On January 25, 2022, the US Financial Crimes Enforcement Network (“FinCEN”) published a Notice of Proposed Rulemaking (“NPRM”) to establish a pilot program to permit financial institutions with a suspicious activity report (“SAR”) requirement to share the reports themselves and information revealing the fact that a SAR has been filed (together, “SAR Information”) with the financial institutions’ foreign branches, subsidiaries and affiliates for the purpose of combating illicit finance risks.1
Global financial institutions may find the proposed pilot program to be a useful device for coordinating anti-money laundering compliance efforts across jurisdictions. The proposed pilot program would be temporary and require financial institutions to apply to FinCEN before using it. Further, the exclusion of certain categories of foreign affiliates from receiving SAR Information may discourage some financial institutions from participating.
The comment period concludes March 28, 2022. In this Legal Update, we provide background on FinCEN’s approach to SAR sharing and summarize the NPRM.
The Bank Secrecy Act (“BSA”), enacted in 1970 and amended most recently by the Anti-Money Laundering Act of 2020 (“AML Act”), was intended to provide “appropriate frameworks for information sharing” among financial institutions, government authorities and others.2 The BSA provides for the reporting of suspicious transactions, authorizes the secretary of the Treasury (the “Secretary”) to issue regulations and allows the Secretary to delegate to the director of FinCEN the authority to “take all necessary and appropriate actions to implement and administer the provisions of the [BSA].”3
A “financial institution”4 is required by FinCEN’s regulations implementing the BSA (“FinCEN’s Implementing Regulations”) to file a SAR if it knows, suspects or has reason to suspect that a transaction or series of transactions conducted or attempted by, at or through the financial institution involves money laundering, BSA violations, terrorist financing or certain other crimes.5 The BSA itself prohibits financial institutions from disclosing SAR Information with the subjects involved in the reported transaction.6 FinCEN’s Implementing Regulations permit the financial institution to share with US and non-US entities in its organization underlying facts and contents of a SAR, including (1) information about the customer or suspect and (2) transactions reported,7 but historically there have been specific regulatory restrictions placed on sharing the SAR itself or information that discloses the existence of a SAR.
Furthermore, FinCEN’s initial Implementing Regulations were broader than the BSA prohibitions and prohibited practically all sharing of SAR Information to any affiliates, not only the subjects of a SAR.8
However, FinCEN has taken incremental steps to widen the universe of who may receive SAR Information. In 2006, FinCEN issued guidance that permits a US branch or agency of a foreign bank to share SAR Information with its head office and controlling entities to discharge its oversight responsibilities with respect to global enterprise-wide risk management and compliance with applicable laws and regulations.9 In connection with revisions to its SAR sharing regulation in 2010, FinCEN issued further guidance on sharing SAR Information, broadening the scope to permit sharing of SAR Information by financial institutions with their US affiliates that are subject to SAR reporting.10 The 2010 guidance also clarified that a US bank may not share SAR Information with foreign branches: “Because foreign branches of US banks are regarded as foreign banks for purposes of the BSA, under this guidance, they are ‘affiliates’ that are not subject to SAR regulation.”11
As we discuss in the following section, FinCEN’s proposed rule would further widen the universe of entities who may receive SAR Information by introducing a pilot program that would permit domestic financial institutions to share SAR Information with their foreign branches, subsidiaries and affiliates.
II. FinCEN’s Proposed Rule Introduces a Pilot Program to Share SAR Information with Foreign Branches, Subsidiaries and Affiliates
An aim of the AML Act was “to modernize the AML/countering the financing of terrorism (“AML/CFT”) laws to better adapt government and private sector response to new and emerging threats.”12 The NPRM, which is issued pursuant to the AML Act, would, if adopted, provide financial institutions with an opportunity to share the SAR itself and the fact that it has been filed (not just the information underlying the SAR) with foreign branches, subsidiaries and affiliates.13 This pilot program will in particular provide foreign affiliates of US banks a more complete picture of enterprise-wide financial crime risk.
Below we discuss the requirements for participating in the pilot program, the conditions and safeguards (including appropriate data security measures) expected by FinCEN for participation, the potential civil penalties and criminal sanctions for unauthorized use of SAR Information, the duration of the program and the ongoing reporting requirements for participant financial institutions.
A. Application Process and Policy Enhancements
Participation in the pilot is subject to prior approval by FinCEN. A financial institution must submit a written application before sharing SAR Information with foreign branches, subsidiaries and affiliates that:
- Identifies the financial institution’s point of contact for pilot program-related correspondence;
- Specifies the foreign branches, subsidiaries and affiliates with which the financial institution intends to share SAR Information (if eligible for the pilot program, a financial institution must maintain records that will assist FinCEN in identifying individuals and entities that were in possession of SAR Information in the event of unauthorized disclosure);
- Specifies the purpose for which the financial institution intends to share and use the information, including the jurisdictions in which the entities operate and whether such entities will provide reciprocal information to the applicant financial institution;
- Provides an estimated commencement date for the pilot program; and
- Describes the internal controls put in place to prevent the unauthorized disclosures of SAR Information.
Given the sensitive nature of SAR Information, it appears that FinCEN is also concerned that the pilot program might operate as a “back door” for foreign law enforcement and foreign regulators to obtain SAR Information through means outside of established information exchange procedures. The current process requires foreign authorities to obtain such information through a request to the United States pursuant to a mutual legal assistance treaty or the equivalent. To address FinCEN’s concern and to protect SAR confidentiality more generally, the proposed rule states that financial institutions will, at a minimum, be required to implement internal controls, including confidentiality agreements and procedures for personnel located in the United States.14 Financial institutions must also review requests from foreign law enforcement, foreign regulators or an outside foreign party for SAR Information; immediately notify FinCEN of such requests; and direct the foreign authority to contact FinCEN about obtaining the requested SAR Information through the existing treaty process.15
It remains to be seen whether FinCEN’s requirement for an application, along with its oversight over a financial institution’s data sharing policies and procedures, will discourage participation in the program. One key question, for which FinCEN seeks comment, is the expected costs, burden and impact of safeguards, enhancement and technical upkeep that financial institutions may have to address in order to participate in the pilot program; however, the benefits to a global financial institution may outweigh these costs.
B. Safeguarding SAR Information and Penalties for Unauthorized Disclosure
As discussed above, FinCEN expects that financial institutions will implement or enhance policies, procedures and internal controls to prevent unauthorized disclosure of SARs shared with foreign entities. Civil penalties and criminal sanctions may be imposed on domestic and foreign affiliates and personnel for the unauthorized disclosure of SAR Information.
FinCEN seeks comments on whether an appropriate balance has been struck between the facilitation of information sharing and safeguarding the unauthorized disclosure of SARs and confidential information in SARs. We expect that financial institutions will welcome the ability to share SARs Information with foreign affiliates, where they have been previously unable. However, financial institutions should provide FinCEN with comments on whether an appropriate balance has been struck to ensure safeguarding of SARs Information.
C. Offshoring Prohibition
The NPRM incorporates 31 U.S.C. 5318(g)(10) of the AML Act, without adding more, by prohibiting a financial institution from “establishing or maintaining any operation located outside of the United States the primary purpose of which is to ensure compliance with the BSA as a result of the information sharing granted by the pilot program.”16 It is unclear from the NPRM whether this provision would prevent the use of foreign shared services subsidiaries by participating financial institutions to centralize AML (or other) compliance activities that are unrelated to the pilot program. Given the uncertainty and potential for significant efficiencies from centralized processing, this is an area where financial institutions with offshore AML compliance operations may want to seek clarity. Otherwise, financial institutions may be deterred from participating in the pilot program if it would prevent them from obtaining any of the benefits of centralized compliance processing.
D. Restricted Jurisdictions
Consistent with the AML Act, the NPRM prohibits participant financial institutions from sharing SAR Information with foreign branches, subsidiaries and affiliates in China or Russia without seeking an exception from the Secretary. In addition, SARs Information may not be shared with foreign branches, subsidiaries and affiliates in jurisdictions that are subject to sanctions,17 a state sponsor of terrorism18 or identified as a primary money laundering concern.19
E. Duration of the Pilot Program
The pilot program will terminate three years after enactment of the AML Act (i.e., January 1, 2024) unless extended by the Secretary for up to two years. Given the limited duration of the pilot program, the NPRM indicates that FinCEN will endeavor to provide responses to applications within 90 days. FinCEN also requests comments on whether a broader, longer-term program should be considered. Notwithstanding the potential significant benefits conferred on participating institutions, we expect that certain financial institutions may be cautious about making significant changes to their SAR reporting policies for a program that is limited in duration.
F. Quarterly Reporting Requirements
The proposed rule would require that financial institutions participating in the pilot provide FinCEN with quarterly reports disclosing, in part, the total number of SARs and related information shared and the name and jurisdiction of entities that received SARs Information. FinCEN also expects that the pilot program will be an opportunity for participating financial institutions to enhance data sharing policies and procedures to ensure safekeeping of personally identifiable data and to focus the financial institution’s efforts on high-priority AML/CFT risks.20 To this end, the quarterly reports also would include information on any legal and compliance issues encountered as part of the pilot program, enhancements made to the financial institution’s AML/CFT program as a result of the pilot program and lessons learned.
Global financial institutions may view the NPRM as a much-needed step toward materially enhancing enterprise-wide financial crime compliance efforts. The NPRM, if finalized, may provide financial institutions with an opportunity to share SAR Information with foreign branches, subsidiaries and affiliates so that foreign affiliates can have a better understanding of their potential exposure to financial crime risks identified elsewhere in the enterprise. In addition, an ancillary bonus may be that financial institutions will also be able to share the internal decision-making that went into the determination to file a SAR, which might be valuable “best-practice” information for a foreign branch’s compliance function. This may be particularly true for foreign branches whose local standards for filing a SAR are aligned with the US standard.
Some financial institutions may be hesitant, however, to implement such a program for several reasons. First, if the pilot program will be terminated in 2024, or in 2026, if extended, the short time period may discourage financial institutions from participating. Financial institutions may be reluctant to build structures that enable them to share only limited additional information (i.e., SAR Information) with foreign affiliates when they must terminate those programs within a few years, especially because financial institutions may already share with such affiliates the facts and content underlying a SAR filing outside of the pilot program. Second, the AML Act prohibits the use of offshore compliance activities related to this pilot program, and it is unclear whether the NPRM would also prohibit the use of offshore compliance activities for other AML-related and non-AML-related compliance activities, which is a key selling point for many shared services subsidiaries and enterprise-wide programs.21 For example, a financial institution may rely (for both cost and efficiency) on non-US alert adjudicators to review AML alerts triggered by an automated transaction monitoring system. Financial institutions may not want to risk disrupting such offshore compliance operations as a result of participating in the pilot program. Third, some financial institutions may not want to expend their time and resources to prepare an application. Thus, financial institutions will have to carefully weigh these potential costs against the benefits of applying to the proposed pilot program.
Financial institutions that are interested in establishing a pilot program, and other interested parties, should consider submitting comments to FinCEN. One question that financial institutions may want to ask is whether nonbank affiliates (such as an affiliate used for back office, data processing or payroll functions) subject to the SAR reporting obligation in Regulation Y can be “eligible financial institutions” for purposes of this proposed rule. While FinCEN regulations do not impose a SAR reporting obligation on nonbank affiliates (unless they fall into another category of covered institutions (e.g., broker-dealers)), the Federal Reserve imposes SAR reporting obligations on all nonbank subsidiaries of a bank holding company or a foreign bank that are subject to the Bank Holding Company Act.22 If FinCEN determines in the final pilot program rule that such nonbank affiliates are covered, they would be able to share SAR Information with other foreign affiliates. Thus, commentators should encourage FinCEN to resolve these types of ambiguities to facilitate the implementation of a clear final rule.
1 Financial Crimes Enforcement Network, FinCEN Issues Proposed Rule for Suspicious Activity Report Sharing Pilot Program to Combat Illicit Finance Risks, FinCEN (Jan. 24, 2022), https://www.fincen.gov/news/news-releases/fincen-issues-proposed-rule-suspicious-activity-report-sharing-pilot-program.
2 31 U.S.C. § 5311(a), (5). Please refer to Mayer Brown’s Legal Update regarding the enactment of the National Defense Authorization Act, which included the AML Act: Marcus A. Christian, Rajesh De, Luke Levasseur, Stephen Lilley, Marcia G. Madsen, Andrew Olmem, David A. Simon, Tamer A. Soliman and Christina M. Thomas, The US National Defense Authorization Act for Fiscal Year 2021: What You Need to Know (Jan. 2, 2021), available at https://www.mayerbrown.com/en/perspectives-events/publications/2020/12/the-us-national-defense-authorization-act-for-fiscal-year-2021-what-you-need-to-know.
4 Pursuant to FinCEN’s regulations implementing the BSA, financial institutions obligated to file SARs include banks (at 31 C.F.R. § 1020.320), casinos and card clubs (at 31 C.F.R. § 1021.320), money service businesses (at 31 C.F.R. § 1022.320), broker-dealers (at 31 C.F.R. § 1023.320), mutual funds (at 31 C.F.R. § 1024.320), certain insurance companies (at 31 C.F.R. § 1025.320), futures commission merchants and introducing brokers in commodities (at 31 C.F.R. § 1026.320), certain loan and finance companies (at 31 C.F.R. § 1029.320), and housing government-sponsored enterprises (at 31 C.F.R. § 1030.320).
9 Financial Crimes Enforcement Network, Interagency Guidance on Sharing Suspicious Activity Reports with Head Offices and Controlling Companies, FinCEN (Jan. 20, 2006), https://www.fincen.gov/resources/statutes-regulations/guidance/interagency-guidance-sharing-suspicious-activity-reports.
10 Financial Crimes Enforcement Network, Sharing Suspicious Activity Reports by Depository Institutions with Certain U.S. Affiliates, FinCEN (Nov. 23, 2010), https://www.fincen.gov/sites/default/files/shared/fin-2010-g006.pdf. FinCEN did not address whether nonbank subsidiaries of a bank holding company are subject to a SAR regulation. While such entities are subject to the Federal Reserve’s SAR regulation, their omission from FinCEN’s SAR regulations is notable. See 12 C.F.R. § 225.4(g).
17 Jurisdictions “subject to sanctions imposed by the Federal Government” are jurisdictions with governments whose property are blocked by US sanctions authorities or subject to broad prohibitions on transactions by US persons involving that jurisdiction, i.e., importing or exporting goods, services, etc.. 31 U.S.C. § 5318(g).
20 Please refer to Mayer Brown’s Legal Update on FinCEN’s AML/CFT priorities: Glen A. Kopp, Gina M. Parlovecchio and Brad A. Resnikoff, FinCEN’s First-Ever National AML/CFT Priorities Provide Insights Into Key Threats (July 6, 2021), available at https://www.mayerbrown.com/en/perspectives-events/publications/2021/07/fincens-firstever-national-amlcft-priorities-provide-insights-into-key-threats.