uniting and Strengthening America Act, or USA Act, was introduced on October 4th and had sections 314(a) (public to private sector information sharing), 314(b) (cooperation among financial institutions, or private-to-private sector information sharing), and 314(c) (“rule of construction”). There was no 314(d) in that early version.

On October 17th, HR 3004, the Financial Anti-Terrorism Act, was passed by the House 412-1. Title II was “public-private cooperation”. Section 203 was:

“Reports to the Financial Services Industry on Suspicious Financial Activities – at least once each calendar quarter, the Secretary shall (1) publish a report containing a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports and investigations conducted by federal, state, and local law enforcement agencies to the extent appropriate; and (2) distribute such report to financial institutions as defined in section 5312 of title 31, US code.”

The Senate and House versions were reconciled, and on October 23rd the House Congressional Record shows a consideration of what was then the USA PATRIOT Act. That version of the bill then included what had been section 203 and was now 314(d). It was the same, except instead of a quarterly report it was a semi-annual report (“at least once each calendar quarter” was changed to “at least semiannually”).

SAR Activity Review – Was That The Answer to 314(d)?

The ABA has written, and at least one former FinCEN employee has stated that the “SAR Activity Review – Trends, Tips, and Issues” was the response to 314(d). The SAR Activity Reviews were excellent resources. They contained sections on SAR statistics, national trends and analysis, law enforcement cases, tips on SAR form preparation and filing, issues and guidance, and an industry forum. The first SAR Activity Review noted that it was published under the auspices of the BSAAG, was to be published semi-annually in October and April, and was “the product of a continuing collaboration among the nation’s financial institutions, federal law enforcement, and regulatory agencies to provide meaningful information about the preparation, use, and utility of SARs.”  Although that certainly sounds like it is responsive to section 314(d), there is no reference to 314(d).

And the first SAR Activity Review was published more than a year before 314(d) was passed. Even the first SAR Activity Review published after the enactment of the USA PATRIOT Act and section 314(d) – the 4th issue published on July 31, 2002 – didn’t make any reference to 314(d). Beginning with the 6th issue of the SAR Activity Review, published in October 2003, the authors broke out the statistics from the “Trends, Tips & Issues” document and published a separate, and more detailed, “SAR Activity Review – By The Numbers”. The last SAR Activity Review (the 23rd) and the last “By The Numbers” (the 18th) were published on April 30, 2013. None of those forty-one publications referenced 314(d). After the SAR Activity Reviews stopped, FinCEN continued to publish “SAR Statistics”, and did so three times from June 2014 through March 2017.  For the last few years, FinCEN has maintained SAR Stats on its website – https://www.fincen.gov/reports/sar-stats  – that is updated on a monthly basis. Those statistics are useful, but cannot be thought of as “containing a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports and investigations conducted by federal, state, and local law enforcement agencies to the extent appropriate”, quoting the 314(d) language.

Does Anyone Know What Happened to 314(d)?

I don’t have the answer to that question. Perhaps 314(d) is seen as satisfied by the accumulation of advisories, guidance, bulletins, etc., published by FinCEN and other Treasury bureaus and agencies and departments from time to time. Perhaps there is a Treasury Memorandum out there that I’m not aware of that provides a simple explanation. Perhaps not: most BSA/AML experts I speak with are not even aware of 314(d), and if the SAR Activity Review did satisfy the spirit and intent of 314(d), the last one was published more than six years ago. But everyone in the private sector BSA/AML risk management space has been clamoring for more feedback from law enforcement and FinCEN on the effectiveness and usefulness of their SAR filings. Perhaps a renewed (or any) focus on 314(d) is the answer.  The revival of 314(d) could give FinCEN the mandate they’ve been looking for to provide more valuable information to the private sector producers of Suspicious Activity Reports. We would all benefit.

Public Sector is Going to Have to Pay in Order to Play With the Private Sector’s BSA Reports

On November 21, 2019 I wrote an article titled “Like Sam Loves Free Fried Chicken, Law Enforcement Loves ‘Free’ Suspicious Activity Reports … But What If Law Enforcement Had to Earn the Right to Use the Private Sector’s ‘Free’ SARs?” See https://regtechconsulting.net/fintech-financial-crimes-and-risk-management/like-sam-loves-free-fried-chicken-law-enforcement-loves-free-suspicious-activity-reports-but-what-if-law-enforcement-had-to-earn-the-right-to-use-the-private-sector/. That article provided:

Eleven year-old Sam Caruana of Buffalo, New York waited outside a Chick-fil-A restaurant in the freezing cold in order to be one of the 100 people given free fried chicken for one year (actually, one chicken sandwich a week for fifty-two weeks). In a video that went viral (Sam Caruana YouTube – Free Chicken), young Sam explained that he simply loved fried chicken, and he’d stand in the cold for free fried chicken.

Just as Sam loves free fried chicken, law enforcement loves free Suspicious Activity Reports, or SARs. In the United States, over 30,000 private sector financial institutions – from banks to credit unions, to money transmitters and check cashers, to casinos and insurance companies, to broker dealers and investment advisers – file more than 2,000,000 SARs every year. And it costs those financial institutions billions of dollars to have the programs, policies, procedures, processes, technology, and people to onboard and risk-rate customers, to monitor for and identify unusual activity, to investigate that unusual activity to determine if it is suspicious, and, if it is, to file a SAR with the Treasury Department’s Financial Crimes Enforcement Network, or FinCEN. From there, hundreds of law enforcement agencies across the country, at every level of government, can access those SARs and use them in their investigations into possible tax, criminal, or other investigations or proceedings. To law enforcement, those SARs are, essentially, free. And like Sam loves free fried chicken, law enforcement loves free SARs. Who wouldn’t?

But should those private sector SARs, that cost billions of dollars to produce, be “free” to public sector law enforcement agencies? Put another way, should the public sector law enforcement agency consumers of SARs need to provide something in return to the private sector producers of SARs?

I say they should. And here’s what I propose: that in return for the privilege of accessing and using private sector SARs, law enforcement shouldn’t have to pay for that privilege with money, but with effort. The public sector consumers of SARs should let the private sector producers know which of those SARs provide tactical or strategic value.

A recent Mid-Size Bank Coalition of America (MBCA) survey found the average MBCA bank had: 9,648,000 transactions/month being monitored, resulting in 3,908 alerts/month (0.04% of transactions alerted), resulting in 348 cases being opened (8.9% of alerts became a case), resulting in 108 SARs being filed (31% of cases or 2.8% of alerts). Note that the survey didn’t ask whether any of those SARs were of interest or useful to law enforcement. Some of the mega banks indicate that law enforcement shows interest in (through requests for supporting documentation or grand jury subpoenas) 6% – 8% of SARs.

I argue that the Alert/SAR and even Case/SAR ratios are all of interest, but tracking to SARs filed is a little bit like a car manufacturer tracking how many cars it builds but not how many cars it sells, or how well those cars perform, how long they last, and how popular they are. And just like the automobile industry measuring how many cars are purchased, the better measure for AML programs is “SARs purchased”, or SARs that provide value to law enforcement.

Also, there is much being written about how machine learning and artificial intelligence will transform anti-money laundering programs. Indeed, ML and AI proponents are convinced – and spend a lot of time trying to convince others – that they will disrupt and revolutionize the current “broken” AML regime. Among other targets within this broken regime is AML alert generation and disposition and reducing the false positive rate. The result, if we believe the ML/AI community, is a massive reduction in the number of AML analysts that are churning through the hundreds and thousands of alerts, looking for the very few that are “true positives” worthy of being labelled “suspicious” and reported to the government. But the fundamental problem that every one of those ML/AI systems has is that they are using the wrong data to train their algorithms and “teach” their machines: they are looking at the SARs that are filed, not the SARs that have tactical or strategic value to law enforcement.

Tactical or Strategic Value Suspicious Activity Reports – TSV SARs

The best measure of an effective and efficient financial crimes program is how well it is providing timely, effective intelligence to law enforcement. And the best measure of that is whether the SARs that are being filed are providing tactical or strategic value to law enforcement. How do you determine whether a SAR provides value to law enforcement? One way would be to ask law enforcement, and hope you get an answer. That could prove to be difficult.  Can you somehow measure law enforcement interest in a SAR?  Many banks do that by tracking grand jury subpoenas received to prior SAR suspects, law enforcement requests for supporting documentation, and other formal and informal requests for SARs and SAR-related information. As I write above, an Alert-to-SAR rate may not be a good measure of whether an alert is, in fact, “positive”. What may be relevant is an Alert-to-TSV SAR rate.

A TSV SAR is one that has either tactical value – it was used in a particular case – or strategic value – it contributed to understanding a typology or trend. And some SARs can have both tactical and strategic value. That value is determined by law enforcement indicating, within seven years of the filing of the SAR (more on that later), that the SAR provided tactical (it led to or supported a particular case) or strategic (it contributed to or confirmed a typology) value.  That law enforcement response or feedback is provided to FinCEN through the same BSA Database interfaces that exist today – obviously, some coding and training will need to be done (for how FinCEN does it, see below). If the filing financial institution does not receive a TSV SAR response or feedback from law enforcement or FinCEN within seven years of filing a SAR, it can conclude that the SAR had no tactical or strategic value to law enforcement or FinCEN, and may factor that into decisions whether to change or maintain the underlying alerting methodology. Over time, the financial institution could eliminate those alerts that were not providing timely, actionable intelligence to law enforcement. And when FinCEN shares that information across the industry, others could also reduce their false positive rates.

FinCEN’s TSV SAR Feedback Loop

FinCEN is working to provide more feedback to the private sector producers of BSA reports. As FinCEN Director Ken Blanco recently stated:[1]

“Earlier this year, FinCEN began the BSA Value Project, a study and analysis of the value of the BSA information we receive. We are working to provide comprehensive and quantitative understanding of the broad value of BSA reporting and other BSA information in order to make it more effective and its collection more efficient. We already know that BSA data plays a critical role in keeping our country strong, our financial system secure, and our families safe from harm — that is clear. But FinCEN is using the BSA Value Project to improve how we communicate the way BSA information is valued and used, and to develop metrics to track and measure the value of its use on an ongoing basis.”

FinCEN receives every SAR. Indeed, FinCEN receives a number of different BSA-related reporting: SARs, CTRs, CMIRs, and Form 8300s. It’s a daunting amount of information. As FinCEN Director Ken Blanco noted in the same speech:

FinCEN’s BSA database includes nearly 300 million records — 55,000 new documents are added each day. The reporting contributes critical information that is routinely analyzed, resulting in the identification of suspected criminal and terrorist activity and the initiation of investigations.

“FinCEN grants more than 12,000 agents, analysts, and investigative personnel from over 350 unique federal, state, and local agencies across the United States with direct access to this critical reporting by financial institutions. There are approximately 30,000 searches of the BSA data taking place each day. Further, there are more than 100 Suspicious Activity Report (SAR) review teams and financial crimes task forces across the country, which bring together prosecutors and investigators from different agencies to review BSA reports. Collectively, these teams reviewed approximately 60% of all SARs filed.

Each day, law enforcement, FinCEN, regulators, and others are querying this data:  7.4 million queries per year on average. Those queries identify an average of 18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities, among many, many other uses that protect our nation from harm, help deter crime, and save lives.”

This doesn’t tell us how many of those 55,000 daily reports are SARs, but we do know that in 2018 there were 2,171,173 SARs filed, or about 8,700 every (business) day. And it appears that FinCEN knows which law enforcement agencies access which SARs, and when. And we now know that there are “18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities” every year. But which filings?

The law enforcement agencies know which SARs provide tactical or strategic value, or both. So if law enforcement finds value in a SAR, it should acknowledge that, and provide that information back to FinCEN. FinCEN, in turn, could provide an annual report to every financial institution that filed, say, more than 250 SARs a year (that’s one every business day, and is more than three times the number filed by the average bank or credit union). That report would be a simple relational database indicating which SARs had either or both tactical or strategic value. SAR filers would then be able to use that information to actually train or tune their monitoring and surveillance systems, and even eliminate those alerting systems that weren’t providing any value to law enforcement.

Why give law enforcement seven years to respond? Criminal cases take years to develop. And sometimes a case may not even be opened for years, and a SAR filing may trigger an investigation. And sometimes a case is developed and the law enforcement agency searches the SAR database and finds SARs that were filed five, six, seven or more years earlier. Between record retention rules and practical value, seven years seems reasonable.

Law enforcement agencies have tremendous responsibilities and obligations, and their resources and budgets are stretched to the breaking point. Adding another obligation – to provide feedback to the banks, credit unions, and other private sector institutions that provide them with reports of suspicious activity – may not be feasible. But the upside of that feedback – that law enforcement may get fewer, but better, reports, and the private sector institutions can focus more on human trafficking, human smuggling, and terrorist financing and less on identifying and reporting activity that isn’t of interest to law enforcement – may far exceed the downside.

Free Suspicious Activity Reports are great. But like Sam being prepared to stand in the freezing cold for his fried chicken, perhaps law enforcement is prepared to let us know whether the reports we’re filing have value.

Conclusion

As of this writing – July 3, 2020 – it remains to be seen whether the Anti-Money Laundering Act of 2020 will become law, or what parts of the Act will become law. But section 5201, which requires the public sector consumers of the BSA reports produced by the private sector to provide feedback to the private sector on the usefulness of those reports. This is a critically important, long-awaited development in the US AML/CFT regime.

For more on alert-to-SAR rates, the TSV feedback loop, machine learning and artificial intelligence, see other articles I’ve written:

The TSV SAR Feedback Loop – June 4 2019

AML and Machine Learning – December 14 2018

Rules Based Monitoring – December 20 2018

FinCEN FY2020 Report – June 4 2019

FinCEN BSA Value Project – August 19 2019

BSA Regime – A Classic Fixer-Upper – October 29 2019

[1] November 15, 2019, prepared remarks for the Chainalysis Blockchain Symposium, available at https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-kenneth-blanco-chainalysis-blockchain-symposium