Category: Beneficial Ownership & Customer Due Diligence

Corporate Transparency Act – There’s much that is Good, but there’s also some things that are Bad and other things that are downright Ugly

Many people are touting the proposed Anti-Money Laundering Act of 2020 (“AMLA2020”) and one of the titles of that Act, the Corporate Transparency Act, as the biggest change to American efforts to fight crime and corruption since the USA PATRIOT Act of 2001.

And they’re right. As a whole, the AMLA2020 will ultimately have the effect of shifting the US AML/CFT regime from a domestic-focused, regulator-versus-regulated, compliance inputs-based regime to an international, collaborative public/private sector, threat-focused, outputs-driven regime.

Just like Clint Eastwood in the classic Western “The Good, the Bad, and the Ugly”, that is all Good.

But like Lee Van Cleef, there is also some Bad, and unfortunately for the AMLA2020 (but fortunately for Eli Wallach) there is also some Ugly things that will reduce the impact and effectiveness of this new AML law. In fairness, regulations have yet to be issued, and regulations often address some of the bad and even ugly things in statutes.

This article looks at all aspects of the Corporate Transparency Act of 2020: the concept of “ultimate beneficial owner” and the so-called “Matryoshka doll” problem; the definitions of beneficial owner, applicant, and reporting company, and how those definitions differ from the current beneficial ownership rule; the new FinCEN identifier; the time that reporting companies have to report to FinCEN’s new database; the required information for beneficial owners and applicants; and who has access to the database.

The Good – the US gets a centralized, national registry of beneficial ownership information

Advocates celebrate major US anti-money laundering victory

Welcoming the clampdown, Transparency International’s U.S. director Gary Kalman said, “It is rare for such a simple measure to promise such an enormous impact.” Kalman added that the long sought anti-corruption reforms would “move us into a new era of enforcement.” The new legislation will allow law enforcement agencies and financial institutions to request company ownership information from FinCEN. The data will not be publicly available.

The Bad – Why exclude Money Transmitters and “Tall, Dark, and Handsome” Companies?

Under this new law, money transmitters have been added to the list of exempt entities (up to twenty-four from the current sixteen) that do not have to report their beneficial owner(s) or applicant. The rationale seems to be that they have to register with FinCEN already, so why register again? I discuss below why this doesn’t make sense and may create a loophole a money launderer can drive a truck through.

“Tall, Dark, and Handsome” is a reference to another new exception created by this law: a corporation or LLC that has 20 or more employees and more than $5 million in revenues and a physical office in the United States. These (very few, as it turns out) companies are the legal entity equivalent of (very rare!) men who are tall, dark, and handsome. Why they are not required to disclose their ultimate beneficial owners isn’t obvious to me: it’s discussed below.

(This is the second article I’ve written that includes the phrase “Tall, Dark, and Handsome” (see https://regtechconsulting.net/uncategorized/tall-dark-or-handsome-the-new-special-inspector-general-for-pandemic-recovery/). And this phrase, with its two commas, is an example of the use of the “Oxford comma”: the comma used after the penultimate item in a list of three or more items, before ‘and’ or ‘or’, to clearly indicate three items rather than two. I’ve also written an article on Oxford commas, see https://regtechconsulting.net/uncategorized/grave-danger-and-oxford-commas-words-and-punctuation-matter/).

The Ugly – There is very limited, and difficult, access to the central registry

Even if money transmitters and the “Tall, Dark, and Handsome” companies had to report their beneficial owners and applicant, there would still be very little transparency into those owners, or any other beneficial owners in the proposed FinCEN database. Financial institutions’ access to the database is severely restricted, and the punishing requirements imposed on federal, State, and Tribal government agencies to gain access to the information in the database may dissuade many of them from using it at all. Also ugly is the creation of the FinCEN identifier as a replacement for a Social Security Number, Drivers License number, or Passport number. I’m hedging on how ugly this actually is, though: regulations may turn what appears to be ugly into something pretty attractive.

Caution – the AMLA2020 Hasn’t Been Enacted Yet

The Corporate Transparency Act is one title (of five) within the AMLA2020, the AMLA2020 is one division (of seven) of the National Defense Authorization Act for Fiscal Year 2021 (the “NDAA”). The NDAA has been passed by the House and Senate with veto-proof majorities, and was sent to the President for his consideration on December 11th. As of this writing (December 20th) the President has not signed the NDAA and continues to indicate he will veto it. If he does veto it, it’s not known whether the House and Senate will have the votes or the time to override the veto.

Note: This article focuses only on the beneficial ownership or corporate transparency title of the AMLA2020. I have written an article describing all other aspects of the AMLA2020 (with a short section on beneficial ownership: see https://regtechconsulting.net/aml-regulations-and-enforcement-actions/aml-act-of-2020-renewing-americas-aml-cft-regime/).

Introduction to the Corporate Transparency Act – Title LXIV of the AMLA2020 adding 31 USC s. 5336

Section 6401 simply states “this title may be cited as the ‘Corporate Transparency Act’.” The comments to the conference report provide that “Division F is substantially similar to H.R. 2513, the Corporate Transparency Act of 2019, introduced by Representative [Carolyn] Maloney [Democrat] of New York.” In fact, Rep. Maloney has introduced a corporate transparency bill in every Congress since 2009: HR 6098 (111^th Congress), HR 3416 (112^th Congress), HR 3331 (113^th Congress), HR 4450 (114^th Congress), HR 2089 (115^th Congress), and HR 2513 (116^th Congress). Our collective thanks to Representative Maloney and her staff for their courage and perseverance.

Why has Rep. Maloney, and so many others, been pushing for corporate transparency? Among other reasons, Recommendation 24 of the Financial Action Task Force (FATF) requires legal entity transparency, including the disclosure of beneficial ownership. Since its first FATF Mutual Evaluation in 1996, and in every subsequent evaluation (2006 and 2016), the United States has been criticized for failing to meet this recommendation. Since at least 2008, with Senator Carl Levin’s (D. MI) Incorporation Transparency and Law Enforcement Assistance Act (S. 2956), corporate transparency bills have been introduced in Congress seeking to satisfy the FATF recommendations. They have all failed – until now. A good summary of why they’ve failed, and why this version of the Corporate Transparency Act is still quite limited in its scope and will be quite limited in its impact, is included in the comments of Congressman Patrick McHenry in Appendix A, below.

Section 6402 is the “Sense of Congress” section. This section provides, in part, that “most or all” of the 50 states that create about 2 million corporations and LLCs each year “do not require information about the beneficial owners”, that “malign actors seek to conceal their ownership” and that money launderers layer corporate structures across various secretive jurisdictions “much like Russian nesting ‘Matryoshka’ dolls.” With that ominous beginning, the section then continues with a statement that the beneficial ownership information “will be directly available only to authorized government authorities” and the database is intended to be “highly useful to national security, intelligence, and law enforcement agencies and Federal functional regulators”. There is no mention of making the information directly available to financial institutions or even having it benefit financial institutions.

The result is a national, centralized registry that is not accessible to the public and has limited value to financial institutions. The table to the right summarizes a review done by Transparency International on the types of national registries, as of October 2020: those with a central registry that is publicly accessible with no restrictions (green); central registry that is publicly accessible but is behind a paywall or with other restrictions (yellow); central registry that is not publicly accessible (yellow); no central registry but concrete steps are being taken to develop one (orange); and no central registry (red). I did not include all the countries listed in the “nothing” category as there are more than 150 that do not have such a registry. Currently, the United States is one of those lagging countries. With the AMLA2020 it will move form the lowest (red) tier up to the category of having a central registry that is not publicly accessible (yellow).

Ultimate Beneficial Owner – The Matryoshka Doll Problem

As Congress noted in section 6402 (above), most or all of the 50 states do not require information about the beneficial owners of the corporations and LLCs they create and register. So it currently isn’t difficult to mask the beneficial owner of a US-created or US-registered legal entity. But skilled and experienced money launderers and other criminal actors will create many layers that cross multiple jurisdictions in a bid to mask the true owners as much as possible. This is the “Matryoshka” doll visual – as seen by the (actual) Russian Matryoshka doll I have on my office bookshelf. In this visual, the “reporting company” is the largest doll on the left; the legal owner is the doll immediately to its right; and the ultimate beneficial owner, or UBO, is the smallest doll on the far right:

Figure 1 is taken from a March 2019 OECD “Beneficial Ownership Toolkit”. That toolkit provides “beneficial owners are always natural persons who ultimately own or control a legal entity or arrangement, such as a company, a trust, a foundation, etc. Figure 1 demonstrates how the use of a legal entity or arrangement can obscure the identity of a beneficial owner.” Figure 2 of the OECD toolkit show a more complex, nested series of arrangements that further distance the ultimate beneficial owner from the legal entity.

As Congress did in the Corporate Transparency Act, the OECD has identified these “nested” layers of entities that make it very difficult to identify the ultimate beneficial owner of a legal entity.[1] As explained below, however, Congress may have missed addressing this problem, or even made it worse by allowing ultimate beneficial owners of certain companies and money transmitters to be masked by intervening corporate entities. 

Beneficial Owner

The FATF has established the following definition of beneficial ownership:

“Beneficial owner refers to the natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal person or arrangement.”

The proposed definition of Beneficial Owner is in 31 USC s. 5336(a)(3). It defines Beneficial Owner as an individual who “directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise, (i) exercises substantial control or (ii) owns or controls not less than 25 percent of the ownership interests”. This is slightly different than the definition of beneficial owner in 31 CFR 1010.540(d), which begins with the so-called ownership prong, which is “25 percent or more of the equity interests of a legal entity customer” and then follows with the control prong: “a single individual with significant responsibility to control, manage, or direct a legal entity customer” including a CEO, CFO, or similar position. In addition, the current regulation includes the trustee of a trust that is a legal owner: the AMLA2020 does not include a trustee. Regulations to be promulgated within one year will need to reconcile these different definitions.

And both the existing regulation – 31 CFR section 1010.230(d)(3) – and the new law – 31 USC section 5336(b)(2)(B) – exempt certain types of legal entities from having to provide beneficial ownership information (these are discussed below). If any of these exempt entities directly or indirectly own 25 percent or more of the equity interests of a legal entity customer or reporting company, respectively, they are not required to identify their owners. The current regulation exempts sixteen categories of entities from providing any beneficial ownership information, and two categories of entities only need to provide the name of one “control” person. The proposed law exempts twenty-four categories of entities from providing any beneficial ownership information. As mentioned above and described in more detail below, the addition of money transmitters and the “Tall, Dark, and Handsome” companies to the list of exempt entities will mask the beneficial owners of some potentially high risk entities. 

Applicant

The current beneficial ownership regulation does not include an “applicant”; rather, it includes the individual providing the beneficial ownership information to the financial institution and certifying that the information is complete and accurate. And that individual is only required to provide their name and position with the legal entity customer.

Subsection 5336(a)(2) defines an applicant as an individual who files an application to form a corporation, LLC, or similar entity with a State or Indian Tribe, or to register a foreign corporation, LLC, or similar entity with a State or Indian Tribe. Most states allow a “registered agent” to file the formation/registration documents, and most registered agents are companies. The individual is often a clerk working for that registered agent. Like the beneficial owner(s), the individual applicant must provide their full legal name, date of birth, current residential or street address, and either an identifying number like a SSN or a FinCEN identifier.

These differences must be reconciled in the new regulations.

Reporting Company

The definition of Reporting Company in 31 USC s. 5336(a)(11) is the same as the definition of “legal entity customer” in the current regulation. However, the exceptions (and, in the case of legal entity customers, the exemptions) are different, and, in some cases, materially different. A side-by-side comparison is set out in an Appendix B to this article, but the notable differences are the AMLA2020’s exceptions for (1) the Tall, Dark, and Handsome companies and LLCs – those with more than 20 FTE, more than $5 million in gross revenues (as reported to the IRS in the previous year), and with an operating presence in the United States (section 5336(a)(II)(B)(xxi))[2]; and (2) money transmitters registered with FinCEN (section 5336(a)(II)(B)(vi)), which include virtual currency exchanges.

Why did Congress carve out larger companies and money transmitters? Congressional staffers have told me that their primary focus was on the types of privately-held companies that can be used as shell companies: new companies without employees, with little or no revenue, and without a physical presence or office. That makes sense – if legal vehicles used to launder money were only shell companies. But larger companies with actual employees, revenue, and physical locations are also perfectly suited to generate, hide, and move illicit proceeds. And now with these companies being exempt from providing beneficial ownership information, they will be used to layer and hide the ownership of otherwise transparent shell companies. It would have been simpler and more effective to include all privately-held, non-financial institution companies and LLCs in the definition of “reporting company”. 

A similar reason was given for money transmitters (a form of Money Services Business, or MSB, and which include virtual currency exchanges): they are required to register with FinCEN (using Form 107) and as part of that registration, disclose their owner. Some of those who have commented on this, such as the pre-eminent law firm Sullivan & Cromwell, have noted that money transmitters “are already required to disclose beneficial ownership information publicly or to federal regulators … and exempting them from the reporting requirement does not appear to represent a gap in coverage.” See https://www.sullcrom.com/files/upload/sc-publication-anti-money-laundering-act-2020.pdf at page 7.

I disagree. First, there is nothing in the AMLA2020 that ties the ownership information contained in the Form 107 (MSB registration form) to the new beneficial ownership information. Second, MSBs do not have to disclose up to four legal owners and one control person – they only need to disclose one owner or controlling person – so FinCEN will not have complete beneficial ownership information on one of the highest risk business types. The instructions to the MSB registration form require that an “Owner or Controlling Person” submit the form, and that person is described in the instructions to the form as:

Any person who owns or controls a money services business is responsible for registering the MSB. Only one registration form is required for any business in any registration period. If more than one person owns or controls the business, they may enter into an agreement designating one of them to register the business. The designated owner or controlling person must complete Part III and provide the requested information [full name, date of birth, address, and identifying number]. In addition, that person must sign and date the form as indicated in Part VII … An “Owner or Controlling Person” includes the following: Sole Proprietorship – the individual who owns the business; Partnership – a general partner; Trust – a trustee; Corporation – the largest single shareholder. If two or more persons own equal numbers of shares of a corporation, those persons may enter into an agreement as explained above that one of those persons may register the business. If the owner or controlling person is a corporation, a duly authorized officer of the owner-corporation may execute the form on behalf of the owner-corporation.[3]

The Act includes a provision that this list of exemptions is subject to ongoing review by Treasury and, if a determination is made that an exempted category is being used to facilitate financial crime, Treasury may remove it from the list or impose other administrative actions. I hope that both money transmitters and “Tall, Dark, and Handsome” companies and LLCs are eventually remoted from the list of exempt entities. The loopholes they create are too tempting for professional money launderers and the gatekeepers (lawyers and accountants) who facilitate so much financial crime.

Time to Report

There are three time frames for reporting companies to report to FinCEN. All three begin when the regulations for this section are promulgated, which must be within one year of the passage of the Act. Companies in existence at the time of the regulations have (a very generous) two years to report. New companies created or registered after the regulations shall report at the time of formation (that is aggressive: money services businesses have 180 days from formation to register with FinCEN under 31 USC s. 5330(a)(1)). Changes in beneficial ownership must be reported within a year of the change.

How Many Companies Will Need to Report?

How many reporting companies will need to register their beneficial ownership information, and when? The most recent US Census Bureau data (2017) suggests there are 6 million businesses in the United States.[4] When adding in sole proprietorships and other single-persons doing business, other data suggests ~30 million businesses. This Act indicates that 2 million new companies and LLCs are being formed every year. There are ~3,000 publicly-traded companies, and ~100,000 regulated financial institutions, public accounting firms, etc., that are excluded from the definition of reporting company.

This leaves the “Tall, Dark, and Handsome” companies that will be excluded: those with more than 20 FTE, more than $5 million in gross revenues (as reported to the IRS in the previous year), and with an operating presence in the United States. Using Census Bureau information that suggests the average small business generates $100,000 in revenue per employee, the ~650,000 businesses the Census Bureau’s SUSB has identified, and analyzing the 5.2 million PPP loan recipients, it appears that approximately 2% of privately-owned small businesses have more than 20 employees, more than $5 million in annual revenue, and have a physical office in the United States (leaving 98% as “reporting companies”). The result is likely:

• At least 5 million and as many as 20-30 million existing companies and LLCs will need to report their beneficial ownership information to FinCEN from January 2021 to January 2023; and
• 2 million companies and LLCs per year will need to report their beneficial ownership information to FinCEN when they are created, beginning in January 2021.

The regulations for the FinCEN database of beneficial ownership information that will need to be issued, and the systems and procedures that will need to be designed, need to take into account the initial surge in reporting, as well as the 2 million or more new reports filed each year, and the revisions to existing reporting company records.

Required Information for Beneficial Owners and Applicants

Section 6403 is the main section for the new beneficial ownership information reporting requirements. It creates a new section in title 31 – section 5336. Subsection 5336(2) sets out the required information. There are some interesting, and perhaps some confusing, aspects about this subsection.

First is subsection 5336(2)(A). It provides:

(A) IN GENERAL.—In accordance with regulations prescribed by the Secretary of the Treasury, a report delivered under paragraph (1) shall, except as provided in subparagraph (B), identify each beneficial owner of the applicable reporting company and each applicant with respect to that reporting company by – (i) full legal name; (ii) date of birth; (iii) current, as of the date on which the report is delivered, residential or business street address; and (iv)(I) unique identifying number from an acceptable identification document; or (II) FinCEN identifier in accordance with requirements in paragraph (3).

With this, the report submitted to FinCEN shall identify from one to five beneficial owners and each applicant (defined as the individual who filed the application to create or register the reporting company with the state or Indian Tribe) by their full name, date of birth, address, and either their SSN or driver’s license number or Passport number or a FinCEN identifier. Allowing beneficial owners and applicants to be identified by the FinCEN identifier, and not by the commonly used SSN, drivers license, or passport number, could make the registry effectively unusable and/or ineffective (as explained below).

Subparagraph 5336(b)(2)(B) is the exception set out in (A), above, to providing a report that identifies the beneficial owner(s) and applicants of a reporting company. It provides:

(B) REPORTING REQUIREMENT FOR EXEMPT ENTITIES HAVING AN OWNERSHIP INTEREST. If an exempt entity described in subsection (a)(11)(B) has or will have a direct or indirect ownership interest in a reporting company, the reporting company or the applicant – (i) shall, with respect to the exempt entity, only list the name of the exempt entity; and (ii) shall not be required to report the information with respect to the exempt entity otherwise required under subparagraph (A).

This section mirrors the current regulation at 31 CFR s. 1010.230(d)(3). But the addition of money transmitters and “Tall, Dark, and Handsome” companies and LLCs to the list of exempt entities creates an interesting result. The box to the right shows an example of two of the listed exempt entity types: the so-called “Tall, Dark, and Handsome” companies, and money transmitters that are registered with FinCEN. The effect of this subsection, and subsection 5336(b)(3)(C), described below, may be that the Reporting Company must still disclose the Applicant (the person who filed the registration papers with the State or Indian Tribe that created the entity or registered it, if a foreign company, to do business in the State or Indian Tribe), but need not disclose the individuals that own or control the exempt company that owns the Reporting Company. In the example above, a reporting company owned by a money transmitting business only needs to list the name of the Applicant and the name of the money transmitting company as its beneficial owner: there is no “drill down” requirement as there is in the current beneficial ownership regulation. And because of the Form 107 limitation of listing only one person who own or controls the money transmitter, FinCEN has little information on one of the riskiest business types. One of the stated purposes of this new section was to address layered corporate structures “much like Russian nesting ‘Matryoshka’ dolls …” (section 6402(4)). This appears to be exactly that – a layered corporate structure involving money transmitters and privately-owned companies – which the law should have included.[5]

FinCEN Identifier

Section 5336(b)(3) is the FinCEN Identifier subsection. It provides:

(3) FINCEN IDENTIFIER. (A) ISSUANCE OF FINCEN IDENTIFIER. –

(i) IN GENERAL. – Upon request by an individual who has provided FinCEN with the information described in paragraph (2)(A) pertaining to the individual, or by an entity that has reported its beneficial ownership information to FinCEN in accordance with this section, FinCEN shall issue a FinCEN identifier to such individual or entity.

(ii) UPDATING OF INFORMATION. – An individual or entity with a FinCEN identifier shall submit filings with FinCEN pursuant to paragraph (1) updating any information described in paragraph (2) in a timely manner consistent with paragraph (1)(D).

(iii) EXCLUSIVE IDENTIFIER. – FinCEN shall not issue more than 1 FinCEN identifier to the same individual or to the same entity (including any successor entity).

From this, it appears that once an individual or reporting entity is named in a Beneficial Owner Information Report, they/it can request to have issued to them/it a unique FinCEN Identifier. The required information from subsection (2) – for individuals, that is their full legal name, DOB, current residential or business street address – will remain, but their identifying number, such as SSN, will be replaced by the FinCEN Identifier. This either/or approach is clear from the “required information” section[6] as well as subsection 5336(b)(3)(B): “USE OF FINCEN IDENTIFIER FOR INDIVIDUALS. – Any person required to report the information described in paragraph (2) with respect to an individual may instead report the FinCEN identifier of the individual.”

Like the money transmitter example above (the exception in 5336(b)(2)(B)) and subsection 5336(b)(3)(C)), this appears to allow an opaque “Matryoshka doll” of layered corporate entities. It provides:

(C) USE OF FINCEN IDENTIFIER FOR ENTITIES. – If an individual is or may be a beneficial owner of a reporting company by an interest held by the individual in an entity that, directly or indirectly, holds an interest in the reporting company, the reporting company may report the FinCEN identifier of the entity in lieu of providing the information required by paragraph (2)(A) with respect to the individual.

Once a beneficial owner and/or a reporting company obtains a FinCEN identifier, they/it can update any existing report or submit any new report using that FinCEN Identifier instead of the beneficial owner’s SSN or drivers license number or passport number and not even identify the actual beneficial owners going forward. Are those individuals thereafter “masked” from law enforcement unless FinCEN also maintains the SSN or other identifying number that would be known to law enforcement, and can cross-reference the law enforcement request? In the example above, as long as Reporting Company C has a FinCEN identifier, Reporting Company A may report that FinCEN identifier in lieu of providing the names and information of the beneficial owners (in this example, Messrs. Mossack and Fonseca).

Also, it is unclear how law enforcement will query, and how FinCEN will search, the beneficial ownership information database using FinCEN identifiers. For example, assume Al Capone is named as a beneficial owner of Reporting Company A. He provides his full name, SSN, etc. He then requests a FinCEN Identifier, and updates that report with his Identifier. Later, Reporting Company B submits a report and lists Al Capone with Al’s Identifier, but not his SSN. Law enforcement is later interested in Al Capone and queries FinCEN with “do you have Al Capone, SSN 010-56-1234?” and FinCEN replies “nope, nobody with that name matching that SSN. We’ve got 7 other ‘Al Capones’ with different SSNs or FinCEN identifiers.”

Access to the Database – None for the Public, Limited for Financial Institutions, Difficult for Law Enforcement

Subsection 5336(c) provides for the retention and disclosure of beneficial ownership information. The key is the disclosure provisions. The new FinCEN central registry of beneficial ownership information is not publicly accessible. Financial institutions can only query the database “with the consent of the reporting company to facilitate compliance … with CDD requirements”. And the procedures for law enforcement and other federal agencies are daunting enough that they may be discouraged from accessing the database.

Subsection 5336(c)(2)(B) lists five situations where FinCEN may disclose beneficial ownership information:

(i)(I) upon receipt of a request from “a federal agency engaged in national security, intelligence, or law enforcement activity, for use in furtherance of such activity”;

(i)(II) upon receipt of a request from a State, Tribal, or local law enforcement agency with a court order;

(ii) a request from a federal agency on behalf of a foreign government pursuant to a treaty, mutual legal assistance treaty, etc.;

(iii) upon receipt of “a request made by a financial institution subject to customer due diligence requirements, with the consent of the reporting company, to facilitate the compliance of the financial institution with customer due diligence requirements under applicable law”; and

(iv) upon receipt of a request from a Federal functional regulator.

And the “appropriate protocols” for requesting and releasing beneficial ownership information, set out in subsection 5336(c)(2)(C) are daunting: each request by a federal agency must include “the specific reason or reasons why the beneficial ownership information is relevant” to the investigation; the agency must have procedures and training in place to handle and restrict the information, the agency must keep auditable records, and be audited by the agency and annually by Treasury.

The biggest issue with the central registry of beneficial ownership information may be the limitations placed on financial institutions’ access and use. Examples of these limitations are:

1. By limiting requests to those made with the consent of the reporting company, financial institutions cannot query the database without “tipping off” the reporting company, so financial institutions may only be able to use the database for onboarding due diligence or updating general due diligence, and not for investigations of unusual or possible suspicious activity;
2. It is not clear whether financial institutions can perform due diligence on individuals by querying the database to determine if an individual customer is a beneficial owner of the institution’s new or proposed customer (a legal entity customer under the current rules, or a reporting company under the AMLA2020). In the example of Al Capone, above, it does not appear that a financial institution can submit a request to FinCEN to search the database for “Al Capone”;
3. It is not clear what information FinCEN will return in response to a request for beneficial ownership information: will it release the PII of the applicant and beneficial owner(s), or just the name(s) and address(es)? What utility, if any, will FinCEN identifiers be to financial institutions?
4. The database won’t be fully populated with the ~5-30 million existing reporting companies until 2023: what will financial institutions do if they get a “null return” from FinCEN for a company the financial institution knows should be registered? What will financial institutions be expected to do when the information they have in their files is different than what is returned by FinCEN?

Why was access to the beneficial ownership registry limited to the extent it was? The answer to that question could be found in comments made by Congressman Patrick McHenry, (R. NC 10). His floor comments from December 8, 2020, as captured in the House Congressional Record, are included in Appendix A, below. His comments bear particular weight, as Congressman McHenry is the Ranking Member on the House Financial Services Committee.

Only Part of the Current Beneficial Ownership Rule Remains

Congressman McHenry commented that this new reporting rule “rescinds the current beneficial ownership reporting regime set out in 31 CFR 1010.230 (b)–(j), which is costly and burdensome to small businesses.” However, it may not be as cut-and-dried as he states. The section that Rep. McHenry is referring to is 6403(d). That section provides:

Section 6403(d) REVISED DUE DILIGENCE RULEMAKING.

(1) IN GENERAL. – Not later than 1 year after the effective date of the regulations promulgated under section 5336(b)(4) of title 31, United States Code, as added by subsection (a) of this section, the Secretary of the Treasury shall revise the final rule entitled “Customer Due Diligence Requirements for Financial Institutions” (81 Fed. Reg. 29397 (May 11, 2016)) to –

(A) bring the rule into conformance with this division and the amendments made by this division;

(B) account for the access of financial institutions to beneficial ownership information filed by reporting companies under section 5336, and provided in the form and manner prescribed by the Secretary, in order to confirm the beneficial ownership information provided directly to the financial institutions to facilitate the compliance of those financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law; and

(C) reduce any burdens on financial institutions and legal entity customers that are, in light of the enactment of this division and the amendments made by this division, unnecessary or duplicative.

(2) CONFORMANCE.

(A) IN GENERAL. – In carrying out paragraph (1), the Secretary of the Treasury shall rescind paragraphs (b) through (j) of section 1010.230 of title 31, Code of Federal Regulations upon the effective date of the revised rule promulgated under this subsection.

(B) RULE OF CONSTRUCTION. – Nothing in this section may be construed to authorize the Secretary of the Treasury to repeal the requirement that financial institutions identify and verify beneficial owners of legal entity customers under section 1010.230(a) of title 31, Code of Federal Regulations.

(3) CONSIDERATIONS. – In fulfilling the requirements under this subsection, the Secretary of the Treasury shall consider—

(A) the use of risk-based principles for requiring reports of beneficial ownership information;

(B) the degree of reliance by financial institutions on information provided by FinCEN for purposes of obtaining and updating beneficial ownership information;

(C) strategies to improve the accuracy, completeness, and timeliness of the beneficial ownership information reported to the Secretary; and

(D) any other matter that the Secretary determines is appropriate.

Some, But Not All, of the Current Beneficial Ownership Rule Will Change

The current Beneficial Ownership rule is set out in 31 CFR section 1010.540(a) – (j):

(a) “Covered financial institutions are required to establish and maintain written procedures that are reasonably designed to identify and verify beneficial owners of legal entity customers” and to include those procedures in their overall 31 USC s. 5318(h) programs

(b) Identification and verification of beneficial owners when a new account is opened unless excluded pursuant to (e) or exempt pursuant to (h)

(c) Definition of “account”

(d) Definition of “beneficial owner” to be (1) each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise, owns 25 percent or more of the equity interest of a legal entity customer [the so-called “ownership prong”]; and (2) a single individual with significant responsibility to control, manage, or direct a legal entity customer (including CEO, CFO, etc.) [the so-called “control prong”]; and (3) if a trust is the legal owner, the trustee.

(e) Definition of Legal Entity Customer – includes a list of exceptions and entities subject to only the control prong

(f) Definition of “Covered Financial Institution”

(g) Definition of “New Account”

(h) Exemptions

(i) Recordkeeping requirements

(j) Reliance on other financial institutions

The AML Act provides that “the Secretary of the Treasury shall rescind paragraphs (b) through (j) of section 1010.230 of title 31, Code of Federal Regulations upon the effective date of the revised rule promulgated under this subsection”. The result is that financial institutions will still be required to have procedures to identify and verify beneficial owners, but how that is done will be determined by new rules and regulations. So the new rules will be similar to the current beneficial ownership rule.

The current beneficial ownership rule provides financial institutions with more information on more legal entities sooner and requires them to use that information for not only onboarding due diligence, including customer risk rating, but ongoing due diligence (investigations of potential suspicious activity). It also gives financial institutions immediate access to existing legal entities’ beneficial ownership information where those entities open new accounts.

The new beneficial ownership information registration requirement only includes the smallest legal entities, existing legal entities have two years to provide their owners’ information, and, most importantly, financial institutions have limited access to the registry as they need their customer’s approval to access the customer’s information. The differences between the existing rule and new law are recognized in subsection (B), which directs the Secretary to “account for the access of financial institutions to beneficial ownership information filed by reporting companies under section 5336 … in order to confirm the beneficial ownership information provided directly to the financial institutions to facilitate the compliance of those financial institutions with” AML, CFT, and CDD requirements.

Conclusion

There is so much that is good about the Corporate Transparency Act. I’m hoping that by raising what appear to be, but may not be, bad and even ugly things about the Act, we will have more transparency into those aspects of the Act and we will be able to address them in regulations or even amendments to the Act itself.

Appendix A – Corporate Transparency Act – Congressional Comments

House Congressional Record from December 8, 2020 CREC-2020-12-08-pt1-PgH6919-3.pdf (congress.gov) at pages H6932-6933 (bold red font has been added for emphasis, and the footnote has been added from the original text):

Mr. MCHENRY. Mr. Speaker, I rise in support of the conference report to the National Defense Authorization Act for fiscal year 2021. Combating illicit finance and targeting bad actors is a nonpartisan issue. However, Congress’ actions must be thoughtful and data driven. An example of this is H.R. 2514, the COUNTER Act, which is included in this conference report. Division G is a compilation of bipartisan policies that will modernize and reform the Bank Secrecy Act and anti-money laundering regimes. These policies will strengthen the Department of Treasury’s financial intelligence, anti-money laundering, and counter terrorism programs.

I would like to thank Chairman CLEAVER and Ranking Member STIVERS for their work on this bill and the language included in Division G. In addition to Division G, the conference report contains an amendment replacing the text of H.R. 2513, the Corporate Transparency Act, with new legislation. H.R. 2513, which passed the House on October 22, 2019, and again as an amendment to H.R. 6395 on July 21, 2020, attempted to establish a new beneficial ownership information reporting regime to assist law enforcement in tracking down terrorists and other bad actors who finance terrorism and illicit activities. But, it did so to the detriment of America’s small businesses.

Beneficial ownership information is the personally identifiable information (PII) on a company’s beneficial owners. This information is currently collected and held by financial institutions prior to a company gaining access to our financial system.

However, bad actors and nation states, such as China and Russia, are becoming more proficient in using our financial system to support illicit activity. As bad actors become more sophisticated, so to must our tools to deter and catch them. One such tool is identifying the beneficial owners of shell companies, which are used as fronts to launder money and finance terrorism or other illicit activity. Beneficial ownership information assists law enforcement to better target these bad actors.

Although well-intentioned, H.R. 2513 had numerous deficiencies in its reporting regime. First, H.R. 2513 placed numerous reporting and costly reporting requirements on small businesses. It lacked protections to properly protect small businesses’ personal information stored with a little-known government office within the Department of Treasury—known as FinCEN. The bill authorized access to this sensitive information without any limitation on who could access the information and when it could be accessed. Finally, it failed to hold FinCEN accountable for its actions.

The text of H.R. 2513 is replaced with new language that I negotiated, along with Senate Banking Committee Chairman CRAPO. This substitute, which is reflected in Division F of the conference report, is a significant improvement over the House-passed bill in three key areas.

First, Division F limits the burdens on small businesses. Unlike H.R. 2513, the language included in the conference report protects our nation’s small businesses. It prevents duplicative, burdensome, and costly reporting requirements for beneficial ownership data from being imposed in two ways. It rescinds the current beneficial ownership reporting regime set out in 31 CFR 1010.230 (b)–(j), which is costly and burdensome to small businesses. Rescinding these provisions ensures that it cannot be used in a future rule to impose another duplicative, reporting regime on America’s small businesses. In addition, Division F requires the Department of Treasury to minimize the burdens the new reporting regime will have on small businesses, including eliminating any duplicative requirements.

House Republicans ensured the directive to minimize burdens on small businesses is fulfilled. Division F directs the Secretary of the Treasury to report to the House Committee on Financial Services and the Senate Committee on Banking annually for the first three years after the new rule is promulgated. The report must assess: the effectiveness of the new rule; the steps the Department of Treasury took to minimize the reporting burdens on reporting entities, including eliminating duplicative reporting requirements, and the accuracy of the new rule in targeting bad actors. The Department of Treasury is also required to identify the alternate procedures and standards that were considered and rejected in developing its new reporting regime. This report will help the Committees understand the effectiveness of the new rule in identifying and prosecuting bad actors. Moreover, it will give the Committees the data needed to understand whether the reporting threshold is sufficient or should be revised.

Second, Division F includes the strongest privacy and disclosure protections for America’s small businesses as it relates to the collection, maintenance, and disclosure of beneficial ownership information. The new protections set out in Division F ensure that small business beneficial ownership information will be protected just like an individual’s tax return information. The protections in Division F mirror or exceed the protections set out in 26 U.S.C. 6103, including:

1. Agency Head Certification. Division F requires an agency head or designee to certify that an investigation or law enforcement, national security or intelligence activity is authorized and necessitates access to the database. Designees may only be identified through a process that mirrors the process followed by the Department of Treasury for those designations set out in 26 U.S.C. 6103.
2. Semi-annual Certification of Protocols. Division F requires an Agency head to make a semi-annual certification to the Secretary of the Treasury that the protocols for accessing small business ownership data ensure maximum protection of this critically important information. This requirement is non-delegable.
3. Court authorization of State, Local and Tribal law enforcement requests. Division F requires state, local and tribal law enforcement officials to obtain a court authorization from the court system in the local jurisdiction. Obtaining a court authorization is the first of two steps state, local and tribal governments must take prior to accessing the database. Separately, state, local and tribal law enforcement agencies must comply with the protocols and safeguards established by the Department of Treasury.
4. Limited Disclosure of Beneficial Ownership Information. Division F prohibits the Secretary of Treasury from disclosing the requested beneficial ownership information to anyone other than a law enforcement or national security official who is directly engaged in the investigation.
5. System of Records. Division F requires any requesting agency to establish and maintain a system of records to store beneficial ownership information provided directly by the Secretary of the Treasury.
6. Penalties for Unauthorized Disclosure. Division F prohibits unauthorized disclosures. Specifically, the agreement reiterates that a violation of appropriate protocols, including unauthorized disclosure or use, is subject to criminal and civil penalties (up to five years in prison and $250,000 fine).

Third, Division F contains the necessary transparency, accountability and oversight provisions to ensure that the Department of Treasury promulgates and implements the new beneficial ownership reporting regime as intended by Congress. Specifically, Division F requires each requesting agency to establish and maintain a permanent, auditable system of records describing: each request, how the information is used, and how the beneficial ownership information is secured. It requires requesting agencies to furnish a report to the Department of Treasury describing the procedures in place to ensure the confidentiality of the beneficial ownership information provided directly by the Secretary of the Treasury.

Separately, Division F requires two additional audits. First, it directs the Secretary of Treasury to conduct an annual audit to determine whether beneficial ownership information is being collected, stored and used as intended by Congress. Separately, Division F directs the Government Accountability Office to conduct an audit for five years to ensure that the Department of Treasury and requesting agencies are using the beneficial ownership information as set out in Division F. This is the same audit that GAO conducts as it relates to the Department of Treasury’s collection, maintenance and protection of tax return information. This information will ensure that Congress has independent data on the efficacy of the reporting regime and whether confidentiality is being maintained.

Division F also requires the Department of Treasury to issue an annual report on the total number of court authorized requests received by the Secretary to access the database. The report must detail the total number of court authorized requests approved and rejected and a summary justifying the action. This report to Congress will ensure the Department of Treasury does not misuse its authority to either approve or reject court authorized requests.

Finally, Division F requires the Director of FinCEN, who is responsible for implementing this reporting regime, to testify annually for five years. This testimony is critical. For far too long FinCEN has evaded any type of congressional check on its activities. Yet, it has amassed a great deal of authority. Now, Congress will shine a light on its operations. It is my expectation that FinCEN will provide Congress with hard data on its effectiveness in targeting bad actors, including the effectiveness of this new authority to collect, maintain, and use beneficial ownership information.

One final comment about the importance of FinCEN’s annual testimony. In the months leading up to the House’s consideration of H.R. 2513 last October, I sought data from FinCEN and from the Treasury Department, along with the Department of Justice, to better understand the need for this legislation. No such data was forthcoming. Rather, FinCEN gave anecdotes of very scary stories to justify the need for a new reporting regime. It is my expectation that FinCEN will provide Congress with the necessary data to justify this new reporting regime and the burdens it is placing on legitimate companies. I will conclude by thanking Chairwoman MALONEY for her work over the last twelve years on this issue and her willingness to work with me to strengthen this bill. I believe we have a better product. I urge my colleagues to support the conference agreement.

[1] Beneficial Ownership Toolkit (oecd.org)

[2] With the Oxford comma separating the three attributes, it is clear that these companies must have all three attributes. And there are very few companies or LLCs in the United States that have all three. They are in fact the corporate equivalent of a man who is tall, dark, and handsome – very rare.

[3] FinCEN FORM 107 (Rev. 8-2008) (irs.gov)

[4] The US Census Bureau’s Statistics of US Businesses, or SUSB, data available at 2017 SUSB Annual Data Tables by Establishment Industry (census.gov). This shows ~5.35 million businesses with 20 or fewer employees; ~550,000 with 20-99 employees; ~100,000 with 100-499 employees (these ~5,990,000 businesses are all “small businesses”. Note that the Paycheck Protection Program, limited to small businesses with 500 or fewer employees, resulted in ~5.2 million loans); and ~10,000 businesses with more than 500 employees.

[5] All money transmitters must register with FinCEN: it is a federal criminal offense for a licensed money transmitter not to be registered with FinCEN. See 31 USC s. 5330 and 18 USC s. 1960.

[6] This is clear from subsection 5336(b)(2)(A) which provides that each beneficial owner and applicant shall be identified by their full legal name, date of birth, current residential or business street address, and either an identifying number from an acceptable form of identification such as a SSN or drivers license or passport, or a FinCEN identifier.

Appendix B – Comparison of Legal Entities Subject to Beneficial Ownership

The Senate Banking Committee’s top Republican (Senator Crapo from Idaho) and top Democrat (Senator Brown from Ohio) have joined forces to draft the Anti-Money Laundering Act of 2020 as an amendment to the National Defense Authorization Act. It takes some of what the House passed in HR2513, the Corporate Transparency Act, and replicates most of what the Senate has been horse-trading on with the ILLICIT CASH Act (S2563), and adds a few other provisions: 214 pages of provisions.

If enacted, it would be the biggest revision to the U.S. AML/CFT regime since the USA PATRIOT Act of 2001. The main legislation for the AML/CFT regime is found in Title 31 of the US Code. 31 USC 5311 (the purpose of the BSA) and 5318 (the program and reporting requirements) will materially change, four new sections (5333-5336) will be added, two new BSAAG subcommittees will be created, and of course a FinCEN database of beneficial ownership information will be created to house some legal entity beneficial ownership information (more on that in another article).

Anti-Money Laundering Act of 2020

The proposed AML Act of 2020 would be tacked on to the back end – Division E – of the 2021 Defense Appropriations bill. So the titles for the Act begin at title 51 – actually the Roman numeral LI. There are five titles:

• Title LI – Strengthening Treasury Financial Intelligence, Anti-Money Laundering [AML], and Countering the Financing of Terrorism [CFT] Programs
• Title LII – Modernizing the AML and CFT Systems
• Title LIII – Improving AML and CFT Communication, Oversight, and Processes
• Title LIV – Establishing Beneficial Ownership Reporting Requirements
• Title LV – Miscellaneous

Section 5201 – Annual Reporting Requirements

This article focuses solely on section 5201 of Title LII. Why? It includes my long-sought-after SAR feedback from law enforcement, while at the same time resurrects the long-forgotten section 314(d) of the USA PATRIOT Act.

In a nutshell, section 5201 is a “pay to play” requirement imposed on law enforcement and the intelligence community. At requires the Attorney General, on behalf of federal and state prosecutors and law enforcement agencies, to deliver an annual report and, once every five years a broader long-term trending report, to the Secretary of the Treasury, setting out statistics, metrics, and other information on the use of BSA reports. The annual report must include:

1. The frequency with which the BSA reports contains actionable information that leads to, among other things, actions by law enforcement agencies such as grand jury subpoenas, and actions by intelligence, national security, and homeland security agencies;
2. Calculations on the time between the BSA reporting and the use of the data by law enforcement or intelligence agencies;
3. An analysis of the transactions associations with the BSA reports, including whether the accounts were held by legal entities or persons, and any trends or patterns in cross-border activity;
4. The number of legal entities and persons identified by the BSA reports;
5. The extent to which arrests, indictments, convictions, etc., were related to the reports; and
6. Data on state and federal investigations that resulted from the reports.

The five-year report would focus on longer-term trends, patterns and threats: retrospective trends and emerging patterns and threats.

And what would the Secretary of the Treasury do with these reports? That is covered by subsection (d) of section 5201, which provides that the Secretary shall use these reports

1. To help assess the usefulness of BSA reports;
2. “to enhance feedback and communications with financial institutions and other entities subject to the requirements under the BSA, including by providing more detail in the reports published and distributed under section 314(d) of the USA PATRIOT Act (31 USC s. 5311 note);
3. to assist FinCEN in considering revisions to the reporting requirements promulgated under section 314(d) of the USA PATRIOT Act (31 USC s. 5311 note).

The result? This July 2020 proposed AML legislation would require the public sector consumers of BSA reports to provide feedback to the private sector producers of those reports – essentially a “pay to play” requirement, and that feedback would be through the almost 20-year old provision of the USA PATRIOT Act, section 314(d).

I’ve written about both of these things.

On July 30, 2019 I published an article titled “SAR Feedback? What Ever Happened to Section 314(d)?” See https://regtechconsulting.net/aml-regulations-and-enforcement-actions/sar-feedback-what-ever-happened-to-section-314d/ I wrote:

Wouldn’t it be great if Treasury published a report, perhaps semi-annually, that contained a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports (SARs) and investigations conducted by federal, state, and local law enforcement agencies (to the extent appropriate) and distributed that report to financial institutions that filed those SARs?

To get Treasury to do that, though, would probably require Congress to pass a law compelling it to do so.

Hold it. Congress did pass that law.  Almost 18 years ago. And, by all accounts, it’s still on the books. What happened to those semi-annual reports? When did they begin? If they began, when did they end?

Section 314(d) – Its Origins

What became 314(d) was introduced in the House version of what became the USA PATRIOT Act. The House version, the Financial Anti-Terrorism Act, was introduced on October 3, 2001. It was marked up by the House Financial Services Committee on October 11. The Senate version, originally titled the Uniting and Strengthening America Act, or USA Act, was introduced on October 4th and had sections 314(a) (public to private sector information sharing), 314(b) (cooperation among financial institutions, or private-to-private sector information sharing), and 314(c) (“rule of construction”). There was no 314(d) in that early version.

On October 17th, HR 3004, the Financial Anti-Terrorism Act, was passed by the House 412-1. Title II was “public-private cooperation”. Section 203 was:

“Reports to the Financial Services Industry on Suspicious Financial Activities – at least once each calendar quarter, the Secretary shall (1) publish a report containing a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports and investigations conducted by federal, state, and local law enforcement agencies to the extent appropriate; and (2) distribute such report to financial institutions as defined in section 5312 of title 31, US code.”

The Senate and House versions were reconciled, and on October 23rd the House Congressional Record shows a consideration of what was then the USA PATRIOT Act. That version of the bill then included what had been section 203 and was now 314(d). It was the same, except instead of a quarterly report it was a semi-annual report (“at least once each calendar quarter” was changed to “at least semiannually”).

SAR Activity Review – Was That The Answer to 314(d)?

The ABA has written, and at least one former FinCEN employee has stated that the “SAR Activity Review – Trends, Tips, and Issues” was the response to 314(d). The SAR Activity Reviews were excellent resources. They contained sections on SAR statistics, national trends and analysis, law enforcement cases, tips on SAR form preparation and filing, issues and guidance, and an industry forum. The first SAR Activity Review noted that it was published under the auspices of the BSAAG, was to be published semi-annually in October and April, and was “the product of a continuing collaboration among the nation’s financial institutions, federal law enforcement, and regulatory agencies to provide meaningful information about the preparation, use, and utility of SARs.”  Although that certainly sounds like it is responsive to section 314(d), there is no reference to 314(d).

And the first SAR Activity Review was published more than a year before 314(d) was passed. Even the first SAR Activity Review published after the enactment of the USA PATRIOT Act and section 314(d) – the 4th issue published on July 31, 2002 – didn’t make any reference to 314(d). Beginning with the 6th issue of the SAR Activity Review, published in October 2003, the authors broke out the statistics from the “Trends, Tips & Issues” document and published a separate, and more detailed, “SAR Activity Review – By The Numbers”. The last SAR Activity Review (the 23rd) and the last “By The Numbers” (the 18th) were published on April 30, 2013. None of those forty-one publications referenced 314(d). After the SAR Activity Reviews stopped, FinCEN continued to publish “SAR Statistics”, and did so three times from June 2014 through March 2017.  For the last few years, FinCEN has maintained SAR Stats on its website – https://www.fincen.gov/reports/sar-stats  – that is updated on a monthly basis. Those statistics are useful, but cannot be thought of as “containing a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports and investigations conducted by federal, state, and local law enforcement agencies to the extent appropriate”, quoting the 314(d) language.

Does Anyone Know What Happened to 314(d)?

I don’t have the answer to that question. Perhaps 314(d) is seen as satisfied by the accumulation of advisories, guidance, bulletins, etc., published by FinCEN and other Treasury bureaus and agencies and departments from time to time. Perhaps there is a Treasury Memorandum out there that I’m not aware of that provides a simple explanation. Perhaps not: most BSA/AML experts I speak with are not even aware of 314(d), and if the SAR Activity Review did satisfy the spirit and intent of 314(d), the last one was published more than six years ago. But everyone in the private sector BSA/AML risk management space has been clamoring for more feedback from law enforcement and FinCEN on the effectiveness and usefulness of their SAR filings. Perhaps a renewed (or any) focus on 314(d) is the answer.  The revival of 314(d) could give FinCEN the mandate they’ve been looking for to provide more valuable information to the private sector producers of Suspicious Activity Reports. We would all benefit.

Public Sector is Going to Have to Pay in Order to Play With the Private Sector’s BSA Reports

On November 21, 2019 I wrote an article titled “Like Sam Loves Free Fried Chicken, Law Enforcement Loves ‘Free’ Suspicious Activity Reports … But What If Law Enforcement Had to Earn the Right to Use the Private Sector’s ‘Free’ SARs?” See https://regtechconsulting.net/fintech-financial-crimes-and-risk-management/like-sam-loves-free-fried-chicken-law-enforcement-loves-free-suspicious-activity-reports-but-what-if-law-enforcement-had-to-earn-the-right-to-use-the-private-sector/. That article provided:

Eleven year-old Sam Caruana of Buffalo, New York waited outside a Chick-fil-A restaurant in the freezing cold in order to be one of the 100 people given free fried chicken for one year (actually, one chicken sandwich a week for fifty-two weeks). In a video that went viral (Sam Caruana YouTube – Free Chicken), young Sam explained that he simply loved fried chicken, and he’d stand in the cold for free fried chicken.

Just as Sam loves free fried chicken, law enforcement loves free Suspicious Activity Reports, or SARs. In the United States, over 30,000 private sector financial institutions – from banks to credit unions, to money transmitters and check cashers, to casinos and insurance companies, to broker dealers and investment advisers – file more than 2,000,000 SARs every year. And it costs those financial institutions billions of dollars to have the programs, policies, procedures, processes, technology, and people to onboard and risk-rate customers, to monitor for and identify unusual activity, to investigate that unusual activity to determine if it is suspicious, and, if it is, to file a SAR with the Treasury Department’s Financial Crimes Enforcement Network, or FinCEN. From there, hundreds of law enforcement agencies across the country, at every level of government, can access those SARs and use them in their investigations into possible tax, criminal, or other investigations or proceedings. To law enforcement, those SARs are, essentially, free. And like Sam loves free fried chicken, law enforcement loves free SARs. Who wouldn’t?

But should those private sector SARs, that cost billions of dollars to produce, be “free” to public sector law enforcement agencies? Put another way, should the public sector law enforcement agency consumers of SARs need to provide something in return to the private sector producers of SARs?

I say they should. And here’s what I propose: that in return for the privilege of accessing and using private sector SARs, law enforcement shouldn’t have to pay for that privilege with money, but with effort. The public sector consumers of SARs should let the private sector producers know which of those SARs provide tactical or strategic value.

A recent Mid-Size Bank Coalition of America (MBCA) survey found the average MBCA bank had: 9,648,000 transactions/month being monitored, resulting in 3,908 alerts/month (0.04% of transactions alerted), resulting in 348 cases being opened (8.9% of alerts became a case), resulting in 108 SARs being filed (31% of cases or 2.8% of alerts). Note that the survey didn’t ask whether any of those SARs were of interest or useful to law enforcement. Some of the mega banks indicate that law enforcement shows interest in (through requests for supporting documentation or grand jury subpoenas) 6% – 8% of SARs.

I argue that the Alert/SAR and even Case/SAR ratios are all of interest, but tracking to SARs filed is a little bit like a car manufacturer tracking how many cars it builds but not how many cars it sells, or how well those cars perform, how long they last, and how popular they are. And just like the automobile industry measuring how many cars are purchased, the better measure for AML programs is “SARs purchased”, or SARs that provide value to law enforcement.

Also, there is much being written about how machine learning and artificial intelligence will transform anti-money laundering programs. Indeed, ML and AI proponents are convinced – and spend a lot of time trying to convince others – that they will disrupt and revolutionize the current “broken” AML regime. Among other targets within this broken regime is AML alert generation and disposition and reducing the false positive rate. The result, if we believe the ML/AI community, is a massive reduction in the number of AML analysts that are churning through the hundreds and thousands of alerts, looking for the very few that are “true positives” worthy of being labelled “suspicious” and reported to the government. But the fundamental problem that every one of those ML/AI systems has is that they are using the wrong data to train their algorithms and “teach” their machines: they are looking at the SARs that are filed, not the SARs that have tactical or strategic value to law enforcement.

Tactical or Strategic Value Suspicious Activity Reports – TSV SARs

The best measure of an effective and efficient financial crimes program is how well it is providing timely, effective intelligence to law enforcement. And the best measure of that is whether the SARs that are being filed are providing tactical or strategic value to law enforcement. How do you determine whether a SAR provides value to law enforcement? One way would be to ask law enforcement, and hope you get an answer. That could prove to be difficult.  Can you somehow measure law enforcement interest in a SAR?  Many banks do that by tracking grand jury subpoenas received to prior SAR suspects, law enforcement requests for supporting documentation, and other formal and informal requests for SARs and SAR-related information. As I write above, an Alert-to-SAR rate may not be a good measure of whether an alert is, in fact, “positive”. What may be relevant is an Alert-to-TSV SAR rate.

A TSV SAR is one that has either tactical value – it was used in a particular case – or strategic value – it contributed to understanding a typology or trend. And some SARs can have both tactical and strategic value. That value is determined by law enforcement indicating, within seven years of the filing of the SAR (more on that later), that the SAR provided tactical (it led to or supported a particular case) or strategic (it contributed to or confirmed a typology) value.  That law enforcement response or feedback is provided to FinCEN through the same BSA Database interfaces that exist today – obviously, some coding and training will need to be done (for how FinCEN does it, see below). If the filing financial institution does not receive a TSV SAR response or feedback from law enforcement or FinCEN within seven years of filing a SAR, it can conclude that the SAR had no tactical or strategic value to law enforcement or FinCEN, and may factor that into decisions whether to change or maintain the underlying alerting methodology. Over time, the financial institution could eliminate those alerts that were not providing timely, actionable intelligence to law enforcement. And when FinCEN shares that information across the industry, others could also reduce their false positive rates.

FinCEN’s TSV SAR Feedback Loop

FinCEN is working to provide more feedback to the private sector producers of BSA reports. As FinCEN Director Ken Blanco recently stated:[1]

“Earlier this year, FinCEN began the BSA Value Project, a study and analysis of the value of the BSA information we receive. We are working to provide comprehensive and quantitative understanding of the broad value of BSA reporting and other BSA information in order to make it more effective and its collection more efficient. We already know that BSA data plays a critical role in keeping our country strong, our financial system secure, and our families safe from harm — that is clear. But FinCEN is using the BSA Value Project to improve how we communicate the way BSA information is valued and used, and to develop metrics to track and measure the value of its use on an ongoing basis.”

FinCEN receives every SAR. Indeed, FinCEN receives a number of different BSA-related reporting: SARs, CTRs, CMIRs, and Form 8300s. It’s a daunting amount of information. As FinCEN Director Ken Blanco noted in the same speech:

FinCEN’s BSA database includes nearly 300 million records — 55,000 new documents are added each day. The reporting contributes critical information that is routinely analyzed, resulting in the identification of suspected criminal and terrorist activity and the initiation of investigations.

“FinCEN grants more than 12,000 agents, analysts, and investigative personnel from over 350 unique federal, state, and local agencies across the United States with direct access to this critical reporting by financial institutions. There are approximately 30,000 searches of the BSA data taking place each day. Further, there are more than 100 Suspicious Activity Report (SAR) review teams and financial crimes task forces across the country, which bring together prosecutors and investigators from different agencies to review BSA reports. Collectively, these teams reviewed approximately 60% of all SARs filed.

Each day, law enforcement, FinCEN, regulators, and others are querying this data:  7.4 million queries per year on average. Those queries identify an average of 18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities, among many, many other uses that protect our nation from harm, help deter crime, and save lives.”

This doesn’t tell us how many of those 55,000 daily reports are SARs, but we do know that in 2018 there were 2,171,173 SARs filed, or about 8,700 every (business) day. And it appears that FinCEN knows which law enforcement agencies access which SARs, and when. And we now know that there are “18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities” every year. But which filings?

The law enforcement agencies know which SARs provide tactical or strategic value, or both. So if law enforcement finds value in a SAR, it should acknowledge that, and provide that information back to FinCEN. FinCEN, in turn, could provide an annual report to every financial institution that filed, say, more than 250 SARs a year (that’s one every business day, and is more than three times the number filed by the average bank or credit union). That report would be a simple relational database indicating which SARs had either or both tactical or strategic value. SAR filers would then be able to use that information to actually train or tune their monitoring and surveillance systems, and even eliminate those alerting systems that weren’t providing any value to law enforcement.

Why give law enforcement seven years to respond? Criminal cases take years to develop. And sometimes a case may not even be opened for years, and a SAR filing may trigger an investigation. And sometimes a case is developed and the law enforcement agency searches the SAR database and finds SARs that were filed five, six, seven or more years earlier. Between record retention rules and practical value, seven years seems reasonable.

Law enforcement agencies have tremendous responsibilities and obligations, and their resources and budgets are stretched to the breaking point. Adding another obligation – to provide feedback to the banks, credit unions, and other private sector institutions that provide them with reports of suspicious activity – may not be feasible. But the upside of that feedback – that law enforcement may get fewer, but better, reports, and the private sector institutions can focus more on human trafficking, human smuggling, and terrorist financing and less on identifying and reporting activity that isn’t of interest to law enforcement – may far exceed the downside.

Free Suspicious Activity Reports are great. But like Sam being prepared to stand in the freezing cold for his fried chicken, perhaps law enforcement is prepared to let us know whether the reports we’re filing have value.

Conclusion

As of this writing – July 3, 2020 – it remains to be seen whether the Anti-Money Laundering Act of 2020 will become law, or what parts of the Act will become law. But section 5201, which requires the public sector consumers of the BSA reports produced by the private sector to provide feedback to the private sector on the usefulness of those reports. This is a critically important, long-awaited development in the US AML/CFT regime.

For more on alert-to-SAR rates, the TSV feedback loop, machine learning and artificial intelligence, see other articles I’ve written:

The TSV SAR Feedback Loop – June 4 2019

AML and Machine Learning – December 14 2018

Rules Based Monitoring – December 20 2018

FinCEN FY2020 Report – June 4 2019

FinCEN BSA Value Project – August 19 2019

BSA Regime – A Classic Fixer-Upper – October 29 2019

[1] November 15, 2019, prepared remarks for the Chainalysis Blockchain Symposium, available at https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-kenneth-blanco-chainalysis-blockchain-symposium

Can something like the REAL ID Act of 2005 be used to solve the beneficial ownership issue?

Without a national registry of beneficial ownership (BO) information, banks can collect BO information, but have no way to verify it

The REAL ID Act of 2005 compelled the 50 states to have their citizens’ state-issued identification documents meet certain minimum requirements and issuance standards … could a similar thing be done to compel the 50 states to have their state-created legal entities meet certain minimum requirements for beneficial ownership information?

The REAL ID Act of 2005 established minimum security standards for state-issued driver’s licenses and identification cards by prohibiting Federal agencies from accepting non-compliant state-issued driver’s licenses and identification cards that do not meet the Act’s minimum standards. The REAL ID Act was a way for the Federal Government to compel (sort of) the fifty states to meet certain standards for their drivers’ licenses. The Federal Government essentially told the fifty states “you have the power to issue state drivers’ licenses, and you can do what you’d like, but if you want those licenses to be used for any federal purposes, such as accessing Federal facilities, entering nuclear power plants, and, notably, boarding federally regulated commercial aircraft, then they have to meet our standards.”

The REAL ID Act’s genesis was the attacks of 9/11. It enacted recommendations from the July 2002 National Strategy for Homeland Security and the July 2004 9/11 Commission Report that the Federal Government “set standards for the issuance of sources of identification, such as driver’s licenses.” The REAL ID Act was included in the Emergency Supplemental Appropriation for Defense, the Global War on Terror, and Tsunami Relief Act of 2005 (PL 109-13, 119 Stat. 231 at 302), and the actual ID provisions are in Title II, Improved Security for Drivers’ Licenses and Personal Identification Cards, section 202, “minimum document requirements and issuance standards for federal recognition.” (Section 204 provides for grants to states to implement the document requirements and issuance standards).

The main part of section 202 provides:

REAL ID Act regulations weren’t finalized until January 2008, at which time it was clear that it would take billions of dollars and many years to get states into compliance. States were originally required to be compliant by May 2008 (the regulations weren’t published until January 2008). That deadline was extended multiple times to 2009, then 2011, then 2013, then 2015, and extended again to January 22, 2018. As of April 2018, only thirty states were compliant and the remaining twenty had obtained extensions. For those with non-compliant driver’s licenses issued by compliant states, they have until October 1, 2020 to get a compliant driver’s license.

To find out more about the REAL ID Act requirements, California’s DMV site has a good section: CA DMV on REAL ID Act

Can’t Board an Airplane … Can’t Bid on Federal Contracts

How could something like the REAL ID Act help banks with the beneficial ownership issue? Like driver’s licenses, creation of legal entities is left to each state, and (anecdotally) only three states currently require the collection and verification of beneficial ownership information.

Like they did to effectively compel the fifty states to issue individuals’ driver’s licenses that met federal standards, the federal government could pass a law that would prevent entities created in states that do not meet certain Beneficial Ownership standards from bidding on and winning federal government contracts. In other words, those states would not be compelled to collect, verify, and maintain accurate beneficial ownership information on state-incorporated legal entities, but would need to have an incorporation regime that did so if it wanted those legal entities to be able to bid on federal government contracts.

This might be a radical idea, full of legal and regulatory pitfalls. There might be dozens of reasons why it can’t work. But it might work. Or something similar could work (it doesn’t have to be about bidding on federal contracts).  But there must be something that could work. As Arthur C. Clarke wrote, “new ideas pass through three phases: it can’t be done; it probably can be done, but it’s not worth doing; I knew it was a good idea all along!”

One word of further caution. It will have taken fifteen years for all states to comply with the REAL ID Act of 2005 requirements. Hopefully it wouldn’t take states fifteen years to comply with the REAL Beneficial Owners Act of 2019.