Sixth Post in an Extended Series on Legislative Changes to BSA/AML Regulatory Regime
As we have blogged, the Anti-Money Laundering Act of 2020 (“AMLA”) contains major changes to the Bank Secrecy Act (“BSA”), coupled with other changes relating to money laundering, anti-money laundering (“AML”), counter-terrorism financing (“CTF”), and protecting the U.S. financial system against illicit foreign actors.
A recurring theme of the changes offered by AMLA is information sharing. AMLA mandates that the Department of Treasury’s supervision priorities must include “appropriate frameworks for information sharing among financial institutions, their agents and service providers, their regulatory authorities, associations of financial institutions, the Department of the Treasury, and law enforcement authorities.” The increased emphasis on information sharing is accompanied by provisions requiring confidentiality and data security protocols.
The Financial Crimes Enforcement Network (“FinCEN”) is already beginning to address AMLA’s focus on the sharing and protection of information, as it explained in its recent detailed Report on FinCEN’s Innovation Hours Program, which focuses on fostering technological innovation in AML/CTF compliance. In this post, we explore AMLA’s expansion of information sharing, corresponding privacy and data security protections, and the tensions that lie therein.
AMLA is replete with new avenues for information sharing. We address those provisions here, which fall into three categories: (1) the information-sharing provisions of the Corporate Transparency Act (“CTA”), (2) expansions to information sharing via public-private partnerships, and (3) expansions to information sharing within financial institutions, specifically between a domestic and foreign branch.
Information Sharing under the CTA
Arguably, the most important information-sharing provisions are in the CTA. The CTA establishes a beneficial ownership (“BO”) database housed within the Department of Treasury. This database will include a BO’s full name, date of birth, current address, and a unique identifying number from an acceptable identification document (or an acceptable FinCEN identifier). In a previous blog post in this series, we discussed how the new BO database may relieve financial institutions of some customer due diligence obligations and could allow regulators to spend more time on investigation of substance, rather than determining an entity’s BOs. Although the BO database will be stored at the Department of Treasury, the CTA provides for interagency, state, cross-border, and public-private sharing of BO information to assist in law enforcement and prosecution efforts. If requested, access will be given to regulators and law enforcement only to the information needed and only to those individuals that require access. Financial institutions may also satisfy customer due diligence requirements by requesting information from the BO database, but only if given consent by the reporting company.
Although we discuss AMLA’s privacy and data security provisions in detail below, the CTA’s privacy and data security provisions are important enough to highlight here. While the privacy and data security regulations described by the CTA are likely not to be published until later in 2021, their general contents are explained by AMLA.
The CTA requires each requesting agency to establish and maintain a secure system to store BO information, establish privacy and data security protocols, and certify compliance with the Secretary of Treasury on a semi-annual basis. The regulations will also limit access to the BO database information in two ways. First, the BO database information will only be available to requesting agencies upon written request describing the reasons for the request. Second, access to the BO database information is limited to personnel who must go through appropriate training, use identity verification to obtain access to the BO database information, and must also be authorized—by agreement with the Secretary of Treasury—to access that information.
Finally, the CTA requires regulations enforcing strict compliance with minimum data security protocols and access requirements. The regulations will require recordkeeping by the requesting agency showing what information was requested (and by whom), audits by the requesting agency and the Secretary of Treasury, and any other additional safeguards deemed necessary by the Secretary of Treasury. Violations of these regulations may lead to criminal or civil penalties.
AMLA also codifies public-private partnerships for information sharing in three ways. First, AMLA creates the “Office of the Domestic Liaison,” which reports to FinCEN’s Director. The Office of the Domestic Liaison will contain a Chief Domestic Liaison and regional, Domestic Liaisons. The Domestic Liaisons will be a conduit between the federal functional regulators and BSA officers at financial institutions. Importantly, the Domestic Liaisons will receive confidential feedback from financial institutions on BSA examinations and will help coordinate public-private information sharing matters. Having individuals dedicated to facilitating and strengthening these public-private partnerships may help foster more and more useful information sharing.
Second, AMLA acknowledges the FinCEN Exchange, a “public-private information sharing partnership among law enforcement agencies, national security agencies, financial institutions, and FinCEN” that has existed since December 2017. AMLA codifies this ad hoc program into the statutory scheme. Although AMLA does not provide details, it appears the FinCEN Exchange will continue to share information on “broader typologies” and “high priority issues” for AML/CTF issues with financial institutions.
Third, AMLA instructs the Secretary of the Treasury to “convene a supervisory team of relevant Federal agencies, private sector experts in banking, national security, and law enforcement, and other stakeholders to examine strategies to increase cooperation between the public and private sectors.” This supervisory team may use its diverse perspectives to offer insights into future avenues for information sharing within public-private partnerships.
Information Sharing within Financial Groups
AMLA also contains a pilot program allowing financial institutions to share information related to suspicious activity reports (“SARs”), as well as the fact that a SAR has been filed, with foreign branches. This would allow financial institutions to more effectively combat cross-border money laundering or terrorist financing. While the animating regulations must be developed, the contours of the pilot program are relatively clear. The pilot program will allow information sharing with foreign branches, but will impose penalties on foreign branches for public disclosure of the information shared. The pilot program will also not permit financial institutions to share information with foreign branches in China, Russia, or jurisdictions that are state-sponsors of terrorism or are subject to sanctions.
Privacy and Data Security Provisions
Along with information sharing, AMLA provides additional provisions on privacy and data security. Most notably, AMLA creates the role of Bank Secrecy Act Information Security Officers (“BSA ISOs”), each of whom will serve within the federal functional regulators, FinCEN, and the IRS. The BSA ISOs will be central to marrying the new information-sharing provisions to data security protocols. To perform this function, the BSA ISOs will help create data security regulations and internal protocols, be consulted on information-sharing policies and data security concerns, and may help develop new technologies to strengthen future data security.
They will also be given a seat at the table on the Subcommittee on Information Security and Confidentiality, an AMLA-created subcommittee within the Bank Secrecy Act Advisory Group. AMLA instructs that the Subcommittee will “advise the Secretary of the Treasury regarding the information security and confidentiality implications of regulations, guidance, [and] information[-]sharing programs.” In addition to the BSA ISOs, the Subcommittee will also include the heads of the federal functional regulators and representatives from financial institutions, law enforcement, and FinCEN. The Report on FinCEN’s Innovation Hours Program details that FinCEN’s BSA ISO and the Subcommittee will work closely with the Bank Secrecy Act Advisory Group on Innovation and Technology to “support responsible AML/CFT innovation.” The combination of voices hopefully will provide the necessary BSA expertise, technological know-how, and industry experience to advise the Secretary of Treasury into the future.
The information-sharing provisions discussed above also contain their own requirements. Whether information sharing is interagency, between federal and state or federal and foreign authorities, or between public and private actors, the privacy and data security provisions remain the same:
- AMLA requires the collecting agency to, by regulation or otherwise, establish protocols for privacy and data security;
- AMLA requires the collecting agency to impose its protocols for privacy and data security on those receiving the information;
- AMLA restricts sharing to the narrowest possible group of individuals on the narrowest possible amount of information and generally restricts its use to AML/CTF functions; and
- AMLA suggests the collecting agency should revisit its privacy and data security protocols often, by requiring annual or biannual reports or by requiring the protocols to be created by regulation (as opposed to baking them into the statutory scheme).
AMLA provides more avenues for information to be shared between agencies, states, foreign law enforcement, and financial institutions. As the opportunities for information sharing expand and personal, confidential information continues to spread, concerns over privacy and data security multiply—especially when that information has national security implications.
AMLA acknowledges the centrality of information sharing as a regulatory response to increasingly complex, cross-border and interagency schemes. Allowing more—and more seamless—information sharing may give regulators and law enforcement the ability to use that information to more effectively fuel their investigations and track down wrongdoers. Information sharing will also give financial institutions insight into regulatory focus and industry trends, theoretically allowing the financial institutions to better track and triage AML/CTF priorities.
But increased information sharing is necessarily in tension with privacy and data security concerns. With more people given access to sensitive information, there are more chances for inadvertent disclosure or nefarious actors to gain access. Moreover, to the extent a small subset of agencies or vendors may serve as a hub for information-sharing purposes, lessons from the SolarWinds hack apply (which we blogged about). A data security weakness in one is a weakness for all. Finally, sharing across borders brings its own set of challenges, including translating protocols linguistically and technologically and ensuring maintenance of proper systems and data security protocols.
Pursuit of increased information—and increased information sharing—almost always leads to heightened privacy and data security concerns. But these concerns need not lead to barriers. AMLA contains a number of provisions that require creation of protocols and procedures, mandate continuing maintenance, narrowly restricts access, and solicits ideas from a variety of perspectives. These are sensible solutions on paper, but only time will tell whether this legislative vision will create both robust information sharing and adequate privacy and data protection.
If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team. Please also visit CyberAdviser, our blog focused on the latest news and developments in privacy and cybersecurity law, produced by the members of our Privacy and Data Security Group.