The U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) released proposed regulations on Jan. 24, 2022, for implementing a pilot program allowing financial institutions to share suspicious activity reports (SARs) and related information with foreign branches, subsidiaries and affiliates. The program, required by the Anti-Money Laundering Act of 2020 (AML Act), expands on FinCEN's prior guidance, which allowed financial institutions to share SARs or related information with foreign head offices, controlling companies (whether domestic or foreign) and domestic affiliates to promote enterprise-wide risk management and compliance with applicable laws and regulations.
What is the Pilot Program?
As noted in the proposed regulations, a primary purpose of the AML Act was to "modernize anti-money laundering and countering the financing of terrorism laws to better adapt the government and private sector response to new and emerging threats." To that end, the AML Act added 31 U.S.C. § 5318(g)(8), which requires the secretary of the treasury to issue rules establishing a pilot program permitting financial institutions with SAR reporting obligations to share SARs and related information with foreign branches, subsidiaries and affiliates for the purposes of combating illicit finance risks. By statute, the new rules must comport with the requirements of state and federal law enforcement operations, take into account potential concerns of the intelligence community, meet appropriate standards and requirements regarding data security and confidentiality of personally identifiable information, and bar the sharing of information with entities in certain jurisdictions.
The pilot program will terminate on Jan. 1, 2024, but the secretary may seek an extension of the program of up to two years following a report to the appropriate U.S. Senate and House committees.
Who is Eligible to Participate in the Pilot Program?
Financial institutions that are obligated to report suspicious activity under 31 U.S.C. § 5318(g) are eligible to participate in the pilot program. Eligible institutions include banks, casinos and card clubs, money services businesses, brokers or dealers in securities, mutual funds, insurance companies, futures commission merchants and introducing brokers in commodities, loan or finance companies, and housing government-sponsored enterprises.1
Under the proposed rules, financial institutions that are interested in participating in the pilot program must submit a written application to FinCEN that:
- identifies the institution's point of contact for pilot program-related correspondence
- specifies the foreign branches, subsidiaries and affiliates with which the financial institution intends to share SARs and related information
- specifies the particular purpose(s) for which the foreign branches, subsidiaries and affiliates intend to use SARs and related information, including the operational jurisdictions of such entities, as well as whether such entities will be providing reciprocal information to the applicant financial institution
- provides an estimated commencement date for the pilot program
- describes internal controls in place to prevent unauthorized disclosures of SARs and related information
In weighing applications, FinCEN will evaluate the strength of the applicant financial institution's internal controls and consider the institutions and entities the financial institution intends on sharing information with. FinCEN will also consider the location of the institutions and entities potentially receiving information.
FinCEN would seek to alert a financial institution of its acceptance or denial into the pilot program within 90 days of receipt of the application. Approved financial institutions would be required to provide FinCEN written confirmation of the date it will start sharing SARs and related information with its foreign counterparts.
Participant Requirements and Restrictions
Given the sensitive nature of the information included in SARs, FinCEN is particularly concerned about financial institutions' internal controls. Accordingly, the proposed rules would require that participating financial institutions implement, at minimum, the following controls:
- written confidentiality agreements with all personnel employed at foreign affiliates regarding how to safeguard the confidentiality of SARs and related information, including that an SAR has been filed
- provisions for the secure transmission and storage of SARs and related information between the participant financial institution and its foreign affiliates
- procedures for U.S.-based personnel to review requests for SARs or related information from foreign entities (e.g., foreign law enforcement agencies or regulators)
Participating financial institutions would also be required to maintain sufficient records to identify the specific jurisdictions in which their foreign branches/subsidiaries/affiliates are located and with whom they've shared SARs or related information.
Additionally, financial institutions would be required to immediately alert FinCEN of any unauthorized disclosures. A financial institution could face civil and criminal sanctions if it fails to prevent unauthorized disclosures of SARs or related information.
Finally, a participating financial institution could not change any of its previously listed internal controls without first receiving approval from FinCEN.
Under the proposed rules, participating financial institutions would be required to submit quarterly reports to FinCEN that include the following information:
- total number of SARs and related information shared
- the name and jurisdiction of each entity that received SARs and related information, the relationship between the entity and the participant financial institution, and the intended purposes and uses for which the SARs and related information were shared
- legal and compliance issues encountered
- technical difficulties and challenges
- enhancements to the financial institution's anti-money laundering/combatting the financing of terrorism (AML/CFT) program enabled as result of participating in the pilot program
- lessons learned
As required by statute, participating financial institutions would be prohibited under the rules from sharing SARs and related information with foreign branches, subsidiaries and affiliates in China, Russia and jurisdictions that are state sponsors of terrorism,2 subject to sanctions imposed by the United States government, and those that the secretary of the treasury has determined cannot reasonably protect the security and confidentiality of the information. The law permits FinCEN to make exceptions to this requirement on a case-by-case basis under limited circumstances.
Under the proposed rule, FinCEN would have the right to terminate a financial institution's participation in the program at any time and for any reason. Grounds for termination include, but are not limited to "actual or unreasonable risk of unauthorized disclosures of SARs and relating information; significant internal control deficiencies identified while participating in the pilot program; failure to adhere to the specific requirements for participation; or any other issues that indicate that a participant financial institution is unable to adequately safeguard against unauthorized disclosures of SARs and related information or to ensure adequate data security and confidentiality of personally identifiable information."
Financial institutions that have concluded that their Bank Secrecy Act (BSA) and AML programs have been hampered by the lack of an ability to share SARs with foreign affiliates now have an opportunity to address that gap. In addition to strengthening their own programs, participating financial institutions may be viewed more favorably by regulators and examiners for seeking to address enterprise-wide risk. Not surprisingly, however, the pilot project will impose new reporting and internal control obligations, and participating financial institutions may find themselves subject to penalties if mistakes are made.
Comments on the proposed rule may be submitted to FinCEN on or before March 28, 2022.
1 See 31 CFR 1010.1000 for specific definitions for each institution.
2 "State sponsor of terrorism" is determined by the U.S. Department of State.