Loading…

Corporate Transparency Act: Shell Companies are covered … but what about Shelf Companies?

Bad actors and nation states, such as China and Russia, are becoming more proficient in using our financial system to support illicit activity. As bad actors become more sophisticated, so to [sic] must our tools to deter and catch them. One such tool is identifying the beneficial owners of shell companies, which are used as fronts to launder money and finance terrorism or other illicit activity.

Congressman Patrick McHenry (D. NC) made that statement on the House floor on December 8, 2020 as he was speaking in support of the Corporate Transparency Act, which became Title LXIV of the Anti-Money Laundering Act of 2020.[2]

The Congressman’s statement that shell companies are used as front companies may be accurate, but it seems to equate shell companies with front companies. But he is not alone: many people confuse shell companies with front companies, and shell companies with shelf companies. And many of the headlines in the media after the Corporate Transparency Act was passed touted “the end of shell companies” in the United States. Even the 2020 National Strategy referred to “shell and front companies” as if they were interchangeable. They’re not.

What is a “shell company”? After all, one of the six purposes of the AML Act is to establish uniform beneficial ownership in formation reporting requirements in order to “discourage the use of shell corporations as a tool to disguise and move illicit funds” (subsection 6002(5)(B) of the AML Act).

Shell companies are featured in the AML Act but not defined. What is a “shell company”?  And how is it different from a “shelf company” or a “front company”?

Shell Companies, Front Companies, and Shelf Companies[1]

Although these terms are often used interchangeably, they are not the same. A Joint Report published by the FATF and the Egmont Group in July 2018 provides a great description or definition of each:

Shell company – incorporated company with no independent operations, significant assets, ongoing business activities, or employees.
Front company – fully functioning company with the characteristics of a legitimate business, serving to disguise and obscure illicit financial activity.
Shelf company – incorporated company with inactive shareholders, directors, and secretary and is left dormant for a longer period even if a customer relationship has already been established.

Shell companies are legal entities that exist “on paper” – more likely electronically on a state or Tribal company registry database – but have no physical presence, no activity, and no purpose. There is nothing illegal about shell companies.

A shell company that serves as a vehicle or legal entity for business transactions to pass through, without itself having any significant assets or operations, is acting as a front company.  A front company, on the other hand, may be more than a shell, and as FATF and Egmont note, be a fully functioning company with a physical presence which may be conducting some legitimate business, but its main purpose is to disguise illegal activity. So a shell company can be a front company, but a front company isn’t always a shell company (think of a pizza parlor as a front for drug trafficking, or Madoff Securities was a front company for Bernie Madoff’s Ponzi scheme).

Shell companies that have been incorporated but have been sitting inactive “on the shelf” for months or years are known as “shelf companies”. Like new shell companies, aged shelf companies are perfectly legal. Having a shell company that was created three, four, or more years before provides the appearance of a business history and thus legitimacy. As FATF/Egmont note in their paper, “as shelf companies can also be considered a type of shell company, particularly following their sale or transfer of ownership, it is possible that jurisdictions referred to former shelf companies as shell companies when providing case studies.”

Wyoming is known for its shelf corporations: where a new “shell” company might cost $250 – $500 to set up, an aged “shelf” company can cost thousands of dollars. See Dusting off the Congressional Version of an “Aged Shelf Company” – RegTech Consulting, LLC.

Speaking of Shelf Companies – Were They Missed Altogether?

The Corporate Transparency Act (CTA) creates a new section in title 31 – 31 USC section 5336 – that requires a “reporting company” to submit its beneficial ownership information to the to-be-constructed FinCEN central registry or database of beneficial ownership information.  A reporting company is defined in section 5336(a)(11)(A) as “a corporation, limited liability company, or other similar entity that is (i) created by the filing of a document with a secretary of state or a similar office under the law of a State or Indian Tribe; or (ii) formed under the law of a foreign country and registered to do business in the United States by the filing of a document with a secretary of state or a similar office under the laws of a State or Indian Tribe.”

Subsection 5336(a)(11)(B) provides that a reporting company “does not include” twenty-four types of entities. Included in that list is what appears to be a classic shelf company: a company created by a corporate formation agent that does no business, has no employees, etc., and simply sits “on the shelf” of the corporate formation agent, waiting for someone to buy it and use it. Subsection (xxiii) provides that a reporting company does not include:

(xxiii) any corporation, limited liability company, or other similar entity

(I) in existence for over 1 year;

(II) that is not engaged in active business;

(III) that is not owned, directly or indirectly, by a foreign person;

(IV) that has not, in the preceding 12-month period, experienced a change in ownership or sent or received funds in an amount greater than $1,000 (including all funds sent to or received from any source through a financial account or accounts in which the entity, or an affiliate of the entity, maintains an interest); and

(V) that does not otherwise hold any kind or type of assets, including an ownership interest in any corporation, limited liability company, or other similar entity

Although the intent of Congress was likely to exempt companies that had been in business at one point but had been dormant for at least a year, what they came up with is literally the definition of a US shelf company. But what happens when that shelf company is taken off the shelf and purchased by someone? It appears from the definition in (xxiii)(IV) that it is no longer a shelf company: it has “experienced a change in ownership” and no longer qualifies as a dormant company that is exempt from providing beneficial ownership information.

The Act contemplates that a change in beneficial ownership will trigger a reporting requirement. Subsection 5336(b), “Beneficial Ownership Information Reporting”, provides in part:

(D) UPDATED REPORTING FOR CHANGES IN BENEFICIAL OWNERSHIP.—In accordance with regulations prescribed by the Secretary of the Treasury, a reporting company shall, in a timely manner, and not later than 1 year after the date on which there is a change with respect to any information described in paragraph (2), submit to FinCEN a report that updates the information relating to the change.

Based on the explicit wording of section 5336(b)(D), only reporting companies need to submit a report to FinCEN when there is a change in beneficial ownership. A shelf company (a subsection xxiii dormant company) is not a reporting company, but a shelf company that is taken off the shelf and purchased that, because of that change in ownership, becomes a reporting company and could be a front company to disguise nefarious activity. It is no longer excluded from the definition of “reporting company” and would have register its beneficial owners. But updated reporting for changes in beneficial ownership only apply to reporting companies that have a change in ownership, not to non-reporting companies that become reporting companies because of a change in ownership.

Phew. It’s complicated. Can shelf companies that become front companies avoid the beneficial ownership information disclosure laws? Perhaps the regulations that will soon be written can address what could be a loophole.  Better language might be:

(D) UPDATED REPORTING FOR CHANGES IN BENEFICIAL OWNERSHIP.—In accordance with regulations prescribed by the Secretary of the Treasury, a reporting company or any entity created by or registered to do business in a State or Indian Tribe that becomes a reporting company, shall, in a timely manner, and not later than 1 year after the date on which there is a change with respect to any information described in paragraph (2), submit to FinCEN a report that updates the information relating to the change.

For more on the AML Act of 2020 and the Corporate Transparency Act, see https://regtechconsulting.net/beneficial-ownership-customer-due-diligence/the-corporate-transparency-act-of-2020-the-good-the-bad-and-the-ugly/

[1] This is a play on a heading “Shell, Front, and Shelf” in an article “Follow the Proliferation Money” by Professor Moyara Ruehsen and Leonard Spector, published in the Bulletin of the Atomic Scientists 2015, Vol. 71(5) 51–58 (September 2, 2015). The article provides an excellent description of the differences between shell companies, shelf companies, and front companies. As referenced in the body, the joint FATF/Egmont paper, “Concealment of Beneficial Ownership”, offers perhaps the best descriptions and examples of shell, shelf, and front companies and how they are used to conceal true beneficial ownership and to disguise illicit activity. I highly recommend it.

[2] House Congressional Record from December 8, 2020 CREC-2020-12-08-pt1-PgH6919-3.pdf (congress.gov) at pages H6932-6933. See Appendix A for the full transcript.

Measuring Illicit Financial Flows – Getting Closer to a True Estimate of Global Money Laundering

Over $1 trillion is laundered globally every year, and less than one per cent is seized.

Where do these numbers come from? Are they accurate? Even if they’re not accurate, can they be useful, if used responsibly?

I first asked, and answered, these questions in an article published on September 7, 2018, UNODC Report 2011 – The Estimate for Global Money Launderinge-estimate-for-global-money-laundering/.

The first question can be answered simply: both of those numbers come from the same United Nations Office of Drug Control report issued in October 2011 titled “Estimating illicit financial flows resulting from drug trafficking and other transnational organized crimes.” The report is available at https://www.unodc.org/documents/data-and-analysis/Studies/Illicit_financial_flows_2011_web.pdf.

As to the second question: are the numbers accurate? The authors warn in the preface of the report that “the final monetary estimates are to be treated with caution. Further research and more systematic collection of data on this topic are clearly required.” And the various estimates of total criminal proceeds, criminal proceeds available for laundering, and transnational criminal organization proceeds laundered through the financial system, are all given in broad ranges. And the estimate of the amount seized by law enforcement – “less than one per cent” – is both accurate and inaccurate: the report actually provides that “globally, it appears that much less than 1% (probably around 0.2%) of the proceeds of crime laundered via the financial system are seized and frozen”. So yes, 0.2% is “less than 1%”, but it isn’t an impressive number either way.

As to the third question: even if they’re not accurate, can they be useful, if used responsibly? In my opinion, yes. Whether the amount laundered through the global financial system is $1,000,000,000,000 or $2,000,000,000,000 ($1 trillion or $2 trillion), the problem is enormous and must be addressed.

In an article titled Proceeds of Crime and GDP – Are We Comparing Apples to Oranges published on January 8, 2020, I noted that the 2015 National Money Laundering Risk Assessment estimated that the total amount of criminal proceeds generated in the United States was approximately $300 billion, or 2% of gross domestic produce (GDP). That report provided:

“United Nations Office on Drugs and Crime (UNODC) estimated proceeds from all forms of financial crime in the United States, excluding tax evasion, was $300 billion in 2010, or about two percent of the U.S. economy. [Footnote: United Nations Office on Drugs and Crime, Estimating Illicit Financial Flows Resulting From Drug Trafficking and other Transnational Organized Crimes, October 2011.] This is comparable to U.S. estimates. UNODC estimates illicit drug sales were $64 billion, which the DEA believes is a reasonable current estimate, putting the proceeds for all other forms of financial crime in the United States at $236 billion, most of which is attributable to fraud.” (citations omitted)

The figures of $300 billion in 2010 and two percent of the US economy are the midpoints of estimates based on a 2004 report. The UNODC report provided:

“… the criminal income in 2010 (excluding tax evasion) may have amounted to some US$350 bn in the world’s largest national economy [the United States]. This would probably be the upper limit estimate. A lower limit estimate – assuming that the nominal increases found over the 1990-2000 period continued unchanged over the 2000-2010 period, would result in an estimate of around US$235 bn for the year 2010 or 1.6% of GDP. A mid-point estimate would show criminal income of some US$300 bn (rounded) or 2% of GDP for 2010. (UNODC Report, page 20).”

I concluded that a critical review of the UNODC report, and the reports that it relies on, suggested that these estimates needed to updated. And, as the title of the article suggests, I questioned whether using GDP as a way to measure money laundering was even appropriate.

A recent report by the UNODC may go a long way to answering many of these questions and addressing many of these concerns.

Measuring Illicit Financial Flows – A Conceptual Framework

The United Nations Office on Drugs and Crime, or UNODC – the same organization that published the original 2011 estimate for global money laundering – teamed up with the United Nations Conference on Trade and Development, or UNCTAD, to develop a methodology to statistically measure illicit financial flows. The result of a three+ year effort was a report published on October 15, 2020 titled Conceptual Framework for the Statistical Measurement of Illicit Financial Flows. The effort and report were part of the United Nations’ 2030 Agenda for Sustainable Development. That Agenda had a number of goals or targets, and as the report provides, a critical component of meeting those goals or targets is combating illicit financial flows, or IFFs. In fact, one of the targets was Target 16.4: “by 2030, significantly reduce illicit financial and arms flows, strengthen the recovery and return of stolen assets and combat all forms of organized crime.”

The report defined “illicit financial flows” as “financial flows that are illicit in origin, transfer or use, that reflect an exchange of value and that cross country borders.” IFFs therefore have four features:

  1. Illicit in origin, transfer or use: a flow of value is considered illicit if it is illicitly generated (e.g., it originates from criminal activities or tax evasion), if it is illicitly transferred (e.g., violating a country’s currency controls), or if it is illicitly used (e.g., for financing terrorism);
  2. Exchange of value – not only financial transfers but an exchange of goods or services;
  3. Flow of value over time; and
  4. Flows that cross a border – including assets physically crossing a border, and the ownership of an asset changing from a person or entity in one country to a person or entity in another country.

In July 2017 the UN General Assembly developed a framework to monitor progress toward meeting those sustainable development goals or targets. The framework, or Indicator Framework as it is called, for Target 16.4 is “Indicator 16.4.1: Total value of inward and outward Illicit Financial Flows”.

As of July 2017 “there was no universal agreement on what should be included within the scope of illicit financial flows or how the component parts should be measured.”

This is a key admission. In addition, this October 2020 UNODC report on global illicit financial flows does not reference the October 2011 UNODC report on the global estimate of money laundering. The 2020 report provides that “this document reflects the results of international work on the statistical definition of illicit financial flows and concepts to enable their measurement.”

Illegal Activities Generating Illicit Financial Flows

The definitions for the the illegal activities generating IFFs come from the International Classification of Crime for Statistical Purposes, or ICCS. The ICCS groups these illegal activities into four categories: for each of these four types of illegal activities, IFFs emerge at two different stages: (i) at illicit income generation, and (ii) at illicit income management.

  1. Tax and commercial activities
  2. Illegal markets
  3. Corruption
  4. Exploitation-type activities and financing of crime and terrorism

Conclusion

The 2011 UNODC Report provides that “tracking the flows of illicit funds generated by drug trafficking and organized crime and analysing the magnitude and the extent to which these are laundered through the world’s financial systems remain daunting tasks … As with all such reports, however, the final monetary estimates are to be treated with caution. Further research and more systematic collection of data on this topic are clearly required.”

It appears that further research and more systematic collection of data on this topic has been provided with the UNODC’s conceptual framework for the statistical measurement of illicit financial flows. We are one step closer to a true estimate of global money laundering.

314(b) Information Sharing – a Valuable, but Underutilized Tool

The AML Act of 2020 doesn’t directly change the voluntary information sharing provisions set out in section 314(b) of the USA PATRIOT Act or 31 CFR section 1010.540, but there are provisions in the AML Act that could be used to actively encourage more financial institutions to share information.

On December 10, 2020, FinCEN Director Ken Blanco delivered prepared remarks at the American Bankers Association/American Bar Association Financial Crimes Compliance Conference. Blanco ABA Remarks 12-10-20. Director  Blanco’s remarks were wide-ranging, from COVID-19 frauds to cybercrime to business e-mail compromises. He opened his remarks, though, with a lengthy discussion of the private sector voluntary information sharing program under section 314(b) of the USA PATRIOT Act. At a very high level, section 314(b) allows two or more financial institutions and any association of financial institutions, on a voluntary basis and after giving notice to FinCEN of their participation in the 314(b) program, to share information with one another regarding individuals, entities, organizations, and countries suspected of possible terrorist or money laundering activities for the purposes of identifying and reporting activities that may involve terrorist acts or money laundering activities. Since the passage of the Patriot Act in October 2001, and the publication of the final rules for information sharing in September 2002 (those rules are now at 31 CFR 1010.540), there have been a number of guidance documents, fact sheets, and administrative rulings that have sought to clarify some of the aspects of 314(b), such as the form of an association, whether 314(b) provides a safe harbor for sharing information related to fraud or other underlying criminal activities, and what type of customer information can be shared.

Director Blanco’s prepared remarks coincided with the release of a revised FinCEN 314(b) Fact Sheet (Director Blanco called it “important guidance that FinCEN is issuing today which represents much needed clarity regarding how financial institutions may fully utilize FinCEN’s 314(b) information sharing program.”). That guidance, the 314(b) Fact Sheet rescinded three 314(b)-related documents: June 16, 2009 guidance (FIN-2009-G002), a July 25, 2012 administrative ruling, and a November 2016 314(b) Fact Sheet.

(Note: the Fact Sheet is “guidance” and not a regulation or rule, so it does not have the force and effect of law or regulation, and does not bind FinCEN nor any of the Federal functional regulators.)

The main themes of this new 314(b) Fact Sheet are as follows:

  1. Financial institutions may share under Section 314(b) information relating to activities that they suspect may involve possible terrorist financing or money laundering.  This includes, but is not limited to, information about activities they suspect involve the proceeds of a specified unlawful activity (SUA).  Importantly, our guidance clarifies that:
    • Financial institutions do not need to have specific information that these activities directly relate to proceeds of an SUA, or to have identified specific proceeds of an SUA being laundered.
    • Financial institutions do not need to have made a conclusive determination that the activity is suspicious.
    • Financial institutions may share information about activities as described, even if such activities do not constitute a “transaction.”  This includes, for example, an attempted transaction, or an attempt to induce others to engage in a transaction.  This clarification is significant and addresses some uncertainty with sharing incidents involving possible fraud, cybercrime, and other predicate offenses when financial institutions suspect those offenses may involve terrorist acts or money laundering activities.
    • In addition, the guidance notes that there is no limitation under Section 314(b) on the sharing of personally identifiable information, or the type or medium of information that can be shared (to include sharing information verbally).
  1. An entity that is not itself a financial institution may form and operate an association of financial institutions whose members can use 314(b).  Notably, this includes compliance service providers; and
  1. An unincorporated association of financial institutions, governed by a contract between its financial institutions’ members, may engage in information sharing under Section 314(b).

Director Blanco also stated that “information sharing among financial institutions through 314(b) is critical to identifying, reporting, and preventing crime and bad acts.  It is an important part of how we protect our national security.  It can also help financial institutions enhance compliance with their AML/CFT requirements.”

How widely used is the 314(b) voluntary information sharing regime? And how critical is it in identifying, reporting, and preventing crime and bad acts?

The data suggests that 314(b) is not widely used and may not be as critical to identifying and reporting crime and bad acts. That data is from two main reports: (i) an April 2020 FinCEN 314(b) Infographic that provides information on financial institutions participating in the 314(b) program, the number of SAR narratives referencing 314(b), and the number of financial institutions filing SARs referencing 314(b); and (ii) a May 26, 2020 FinCEN notice regarding the costs and burden of filing SARs, described in detail in my June 2, 2020 article, Costs & Burdens of Filing SARs.

Very Few Financial Institutions Participate in the Voluntary 314(b) Information Sharing Program

The April 2020 Infographic provides that over 7,000 financial institutions (actually, 7,199) are participating in the 314(b) program. But what the Infographic doesn’t show is the percentage of financial institutions that are participating. For that comparison, we can turn to the Costs & Burdens article, which gives us two figures for each of the eleven types of financial institutions that have mandatory SAR filing requirements. The first is the total number of each category of institution (if known), the second is the number of each category that filed SARs in 2019.

Looking first at the participation in the SAR filing, FinCEN reported in its May 26, 2020 Notice that 12,148 financial institutions filed SARs in 2019. Using either FinCEN data (from other publications) or various industry sources, there are approximately 58,540 financial institutions in the eleven categories of financial institutions that have BSA program and mandatory SAR filing requirements. As can be seen here, overall about 21% of the regulated financial institutions are filing SARs, ranging from 2% of insurance companies to 78% of banks and credit unions.

The FinCEN Infographic shows that 7,199 financial institutions are participating in the voluntary 314(b) information sharing program. The chart shows that is an overall participation rate of 12.3%, or one of every eight regulated financial institutions is participating, ranging from about 2% for MSBs to over 40% for bank and credit unions and broker dealers.

Why is the 314(b) participation rate so low?

There are a number of reasons. First, the vast majority of financial institutions in the United States are very small, have few customers, and file very few SARs. Their resources are already stretched thin complying with the mandatory requirements of a BSA/AML program: risk assessments, establishing and documenting policies and procedures, keeping the required records, monitoring for unusual activity and investigating and reporting suspicious activity, managing audits and exams, etc. So participation in – and spending resources on – a purely voluntary program such as 314(b) is often not commercially and practically feasible. Also, many smaller institutions complain that most 314(b) requests they send to larger institutions are ignored. And the Federal functional regulators have been reluctant to criticize a financial institution for not participating in a voluntary program but can criticize a participating institution for any failures in doing so. As a result, many institutions simply decide to save themselves from regulatory issues by not participating in an otherwise valuable program. Finally, the process of sending and receiving information is manual and inefficient and as a result can impact your SAR filing obligations: Bank A may request certain information from Bank B in order to gain information needed to complete a SAR. Bank A must complete its review of whether activity is suspicious or not within a reasonable period of time, then, once a determination is made that the activity is in fact suspicious, it has 30 days to file a SAR. Often, Bank B doesn’t respond in a timely manner, and Bank A spends valuable investigative time trying to cajole Bank B to respond. This back-and-forth, often to no avail, creates a level of complexity that not many financial institutions want to deal with. So they don’t participate in the 314(b) program at all. In fact, the April 2020 Infographic refers to situations where the SAR filer sent a 314(b) request: “The SAR filer sent a 314(b) request to another financial institution in support of an investigation into suspicious activity. Either the information received was used to further its investigation, ultimately contributing to the filing of the SAR, or the receiving financial institution was unresponsive and the sending financial institution filed a SAR based on their own assessment of the activity.”

(Note: Verafin has an automated 314(b) program that automates the communications and facilitates cross-institutional collaboration on cases. See https://verafin.com/product/314b-information-sharing/)

The Number of SARs Referencing 314(b) is Increasing, But the Percentage of Total SARs Remains Very Low

The April 2020 Infographic included some data on the number of SARs that reference 314(b) in the narrative for 2017, 2018, and 2019. That is the top row (in yellow) on the chart below. The Infographic also included some data on the number of financial institutions that filed SARs referencing 314(b) in the narrative: that is the first row in the green section of the chart below.

I have added the other data. The total number of SARs filed in those three years is taken from the FinCEN SAR Stats site: FinCEN SAR Stats. As can be seen from the yellow section of the chart, less than 1 percent of SARs reference 314(b). Arguably, many institutions are utilizing 314(b) but may not refer to it in the SAR narrative. Even if that was the case, and twice as many investigations that led to SARs utilized 314(b), that would still mean that less than 2 percent of all SARs came from investigations involving information shared between financial institutions.

The Infographic also mentioned that “the number of SARs indicating terrorist financing and referencing 314(b) has remained consistent during this three-year period.” So I included FinCEN SAR Stats and we can see, from the blue section of the chart, that about 2.7 percent of all SARs indicating terrorist financing also indicated that the institution utilized the voluntary 314(b) information sharing.

Finally, the Infographic provided that “the number of financial institutions filing SARs referencing 314(b) in the narrative has steadily increased during the past three years, with an increase of 19.7% in 2019”, and it included a chart showing the number of institutions (the top row in the green section). I used the May 26, 2020 FinCEN notice that had 12,148 institutions filing SARs in 2019, then assumed that the number was the same in 2017 and 2018. Even ignoring those two years, the 2019 numbers show that about 10 percent of financial institutions that did file a SAR in 2019, filed a SAR that referenced 314(b).

Encouraging Information Sharing – the AML Act of 2020 is a Good Start

If enacted into law, the Anti-Money Laundering Act of 2020 (AMLA2020), Division F of the National Defense Authorization Act of Fiscal Year 2021, will usher in the biggest changes to the American – and by extension, global – AML/CFT regime since the Patriot Act of 2001. And although information sharing is a feature of the AML Act, section 314(b) is not directly impacted.

Section 6002 of the AML Act describes the six purposes of the Act.  The first is “to improve coordination and information sharing among the agencies tasked with administering anti-money laundering and countering the financing of terrorism requirements, the agencies that examine financial institutions for compliance with those requirements, Federal law enforcement agencies, national security agencies, the intelligence community, and financial institutions”.

Section 6101 of the AML Act greatly expands the “purpose” section (section 5311) of the BSA from a single purpose – requiring records and reports where they have a high degree of usefulness to government authorities – to five purposes, including to “establish appropriate frameworks for information sharing among financial institutions, their agents and service providers, their regulatory authorities, associations of financial institutions, the Department of the Treasury, and law enforcement authorities to identify, stop, and apprehend money launderers and those who finance terrorists”.

And section 6214 encourages information sharing and Public-Private Partnerships, and requires the Secretary to convene a supervisory team of agencies, private sector experts, etc., to examine strategies to increase such cooperation.

Reforming the Voluntary 314(b) Private Sector Information Sharing Program

This supervisory team will likely come up with many strategies to increase information sharing. I would start with what may be a bold idea: make 314(b) information sharing mandatory for the largest banks operating in the United States. The Financial Stability Board (FSB) has identified the 2020 list of thirty global systemically important banks (G-SIBs): 314(b) could be amended to make participation mandatory for the G-SIBs and to call for a study of the effective of the mandatory use after two years, and 31 CFR 1010.540 could be revised to require those G-SIBs to demonstrate active participation, both sending requests to other G-SIBs and responding to requests from other G-SIBs. Since the G-SIBs account for most SARs filed (a list of the G-SIBs is available at https://www.fsb.org/wp-content/uploads/P111120.pdf and it includes JPMorgan, Bank of America, Citigroup, Wells Fargo, Goldman Sachs, Morgan Stanley, and Toronto Dominion, among others), this approach could result in greater participation and use by the voluntary users.

Although the Exam Manual provides that “section 314(b) encourages financial institutions and associations of financial institutions located in the United States to share information …” (page 95), section 314(b) does not, in fact, provide that: there is nothing in the section that provides encouragement. And the Exam Manual’s exam procedures for 314(b) do not encourage participation. I would revise 31 CFR 1010.540 and the BSA/AML Exam Manual to actively encourage 314(b) information sharing.

A Better Approach – Combining Sections 314(a) and 314(b) for a True Public-Private Partnership to Fight Financial Crime

In an article posted February 16, 2019 I discussed how a 314(b) association of financial institutions can work directly with law enforcement through the 314(a) public to private sector sharing provisions. Richards on Public-Private Sector Sharing. That article provided, in part:

In Congressional testimony earlier this year, a witness testified that “of the roughly one million SARs filed annually by depository institutions (banks and credit unions), approximately half are filed by only four banks.” What if FinCEN and these four largest financial institutions worked together to share information? And what if they did that with tools already in the anti-money laundering (AML) toolbox?

Here’s how. Remember the language we emphasized above in Section 314(b)? Financial institutions and any association of financial institutions? An “association” can be a tremendously powerful tool when coupled with Section 314(a). Richards describes a scenario where these largest FIs get together to form an information sharing association under 314(b), which not only allows them to share certain information but provides legal protections when doing so, and then the association can work proactively with FinCEN and law enforcement to receive and send names of known targets under 314(a).

“I see this as the wave of the future,” Richards explained. “Otherwise, each individual FI is limited in what it can see and more importantly, what it can understand.” More importantly, he said, it allows FinCEN and FIs to take existing tools and use them “in a more efficient way to solve big problems like human trafficking, contraband smuggling, the opioid crisis, the fentanyl crisis, and other societal problems.”

“Information sharing associations shouldn’t be limited to the biggest FIs, although Greg Baer’s testimony about the largest four FIs, out of about 12,000 in the US, filing 60% of SARs illustrates how powerful such an association could be,” Richards noted. “This association approach, even with smaller institutions, allows law enforcement to target the worst offenders and allow those FIs to better identify those targets and share information between themselves and with the government. “I think it is really positive,” he added, “but it will only work if the regulatory agencies are fully on board and encourage FIs to participate. If there is no regulatory upside for financial institutions, even the best-intentioned of them will think twice before participating in what is otherwise the right thing to do for our communities and country.”

The financial crimes software company Verafin is the technology behind a formal 314(b) association, The Consortium LLC, made up of the five largest US banks and the US branches of two of the largest UK banks (see notices published in the Federal Register on August 9, 2018 for Standard Chartered (83 FR 39440) and on October 5, 2018 for HSBC (83 FR 50371) “to engage de novo through a newly formed entity, The Consortium, LLC, in data processing activities”. Through a formal process pursuant to and in compliance with 314(a), The Consortium members receive the names of entities that a federal law enforcement agency has identified as being engaged in, or is reasonably suspected based on credible evidence of engaging in, terrorist activity or money laundering.

The multiplier effect of a 314(b) association of institutions working together is quite remarkable. To illustrate, assume the FBI submitted 10 names of known targets to FinCEN, which then forwarded those names to each of the seven Consortium member institutions. Those seven then each review their records to determine whether they maintain or have maintained accounts for, or have engaged in transactions with, any of those 10 entities. Those accounts may have related parties, and the transactions will have sending or receiving parties. And each member may have filed SARs on some or all of the entities. Assume that each member identifies an additional 5 “suspects”.

The results – now 10 targets and 35 new suspects – are then shared between the members of The Consortium (again, as a 314(b) association of financial institutions) and, using the Verafin technology, the members can then conduct a joint investigation. This joint investigation may reveal another 15 suspects. The Consortium shares these 60 names with the FBI and FinCEN, which may have identified 10 of the suspects but not linked them to the original case, or may not have known about the other 40 “new” suspects.

The ultimate output is individual SARs filed by the individual member institutions (a joint SAR or joint SARs remain legally impractical) supported by a joint intelligence memo for law enforcement.

Conclusion

One of the main purposes of the AML Act of 2020 is to improve coordination and information sharing among and between the public sector and private sector. In order to do that, the voluntary sharing of information between financial institutions – created by section 314(b) of the USA PATRIOT Act and administered by regulations set out in 31 CFR section 1010.540 – should become mandatory for the largest financial institutions (the thirty global systemically important banks, or G-SIBs) and should be actively encouraged by FinCEN and the Federal functional regulators. And associations of financial institutions, like The Consortium, LLC, should also be encouraged to be formed and work with the public sector to share information and perform cross-institutional, collaborative investigations and reports.

AML Act of 2020: Renewing America’s AML/CFT Regime

Executive Summary of the AML Act of 2020

On December 3, 2020 the Senate and House jointly issued a Conference Report on the National Defense Authorization Act for Fiscal Year 2021 (the “NDAA”). The Conference Report is 4,517 pages long.[1] The NDAA contains eight divisions – Division F is the Anti-Money Laundering Act of 2020 (the “AML Act of 2020”). The House passed the NDAA on December 8th with a vote of 335-78 (out of 435 Members): the Senate passed the NDAA on December 11th with a vote of 84-13 (out of 100 Senators). The NDAA will be headed to the President’s desk, where he can sign it into law or veto it. If vetoed, both chambers have veto-proof majorities (two-thirds) and can over-ride the veto, if they choose to exercise those powers.

If signed by the President, or Congress over-rides a Presidential veto, the AML Act of 2020 will usher in the most profound changes to the U.S. anti-money laundering regime since the USA PATRIOT Act of 2001.[2] As described in more detail below, the AML Act of 2020 broadens the mission or purpose of the Bank Secrecy Act (“BSA”) to include national security; formalizes the risk-based approach for financial institutions’ compliance programs; greatly expands the duties, powers, and functions of FinCEN; aligns the regulatory agencies’ supervision and examination priorities with the expanded purposes of the BSA; increases civil and criminal penalties for violations of the BSA; calls for multiple studies and reports; and establishes a beneficial ownership information reporting regime. The result is that the US is moving from a US-focused, regulator-versus-regulated, compliance-focused regime to a global, public/private partnership focused on fighting all financial crimes.

Of note is what is not in the AML Act that should be there. What is not in the AML Act are any references to, or changes to, the laws that give duties and powers to the Federal functional regulators. What we call the Bank Secrecy Act is actually three different laws, or parts of the US Code: 12 USC s. 1829b (“retention of records by insured depository institutions”), 12 USC Part 21 (“financial recordkeeping”, sections 1951-1959), and 31 USC subchapter II (“ records and reports on monetary instruments and transactions”, sections 5311-5314, 5316-5322). As explained in the following section, title 12 is “Banks & Banking” and includes the laws relating to the Federal functional regulators, and title 31 is “Money & Finance” and includes the laws relating to Treasury and FinCEN. The AML Act changes the title 31 laws (and regulations) but not the title 12 laws (and regulations) that collectively make up the BSA.[3] It remains to be seen how the title 12 regulators will be impacted, and how willing they will be to being impacted, by the title 31 changes.

Finally, whatever the impacts of the AML Act will be may not be fully realized for years. For example, the USA PATRIOT Act, which included Title III, the International Counter-Money Laundering and Anti-Terrorist Financing Act of 2001, was passed in October 2001; regulations implementing the Act were issued in 2002 and 2003; and regulatory guidance, in the form of the first FFIEC BSA/AML Exam Manual, wasn’t published until April 2005 (and that Manual was revised in 2006, 2007, 2010, and 2014 to reflect changing regulatory guidance). We can expect something similar with the AML Act of 2020: it calls for multiple studies and reports to Congress over the next two years; regulations will need to be issued over the next year to three years; the Exam Manual will need to be revised; regulators will need to be trained; and regulatory guidance will evolve.

I was pleased to see that many of the things I’ve been calling for over the years have been included in the AML Act. Most notably are the provisions relating to – even requiring – the public sector consumers of BSA reports to provide feedback to the private sector producers of BSA reports. My most recent article on what I’ve called “TSV SARs” or Tactical or Strategic Value SARs, is from October 1, 2020: Reforming the AML Regime Through TSV SARs

Background on the US Code, Code of Federal Regulations, and Regulatory Guidance

For those not familiar with how US laws and regulations work, a short primer is in order.

The Conference Report and AML Act of 2020 contain references to the United States Code (“USC”), the Code of Federal Regulations (“CFR”), and regulatory guidance such as the FFIEC BSA/AML Examination Manual.

Legislation, or laws, are set out in the United States Code, the codification by subject matter of the general and permanent laws of the United States. The U.S. Code is divided by broad subjects into 53 titles and published by the Office of the Law Revision Counsel of the U.S. House of Representatives.[4] The first six titles set out the laws relating to the functioning of the government generally. Titles 7 through 50 are alphabetical: title 7 is Agriculture, title 50 is War & National Defense. The main titles relating to anti-money laundering (AML) and countering the financing of terrorism (CFT) are:

  • Title 12 Banks & Banking – laws relating to the Federal financial regulatory agencies such as the Federal Reserve, FDIC, OCC
  • Title 18 Crimes & Criminal Procedure – criminal laws such as structuring and operating an unlicensed money transmitter
  • Title 26 – Internal Revenue Code – tax-related crimes and some BSA-related forms such as the Form 8300 (reporting cash received by a trade or business)
  • Title 31 Money & Finance – the Bank Secrecy Act is part of title 31: subchapter II, sections 5311 – 5322. The AML Act of 2020 adds sections 5333-5336 to subchapter II
  • Title 50 War & National Defense – U.S. sanctions laws administered by OFAC are in this title.[5]

Laws are described by the title and the section: 31 USC s. 5311, for example, is the “purpose” section of the laws known as the BSA that are codified in title 31.

Where laws generally describe “what” Congress has enacted, how those laws are implemented and enforced are set out in regulations issued by the appropriate executive branch agency or department, such as the Treasury Department and the Federal financial regulators. Regulations are set out in the Code of Federal Regulations. The OCC’s regulations are set out in Part 21 of title 12 of the Code ofFederal Regulations – 12 CFR Part 21 – while FinCEN’s regulations are set out in Part X of title 31 of the Code of Federal Regulations – 31 CFR Part X.[6]

Regulations provide the “how” and follow the “what of the law: an example of laws and corresponding regulations is 31 USC s. 5318(h), the law that requires all financial institutions to have AML/CFT programs, and its implementing regulation at 31 CFR s. 1020.200, the general program requirements for banks.

All of the Federal functional regulators and FinCEN issue what is called “supervisory guidance” to set out their expectations or priorities. For AML and CFT purposes, this supervisory guidance has been collected and compiled by the Federal Financial Institutions Examination Council, or FFIEC, into an examination manual that includes their collective guidance to their examiners on AML and CFT laws, regulations, and expectations. It is available at https://bsaaml.ffiec.gov. Although this guidance does not create enforceable requirements – those requirements are in the laws and regulations – the guidance does shape how financial institutions design, build, maintain, and update their programs, and how auditors and examiners test and examine those programs.

Explanation of this Summary of the AML Act of 2020

As set out above, the Conference Report for the NDAA is over 4,500 pages long. The AML Act of 2020, Division F of the NDAA, is at pages 2,843 – 3,078 (it is 235 pages long). The AML Act of 2020 is made up of 56 sections in five titles.[7] Sections 6001-6003 set out the title of the act, its purposes, and definitions of key terms. Following those three introductory sections are the five titles:

  • Title LXI – Strengthening Treasury Financial Intelligence, Anti-Money Laundering, and Countering the Financing of Terrorism Programs (sections 6101-6112)
  • Title LXII – Modernizing the Anti-Money Laundering and Countering the Financing of Terrorism System (sections 6201-6216)
  • Title LXIII – Improving Anti-Money Laundering and Countering the Financing of Terrorism Communication, Oversight, and Processes (sections 6301-6314)
  • Title LXIV – Establishing Beneficial Ownership Information Reporting Requirements (sections 6401-6403)
  • Title LXV – Miscellaneous (sections 6501-6511)

Scattered throughout many of the titles and sections are changes to particular aspects of, or themes of, the current AML/CFT regime. This summary, therefore, is arranged by those aspects or themes rather than going through the fifty-six sections and five titles in order. Text appearing in red font indicates a change or addition to language in laws or regulations: the intent is for the reader to see what has been added (or, in one case, taken away) from existing laws or regulations.

This is by no means a complete review, assessment, analysis, and commentary on the AML Act of 2020. However, I trust it is a good primer for those interested in contributing to the discussion around, and efforts to promote, a more effective, efficient, courageous, compassionate, and inclusive public and private sector effort at mitigating and, to the extent possible, eliminating money laundering ,terrorist financing, and other financial crimes.

Purposes of the Anti-Money Laundering Act of 2020

Section 6202 of the AML Act describes the purposes of the Act.  The full text of this section is set out below:

  • to improve coordination and information sharing among the agencies tasked with administering anti-money laundering and countering the financing of terrorism requirements, the agencies that examine financial institutions for compliance with those requirements, Federal law enforcement agencies, national security agencies, the intelligence community, and financial institutions;
  • to modernize anti-money laundering and countering the financing of terrorism laws to adapt the government and private sector response to new and emerging threats;
  • to encourage technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and the financing of terrorism;
  • to reinforce that the anti-money laundering and countering the financing of terrorism policies, procedures, and controls of financial institutions shall be risk-based;
  • to establish uniform beneficial ownership in formation reporting requirements to (A) improve transparency for national security, intelligence, and law enforcement agencies and financial institutions concerning corporate structures and insight into the flow of illicit funds through those structures; (B) discourage the use of shell corporations as a tool to disguise and move illicit funds; (C) assist national security, intelligence, and law enforcement agencies with the pursuit of crimes; and (D) protect the national security of the United States; and
  • to establish a secure, nonpublic database at FinCEN for beneficial ownership information.

The Conference Report (at page 4,456 of the 4,517-page report) included some interesting language on the purposes of the Act:

“One overarching improvement now included in the conference agreement is to broaden the mission of the BSA to specifically safeguard national security as well as the more traditional investigatory pursuits of law enforcement … Currently, there is no clear statutory mandate for BSA stakeholders – law enforcement, financial regulators, and financial institutions – to provide routine, standardized feedback to one another for the purpose of improving the effectiveness of BSA AML programs … [and there is a] clear mandate for innovation.”

Changes to the Purpose of the Bank Secrecy Act – 31 USC s. 5311

The additions to the “purpose” section of the BSA may be the single biggest change to the current AML/CFT regime. As set out below, section 5311 of title 31 is the declaration of purpose. From 1970 through 2001, that purpose was simply “to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations, or proceedings.” The USA PATRIOT Act of 2001 added a clause relating to international terrorism: the amended section provided that the purpose was “to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations, or proceedings, or intelligence or counterintelligence activities, including analysis, to protect against international terrorism.”

As can be seen below, the original (post-2001) purpose has been changed in three ways. First, changing reports “where they have a high degree of usefulness” to reports “that are highly useful”. [8] Second, those reports are now to be used in regulatory risk assessments. And third, it appears that BSA reports are intended for all terrorism purposes, not just international terrorism (domestic and international). The new section 5311 declaration adds four new purposes: strong private sector programs, tracking dirty money, conduct national risk assessments to protect the financial system and national security generally, and to encourage public private sector information sharing. And note the language in subsection (5) where “service providers” has been added, a recognition of the growing regtech/fintech industry. The Declaration of Purpose now provides that:

It is the purpose of this subchapter (except section 5315) to –

  1. require certain reports or records where they have a high degree of usefulness that are highly useful in – (A) criminal, tax, or regulatory investigations, risk assessments, or proceedings; or (B) intelligence or counterintelligence activities, including analysis, to protect against international terrorism;
  2. prevent the laundering of money and the financing of terrorism through the establishment by financial institutions of reasonably designed risk based programs to combat money laundering and the financing of terrorism;
  3. facilitate the tracking of money that has been sourced through criminal activity or is intended to promote criminal or terrorist activity;
  4. assess the money laundering, terrorism finance, tax evasion, and fraud risks to financial institutions, products, or services to – (A) protect the financial system of the United States from criminal abuse; and (B) safeguard the national security of the United States; and
  5. establish appropriate frameworks for information sharing among financial institutions, their agents and service providers, their regulatory authorities, associations of financial institutions, the Department of the Treasury, and law enforcement authorities to identify, stop, and apprehend money launderers and those who finance terrorists.

Changes to the AML/CFT Program Requirements – 31 USC s. 5318(h)

Section 5318 of title 31 is the catch-all “compliance” section of the BSA. In addition to the SAR reporting requirements in subsection 5318(g), and the Customer Identification Program requirements in subsection 5318(l), this section has the requirements for financial institutions’ AML/CFT programs in subsection 5318(h).

Subsection (h)(1) is the so-called “four pillars” or minimum requirements of a program: “In order to guard against money laundering through financial institutions, each financial institution shall establish anti-money laundering programs, including, at a minimum –

(A) the development of internal policies, procedures, and controls;

(B) the designation of a compliance officer;

(C) an ongoing employee training program; and

(D) an independent audit function to test programs.

Subsection (h)(1) is changed to reflect the CFT aspects of the regime. It now requires financial institutions to “establish AML and countering the financing of terrorism programs in order to guard against money laundering and the financing of terrorism”. The minimum standards, or “four pillars”, did not change.

Perhaps this was a lost opportunity to reconcile the four pillar program requirements in 31 USC s. 5318(h) with the five pillar program requirements in 31 CFR s. 1010.210 and with the four pillar program requirements in 12 CFR s. 21.21.[9]

Subsection (h)(2) gives the Treasury Secretary the power to prescribe rules (regulations) for the AML program standards. This subsection is dramatically altered with the addition of factors that the Secretary shall take into consideration. And a new subsection, (h)(4), is added that sets out a new requirement that the Government shall establish national priorities, updated every four years, that need to be incorporated into institutions’ AML/CFT programs and, notably, how those national priorities are incorporated will be examined by the regulatory agencies:

(h)(2)(B) – Factors that the Secretary shall take into account when prescribing minimum standards and regulators shall take into account in supervising and examining: (i) financial institutions are spending private funds for public and private benefit; (ii) key policy goals of the US are extending financial services to the underbanked and facilitating global remittances while preventing criminals from abusing the system; (iii) effective AML and CFT programs safeguard national security and generate public benefit; (iv) AML and CFT programs should be (I) “reasonably designed to assure and monitor compliance with the requirements of this subchapter and regulations promulgated under this subchapter; and (II) risk-based, including that more attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.”

(h)(4) – Priorities: (A) within 180 days the Government shall establish AML And CFT priorities; (B) those priorities will be renewed every 4 years; (C) these priorities will be aligned with national security priorities; (D) FinCEN will promulgate regulations within 180 days of (A); (E) financial institutions shall incorporate those priorities into their AML/CFT programs and will be supervised and examined thereon.

Changes to FinCEN’s Duties, Powers, and Scope – 31 USC s. 310

Part 3 of title 31 sets out the organization, function, powers, and duties of the Treasury Department generally, and each of the bureaus or divisions within the Treasury Department. Section 310 of Part 3 is the section for the Financial Crimes Enforcement Network, or FinCEN.

As can be seen below, the duties and powers of the FinCEN director set out in section 310(b) have been greatly expanded. The current subsection has nine duties – (A) through (I) – and a catch-all (J). That catch-all has been moved down to (O) as five new duties and powers have been added – (J) through (N):

(A) Provide advice and make recommendations to the Under Secretary for Enforcement

(B) Maintain a government-wide database of BSA reports

(C) Analyze and disseminate intel from that database

(D) Maintain a communications center for law enforcement

(E) Furnish research, analytical, and informational services to the private and public sectors

(F) Assist law enforcement and regulators in combatting informal value transfer systems

(G) Support the tracking of foreign assets

(H) Coordinate with foreign FIUs

(I) Administer the requirements of the BSA

(J) Promulgate regulations to implement the exam and supervision priorities of BSA/AML programs

(K) Communicate regularly with the private sector, regulators, and law enforcement to explain the Government’s AML/CFT exam and supervision priorities

(L) Give and receive feedback to and from the private sector and State bank and credit union supervisors

(M) Maintain money laundering and terrorist financing experts to support federal civil and criminal investigations

(N) Maintain emerging technology experts

(O) Such other duties and powers as the Secretary may delegate

Subsection 310(c) on FinCEN’s requirements relating to maintenance and use of its data banks, did not change. However, the AML Act added seven new subsections that greatly expand FinCEN’s purpose, reach, authority, and staffing/budget:

  • 310(d) – FinCEN Exchange (added by s. 6103, which (i) codifies in the statute the Exchange that FinCEN established two years ago; and (ii) requires FinCEN to report to Congress on the effectiveness of the Exchange within one year then once every two years for five years)
  • 310(e) – Special hiring authority for terrorism and intel (added by s. 6105, this gives both FinCEN and its parent agency, the Office of Terrorism and Financial Intelligence, or OTFI, the ability to makes certain hires without going through the usual federal government steps. Like section 6305, FinCEN and OTFI must report to Congress within a year)
  • 310(f) – adds at least 6 FinCEN Domestic Liaisons (added by s. 6107)
  • 310(g) – adds Chief of Domestic Liaison (added by s. 6107, which creates a Deputy Director of Domestic Liaison reporting to the FinCEN Director, with an Office of Domestic Liaison located in Washington DC. The six Domestic Liaisons will report regionally, and can be co-located with Federal Reserve offices, as needed. Same requirements to report to Congress.)
  • 310(h) – adds at least 6 Foreign FIU Liaisons (added by s. 6108, these positions will be similar to Treasury attaches and will work with Egmont and FATF)
  • 310(i) – FOIA protection of information shared with international FIUs (added by s. 6109)
  • 310(j) – requires analytical experts for FinCEN’s “Analytical Hub” (added by s. 6304)
  • 310(l) – Appropriation for FY2021 of $136 million, adding $10 million by s. 6509

In addition to the changes set out in 31 USC s. 310, the AML Act added some general provisions. Section 6203(a) of the AML Act provides that FinCEN shall solicit feedback from a cross section of BSA Officers on their financial institution’s SARs and trends observed by FinCEN, and FinCEN will provide that information to the institution’s regulator. Section 6203(b) of the AML Act requires that FinCEN shall periodically disclose to each financial institution, in summary form, information on SARs filed that proved useful to law enforcement and to DOJ. And section 6208 creates a new position of BSA Innovation Officer reporting directly to Director of FinCEN (similar positions for the Federal functional regulators).

Other Changes to the Bank Secrecy Act – 31 USC Subchapter II, ss. 5311 – 5322

31 USC s. 5321 Civil Penalties – section 6309 adds new subsection 31 USC 5321(f) and provides for enhanced or additional penalties for repeat offenders of 3x the profit gained or loss avoided as a result of the violation or 2x the maximum penalty. Section 6310 adds new subsection 31 USC 5321(g) and bans those who have committed “egregious violations”, defined as criminal convictions where the maximum sentence is more than one year and civil violations where the individual willfully committed the violation and the violation facilitated money laundering or terrorist financing, from serving on a financial institution board for ten years.

Section 6312 adds subsection 31 USC s. 5322(e) to the criminal penalties section. It requires the return of any profit gained by reason of the criminal violation and, if the offender was a partner, director, officer, or employee, they must repay the institution any bonus paid during the calendar year in which the violation occurred or the year thereafter. I expect there to be some questions raised about this subsection around why the offending institution is re-paid bonuses, and situations where directors are not paid bonuses (they rarely are).

Expanded Whistleblower Awards and Protections – 31 USC s. 5323

Section 6314 extensively altered and expanded the whistleblower section of title 31. The current section only allows for “informants” to receive rewards of between $12,500 and $150,000, and there is nothing in the section about protecting informants (whistleblowers) from retaliation. This new section increases the rewards to up to 30% of the penalty, and includes detailed provisions on protecting whistleblowers.

Modernizing the AML/CFT System Generally

Title LXII (sections 6201 – 6216) and title LXV (sections 6502 – 6508) collectively are intended to, and do, modernize the AML/CFT system.

  • 6201 – The Attorney General shall report annually on the use of BSA reports, including whether the reports contain “actionable information” that leads to further proceedings by law enforcement, intelligence community, or national security; and extent to which arrests, indictments, convictions result. Note the term “actional information”: is it different from information that provides a “high degree of usefulness” (the current language of section 5311) or is “highly useful” (the new language of section 5311)?
  • Sections 6204, 6205 call for a review of the contents, forms, and thresholds of CTRs and SARs. I have argued against raising the SAR or CTR thresholds[10]
  • Section 6209 adds 31 USC 5318(o) – a review of whether and how Model Validation applies to AML/CFT. Following that review, the new standards would be put into a regulation and incorporated in the FFIEC BSA/AML Examination Manual. This could be an impactful change: the current pedantic application of strict model validation requirements is a drain and distraction on effective financial crime programs. As I recently wrote:

Revising existing model-risk-management guidance to AML systems assumes there is existing model-risk-management guidance to AML systems. But there isn’t any such guidance. The model risk management guidance – from 2000 and revised in 2011 – was never intended to be applied against AML systems. None of the five editions of the FFIEC Exam Manual, the four after the original 2000 guidance and the one following the 2011 revision of the guidance, make any reference to the model risk management guidance. If AML systems are to be subject to strict model governance, then that governance must be set out in binding regulation subject to public review and comment. And AML systems should not be subject to the same strict model governance requirements as Value-At-Risk models, liquidity models, or even consumer lending models. Nothing has more adversely impacted the ability of large financial institutions to fight financial crime, human trafficking, kleptocracy, nuclear proliferation, etc., as the strict, pedantic, dogmatic application of model risk governance. [11]

  • Section 6213 adds 31 USC s. 5318(p), thereby codifying the October 2018 interagency statement on sharing BSA resources
  • Section 6214 encourages information sharing and Public/Private Partnerships, and requires the Secretary to convene a supervisory team of agencies, private sector experts, etc., to examine strategies to increase such cooperation.
  • Section 6215 requires the GAO to publish a de-risking analysis within one year, followed by a strategy from the Secretary one year thereafter. This section includes a definition of de-risking: “actions taken by a financial institution to terminate, fail to initiate, or restrict a business relationship with a customer, or a category of customers, rather than manage the risk associated with that relationship consistent with risk-based supervisory or regulatory requirements, due to drivers such as profitability, reputational risk, lower risk appetites of banks, regulatory burdens or unclear expectations, and sanctions regimes.”
  • Section 6216 requires a review of regulations and guidance within one year.
  • Title LXV calls for multiple GAO and Treasury studies:
    • Study on beneficial ownership information reporting requirements (section 6502 and both GAO and Treasury shall report separately within two years),
    • Study on feedback loops (section 6503 and GAO to report within eighteen months),
    • Study on CTRs (section 6504 and GAO to report no later than December 31, 2025)[12],
    • Study on trafficking networks (section 6505 and GAO to report within one year),
    • Study on trade-based money laundering (TBML) (section 6506 and Treasury to report within one year)[13],
    • Study on money laundering by China (section 6507 and Treasury to report within one year), and
    • Study on the efforts of authoritarian regimes to exploit the financial system of the US (Treasury and Justice to conduct the study within one year and report within two years).
  • Section 6305 is an assessment of (actually, it contemplates the creation of) BSA No-Action Letters. Within 180 days of the passage of the Act, the Director must report to the House Financial Services Committee and the Senate Banking Committee on (i) whether to establish a process to issue no-action letters in response to inquiries on the application of the BSA or any AML/CFT law or regulation to specific conduct, including a request for a statement as to whether FinCEN or any relevant Federal functional regulator intends to take an enforcement action against the person with respect to such conduct. This would be a major change. Since 1987 FinCEN has an “Administrative Ruling” regime, whereby a financial institution may submit an Administrative Ruling request seeking FinCEN’s interpretation of a particular BSA regulation to the facts set out in the request. FinCEN’s response, the Administrative Ruling itself, has precedential value and may be relied upon by others similarly situated only if the ruling is published on FinCEN’s website. According to a notice published in the Federal Register on December 11, 2020, FinCEN received 98 Administrative Ruling requests from 2018-2020. According to FinCEN’s website, it only published 5 of those 98 requests (so 93 of the 98 are not of value to other institutions). And it takes months, sometimes years, for FinCEN to issue these rulings. For all of these reasons, a “No Action Letter” regime may be more effective than the current Administrative Ruling regime.

Changes to the Reporting of Suspicious Transactions – 31 USC s. 5318(g)

Reporting of suspicious transactions, or Suspicious Activity Reports (SARs), is set out in subsection (g) of section 5318. The AML Act changes the SAR regime in a number of ways, including .

5318(g)(1) – gives the Secretary the ability to issue regulations to require financial institutions to report suspicious transactions.

(g)(2) – Notification Prohibited – A filing financial institution and any officer, director, or employee of a filing financial institution cannot notify or disclose to any person involved in a reported suspicious transaction that the transaction has been reported or otherwise reveal any information that would reveal that the transaction has been reported (this language was added by section 6212 and codifies what was in the regulation and regulatory guidance).

(g)(3) – Liability for disclosure of SAR

(g)(4) – Single designee for SARs (FinCEN)

(g)(5) – Establish streamlined, including automated, processes to, as appropriate, permit the filing of noncomplex categories of SARs (added by section 6202, this is similar to provisions that were in FinCEN’s September 16, 2020 Advance Notice of Proposed Rulemaking)

(g)(6) – FinCEN shall share threat pattern and trend information at least semiannually to provide meaningful information about the preparation, use, and value of BSA reports. It shall include typologies, including data that can be adapted in algorithms, if appropriate on emerging money laundering and terrorist financing threat patterns and trends (added by s. 6206, this appears to compel FinCEN to go back to its semi-annual SAR Activity Reports, which were discontinued in 2013)

(g)(7) – Rules of construction (added by s. 6206)

(g)(8) – Pilot program within one year to allow a US financial institution to share SAR-related information with its foreign branches and affiliates (added by s. 6212, this would close an anomaly in the law and regulation, where foreign banks operating in the United States could share SAR information with their home-country head office, but US banks could not share SAR information with their foreign branches and affiliates. There was an exception: prohibited jurisdictions are China and Russia, any state sponsor of terrorism, any jurisdiction subject to sanctions, and any jurisdiction determined by the Secretary that cannot reasonably protect the security and confidentiality of such information).

New Sections Have Been Added to the BSA (subchapter II of Title 31)

  1. 5333 – Safe harbor for “Keep Open Directives” (added by s. 6306, this section would require law enforcement to notify FinCEN of any “keep open request” made of a financial institution to keep an account “or transaction” open. Financial institutions are not required to comply)
  2. 5334 – Required annual training for Federal financial regulators’ examiners (added by s. 6307, one would have assumed that examiners would be required to be trained on the regulatory requirements they are examining. This new section requires annual training, and the training is to be done in consultation with FinCEN and all levels of law enforcement – federal, state, tribal, and local.)
  3. 5335 – Penalties for concealing PEPs’ source of funds (added by s. 6313, this new section applies to PEPs or Senior Foreign Political Figures where the aggregate value of monetary transactions is not less than $1 million and the transaction(s) affect(s) interstate or foreign commerce. It provides that no person shall knowingly conceal, falsify, or misrepresent, ot attempt to do so, a material fact concerning the ownership or control of assets involved in a monetary transactions. And, if the transaction(s) involve(s) an entity found to be of primary money laundering concern under section 5318A, the same person cannot conceal the source of funds. This section will be complex to administer.)
  4. 5336 – Beneficial Ownership Information Reporting requirements (added by s. 6403 – see below)

Two New BSAAG Subcommittees

Section 1564 of the Annunzio-Wylie AML Act of 1992 created the BSA Advisory Group (BSAAG). The AML Act of 2020 adds two subcommittees: the Subcommittee on Innovation and Technology added by s. 6207 (adding subsection 1564(d)) and the Subcommittee on Information Security & Confidentiality added by s. 6302 (adding subsection 1564(e)). Both subcommittees have a five-year “sunset” clause, or terminate in five years, unless the Secretary renews them for as many one-year terms as the Secretary chooses. The mandate of the Subcommittee on Innovation and Technology is to study and make recommendations on how to “most effectively encourage and support technological innovation [and reduce] obstacles to innovation that may arise from existing regulations, guidance, and examination practices.” This subcommittee will also include the BSA Innovation Officers authorized by section 6208.

New Beneficial Ownership Information Reporting Requirements

The New Requirements

Title LXIV – sections 6401-6403 adds 31 USC s. 5336

Section 6402 is the “Sense of Congress” section. That section provides, in part, that the beneficial ownership information “will be directly available only to authorized government authorities” and the database is intended to be “highly useful to national security, intelligence, and law enforcement agencies and Federal functional regulators”. There is no mention of making the information directly available to financial information or even having it benefit financial institutions. As seen from Congressman McHenry’s comments (see Appendix A), that was the intent: the registry is quite limited.

Under the AML Act:

  • Beneficial Owner is defined as an individual who directly or indirectly exercises substantial control or owns or controls not less than 25%.
  • Reporting Company is defined as not including companies with more than 20 FTE, more than $5 million in gross revenues, and with an operating presence in the United States.
  • Existing companies have two years to report. New companies shall report at the time of formation. Changes in beneficial ownership must be reported within a year.
  • Financial institutions can only query the database about a company with the consent of that company. The existing beneficial ownership rule of May 11, 2016 will be brought into conformance with this section within a year.

Why were the beneficial ownership registry provisions watered down so much? The answer to that question could be found in comments made by Congressman Patrick McHenry, (R. NC 10). His floor comments from December 8, 2020, as captured in the House Congressional Record, are included in Appendix A. His comments bear particular weight, as Congressman McHenry is the Ranking Member on the House Financial Services Committee.

The Impact on the Current Beneficial Ownership Rule

Congressman McHenry commented that this new reporting rule “rescinds the current beneficial ownership reporting regime set out in 31 CFR 1010.230 (b)–(j), which is costly and burdensome to small businesses.” However, it may not be as cut-and-dried as he states. The section that Rep. McHenry is referring to is 6403(d). That section provides:

Section 6403(d) REVISED DUE DILIGENCE RULEMAKING.

(1) IN GENERAL. – Not later than 1 year after the effective date of the regulations promulgated under section 5336(b)(4) of title 31, United States Code, as added by subsection (a) of this section, the Secretary of the Treasury shall revise the final rule entitled “Customer Due Diligence Requirements for Financial Institutions” (81 Fed. Reg. 29397 (May 11, 2016)) to –

(A) bring the rule into conformance with this division and the amendments made by this division;

(B) account for the access of financial institutions to beneficial ownership information filed by reporting companies under section 5336, and provided in the form and manner prescribed by the Secretary, in order to confirm the beneficial ownership information provided directly to the financial institutions to facilitate the compliance of those financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law; and

(C) reduce any burdens on financial institutions and legal entity customers that are, in light of the enactment of this division and the amendments made by this division, unnecessary or duplicative.

(2) CONFORMANCE.

(A) IN GENERAL. – In carrying out paragraph (1), the Secretary of the Treasury shall rescind paragraphs (b) through (j) of section 1010.230 of title 31, Code of Federal Regulations upon the effective date of the revised rule promulgated under this subsection.

(B) RULE OF CONSTRUCTION. – Nothing in this section may be construed to authorize the Secretary of the Treasury to repeal the requirement that financial institutions identify and verify beneficial owners of legal entity customers under section 1010.230(a) of title 31, Code of Federal Regulations.

(3) CONSIDERATIONS. – In fulfilling the requirements under this subsection, the Secretary of the Treasury shall consider—

(A) the use of risk-based principles for requiring reports of beneficial ownership information;

(B) the degree of reliance by financial institutions on information provided by FinCEN for purposes of obtaining and updating beneficial ownership information;

(C) strategies to improve the accuracy, completeness, and timeliness of the beneficial ownership information reported to the Secretary; and

(D) any other matter that the Secretary determines is appropriate.

The result of this is that the Secretary shall rescind the current beneficial ownership rule but can replace it with a rule that is similar, if not identical to the current beneficial ownership rule. The current beneficial ownership rule provides financial institutions with more information on more legal entities sooner and requires them to use that information for not only onboarding due diligence, including customer risk rating, but ongoing due diligence (investigations of potential suspicious activity). It also gives financial institutions immediate access to existing legal entities’ beneficial ownership information where those entities open new accounts. This new beneficial ownership information registration requirement only includes the smallest legal entities, existing legal entities have two years to provide their owners’ information, and, most importantly, financial institutions have limited access to the registry as they need their customer’s approval to access the customer’s information. The differences between the existing rule and new law are recognized in subsection (B), which directs the Secretary to “account for the access of financial institutions to beneficial ownership information filed by reporting companies under section 5336 … in order to confirm the beneficial ownership information provided directly to the financial institutions to facilitate the compliance of those financial institutions with” AML, CFT, and CDD requirements.

Division H – Other Matters, Title XCVII, Subtitles A, B

  • Subtitle A – Kleptocracy Asset Recovery Rewards Act
  • Subtitle B – Combating Russian Money Laundering Act

Appendix A – Corporate Transparency Act – Congressional Comments

House Congressional Record from December 8, 2020 CREC-2020-12-08-pt1-PgH6919-3.pdf (congress.gov) at pages H6932-6933 (bold red font has been added for emphasis, and the footnote has been added from the original text):

Mr. MCHENRY. Mr. Speaker, I rise in support of the conference report to the National Defense Authorization Act for fiscal year 2021. Combating illicit finance and targeting bad actors is a nonpartisan issue. However, Congress’ actions must be thoughtful and data driven. An example of this is H.R. 2514, the COUNTER Act, which is included in this conference report. Division G is a compilation of bipartisan policies that will modernize and reform the Bank Secrecy Act and anti-money laundering regimes. These policies will strengthen the Department of Treasury’s financial intelligence, anti-money laundering, and counter terrorism programs.

I would like to thank Chairman CLEAVER and Ranking Member STIVERS for their work on this bill and the language included in Division G. In addition to Division G, the conference report contains an amendment replacing the text of H.R. 2513, the Corporate Transparency Act, with new legislation. H.R. 2513, which passed the House on October 22, 2019, and again as an amendment to H.R. 6395 on July 21, 2020, attempted to establish a new beneficial ownership information reporting regime to assist law enforcement in tracking down terrorists and other bad actors who finance terrorism and illicit activities. But, it did so to the detriment of America’s small businesses.

Beneficial ownership information is the personally identifiable information (PII) on a company’s beneficial owners. This information is currently collected and held by financial institutions prior to a company gaining access to our financial system.

However, bad actors and nation states, such as China and Russia, are becoming more proficient in using our financial system to support illicit activity. As bad actors become more sophisticated, so to must our tools to deter and catch them. One such tool is identifying the beneficial owners of shell companies, which are used as fronts to launder money and finance terrorism or other illicit activity. Beneficial ownership information assists law enforcement to better target these bad actors.

Although well-intentioned, H.R. 2513 had numerous deficiencies in its reporting regime. First, H.R. 2513 placed numerous reporting and costly reporting requirements on small businesses. It lacked protections to properly protect small businesses’ personal information stored with a little-known government office within the Department of Treasury—known as FinCEN. The bill authorized access to this sensitive information without any limitation on who could access the information and when it could be accessed. Finally, it failed to hold FinCEN accountable for its actions.

The text of H.R. 2513 is replaced with new language that I negotiated, along with Senate Banking Committee Chairman CRAPO. This substitute, which is reflected in Division F of the conference report, is a significant improvement over the House-passed bill in three key areas.

First, Division F limits the burdens on small businesses. Unlike H.R. 2513, the language included in the conference report protects our nation’s small businesses. It prevents duplicative, burdensome, and costly reporting requirements for beneficial ownership data from being imposed in two ways. It rescinds the current beneficial ownership reporting regime set out in 31 CFR 1010.230 (b)–(j), which is costly and burdensome to small businesses. Rescinding these provisions ensures that it cannot be used in a future rule to impose another duplicative, reporting regime on America’s small businesses. In addition, Division F requires the Department of Treasury to minimize the burdens the new reporting regime will have on small businesses, including eliminating any duplicative requirements.

House Republicans ensured the directive to minimize burdens on small businesses is fulfilled. Division F directs the Secretary of the Treasury to report to the House Committee on Financial Services and the Senate Committee on Banking annually for the first three years after the new rule is promulgated. The report must assess: the effectiveness of the new rule; the steps the Department of Treasury took to minimize the reporting burdens on reporting entities, including eliminating duplicative reporting requirements, and the accuracy of the new rule in targeting bad actors. The Department of Treasury is also required to identify the alternate procedures and standards that were considered and rejected in developing its new reporting regime. This report will help the Committees understand the effectiveness of the new rule in identifying and prosecuting bad actors. Moreover, it will give the Committees the data needed to understand whether the reporting threshold is sufficient or should be revised.

Second, Division F includes the strongest privacy and disclosure protections for America’s small businesses as it relates to the collection, maintenance, and disclosure of beneficial ownership information. The new protections set out in Division F ensure that small business beneficial ownership information will be protected just like an individual’s tax return information. The protections in Division F mirror or exceed the protections set out in 26 U.S.C. 6103, including:

  1. Agency Head Certification. Division F requires an agency head or designee to certify that an investigation or law enforcement, national security or intelligence activity is authorized and necessitates access to the database. Designees may only be identified through a process that mirrors the process followed by the Department of Treasury for those designations set out in 26 U.S.C. 6103.
  2. Semi-annual Certification of Protocols. Division F requires an Agency head to make a semi-annual certification to the Secretary of the Treasury that the protocols for accessing small business ownership data ensure maximum protection of this critically important information. This requirement is non-delegable.
  3. Court authorization of State, Local and Tribal law enforcement requests. Division F requires state, local and tribal law enforcement officials to obtain a court authorization from the court system in the local jurisdiction. Obtaining a court authorization is the first of two steps state, local and tribal governments must take prior to accessing the database. Separately, state, local and tribal law enforcement agencies must comply with the protocols and safeguards established by the Department of Treasury.
  4. Limited Disclosure of Beneficial Ownership Information. Division F prohibits the Secretary of Treasury from disclosing the requested beneficial ownership information to anyone other than a law enforcement or national security official who is directly engaged in the investigation.
  5. System of Records. Division F requires any requesting agency to establish and maintain a system of records to store beneficial ownership information provided directly by the Secretary of the Treasury.
  6. Penalties for Unauthorized Disclosure. Division F prohibits unauthorized disclosures. Specifically, the agreement reiterates that a violation of appropriate protocols, including unauthorized disclosure or use, is subject to criminal and civil penalties (up to five years in prison and $250,000 fine).

Third, Division F contains the necessary transparency, accountability and oversight provisions to ensure that the Department of Treasury promulgates and implements the new beneficial ownership reporting regime as intended by Congress. Specifically, Division F requires each requesting agency to establish and maintain a permanent, auditable system of records describing: each request, how the information is used, and how the beneficial ownership information is secured. It requires requesting agencies to furnish a report to the Department of Treasury describing the procedures in place to ensure the confidentiality of the beneficial ownership information provided directly by the Secretary of the Treasury.

Separately, Division F requires two additional audits. First, it directs the Secretary of Treasury to conduct an annual audit to determine whether beneficial ownership information is being collected, stored and used as intended by Congress. Separately, Division F directs the Government Accountability Office to conduct an audit for five years to ensure that the Department of Treasury and requesting agencies are using the beneficial ownership information as set out in Division F. This is the same audit that GAO conducts as it relates to the Department of Treasury’s collection, maintenance and protection of tax return information. This information will ensure that Congress has independent data on the efficacy of the reporting regime and whether confidentiality is being maintained.

Division F also requires the Department of Treasury to issue an annual report on the total number of court authorized requests received by the Secretary to access the database. The report must detail the total number of court authorized requests approved and rejected and a summary justifying the action. This report to Congress will ensure the Department of Treasury does not misuse its authority to either approve or reject court authorized requests.

Finally, Division F requires the Director of FinCEN, who is responsible for implementing this reporting regime, to testify annually for five years. This testimony is critical. For far too long FinCEN has evaded any type of congressional check on its activities. Yet, it has amassed a great deal of authority. Now, Congress will shine a light on its operations. It is my expectation that FinCEN will provide Congress with hard data on its effectiveness in targeting bad actors, including the effectiveness of this new authority to collect, maintain, and use beneficial ownership information.

One final comment about the importance of FinCEN’s annual testimony. In the months leading up to the House’s consideration of H.R. 2513 last October, I sought data from FinCEN and from the Treasury Department, along with the Department of Justice, to better understand the need for this legislation. No such data was forthcoming. Rather, FinCEN gave anecdotes of very scary stories to justify the need for a new reporting regime. It is my expectation that FinCEN will provide Congress with the necessary data to justify this new reporting regime and the burdens it is placing on legitimate companies. I will conclude by thanking Chairwoman MALONEY for her work over the last twelve years on this issue and her willingness to work with me to strengthen this bill. I believe we have a better product. I urge my colleagues to support the conference agreement.

Endnotes

[1] https://docs.house.gov/billsthisweek/20201207/CRPT-116hrpt617.pdf

[2] The NDAA has broad, bipartisan support in both the House and the Senate. If the President vetoes the bill, as he has threatened to do, Congress can override the veto with a two-thirds super-majority vote in both chambers. More than two-thirds of the members of each chamber voted in favor of that chamber’s version of the bill. The Conference Report is the agreed-upon reconciliation of the two versions.

[3] See footnote 7 for an example of this anomaly of changing the title 31 laws and regulations but not the corresponding title 12 laws and regulations.

[4] US laws are available at https://uscode.house.gov

[5] In an article I published on October 28, 2019, I referred to the sometimes conflicting nature of these titles as “the clash of the titles”. See The Current BSA/AML Regime is a Classic Fixer-Upper … and Here’s Seven Things to Fix – RegTech Consulting, LLC

[6] Regulations are available at https://www.govinfo.gov/app/collection/cfr/2020

[7] There are also two titles in Division H (“Other Matters”) that also impact financial crimes, specifically kleptocracy and Russian money laundering. Those are described below.

[8] Records and reports that have a “high degree of usefulness” were also referenced in the two parts of title 12 – 12 USC s. 1829b and 12 USC Part 21, sections 1951-1959 – that, with 31 USC sections 5311-5314, 5316-5332, make up the Bank Secrecy Act. The AML Act is changing “high degree of usefulness” to “highly useful” in title 31, but not in title 12. That may be an oversight.

[9] In addition, Congress could have, but chose not to treat the Customer Identification Program, or CIP requirements, as a new fifth (or sixth) pillar or minimum standard. Subsection 5318(i) is the “customer identification program” section. It requires financial institutions to identify and verify accountholders, and for the Secretary to implement regulations for the minimum standards in doing so. The regulations set out whether and to what extent the eleven different types of financial institutions are to implement a formal customer identification program (for banks, broker dealers, mutual funds, and futures commission merchants in 31 CFR 1020, 1023, 1024, and 1026, respectively), or to implement some form of customer verification as part of their overall AML program (for casinos, MSBs, insurance companies, loan or finance companies, and government supervised entities in 31 CFR 1021, 1022, 1025, 1029, and 1030, respectively). Two of the eleven types of financial institutions, dealers in precious metals and credit card system operators, do not have to identify or verify the identity of customers. The result is that most financial institutions must have both an AML program and a Customer Identification Program: Congress had the opportunity to consolidate these two programs into one overall program but chose not to. It was a lost opportunity to further streamline the regulatory regime.

[10] See FinCEN Files – Reforming AML Regimes Through TSV SARs (Tactical or Strategic Value Suspicious Activity Reports) – RegTech Consulting, LLC

[11] FinCEN’s Proposed AML Program Effectiveness Rule – Comments of RegTech Consulting LLC – RegTech Consulting, LLC

[12] This was an interesting timeline: a GAO study on the effectiveness of the CTR regime, the utility of CTRs, and an analysis of the effects of raising the reporting threshold must begin no later than January 1, 2025 – four years from the passage of the AML Act! – and must be reported no later than December 31, 2025.

[13] Section 6506 is the only “study and report” section that specifically provides that (in this case) the GAO can contract out the study.

Don’t Blame FinCEN – Congress Has Left it Underfunded for Years

In the last five years, FinCEN’s workload has gone up three times as much as its budget: if we care about preventing terrorist financing, human trafficking, and public corruption, Congress must fund our nation’s financial intelligence unit.

FinCEN is a bureau in the U.S. Department of the Treasury. The Director of FinCEN reports to the Under Secretary for Terrorism and Financial Intelligence (TFI). In carrying out its mission, FinCEN has numerous statutory areas of responsibility:

  1. Developing and issuing regulations under the Bank Secrecy Act (BSA);
  2. Enforcing compliance with the BSA in partnership with law enforcement and other regulatory partners;
  3. Serving as the U.S. Financial Intelligence Unit (FIU) and maintaining a network of information sharing with FIUs in 164 partner countries;
  4. Receiving millions of new financial reports each year;
  5. Securing and maintaining a database of over 300 million reports;
  6. Analyzing and disseminating financial intelligence to federal, state, and local law enforcement, federal and state regulators, foreign FIUs, and industry; and
  7. Bringing together the disparate interests of law enforcement, FIUs, regulatory partners, and industry.

What is FinCEN’s mission? According to its most recent Congressional budget justification and annual performance plan and report (Fiscal Year 2021) submitted earlier this year (see https://home.treasury.gov/system/files/266/12.-FinCEN-FY-2021-CJ.pdf), FinCEN’s mission statement is “to safeguard the financial system from illicit use, combat money laundering, and promote national security through the strategic use of financial authorities and the collection, analysis, and dissemination of financial intelligence.”

FinCEN has a daunting and important mission – to safeguard the financial system – and Congress has placed upon FinCEN many critical responsibilities in safeguarding the financial system, everything from developing and enforcing the regulations for tens of thousands of private sector entities, receiving millions of reports (actually, more than 20 million) intended to provide a high degree of usefulness to government authorities, safeguarding those reports, and analyzing those reports and getting information back to over 6,700 federal, state, local, and tribal law enforcement agencies (according to an FBI/DOJ notice published in the Federal Register on June 30, 2020).

With this daunting mission, and millions of reports to collect and analyze, tens of thousands of private sector entities to regulate, and thousands of law enforcement agencies to support, FinCEN must be a massive agency with an impressive budget.

Let’s take a look.

The first thing that should jump out at you, and will be a surprise to most people, is how small FinCEN is: less than 300 people and a budget that is eclipsed by many global banks’ financial crimes risk management departments. That aside, and clipped directly from the FY2021 budget request, this table shows FinCEN’s resource levels – people and budget – for six fiscal years and its requested resource levels for 2021. (FinCEN’s fiscal year – the federal government’s fiscal year – runs from October 1 to September 30). This table also shows FinCEN’s “workload output/activity”, or at least three measurable parts of its overall workload: (1) the total number of BSA reports filed each fiscal year, (2) the total number of Suspicious Activity Reports (SARs) each year (a subset of the total number of BSA reports), and (3) the number of people (generally law enforcement) who use, or access, FinCEN’s BSA database. What is not measured and shown here is the other work or output or activities FinCEN is responsible for (developing and enforcing BSA regulations and analyzing BSA reports and getting information back to law enforcement, for example).

A quick glance at this table suggests that the workload is going up: SARs have gone from just over 2 million in FY2015 to an estimated 3 million in FY2021; the total number of BSA reports continues to go up; and the number of BSA users has gone from 10,166 in FY2015 to an estimated 13,589 in FY2021.

Have FinCEN’s resources kept pace with its workload?

This is an important question. The recent “FinCEN Files” release by Buzzfeed News and the International Consortium of Investigative Journalists (ICIJ) has caste a very negative spotlight on some large global banks as being the reason for, or the facilitators of, financial crime and corruption. Those stories have resulted in calls to reform what the media and others are calling a broken, ineffective, and inefficient regime. Although the journalists haven’t focused on FinCEN, it too has been receiving some unwarranted attention. Questions are being asked: banks and other financial institutions are reporting all this suspicious activity, so what is FinCEN doing about it?

FinCEN’s resources are not keeping pace with its workload.

I reformatted FinCEN’s budget numbers in order to better compare the annual resource numbers with the workload numbers. Given the FinCEN Files focus on Suspicious Activity Reports (SARs), I’ve highlighted those:

What appears obvious from this is that the number of SARs has gone up about three times as fast as FinCEN’s resources: SARs are up almost 35% in five years, but FinCEN’s staffing has gone up just 9% and its overall budget has gone up just 12.5%. FinCEN’s resources aren’t keeping pace with its workload.

FinCEN has received more than 2 million SARs in each of the last six years … or has it?

This is not a criticism of FinCEN. But when I saw those numbers in the budget request, I paused. FinCEN has a “SAR Stats” feature that allows the public to access FinCEN’s data on the number of SARs filed, by what type of filers, when, for what kind of suspicious activity, etc. It’s a great resource, and I use it a lot, and didn’t recall seeing more than 2 million SARs as far back as 2015. So I went back into the SAR Stats page …

… and I exported the total number of SARs filed, by month, for the entire period of available data – January 2014 through August 2020. Here’s what FinCEN provided (reformatted):

These are the actual numbers exported from the FinCEN website (with the exception of September 2020, which isn’t yet available: I estimated the number of SARs filed for that one month). At first glance one can see that not all six fiscal years had more than 2 million filed SARs. So I put the two sets of data – the 2021 budget submission and the FinCEN SAR Stats – together for easier comparison:

I can’t explain the differences – there is likely a reason why the two sets of SAR data are different. But both show an increase in the number of SARs filed over the last five fiscal years that is triple the increase in FinCEN’s resources that are available to manage those SARs, analyze them, and disseminate actionable intelligence back to more than 6,000 law enforcement agencies in order to protect our financial system.

Congress must support the fight against financial crime

If Congress is serious about fighting financial crime and protecting our financial system, it must provide FinCEN with the appropriate resources. So far it has failed to do so.

A GAO Report on GTOs Reveals the Underlying Flaws In the Entire American BSA/AML Regime

The General Accountability Office, or GAO, issued a Report on August 14, 2020 titled “FinCEN Should Enhance Procedures for Implementing and Evaluating Geographic Targeting Orders”.[1] The Geographic Targeting Orders, or GTOs, subject to this report are a series of nine GTOs issued since 2016 targeting all-cash (or non-financed) purchases of residential real estate in certain areas of the country over a certain amount.

Most people will read this report for what it is – a full-fledged year-long, not-very-positive audit of FinCEN’s management of the real estate Geographic Targeting Order program. But the GTO program, and FinCEN’s management of it (which, by the way, I don’t think FinCEN got enough credit from the GAO for taking the initiative in the first place), are lesser issues than a single observation the GAO reported more than half way through (on page 22) the Report:

“Officials from five federal law enforcement agencies told us that their agencies do not systematically track the specific types of BSA reports used in investigations …”.

The GAO didn’t indicate which five federal law enforcement agencies these were, but the agencies interviewed for the Report were the DEA, FBI, ICE-HSI, IRS-CI, the DOJ’s Criminal Division, the US Attorneys Offices for the Southern District of New York and Southern District of Florida, FinCEN, and two task forces (OCDETF and El Dorado). So it’s likely that at least four of the five agencies that do not systematically track which Bank Secrecy Act or BSA reports are used in investigations are the “big four” of AML/CFT: the FBI, DEA, Homeland Security, and IRS.

Why is this important?

The entire purpose of the BSA regime is for the private sector to provide timely, actionable intelligence to law enforcement in order to protect the financial system, and society at large, from underlying criminal and terrorist activity. In the “Background” section of the Report, on page 5, the GAO explained the purpose behind the BSA:

“The BSA authorizes the Secretary of the Treasury to issue regulations requiring financial institutions to keep records and file reports the Secretary determines ‘have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.’ The Secretary also is authorized to impose AML program requirements on certain financial institutions. The authority of the Secretary to administer the BSA has been delegated to the Director of FinCEN.” [citations omitted][2]

Approximately 20 million BSA reports are filed by tens of thousands of private sector financial institutions every year: the most common are Currency Transaction Reports or CTRs (roughly 16 million) and Suspicious Activity Reports, or SARs (roughly 2.7 million). Those institutions are spending billions of dollars in running BSA programs intended to allow them to prepare and file those 20 million reports, and they face regulatory and even criminal sanctions for failing to maintain an adequate program or failing to detect and report suspicious activity or large currency transactions. And yet the primary users of those reports, the federal law enforcement agencies, “do not systematically track the specific types of BSA reports used in investigations …”.

It is time that the public sector consumers of BSA reports – primarily law enforcement agencies – provide feedback to the private sector producers of BSA reports – tens of thousands of financial institutions – on exactly which reports “have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism”. It’s not enough for the private sector to know anecdotally that the reports it is filing are generally useful to law enforcement. In this age of machine learning and artificial intelligence, financial institutions are using these tools to teach and train their monitoring, surveillance, and alerting systems that churn through millions or billions of customer, account, and transaction data, in an effort to be more effective and efficient. And all of those machine learning and artificial intelligence efforts are for naught if the private sector doesn’t have the training data needed to identify those reports that are providing tactical and/or strategic value. Training a surveillance and alerting system against the SARs that are filed is a fool’s errand if you don’t know whether that SAR has ever been looked at by law enforcement, whether it was useful, whether it provided tactical or strategic value.

Lack of Law Enforcement Feedback Is One of the Two Main Flaws in the US BSA/AML Regime: the Other is the Lack of Corporate Transparency

The United States does not have an effective beneficial ownership regime. Even the Treasury Secretary calls this a “glaring hole in our system”, and I have written about this on a number of occasions. See, for example, https://regtechconsulting.net/beneficial-ownership-customer-due-diligence/lack-of-beneficial-ownership-information-a-glaring-hole-in-our-system-says-treasury-secretary/. And this GAO Report includes a section on the lack of a true beneficial ownership regime (notwithstanding FinCEN’s 2016 rule on customer due diligence and beneficial ownership), and how a FATF-compliant beneficial ownership regime would enhance the US AML/CFT regime and be complimentary to the real estate GTO.

The other flaw, as described in this article, is lack of law enforcement feedback. I have been writing about this flaw in our system for years. See my article from November 2019 https://regtechconsulting.net/fintech-financial-crimes-and-risk-management/like-sam-loves-free-fried-chicken-law-enforcement-loves-free-suspicious-activity-reports-but-what-if-law-enforcement-had-to-earn-the-right-to-use-the-private-sector/ and my article from July 2020 https://regtechconsulting.net/aml-regulations-and-enforcement-actions/anti-money-laundering-act-of-2020-pay-to-play-arrives-and-perhaps-we-have-an-answer-to-the-whereabouts-of-section-314d/. Both of these articles reference other articles I’ve written on this subject. The July 2020 article offers some solutions.

This is not a criticism of law enforcement or the intelligence community. They simply haven’t had the means to provide feedback to the private sector. Bills, or provisions in bills, currently before Congress aim to address this issue and provide the means for the public sector to begin the process of providing feedback to the private sector. If the purpose of the multi-billion dollar anti-money laundering regime is to compel the private sector to provide law enforcement and the intelligence agencies with timely, actionable reports of cross-border flows of cash, foreign bank accounts, suspicious activity, possible terrorist financing activity, and large cash transactions, then it is incumbent on law enforcement and the intelligence agencies to provide feedback on which of those reports have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism. Without that feedback, both the private and public sector, and society at large, will fail in their collective efforts to keep our financial system safe and secure. And for law enforcement and the intelligence community to get the means to provide that feedback, it is incumbent on Congress to act and pass the necessary legislation.

We all know what needs to be done to make the BSA/AML regime more effective and more efficient. Now Congress must act.

[1] See GAO-20-546 available at https://www.gao.gov/assets/710/708115.pdf

[2] The language “high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism” is pulled directly from the purpose statement of the main “BSA” statute, 31 USC section 5311.

FinCEN’s Marijuana-Related SAR Data: By Not Including MSBs, Are We Under-Reporting Marijuana Businesses’ Access to Financial Services?

Marijuana-Related Businesses may have greater access to financial services than is being reported, even if those services aren’t being provided by banks and credit unions

The only real guidance that financial institutions can turn to when deciding whether to provide financial services to marijuana-related businesses, or MRBs, is FinCEN’s February 14, 2014 guidance, FIN-2014-G001. The actual Guidance document – FIN-2014-G001 PDF – begins with: “The Financial Crimes Enforcement Network (“FinCEN”) is issuing guidance to clarify Bank Secrecy Act (“BSA”) expectations for financial institutions seeking to provide services to marijuana-related businesses.”

The section “Providing Financial Services to Marijuana-Related Businesses” begins with “This FinCEN guidance clarifies how financial institutions can provide services to marijuana-related businesses consistent with their BSA obligations. In general, the decision to open, close, or refuse any particular account or relationship should be made by each financial institution based on a number of factors specific to that institution.” Following that is a section on seven marijuana-related business-specific customer due diligence steps a financial institution should consider in assessing the risk of providing services to a marijuana-related business. Then there is guidance on the three types of marijuana-related Suspicious Activity Reports: Marijuana Limited, Marijuana Priority, and Marijuana Termination. Finally, there are two pages of “Red Flags to Distinguish Priority SARs”.

Throughout the Guidance, the term “financial institution” is used forty-four times in seven pages. The term “money services business” or “MSB” appears once (in the PDF version of the Guidance). In the “Currency Transaction Reports and Form 8300’s” section on the last page is: “Financial institutions and other persons subject to FinCEN’s regulations must report currency transactions in connection with marijuana-related businesses the same as they would in any other context, consistent with existing regulations and with the same thresholds that apply. For example, banks and money services businesses would need to file CTRs on the receipt or withdrawal by any person of more than $10,000 in cash per day.”

So, are MSBs covered by the 2014 Guidance or not? Are MSBs “financial institutions” and subject to the Guidance?

For BSA purposes, the term “financial institution” is defined in the regulations at 31 CFR s. 1010.100 as including banks, credit unions, broker dealers, casinos, mutual funds, and money services businesses, among other entities. So one could assume that the use of that term in the Guidance indicated that all entity types would be subject to the guidance – including money services businesses, broker dealers, casinos, card clubs, etc.

Although the PDF version of the FinCEN Guidance doesn’t define “financial institution”, both the news release and the non-PDF version had a reference to the term “Financial Institution” at the end (of both) that appears to mean that for the purposes of the “Guidance to Financial Institutions on Marijuana Businesses”, “financial institutions” meant money services businesses and depository institutions.

The term “depository institution” is defined in multiple banking regulations in Title 12 of the Code of Federal Regulations. To keep it simple, and in keeping with FinCEN’s reporting practices, it means banks and credit unions. So, according to FinCEN, it has issued guidance to clarify Bank Secrecy Act (“BSA”) expectations for banks, credit unions, and money services businesses seeking to provide services to marijuana-related businesses.

Since the publication of the that guidance, FinCEN has published a quarterly “Marijuana Banking” report that provides some high level data on the number of these marijuana-related SARs that it instructed depository institutions (banks and credit unions) and money services businesses to file. As can be seen from the chart, this reporting is limited to depository institutions – banks and credit unions. FinCEN hasn’t reported any marijuana-related SARs filed by any of the other “financial institution” types – money services businesses.

If FinCEN has provided guidance that banks, credit unions, and money services businesses are required to file marijuana-related SARs, why is it only reporting on the marijuana-related SARs filed by banks and credit unions?

Without knowing for sure whether any of the 227,745 MSBs (according to a GAO report released September 26, 2019 that looked at how BSA-related information was being shared between the public sector agencies and by FinCEN: see GAO-19-582 at page 9) have identified and reported any marijuana-related suspicious activity, one can assume that some of the millions of SARs filed by those MSBs since 2nd quarter 2014 must have included marijuana-related activity. Indeed, given the complaints by the cannabis/marijuana industries about the lack of access to traditional banking services, one can assume that marijuana-related businesses are turning to money services businesses and alternative financial services providers to conduct otherwise basic financial services such as paying suppliers, paying utility providers, paying taxes and license fees, even cashing checks for employees. And, if those marijuana-related businesses were doing those transactions at money services businesses, ALL of those transactions are supposed to be reported in a marijuana SAR. According to FinCEN.

The data may bear that out. FinCEN’s SAR Statistics allow you to drill down to SARs filed by depository institutions, by MSBs, by month and year, and by location of the reported suspicious activity (state, county, even metropolitan areas). See https://www.fincen.gov/reports/sar-stats

Let’s take a look at a marijuana hot spot – the Emerald Triangle of California: Humboldt, Trinity, and Mendocino counties that (reportedly) grow much of the illegal cannabis in California and about 35% of the legal cannabis.

In calendar year 2018, across all of the United States, MSBs filed about 90 SARs for every 100 SARs filed by Depository Institutions, or DIs. But for activity that occurred in California, MSBs filed 122 SARs for every 100 SARs filed by DIs. To put it another way, for suspicious activity across the United States, MSBs filed about 90% the number of SARs as banks and credit unions, but in California MSBs filed 122% the number of SARs as did DIs.  But according to FinCEN’s “heatmap” of SARs filed by MSBs by California county, there was a hotspot up in the three “Emerald Triangle” counties. Drilling down into the actual FinCEN data, in 2018 MSBs filed 327 SARs (10,076) for every 100 SARs (3,081) filed by DIs in the three Emerald Triangle counties. There are only 235,000 people in those three counties, which is 0.6% of California’s population, yet 4.6% of MSBs’ SARs were filed on activity that occurred in those three counties.

It could be that none of those 10,076 MSB SARs filed in 2018 on activity that occurred in the Emerald Triangle counties was flagged as a marijuana-related SAR for FinCEN to identify, track, and report. But the ratio of MSB-related SARs relative to the number of bank and credit union related SARs filed on activity in the Emerald Triangle – a ratio that has held steady for the last five years at 3.5 to 1 – suggests that FinCEN’s quarterly “Marijuana Banking” report of marijuana-related SARs filed by banks and credit unions may be under-reporting marijuana-related financial activity overall.

It’s logical – and likely – that this high MSB SAR count, both relative to depository institutions and to the population of the area, indicates that MSBs are filing “Marijuana Limited” SARs on all of the activity that marijuana-related businesses are doing with them, not just the traditional suspicious activity. In other words, MSBs are complying with the FinCEN guidance, and we don’t know it. The conclusion may be that marijuana related businesses have access to more financial services than is being reported, even if those financial services aren’t being provided by banks and credit unions.

Perhaps FinCEN can tell us in the next quarterly Marijuana Banking and Money Services Business Report …

BSA/AML Compliance Programs are Important, but Providing Timely, Actionable Intelligence to Law Enforcement Should be the Goal

Eighteen months ago I called for a renewal of the original purpose of the Bank Secrecy Act: with recent changes – and more expected changes – to the FFIEC’s BSA/AML Examination Manual, I’m renewing that call.

On April 15, 2020, state and federal bank regulatory agencies, through the Federal Financial Institutions Examination Council (FFIEC), updated one of the six main sections of the FFIEC’s BSA/AML Examination Manual, the section titled “Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program.” What the regulators haven’t (yet) updated are the Introduction that precedes the newly-updated section, the core examination section on the regulatory requirements, the two expanded examination sections on products and services, and persons and entities, respectively, the expanded examination section on compliance compliance programs, and the twenty appendices.

So perhaps there’s time to influence their thinking.

The stated purpose of the Manual is to provide instructions to examiners as they assess the adequacy of a bank’s BSA/AML compliance program. But the Manual is much more than that: indeed, it could be called the “BSA/AML Program Design, Development, Testing, Auditing, and Examination” Manual. It is the proverbial Bible, Torah, and Koran for everyone involved in BSA/AML. It sets the tone, as well as expectations, for everyone involved in BSA/AML, not just examiners. What is written in the Manual is critical, because the Bank Secrecy Act, or BSA is critical: “The BSA is intended to safeguard the U.S. financial system and the financial institutions that make up that system from the abuses or financial crime, including money laundering, terrorist financing, and other illicit financial transactions.” So says the Introduction section of the Manual, at page 7.

That same Introduction section also includes this:

“Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. A sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.” (emphasis added)

Eighteen months ago, Verafin released my White Paper titled “50 Years of the Bank Secrecy Act: It’s Time to Renew the Purpose of Providing Actionable Intelligence to Law Enforcement”. The Paper is available at https://verafin.com/resource/50-years-bank-secrecy-act/. I conclude with the following:

“I, and many others, believe that providing timely and actionable intelligence to law enforcement is critical to the successful prevention of illicit activity. Of course, as outlined in the FFIEC manual, a sound BSA/AML compliance program provides the necessary foundation for providing that intelligence. With that in mind, a first step in reforming the BSA/AML regime in the United States may be changing the language of the Manual itself. I propose that the language is changed from ‘a sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions…’ to ‘providing timely and actionable intelligence to law enforcement is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions, and a sound BSA/AML compliance program provides the foundation for the ability to provide that intelligence.’ The change is subtle but important as it strengthens and focuses the very purpose of the BSA. Providing actionable, timely intelligence to law enforcement, while maintaining sound but rational programs, should be the new goal.”

I believe that a financial institution should be supervised, examined, and judged first and foremost on whether it is providing timely, actionable intelligence to law enforcement over whether the hundreds or even thousands of BSA compliance program requirements are ticked and tied and documented. Having an effective – or to use the new adjective in the just-released update – “adequate” BSA/AML compliance program is critically important, but it shouldn’t be the only defense, or even the primary defense from money laundering, terrorist financing, or other illicit financial activity.

So my suggestion to the FFIEC is this: on page 7 of the current Introduction section, replace:

“Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. A sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.

With:

“Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. Providing timely and actionable intelligence to law enforcement is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions, and a sound BSA/AML compliance program provides the foundation for the ability to provide that intelligence.”

“Money Laundering/Terrorist Financing and Other Illicit Financial Activity” – a New BSA/AML Focus?

If this is, in fact, a new standard for the assessment of U.S. financial institutions’ BSA/AML compliance programs, then I believe it is a positive development.

The April 15, 2020 revision of four of the five introductory sections of the FFIEC BSA/AML Examination Manual is 43 pages long. It begins with “Scoping and Planning” a BSA/AML examination. In the just-replaced section from the 2014 Manual, the objective of scoping and planning was to “identify the bank’s BSA/AML risks”. The new objective is to “develop an understanding of the bank’s money laundering, terrorist financing (ML/TF) and other illicit financial activity risk profile.”

In fact, the phrase “money laundering, terrorist financing and other illicit financial activity risk” or “ML/TF and other illicit financial activity risk” appears fifty-three (53) times in forty-three (43) pages in this April 2020 update.

The phrase “money laundering or terrorist financing risk” appears three (3) times in the current Manual (twice in the CDD section, once in the MSB section), but the phrase “ML/TF and other illicit financial activity” appears exactly zero (0) times in 442 pages of the 2014 BSA/AML Examination Manual.[1]

It appears, then, that the regulatory agencies have replaced the term “BSA/AML risk” and “BSA/AML risk profile” with the phrase “ML/TF risk” and “ML/TF risk profile.”

What are the practical impacts, if any, with the regulators’ shift from examining a bank’s “BSA/AML risk profile” to examining a bank’s “ML/TF risk profile”?

Without guidance from the regulators, without knowing their intent, it’s impossible to say what, if any, practical difference there is.

What the regulators haven’t yet touched is the Introduction section of the Manual, which precedes the four sections they have updated. So, the 2014 Introduction remains. Among other things, the Introduction includes some discussion of money laundering and terrorist financing. At page 7:

Money Laundering and Terrorist Financing

The BSA is intended to safeguard the U.S. financial system and the financial institutions that make up that system from the abuses of financial crime, including money laundering, terrorist financing, and other illicit financial transactions.  Money laundering and terrorist financing are financial crimes with potentially devastating social and financial effects.  From the profits of the narcotics trafficker to the assets looted from government coffers by dishonest foreign officials, criminal proceeds have the power to corrupt and ultimately destabilize communities or entire economies.  Terrorist networks are able to facilitate their activities if they have financial means and access to the financial system.  In both money laundering and terrorist financing, criminals can exploit loopholes and other weaknesses in the legitimate financial system to launder criminal proceeds, finance terrorism, or conduct other illegal activities, and, ultimately, hide the actual purpose of their activity.

Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system.  A sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.

At page 8:

Terrorist Financing

The motivation behind terrorist financing is ideological as opposed to profit-seeking, which is generally the motivation for most crimes associated with money laundering.  Terrorism is intended to intimidate a population or to compel a government or an international organization to do or abstain from doing any specific act through the threat of violence.  An effective financial infrastructure is critical to terrorist operations.  Terrorist groups develop sources of funding that are relatively mobile to ensure that funds can be used to obtain material and other logistical items needed to commit terrorist acts.  Thus, money laundering is often a vital component of terrorist financing.

It appears, then, that the 2014 Introduction remains and provides clear direction that a sound BSA/AML compliance program is critical in deterring and preventing money laundering and terrorist financing at, or through, banks and other financial institutions. And it appears also that the 2020 updates have further emphasized the importance of focusing on ML/TF and other illicit financing activity risks as this phrase doesn’t appear at all in the old/existing Manual.

In this article I will make three observations about money laundering and terrorist financing, and all three come from a Congressional hearing that occurred almost seventeen (17) years ago – a year before the first BSA/AML Examination Manual was published – that was held by the House Financial Services Subcommittee on Oversight and Investigations. That hearing was titled “Improving Financial Oversight: A Private Sector View of Anti-Money Laundering Efforts”. It was held on May 18, 2004. The hearing transcript is available at Congressional Hearing May 2004. In full disclosure, I was one of five witnesses to appear before the Sub-Committee. The others were David Aufhauser (then a Senior Counsel, Center for Strategic and International Studies and Counsel, Williams & Connolly LLP, and previously General Counsel at the Treasury Department); John Byrne, at the time the Director of Center for Regulatory Compliance, American Bankers Association; Joe Cachey, then the Vice President, Global Compliance and Chief Compliance Officer and Counsel, Western Union Financial Services; and Steve Emerson, Executive Director, The Investigative Project.

1. From an operational point of view, money laundering and terrorist financing are different problems

“From a purely operational point of view, money laundering and terrorist financing are two, very, very different problems. Traditional money laundering prevention is a transaction-focused internally sourced issue where transactions lead to relational links. Terrorist financing prevention is very different. It is a relationship-focused, externally sourced issue where relational links lead to transactions.” – written testimony of Jim Richards, Operations Executive for Global Anti-Money Laundering, Bank of America, footnote 10 on page 13.

Seventeen years later, I wish I had taken a page from the FFIEC manual and added something about “money laundering is often a vital component of terrorist financing.” But in the immediate post-9/11 environment, most of our success in finding terrorist financing or the funding of terrorist operations came from getting names or other leads from law enforcement. That said, Sub-Committee Chairwoman Sue Kelly (D. NY) asked me “[c]an you identify any particular case in which your companies worked with law enforcement to stop the flow of funds to a terrorist group or an activity of some sort?” I replied:

“Madam Chairman, off the top of my head, I can think at least two particular cases: One prior to September 11 and one after September 11. In both cases, we identified what we thought was suspicious activity. Again, we are not required to detect money laundering or terrorist financing, we are required to detect and report suspicious activity. We did that. In both cases, we felt it was significant enough that we immediately contacted law enforcement, which we are entitled and indeed perhaps required to do if it is an ongoing, serious matter. And in this case, it was the Boston U.S. Attorney’s Office, and they immediately contacted us and sought the underlying records that were the basis of our suspicious activity reports. Subsequent news events confirmed that what we had reported was indeed tied to potential terrorist financing.”

So I actually contradicted myself: we reported what we thought was money laundering or suspicious activity, and subsequent events revealed that what we had actually reported was terrorist financing or the funding of terrorist activity. The FFIEC is correct: money laundering is often a vital component of terrorist financing.

2. Money laundering and terrorist financing should not just be viewed as problems, but as symptoms of problems

“… from the perspective of a bank’s risk officer, money laundering or terrorist financing is not a problem, but a symptom of an underlying operational or control problem.  When looked at from this perspective, the risk officer is able to look at the filing of a SAR or the activity represented in the SAR as a symptom of an underlying problem with account opening procedures, document collection and verification procedures, branch AML training, or the monitoring or surveillance functions.  Looking at money laundering or terrorist financing as a symptom rather than a problem can be an effective way to focus on and eliminate or mitigate the underlying causes.” – Written testimony of Jim Richards, page 13, footnote 10.

Seventeen years later, I wish I had written “from the perspective of a bank’s risk officer, money laundering or terrorist financing is not just a problem, but also a symptom of an underlying operational or control problem …”. Obviously, money laundering is a problem. As is terrorist financing. But the important point I was trying to make is that identifying and reporting the suspicious activity – whether related to money laundering or terrorist financing, or both – is not the end-game for the reporting financial institution. It’s equally important to take those reports – to take the problems that you’ve identified and reported – and view them as symptoms of possible problems or issues with your underlying operational controls, or policies and procedures, or training, or even auditing or independent testing, and to correct those problems. Being able to prevent money laundering or terrorist financing is the ultimate goal.

I attempted to explain this notion of symptom versus problem in answering a question from Congressman Jeb Hensarling (R. TX 5th):

Mr. Hensarling. Thank you, Madam Chair. Mr. Richards, I believe in your testimony you stated that money laundering or terrorist financing is not a problem but a symptom of a problem. Could you elaborate and explain that statement?

Mr. Richards. Yes. We believe that within the context of the total issue of operating risk, that the act of filing a suspicious activity report is not the end of your duty but indeed you take the suspicious activity reports and then you go back and look at the commonalities between them to determine whether the money laundering that you have reported or suspicious activity you are reported is caused by issues relating to account opening, failure to collect the proper identification, it might be a branch training issue where you have to train the people in the branch environment, something like that.

So that rather than looking at the end game being the filing of a suspicious activity report, you look at it as just the beginning of trying to see if there is an underlying operational issue in the bank. If you address the underlying operational issue, you may resolve the suspicious activity that is occurring in your bank. So, again, if you look at it as not a problem but a symptom, you can then drill down and see what the real underlying operational problem may be.

Mr. Hensarling. Thank you.

3. Managing money laundering and terrorist financing risks can only be done with creative, committed, and courageous professionals in the public and private sectors, working together

“The success of the financial sector’s anti-money laundering and terrorist financing prevention efforts is entirely dependent on two things: First, cooperation between and coordination by all of the parties involved: the law enforcement and intelligence communities, the regulatory community, the private sector, our trade associations, such as the ABA, and others; and, second, creative, committed professionals dedicated to this task. In my experience, Madam Chairman, the American financial sector has both.” – written testimony of Jim Richards

Just as I wish I had written “money laundering or terrorist financing is not just a problem, but also a symptom …”, seventeen years later I wish I had added “courageous” to my description of the type of professional that are dedicated to fighting money laundering, terrorist financing, and other illicit financial activity.

Since my Congressional testimony in 2004, I’ve come to realize that Winston Churchill was right when it comes to courage: “Courage is the single attribute upon which all other attributes depend”.

In an article I published in December 2018 titled “Rules-Based Monitoring, Alert-to-SAR Ratios, and False Positive Rates: Are We Having the Right Conversations?”  I wrote this about the importance of courage:

“After 20+ years in the AML/CTF field – designing, building, running, tuning, and revising programs in multiple global banks – I am convinced that rules-based interaction monitoring and customer surveillance systems, running against all of the data and information available to a financial institution, managed and tuned by innovative, creative, courageous financial crimes subject matter experts, can result in an effective, efficient, proactive program that both provides timely, actionable intelligence to law enforcement and meets and exceeds all regulatory obligations. Can cloud-based, cross-institutional, machine learning-based technologies assist in those efforts? Yes! If properly deployed and if running against all of the data and information available to a financial institution, managed and tuned by innovative, creative, courageous financial crimes subject matter experts.”

And in a March 2019 article titled “Lessons Learned as a BSA Officer 1998-2018” , one of the nine lessons I described was on the importance of courage. After quoting Winston Churchill (“Courage is the single attribute upon which all other attributes depend”), I wrote:

“After the September 2001 terrorist attacks, the 9/11 Commission was set up to look at what happened, and why. In its final report issued in 2004, they concluded that the US government’s failures could be grouped into four major categories: failure of policy, failure of capabilities, failure of management, and failure of imagination. And they concluded that the “most important failure” was a lack of imagination. I believe that all four of those failures – of policy, of capabilities, of management, and of imagination – have one thing in common. A failure of courage. What do I mean by courage? Courage to speak freely – but respectfully and fairly. Courage to walk away when your principles are compromised. Courage to change. Courage to listen. Courage to compromise.”

Finally, I apparently used the word “courage” six times in a podcast I did with the esteemed Jo Ann Barefoot in April 2018, just weeks after I retired from Wells Fargo. In the show notes, Jo Ann wrote, in part, that “executing the transformation [to digitally-enabled regulation] will take imagination, vision, wisdom and even courage, which is why I invited today’s guest to join us.  He is Jim Richards, founder of the new firm, RegTech Consulting, and I think he used the word “courage” six times, in our talk.”[2]

Conclusion

I don’t believe there are any practical differences between BSA/AML risks, on the one hand, and money laundering, terrorist financing (ML/TF) and other illicit financial activity risks, on the other hand. But if there are differences, then a greater focus on managing – and being examined on how financial institutions manage – ML/TF and other illicit financial activity risks is a positive thing.

It will take cooperation between, coordination by, and the courage of all of the parties involved in the fight against money laundering and terrorist financing: the law enforcement and intelligence communities, the regulatory communities, private sector financial institutions, fintech disrupters and vendors of financial crimes systems, trade associations, and others. In my experience, the American financial sector has what it takes to effectively manage money laundering and terrorist financing and other illicit financial activity risks.

[1] In fairness, the phrase “money laundering, terrorist financing, and other illicit financial transactions” appears in the current Introduction section (page 7).

[2] https://www.jsbarefoot.com/podcasts/2018/5/14/the-courage-to-change-former-wells-fargo-bsa-officer-jim-richards

The Perfect Storm: More Alerts, Fewer Investigators, & More False Positives

The Focus Has Always Been On the Increase in Fraud

Natural disasters bring out the best in some people and the worst in others. Almost fifteen years ago, in the wake of Hurricane Katrina, the Department of Justice formed the National Center for Disaster Fraud[1] to coordinate the investigations and prosecutions of benefits, charities, and cyber-related frauds that sprang up when billions of dollars in federal disaster relief poured into the Gulf Coast region. In October 2017, after a series of hurricanes in the southeast US and Caribbean (Harvey, Irma, and Maria), and California wildfires, the Financial Crimes Enforcement Network (FinCEN) issued an “Advisory to Financial Institutions Regarding Disaster-Related Fraud” that described some of the same fraud scams and instructed firms how to identify and report that activity.

FinCEN Recognizes The Strain on Resources

On March 16, 2020, three days after the President declared a National Emergency in response to COVID-19, FinCEN issued a press release (not an Advisory) encouraging financial institutions to (1) communicate concerns related to the “coronavirus disease 2019 (COVID-19)”, and (2) to remain alert to related illicit financial activity.[2]

Specifically, FinCEN requested that financial institutions contact FinCEN and their functional regulator as soon as practicable if it “has concern about any potential delays in its ability to file required Bank Secrecy Act (BSA) reports.”

This is an important acknowledgment by FinCEN. The previous Advisory focused on the increase in fraud as a result of natural disasters. This press release adds another element: at the same time fraud is increasing, the ability of financial institutions to manage that increase is impacted because of the “shelter in place” or work from home requirements. To put it in simple terms, where a bank may have had 1,000 fraud alerts handled by 50 investigators prior to the pandemic, it may now have 2,000 alerts being handled by only 20 investigators.

The Third Issue – Your Existing Fraud Alerting Logic May Produce More False Positives

Not only will the alerting “numerator” be going up (that is the transactions that a financial institution’s rules find are anomalous) but the denominator, or the volume of and types of transactions, is also changing. Very simply, people transact differently because of the pandemic. There will be more cash withdrawals (both numbers and amounts), and more activity (transactions and interactions) will shift from in-person to mobile, online, and telephone.

Elder fraud is a good example of the impact of the pandemic. The older population is most at risk from COVID-19, and most at risk of various fraud schemes. The alerting logic a bank had programmed was based on historical data relating to, say, changes in elderly customers’ use of online and mobile channels. With the pandemic, elderly customers are using those channels more often, and those alerts will now be hitting on anomalous but now-expected activity. This new current activity will be different than the historical activity on which the bank based its alerting logic.

And all of this at a time when banks have fewer investigators able to handle the output: they’re at home and either unable to access bank systems or less efficient in doing so.

Communication is the Key

As FinCEN points out, financial institutions need to communicate with their regulators if they’re finding that their investigations teams cannot keep up with the increase in fraud cases. One aspect a bank needs to consider is whether it should – and can – move analysts and investigators from AML over to fraud and sanctions screening. Sanctions screening and fraud monitoring requires real- and near-time screening and monitoring to prevent transactions from occurring – whether those are transactions with sanctioned entities, possible Business E-mail Compromise (BEC) frauds, or other frauds. Sanctions and fraud analysts and investigators need to be able to prevent certain transactions and investigate others in real- or near-time. AML analysts and investigators do not operate in the same time-sensitive environment: as a general rule, an AML alert generated in March will involve activity that occurred in February, it will be investigated in April in order to determine whether it was “suspicious”, then a SAR will be filed in May. So part of the external and internal communications a bank will need to have will involve shifting its AML resources over to sanctions and fraud monitoring and investigations.

But more important are the communications banks need to have with their clients and customers to warn them about common disaster-related frauds, and the communications within the bank to adapt to the changes in overall customer activity. How will the changes in customer activity impact the sanctions and fraud monitoring, detection, and alerting systems?

It’s the perfect storm: more alerts, more false positives, fewer investigators.

[1] https://www.justice.gov/disaster-fraud

[2] https://www.fincen.gov/news/news-releases/financial-crimes-enforcement-network-fincen-encourages-financial-institutions