In perhaps the last major legislative action under this presidential administration, on New Year’s Day 2021, Congress passed—over President Trump’s veto—what could be the most significant anti-money laundering (AML) statute since the Patriot Act of 2001, as part of the annual National Defense Appropriations Act (NDAA). Among many changes to the existing AML regime, the legislation creates a new whistleblower reward program, administered by the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), which resembles similar programs set up in other agencies over the past decade. Those pre-existing whistleblower programs have led to a vast flow of tips from company insiders and outsiders alleging various forms of unlawful conduct, leading to an increase in enforcement actions. The new program similarly provides enormous incentives to report violations of the Bank Secrecy Act, 31 U.S.C. § 5311 et seq. (BSA), and its implementing regulations.
Coming against a backdrop of heightened BSA enforcement and global public outcry against money laundering, the new FinCEN program will likely turbocharge scrutiny of BSA and AML compliance. Financial institutions subject to the BSA—such as banks, credit unions, money service firms, and casinos—should embrace the lessons learned from earlier whistleblower actions and prepare for this new form of enforcement risk.
BSA Enforcement on the Rise
Over the past decade, the U.S. government has stepped up its enforcement of the BSA, leading to major fines for financial institutions. For example, in 2012, a foreign bank agreed to pay $1.9 billion to the DOJ, Treasury, FinCEN, and other agencies to resolve claims of BSA violations that helped Mexican drug cartels launder money through the bank. In 2014, another foreign bank paid nearly $9 billion in fines and pleaded guilty to violating U.S. sanctions against Sudan, China, and Iran. In 2017, the yet another foreign bank was fined $630 million by New York State and U.K. regulators for helping Russian investors secretly move $10 billion through branches in London, Moscow and New York. Two years later, another bank agreed to pay $1.1 billion to DOJ, Treasury, and other agencies to settle allegations money laundering and sanctions violations.
Whistleblowers have played a role in major money laundering investigations and enforcement actions. In 2018, a bank announced that more than $230 billion had flowed from Russia and other former Soviet states through one of its tiny branch offices, most of which was illicit money. The fallout wiped out nearly half of the bank’s share value and led to an onslaught of investor lawsuits against the bank and its senior executives. The case was initially broken by an internal whistleblower in the small branch office.
Even these actions have proven too tame for some critics, who have urged even more drastic action against money laundering, prompted by whistleblower leaks of confidential information and dramatic revelations contained in them. In 2016, the “Panama Papers”—11.5 million documents regarding over 200,000 offshore entities—revealed the use of shell companies and bank secrecy rules by hidden financial dealings of various powerful individuals, including criminal actors engaged in drug trafficking, arms deals, and tax evasion. The next year, another 13.4 million documents, emails, and presentations also provided by a whistleblower (the “Paradise Papers”) showed more of the same.
Most recently in September 2020, confidential FinCEN records were leaked and published, allegedly showing over 200,000 reported suspicious financial transactions valued at over $2 trillion from 1999 to 2017 across multiple global financial institutions. Journalists reporting on the disclosures have described them as showing the inadequacy of existing AML measures.
It was amidst this atmosphere of major scandals and resulting backlash that pressure built for further legislative solutions. In 2019, both chambers of Congress passed new AML legislation with bipartisan support: the Corporate Transparency Act in the House, and the ILLICIT CASH Act in the Senate. Although further movement on the legislation stalled through much of 2020, it was eventually included as an amendment to the NDAA, and passed by solid majorities in both chambers.
The new law is perhaps most notable for its requirement that all corporations and limited liability companies (with various exceptions) disclose their beneficial owners to FinCEN, its imposition of enhanced penalties for repeat BSA violators, and its allocation of greater resources to FinCEN. But another of its feature—the creation of an enhanced whistleblower reward program within FinCEN—may prove to be just as consequential.
Whistleblower Rewards: Adding Fuel to the Fire
That the creation of an expansive whistleblower reward system will increase BSA enforcement further is not mere speculation; it is informed by the experience of other agencies—like the Securities Exchange Commission, the Commodity Futures Trading Commission, and the Department of Justice—that have administered similar programs.
For example, since the 2010 Dodd-Frank statute created the SEC’s own whistleblower reward program, that agency has received over 40,000 whistleblower tips, filed related enforcement actions resulting in over $2.5 billion in fines and disgorgement, and paid $562 million in awards to 106 whistleblowers—including a record $175 million in 2020 alone. This past year has seen the SEC issue its two largest whistleblower awards ever, after receiving over 6,900 separate referrals.
The CFTC’s similar program has also seen growth. Since 2014, the agency has obtained sanctions of nearly $1 billion in cases arising from whistleblower referrals, and has awarded over $120 million to those whistleblowers. $20 million of those awards were made in October 2019 – October 2020 alone; the figure for the prior year was $15 million. In 2017-2018, the CFTC paid over $75 million in awards, including a single award of $30 million.
And of course, the largest federal whistleblower program of all—the False Claims Act, enforced by the Department of Justice—has continued in full force. DOJ’s most recently-published data noted that it had recovered over $3 billion in settlements and judgments from civil fraud and false claims act cases during the fiscal year ending September 2019, an increase from $2.8 billion the prior year, though lower than the $3.7 billion collected in 2017. Those figures do not account for fines and other penalties imposed in criminal prosecutions resulting from whistleblower lawsuits under the FCA.
Treasury has technically had a BSA whistleblower reward law in place since 1984, described in the prior version of 31 U.S.C. § 5323. But those provisions were rudimentary, and the rewards were capped at $150,000. As a result, there has been very little (if any) activity under the program. The new law was expressly designed to “modernize” the program by increasing the potential awards and thus the incentive to report violations.
The New FinCEN Whistleblower Program
The new BSA whistleblower reward rules are modeled on the SEC program created by Dodd-Frank. They provide that if a whistleblower voluntarily provides “original information” to Treasury, DOJ, or the whistleblower’s employer that leads to the successful enforcement of a “covered judicial or administrative action” or “related action,” Treasury may pay to that whistleblower up to 30 percent of any monetary sanctions collected from the action. A “covered” action is one brought by Treasury or DOJ under the BSA that results in more than $1 million in sanctions; a “related action” is one brought by a different federal, state or foreign agency.
The concept of “original information” is similar to that used in the SEC and CFTC programs, as well as in the False Claims Act’s “original source” requirement. A whistleblower will only get credit for information “derived from [his or her] independent knowledge or analysis” and not already known to Treasury or DOJ from another source. While this could allow for “outsiders” to act as whistleblowers based on their own original analysis or information obtained from “insiders,” the information may not be “exclusively derived from an allegation made in a judicial or administrative hearing, in a governmental report, hearing, audit, or investigation, or from the news media,” unless the whistleblower was a source of the information used in those contexts. Similarly, an award may not be made to a whistleblower who acquired the information while “acting in the normal course of the job duties of the whistleblower,” limiting the ability of bank auditors and BSA compliance personnel to act as whistleblowers.
As in Dodd-Frank, the new statute gives Treasury discretion as to the amount of any award, but lists several factors that must be considered, including (1) the significance of the whistleblower’s information to the success of the enforcement action; (2) the degree of assistance provided by the whistleblower and his/her counsel; (3) the value of the whistleblower program to Treasury’s law enforcement mission; and (4) other factors the Treasury department sets out in forthcoming regulations. The whistleblower is entitled to appeal any award decision.
The law also protects whistleblowers from retaliation by employers. It provides that if a whistleblower is subject to such retaliation for reporting violations, he or she may refer the matter to the Labor Department and, if it takes no action, may file a federal lawsuit and seek reinstatement, double back pay, and attorney fees and costs. Employers may not require employees to waive these rights or others under the statute, or to arbitration any disputes regarding those rights.
In addition, the new law provides for Treasury to enact regulations implementing the whistleblower program. Among these would be detailed rules on how whistleblower referrals can be submitted to Treasury, which could potentially involve the creation of a dedicated whistleblower liaison department, as the SEC has done.
Adapting to BSA Whistleblower Risk
The growth of the SEC’s and other agencies’ whistleblower programs over the past decade holds a number of lessons for banks, credit unions, and others subject to the BSA. Massive financial incentives to report actual or suspected violations, combined with increased FinCEN resources and an expanded mandate, will almost certainly herald an increase in enforcement actions and resulting risks of BSA compliance problems and related personnel issues. BSA covered entities should thus take a number of steps in response.
First, and most obviously, step up BSA compliance. With increased scrutiny from within and without and possibly higher penalties, the consequences of BSA violations and inadequate compliance programs are that much greater. Companies should re-examine their existing BSA/AML policies, training, and staffing, and strongly consider devoting additional resources to ensure they would pass regulatory muster and are well-tailored to the company’s particular business and risk profile.
Second, encourage internal reporting of BSA compliance problems. A company will of course be better positioned to correct any deficiencies and reduce the risk and impact of a regulatory or law enforcement investigation if it knows of the problem before the government does. To that end, companies should create, improve, and inform employees of internal tip hotlines through which BSA issues can be reported, as well as anti-retaliation policies that protect those who make reports. Potential whistleblowers should be reassured that their concerns will be appreciated and addressed by the company. At the same time, companies should use caution when considering more heavy-handed tactics, such as confidentiality agreements, to deter reporting outside the company, as such practices have drawn fire from the SEC and others in different contexts.
Third, investigate any internal reports of BSA issues. While this need not always mean retaining an outside law firm, such independent counsel may well be appropriate if the issue may be significant, widespread, or involve senior managers. Experienced outside counsel can help to maintain privilege as to any investigation, avoid creating retaliation problems, and enhance credibility both with the whistleblower (thus possibly reducing the impetus for outside reporting) and with government investigators.
Fourth, engage with whistleblowers during any investigation. Experience has shown that whistleblowers who believe their complaints are not being taken seriously are likely to take more aggressive action, whether complaining to regulators or spreading negative information within the company. Although confidentiality and privilege must be maintained in internal investigations, it is appropriate and well-advised to remain in contact with the internal whistleblower to assure them that action is being taken. At the same time, all such interactions should be carefully documented, and the company should be wary of the potential for allegations of retaliation should they make any personnel changes affecting the relevant employee.
Fifth, take corrective action and update compliance programs in response to any issues uncovered in an investigation. An internal whistleblower complaint that uncovers genuine issues can be a blessing that prevents significant liability in the future, whether from a separate whistleblower disclosure or an independent government investigation. By the same token, failing to adequately address any problems uncovered by an internal complaint and investigation can make the company look even worse in a later investigation, and can lead to harsher sanctions and settlement demands from government enforcers.
Sixth, consider self-disclosure of BSA issues uncovered. Both DOJ and regulatory agencies charged with BSA enforcement—such as the OCC—have published policy statements indicating that voluntary disclosure of violations will be considered a positive factor in determining potential penalties. This is always a difficult issue in any corporate compliance context, as the balance between pros and cons of voluntary disclosure can vary from case to case and agency to agency. As in other areas, advice from experienced counsel is particularly important here.
* * *
BSA/AML enforcement is certainly nothing new, and well-managed financial institutions have paid attention to compliance requirements in this area for some time. But the creation of a bounty-hunting regime within FinCEN, with massive financial inducements for insiders to report violations, may change the game in striking ways. BSA subjects would be wise to heed the lessons of older whistleblower programs, and take a proactive approach to managing this new dimension of risk.
 See International Consortium of Investigative Journalists, The Panama Papers.
 See id., Paradise Papers.
 See id., FinCEN Files.
 U.S. Securities and Exchange Commission, Division of Enforcement, 2020 Annual Report, at 5, 19-20, 27.
 Commodity Futures Trading Commission, Whistleblower Program and Customer Education Initiatives, 2020 Annual Report, at 3.
 Id. at 2; Commodity Futures Trading Commission, Whistleblower Program and Customer Education Initiatives, 2019 Annual Report, at 2.
 Commodity Futures Trading Commission, Whistleblower Program and Customer Education Initiatives, 2018 Annual Report, at 2.
 Justice Department Recovers Over $3 Billion from False Claims Act Cases in Fiscal Year 2019, Department of Justice Press Release, January 9, 2020.
 The SEC and CFTC enforce compliance with BSA rules applicable to brokers, commodities merchants, and others regulated by those agencies, and their whistleblower programs cover such enforcement actions. See 17 C.F.R. § 280.17a-8; 17 CFR § 42.2 (CFTC).
 Section 5323(b)(1). “Monetary sanctions” would include penalties, disgorgement, and interest, but would not include forfeiture, restitution, or victim compensation payments. § 5323(a)(2).
 Section 5323(a)(4), (g)(4)(D)(i).
 Section 5323(a)(3).
 Section 5323(a)(3)(C).
 Section 5323(c)(2)(A)(ii).
 Section 5323(c)(1).
 Section 5323(f)(2)(A).
 Section 5323(g).
 Section 5323(j).
 The Department of Justice expressly considers the “thoroughness and speed of internal investigations” as part of the factors used in evaluating corporate cooperation and deciding whether to charge a corporation. Department of Justice, Justice Manual, § 9-28.700.
 Id., §§ 9-28.800, 9-28.1000.
 See Department of Justice, Justice Manual, § 9-28.900; Federal Financial Institutions Examination Council: Assessment of Civil Money Penalties, 63 FR 30226-02, 1998 WL 280287 (June 3, 1998); Office of the Comptroller of the Currency, Policies and Procedures Manual, PPM 5000-7 (Rev.) (Feb. 26, 2016).