Bank Secrecy Act Update: The Financial Crimes Enforcement Network Details Its Bank Secrecy Act Enforcement Approach; Bank Regulators Provide Guidance on Their Approach to BSA Enforcement; FinCEN’s Final Rule Requiring BSA Compliance by All Financial Institutions; and Anti-Money Laundering Program Effectiveness

FINCEN STATEMENT ON BSA ENFORCEMENT APPROACH

The Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) recently provided clarity and transparency regarding its approach to the enforcement of the Bank Secrecy Act (“BSA”) against covered financial institutions.[i] On August 18, 2020, FinCEN, the primary regulator and administrator of the BSA, published its “Statement on Enforcement of the Bank Secrecy Act” (the “Enforcement Statement”).^[ii] The Enforcement Statement identifies the range of actions FinCEN could take in relation to an actual or possible violation of the BSA or any BSA regulation or order, and articulates the factors FinCEN uses to evaluate the disposition of an actual or possible violation. As FinCEN noted, the BSA requirements apply to "a wide variety of [financial] institutions, including banks, broker-dealers in securities, money services businesses, and casinos and card clubs," in addition to nonfinancial trades and businesses and individuals in limited circumstances.^[iii]

In addition, the Enforcement Statement declares FinCEN’s intent to take an enforcement action only where the action is based on FinCEN’s applicable statutes and regulations, and not solely on guidance-related documents.^[iv] This approach comports with FinCEN Direct Kenneth A. Blanco’s statement that “FinCEN is committed to being transparent about its approach to BSA enforcement. It is not a ‘gotcha’ game.”^[v] This approach stands in contrast to bank prudential regulators, which may take an action based upon noncompliance with standards of conduct that the bank regulators deem as “deficiencies.”^[vi]

As detailed in the Enforcement Statement, FinCEN has authority to take the following actions when it identifies an actual or possible violation of the BSA or any BSA regulation or order:

1. No Action;
2. Warning Letter;
3. Equitable Remedies;
4. Settlements;
5. Civil Monetary Penalties;
6. Criminal Referral.^[vii]

The Enforcement Statement notes that FinCEN “strives for proportionality, consistency, and effectiveness” in enforcing the BSA. To that end, FinCEN notes a list of ten, non-exclusive factors it will consider in any enforcement action:

1. Nature and seriousness of the violations, including the extent of possible harm to the public and the amounts involved.
2. Impact or harm of the violations on FinCEN’s mission to safeguard the financial system from illicit use, combat money laundering, and promote national security.
3. Pervasiveness of wrongdoing within an entity, including management’s complicity in, condoning or enabling of, or knowledge of the conduct underlying the violations.
4. History of similar violations, or misconduct in general, including prior criminal, civil, and regulatory enforcement actions.
5. Financial gain or other benefit resulting from, or attributable to, the violations.
6. Presence or absence of prompt, effective action to terminate the violations upon discovery, including self-initiated remedial measures.
7. Timely and voluntary disclosure of the violations to FinCEN.
8. Quality and extent of cooperation with FinCEN and other relevant agencies, including as to potential wrongdoing by its directors, officers, employees, agents, and counterparties.
9. Systemic nature of violations. Considerations include, but are not limited to, the number and extent of violations, failure rates (e.g., the number of violations out of total number of transactions), and duration of violations.
10. Whether another agency took enforcement action for related activity. FinCEN will consider the amount of any fine, penalty, forfeiture, and/or remedial action ordered.^[viii]

When faced with an actual or possible violation of the BSA or any BSA regulation or order, FinCEN will weigh the factors noted above, and any other relevant information, on a case-by-case basis, and the weight of each factor may change based upon the facts and circumstances of a case.^[ix] While FinCEN has the independent authority to assess civil money penalties under the BSA, it does not have cease and desist authority given to Federal functional regulators (as defined under 15 U.S.C. 6809 and 31 CFR 1010.100(r)).

JOINT STATEMENT FROM BANK REGULATORS ON BSA ENFORCEMENT APPROACH

The Enforcement Statement follows a joint statement (“Joint Agency Statement”) from the federal banking agencies.^[x] On August 13, 2020, the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, and Office of the Comptroller of the Currency (collectively the “Agencies” or individually, the “Agency”) issued the Joint Agency Statement updating and clarifying their 2007 guidance regarding how they evaluate enforcement actions when financial institutions violate or fail to meet BSA/AML requirements.

Noting that isolated or technical violations of these requirements generally will not result in an enforcement action, the Joint Agency Statement specifically addresses BSA/AML compliance provisions pursuant to section 8(s) of the Federal Deposit Insurance Act (“FDIA”) and section 206(q) of the Federal Credit Union Act (“FCUA”), and the circumstances under which a cease and desist order would be brought. The statement provides guidance on sections 8(s) and 206(q), which mandate that the Agencies issue cease and desist orders when financial institutions (“FIs”) fail to: (i) establish and maintain appropriate AML programs, or (ii) correct problems with their BSA/AML compliance programs previously identified by their regulators. It also addresses the circumstances under which an Agency may take other formal or informal enforcement action for additional types of BSA/AML program concerns or deficiencies, including for violations of the individual components or pillars of BSA/AML compliance programs. Notably, this statement does not address the assessment of civil money penalties for violations of the BSA or its implementing regulations.

An Agency “shall” issue a cease and desist order for failure to establish and maintain an adequate BSA/AML program. The joint statement lists three areas of such failures:

• The first is where the FI “fails to have a written BSA/AML compliance program, including a customer identification program, that adequately covers the required program components or pillars (internal controls, independent testing, designated BSA/AML personnel, and training).”^[xi] For example, an FI would be subject to a cease and desist order if (1) its system of internal controls is inadequate with respect to either a high risk part of its business or multiple lines of business that significantly impact its BSA/AML compliance program; or (2) it has deficiencies in one key component, such as testing, coupled with other issues, such as evidence of highly suspicious activity, creating a potential for significant money laundering, terrorist financing, or other illicit financial transactions at the FI.
• The second area is where the FI “fails to implement a BSA/AML compliance program that adequately covers the required program components or pillars. . . .”^[xii] For example, this would arise when an FI rapidly expands its business relationships through its foreign affiliates and businesses without: (1) conducting an appropriate AML risk assessment; (2) implementing the internal controls necessary to verify customer identities, conduct customer due diligence, or identify and monitor suspicious activity; (3) giving its BSA officer sufficient authority, resources, and staffing required to exercise proper oversight of the BSA/AML program; (4) establishing an adequate program of independent testing to identify any potential problems; and (5) deploying adequate training of relevant employees so that they understand their BSA/AML responsibilities.
• The third area is where the FI “has defects in its BSA/AML compliance program in one or more program components or pillars that indicate that either the written BSA/AML compliance program or its implementation is not effective, for example, where the deficiencies are coupled with other aggravating factors, such as (i) highly suspicious activity creating a potential for significant money laundering, terrorist financing, or other illicit financial transactions, (ii) patterns of structuring to evade reporting requirements, (iii) significant insider complicity, or (iv) systemic failures to file currency transaction reports (‘CTRs’), suspicious activity reports (‘SARs’), or other required BSA reports.”^[xiii] For a cease and desist order to ensue, the deficiencies typically must be significant enough to render the entire BSA/AML compliance program ineffective across all lines of business and activities.

An Agency “shall” also issue a cease and desist order where an FI fails to correct a problem, regulators previously identified during the supervisory process. The identified problem would need to be quite substantial, involving substantive deficiencies in one or more pillars. Moreover, the problems would have been reported to the FI’s board of directors or senior management in a supervisory communication as a violation of law or regulation that must be corrected.

Further, an Agency usually will not issue a cease and desist order for failure to correct a previously identified problem unless the Agency subsequently finds a problem that is substantially similar to what was previously reported to the FI. For instance, if an Agency notes in a report of examination that the FI’s training program was inadequate because it failed to reflect changes in the law, and at the next examination, the training had been updated, but the Agency finds unrelated deficiencies, such as with the FI’s internal controls, the Agency would not issue a cease and desist order (but it “will consider the full range of potential supervisory responses.”)^[xiv]

The Agencies may pursue formal (public) or informal (private) enforcement actions for deficiencies in individual components of an FI’s BSA/AML compliance program or for BSA-related safe and sound practices that may impact individual components. “The form and content of the enforcement action in a particular case will depend on the severity of the concerns or deficiencies, the capability and cooperation of the institution’s management, and the Agency’s confidence that the institution’s management will take appropriate and timely corrective action.”^[xv]

An Agency also may take formal or informal enforcement action to address other violations of BSA/AML requirements, such as suspicious activity and currency transaction reporting, beneficial ownership, customer due diligence, and foreign correspondent banking requirements.

FINCEN ISSUES FINAL RULE TO REQUIRE CUSTOMER IDENTIFICATION PROGRAM, ANTI-MONEY LAUNDERING PROGRAM, AND BENEFICIAL OWNERSHIP REQUIREMENTS FOR BANKS LACKING A FEDERAL FUNCTIONAL REGULATOR

Separately, earlier this week, FinCEN issued a final rule that brings non-federally regulated and/or insured financial institutions (non-depository trust companies, non-federally insured credit unions, non-federally banks and savings associations, and international banking agencies) into full BSA compliance, requiring adherence to anti-money laundering compliance program, customer identification program, and customer due diligence/beneficial ownership requirements.^[xvi]

FinCEN's expectation, as expressed in its Notice of Proposed Rulemaking, is that many of the banks without a Federal functional regulator are small entities and will impose minimal burdens given that many of these entities are already subject to various BSA requirements. Banks that lack a Federal functional regulator are exempt from the requirement to establish an AML program, though they are required to comply with many other BSA requirements. For example, FinCEN regulations require all banks, regardless of whether they have a Federal functional regulator, to file CTRs and SARs, as well as to make and maintain certain records. In addition, like other covered financial institutions, banks that lack a Federal functional regulator are prohibited from maintaining correspondent accounts for foreign shell banks and are required to obtain and retain information on the ownership of foreign banks. Certain banks lacking a Federal functional regulator—namely, private banks, non-federally insured credit unions, and certain trust companies—must maintain customer identification programs. Moreover, banks lacking a Federal functional regulator generally are required by state banking regulation and guidance to have policies, management oversight, personnel training, internal compliance review, and various procedures and systems in place to comply with BSA regulations and guidance.

ANTI-MONEY LAUNDERING PROGRAM EFFECTIVENESS

On September 17, 2020, FinCEN released an Advance Notice of Proposed Rulemaking (“ANPRM”), seeking comment on potential amendments to the BSA for the purpose of enhancing the effectiveness and efficiency of banks’ AML programs.^[xvii]

The ANPRM summarizes recommendations from the Bank Secrecy Act Advisory Group (“BSAAG”), which created the Anti-Money-Laundering Effectiveness Working Group in June 2019, designed to strengthen the national AML regime by increasing its effectiveness and efficiency, including clarifying requirements and expectations to help stakeholders reduce unnecessary activities and allocate resources to areas reflecting the highest risk. Incorporating recommendations from the BSAAG and other supervisory agencies, the ANPRM states that an “effective and reasonably designed” program is one that:

• “Identifies, assesses, and reasonably mitigates the risks resulting from illicit financial activity”, consistent with the institution’s risk profile and the risks communicated by relevant government authorities as national AML priorities;
• “Assures and monitors compliance” with BSA recordkeeping and reporting requirements; and
• Provides information with a high degree of usefulness to government authorities based on “the institution’s risk assessment and the risks communicated by relevant government authorities.”^[xviii]

One of the most significant changes under consideration involves the role of institutional risk assessments in designing AML programs. FinCEN is requesting comment on whether it should formally mandate such assessments and if doing so would create an undue burden for financial institutions. FinCEN is evaluating whether such an assessment should consider an institution’s “business activities, products, services, customers and geographic locations in which the financial institution does business or services customers.”^[xix]

FinCEN also requested comment on whether “any regulatory changes” are necessary to better reflect the variety of business models and risk profiles among financial institutions as well as whether it should play a more active role in guiding the priorities of financial institutions with AML compliance requirements.^[xx]

FinCEN is also considering a national bulletin, referred to as its “Strategic Anti-Money Laundering Priorities,” to signal the highest risk areas in AML/BSA compliance, which would be updated every two years. While the bulletin would not capture the universe of all AML priorities, FinCEN commented that such a bulletin could, among other objectives, highlight “emerging risks and provide red flags and typologies that assist financial institutions in identifying and reporting suspicious activity.”^[xxi]

In total, FinCEN requested input on 11 specific questions related to its proposals to enhance AML requirements; comments are required to be submitted within 60 days, or by November 16, 2020.

[i] Despite previous efforts by FinCEN, registered investment advisors that manage hedge funds, venture capital funds, and private equity funds remain excluded from the definition of a “financial institution” under the BSA. While the recent developments discussed herein are not directly applicable, many investment advisors have voluntarily implemented anti-money laundering programs on their own initiative in order to satisfy the requirements of counterparties or to guard against emerging anti-money laundering risks. See https://blueleaks.io/jric/files/DDF/200501%20LES%20FBI%20Intelligence%20Bulletin%20-%20Threat%20Actors%20Likely%20Use%20Private%20Investment%20Funds%20to%20Launder%20Money,%20Circumventing%20Regulatory%20Tripwires.pdf.

[ii] “Financial Crimes Enforcement Network (FinCEN) Statement on Enforcement of the Bank Secrecy Act,” available at: https://www.fincen.gov/sites/default/files/shared/FinCEN%20Enforcement%20Statement_FINAL%20508.pdf.

[iii] Id.

[iv] Id.

[v] “FinCEN Statement on Enforcement of the Bank Secrecy Act,” available at: https://www.fincen.gov/news/news-releases/fincen-statement-enforcement-bank-secrecy-act.

[vi] See id. See also “Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements,” available at: https://www.occ.gov/news-issuances/news-releases/2020/nr-ia-2020-105a.pdf (“As noted above, in addition to the situations described in this statement where an Agency will issue a cease and desist order for a violation of the BSA/AML compliance program regulation or for failure to correct a previously reported BSA/AML compliance program problem, an Agency may also take formal or informal enforcement actions against an institution for other types of BSA/AML compliance program concerns or deficiencies separate from enforcement actions taken under the authorities referred to in sections 8(s) and 206(q).”)

[vii] Supra at n.1.

[viii] Id.

[ix] Id.

[x] “Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements,” available at: https://www.fdic.gov/news/press-releases/2020/pr20091a.pdf.

[xi] Id. at p.6.

[xii] Id.

[xiii] Id.

[xiv] Id. at p.10.

[xv] Id. at p.11.

[xvi] “Customer Identification Programs, Anti-Money Laundering Programs, and Beneficial Ownership Requirements for Banks Lacking a Federal Functional Regulator,” available at: https://www.federalregister.gov/documents/2020/09/15/2020-20325/financial-crimes-enforcement-network-customer-identification-programs-anti-money-laundering-programs.

[xvii] “Anti-Money Laundering Program Effectiveness,” available at: https://www.federalregister.gov/documents/2020/09/17/2020-20527/anti-money-laundering-program-effectiveness.

[xviii] Id. at p.2.

[xix] Id. at p.1.

[xx] Id. at p.3.

[xxi] Id. at p.4.