With many banks and credit unions electing to limit Paycheck Protection Program (PPP) loans to existing customers, many nonbank lenders are scrambling to fill the gap and take part in the $349 billion program prior to the end of the application period on June 30, 2020. There is, however, at least one major obstacle preventing many nonbank lenders from qualifying to lend under the PPP—the requirement under Section 1102 of the CARES Act that they apply “the [Bank Secrecy Act (BSA)] requirements of an equivalent federally regulated financial institution,” which requires having a robust anti-money laundering (AML) and Know-Your-Customer (KYC) compliance program.
Basic Elements of BSA Compliance for Nonbank Financial Institutions
Compliance with the BSA requires financial institutions to, among other things, maintain an adequate AML and KYC program, which must be founded upon the well-known “five pillars” of BSA compliance: (1) a system of internal controls to ensure ongoing compliance, (2) independent testing for compliance, (3) a designated AML officer to coordinate and monitor day-to-day compliance, (4) ongoing training for applicable personnel, and (5) procedures for ongoing customer due diligence that include, among other things, procedures for identifying the “beneficial ownership” of legal entity customers.
Compliance with the BSA also requires that the institution file currency transaction reports (CTRs) for cash transactions involving more than $10,000, and file suspicious activity reports (SARs) when the institution “knows, suspects, or has reason to suspect that the transaction (or pattern of transactions of which the transaction is a part)” involves money laundering, is designed to evade the requirements of the BSA, serves no apparent lawful purpose, or facilitates criminal activity.
Developing and maintaining an adequate AML and KYC compliance program can be both time-consuming and expensive, which is why many fintechs and other prospective nonbank lenders have been effectively shut out of PPP lending (fintechs with payments businesses are a notable exception, as they already have these programs in place). Developing an AML program can take many weeks, if not months, making it unlikely that a prospective PPP lender without an existing compliant program could qualify well enough in advance of the program’s application deadline of June 30, 2020. Additionally, becoming BSA compliant may be cost-prohibitive for many prospective PPP lenders when weighed against the risks of making loans with a 1% interest rate and no payments for six months, even with processing fees of up to 5% of the loan amount.
The time commitment and expense of conducting KYC diligence into customer identity and beneficial ownership explains in part many banks’ reluctance or refusal to accept PPP applications from new small-business customers. Recognizing the urgency of facilitating PPP lending and the growing regulatory bottleneck over BSA compliance, the Financial Crimes Enforcement Network (FinCEN) issued guidance on April 3, 2020, relaxing beneficial ownership information collection for existing small-business customers and suspending implementation of a February 6, 2020 ruling on CTR filing obligations when reporting transactions involving sole proprietorships and entities operating under a “doing business as” name. FinCEN also set up a new online contact mechanism for institutions to communicate to FinCEN COVID-19-related concerns, including delays in the filing of BSA reports. In response to FinCEN’s April 3 notice, and to assure banks that its regulator is on board, the Office of the Comptroller of the Currency (OCC) issued a bulletin on April 7, 2020, expressing support for FinCEN’s guidance. Should BSA compliance obligations continue to inhibit the flow of PPP loan applications for bank and nonbank financial institutions, FinCEN and the prudential regulators may need to issue further guidance relaxing certain BSA requirements.
Nonbank Lenders May Have BSA Compliance Obligations Regardless of Their Participation in the Paycheck Protection Program
Whether or not a nonbank seeks to qualify as a lender under the PPP, it is critical for that entity to know whether it already satisfies the definition of a “financial institution” under the BSA. If so, failure to adhere to the BSA’s robust AML and KYC program and reporting requirements can expose it to regulatory enforcement action, or civil or criminal liability for willfully failing to maintain an adequate AML program, money laundering, securities fraud, or other federal or state offenses.
Under the BSA, a “financial institution” includes not only banks but also “money services businesses” (MSBs), brokers and dealers in securities, mutual funds, certain types of insurance companies, operators of credit card systems, and loan or finance companies. Fintech companies, in particular, need to be cognizant of the applicability of the BSA. Whether a fintech is subject to the BSA’s AML and KYC program requirements depends on the nature of its products and services. For example, a fintech that accepts currency, funds or other value (that substitutes for currency) from one person and transmits that currency, funds or value to another location or person by any means qualifies as an MSB, as would a fintech that issues, exchanges or administers virtual currency or cryptocurrency. In addition to complying with the BSA’s AML and KYC compliance and reporting requirements, MSBs must also register with FinCEN or face additional penalties for failing to do so.
It therefore is essential that any nonbank lender, whether or not seeking to become eligible to lend to qualified small businesses under Section 1102 of the CARES Act, consult with legal counsel to determine if it meets the definition of a financial institution under the BSA, and if so, whether it has an adequate AML and KYC compliance program in place.