Breadth of List Undermines Usefulness to Industry
As required by the Anti-Money Laundering Act (“AML Act”), the Financial Crimes Enforcement Network (“FinCEN”) issued on June 30, 2021 the first government-wide list of priorities for anti-money laundering and countering the financing of terrorism (“AML/CFT”) (the “Priorities”). The Priorities purport to identify and describe the most significant AML/CFT threats facing the United States. The Priorities have been much-anticipated because, under the AML Act, regulators will review and examine financial institutions in part according to how their AML/CFT compliance programs incorporate and further the Priorities, “as appropriate.”
Unfortunately, and as we will discuss, there is a strong argument that FinCEN has prioritized almost everything, and therefore nothing.
The Priorities and Their Utility
The Priorities – listed, according to FinCEN, “[i]n no particular order” – are as follows:
- Corruption;
- Cybercrime;
- Domestic and international terrorist financing;
- Fraud;
- Transnational criminal organizations;
- Drug trafficking organizations;
- Human trafficking and human smuggling; and
- Proliferation financing.
In its press release, FinCEN hailed the Priorities as “a significant milestone in FinCEN’s efforts to improve the efficiency and effectiveness of the nation’s AML/CFT regime and to foster greater public-private partnerships[.]” Indeed, the regulated industry has been pushing for years for greater feedback and guidance from regulators and law enforcement on the usefulness of BSA filings. According to FinCEN, “coupled with the Department of the Treasury’s 2020 Illicit Finance Strategy and 2018 National Risk Assessment, the Priorities aim to help covered institutions assess their risks, tailor their AML programs, and prioritize their resources.”
However, the collective Priorities are so broad and so numerous that it is difficult to imagine a crime or suspicious activity that is not somehow captured by one or more of the eight Priorities, or at least arguably so (and financial institutions often will be in the position of having to guess and make inferences which generally lean towards cautiously assuming that a given set of circumstances falls into one of the Priorities). Accordingly, they provide little guidance to financial institutions attempting to figure out how to focus their limited compliance resources. Although the purpose of the Priorities was to enable financial institutions to allocate existing compliance resources more appropriately, the Priorities, as announced, implicitly suggest that financial institutions really need to invest more overall compliance resources, to cover everything.
A prime example of this problem is the inclusion of “fraud” as a Priority. This Priority is not specific, like “securities fraud,” or “e-mail compromise scheme fraud” – it’s just “fraud,” with no qualification. As prosecutors employing the federal mail fraud and wire fraud statutes can tell you, just about any illicit activity can be characterized as a fraud. Indeed, the Priorities state that
. . . . fraud – such as bank, consumer, health care, securities and investment, and tax fraud – is believed to generate the largest share of illicit proceeds in the United States. Health care fraud alone is estimated to generate proceeds of approximately $100 billion annually. Increasingly, fraud schemes are internet-enabled, such as romance scams, synthetic identity fraud, and other forms of identity theft. Proceeds from fraudulent activities may be laundered through a variety of methods, including transfers through accounts of offshore legal entities, accounts controlled by cyber actors, and money mules.
The fraud section goes on to discuss the dangers of cyber- and COVID-19-related fraud schemes, as well as foreign actors using the U.S. financial system to influence political campaigns and gain illicit access to U.S. technology and trade secrets. None of this is wrong, of course. It’s just that it is not really a “priority,” particularly when considered in the context of the other seven, unranked Priorities, because a priority by definition involves selection and sometimes painful choices. But it seems like, to date, FinCEN just could not bring itself to exclude any illicit activity from the Priorities, perhaps because it was concerned that doing so would suggest that the excluded criminal behavior wasn’t bad or important, or perhaps because every government agency consulted by FinCEN when compiling the Priorities lobbied for the importance of their particular focus.
FinCEN will propose implementing regulations in the coming months (and is required to do so by the AML Act within 180 days of having issued the Priorities), so it is possible that the regulations will provide better and more specific guidance to financial institutions. Given the already-existing breadth of the eight Priorities, that goal looks challenging. One possible approach to providing guidance by making choices would be to rank the Priorities, rather than give them all equal status.
The Priorities do recognize that “not every Priority will be relevant to every covered institution, but each covered institution should, upon the effective date of future regulations to be promulgated [within 180 days] in connection with these Priorities, review and incorporate, as appropriate, each Priority based on the institution’s broader risk-based program.” The practical result here appears to be that financial institutions are still mainly on their own when pursuing their already-ongoing AML/CFT programs, and the importance of financial institutions performing prescient risk assessments and fine-tuning AML transaction monitoring, based on the typical factors such as the relevant customers, geographies, business lines, etc., has become even greater. The risk posed by the Priorities for financial institutions is that regulators who find a problem during an examination will decide that the problem – whatever it is – invariably is captured by a Priority and will punish the financial institution more. The purpose of the Priorities was to help financial institutions, and enhance the quality of their BSA monitoring and filings, not expose them to more regulatory risk.
When publishing the Priorities, FinCEN also issued related statements to both banks and non-bank financial institutions, noting that covered institutions are not required to make any immediate changes to their AML programs to respond to the Priorities, and that regulators will not examine any covered institution for the incorporation of the Priorities into AML programs until regulations have been promulgated. “Nevertheless, in preparation for any new requirements when those final rules are published, covered institutions may wish to start considering how they will incorporate the AML/CFT Priorities into their risk-based AML programs.” FinCEN will update these Priorities at least once every four years, again as required by the AML Act.
Other Observations
A few specific comments regarding the Priorities still are in order. The Priorities list corruption – with an emphasis on foreign corruption – as the first Priority, in its list of seeming equals. This placement appears to be a nod to President Biden’s June 3, 2021 National Security Study Memorandum entitled Memorandum on Establishing the Fight Against Corruption as a Core United States National Security Interest. It reveals—as the title might suggest—that the administration views “countering corruption as a core United States national security interest.” Certainly, financial transactions promoting corruption by foreign kleptocrats and human rights abusers are terrible – but not a significant real-world AML risk, relatively speaking, for the vast majority of “financial institutions” covered by the BSA that do not represent major international institutions. Rather, the most pernicious real-world threat with almost universal application appears to be the second Priority – cybercrime, in all of its innumerable variations. But after describing the ills posed by “traditional” cybercrimes, such as business email compromise schemes and the growing threat of ransomware attacks, the Priorities then pivot and discuss cryptocurrency and how it can be used to facilitate the funding of a broad variety of illicit conduct (including financial crime in general). Regardless, the Priorities here serve a reminder – hopefully unnecessary at this point – of the critical need for any institution’s AML compliance department and cyber- and privacy-security personnel to communicate and work together. Finally, the Priorities also include domestic terrorism, which certainly is a serious problem. However, because there is literally no list of identified domestic terrorist (contra lists published by OFAC regarding sanctioned foreign actors), and because associated financial transactions can be mundane, detecting such illicit financial activity generally will be difficult if not impossible for financial institutions.
Tomorrow we will blog on the other FinCEN publication that accompanied the issuance of the Priorities – FinCEN’ s assessment, also required under the AML Act, regarding the feasibility of FinCEN issuing non-action letters to financial institutions.
