The Financial Crimes Enforcement Network (“FinCEN”) has been busy during the last few weeks – and presumably will remain busy for the rest of 2021, as it attempts to satisfy numerous mandates imposed by the Anti-Money Laundering Act of 2020. In October, in addition to issuing an analysis of Suspicious Activity Reports and ransomware, FinCEN extended its Geographic Targeting Order for real estate transactions; issued exceptive relief providing that a casino may use suitable non-documentary methods to verify the identity of online customers; and reminded U.S. financial institutions to account for the fact that the Financial Action Task Force added and removed countries from its list of jurisdictions with anti-money laundering (“AML”) deficiencies. We discuss each of these developments in turn.
Real Estate GTOs
FinCEN announced on October 29 that, once again, it is extending for another six months the Geographic Targeting Order, or GTO, regarding real estate transactions. FinCEN’s press release is here. The new GTO is here. It is identical to the most recently issued GTOs. FinCEN has issued FAQs on the GTOs here. This is a topic on which we previously have blogged extensively. As we have observed, the constant extension of the real estate GTOs suggests that formal AML regulation of at least parts of the real estate industry appears to be an inevitable development.
Exceptive Relief for On-Line Casinos
On October 19, FinCEN granted limited exceptive relief under the authority set forth in 31 U.S.C. § 5318(a)(7) and 31 C.F.R. § 1010.970(a) to casinos from certain customer identity verification requirements in the context of online gaming. Specifically, FinCEN provided that a casino may utilize suitable non-documentary methods to verify the identity of online customers. The suitability or non-suitability of any particular method should be evaluated by the casino based on risk.
Under the Bank Secrecy Act (“BSA”), a casino must obtain the name, permanent address, and social security number of a customer prior to each deposit of funds, account opening, or extension of credit. The casino must verify, through examination of an approved document, the name and address of such person at the time the deposit is made, account opened, or credit extended. Somewhat ironically, because casinos are not subject to Customer Identification Program (“CIP”) regulations issued under the BSA, they lack the authorization under the BSA to rely upon non-documentary evidence to verify a customer’s identity.
In contrast, banks, brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities may rely on non-documentary evidence, because they are required under the BSA to implement a CIP. Any such CIP must include risk-based verification procedures that enable the financial institution (“FI”) to form a reasonable belief that it knows the true identity of its customer; the CIP also must describe when the FI will verify identity through documentary methods, non-documentary methods, or a combination of both. Non-documentary methods may include contacting the customer; independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement. Non-documentary procedures must address situations where: the customer is unable to present an unexpired government-issued identification document that bears a photograph or similar safeguard; the FI is unfamiliar with the documents presented; the account is opened without obtaining documents; the customer opens the account without appearing in person; or there are circumstances that increase the risk that the FI will be unable to verify the true identity of the customer through documents.
Based on industry feedback, FinCEN issued the exceptive relief so that casinos now may verify the identities of online customers by implementing compliance measures consistent with a CIP, and therefore use non-documentary methods consistent with a risk-based approach. FinCEN explained the rationale for issuing the exceptive relief as follows:
The [historical] identity verification requirement [for casinos] reflects technological constraints and legal restrictions that incentivized in-person interaction with customers. The gaming industry has since evolved, with many casinos now offering new types of gaming, such as online sports wagering and online casino gambling, that involve remote interaction with customers. FinCEN recognizes that the onboarding procedures for online customers used by many brick and mortar casinos, which may include non-documentary identity verification, can provide more comprehensive verification of an online patron’s identity than the procedure currently required under FinCEN rules.
. . . [T]he use of third-party databases, which pull information from a multitude of publicly available resources, is widespread throughout the industry and can provide more comprehensive verification of an online patron’s identity than the documentary methods currently required by FinCEN’s regulations. These third-party databases can verify a customer’s identifying information across thousands of sources. This service can also validate that the information appears to be legitimate, belongs to a single identity and does not appear to be compromised or otherwise suspicious, and provides an overall risk assessment based on the information obtained.
FATF Identification of Jurisdictions with AML/CFT/CPF Deficiencies: the Grey and Black Lists
On October 26, FinCEN issued a release noting that the Financial Action Task Force (“FATF”) updated its lists of jurisdictions with strategic deficiencies involving AML, countering the financing of terrorism (“CFT”), and combatting weapons of mass destruction proliferation financing (“CPF”) as a result of the FATF’s plenary meeting on October 19 to 21. FinCEN observes that U.S. financial institutions therefore “should consider the FATF’s stance toward these jurisdictions when reviewing their obligations and risk-based policies, procedures, and practices.”
Specifically. the FATF added Jordan, Mali, and Turkey to its so-called “Grey List” of the Jurisdictions under Increased Monitoring, but removed Botswana and Mauritius. Jurisdictions under Increased Monitoring are jurisdictions deemed by the FATF to have strategic deficiencies in their AML/CFT/CPF regimes but which have committed to, or are actively working with, the FATF to address those deficiencies in accordance with an agreed upon timeline. With respect to these jurisdictions, FinCEN is reminding U.S. covered financial institutions of their obligations to comply with the due diligence obligations for foreign financial institutions (“FFIs”) in addition to their general obligations to maintain adequate AML compliance programs. Regarding the former requirement, “covered financial institutions should ensure that their due diligence programs, which address correspondent accounts maintained for FFIs, include appropriate, specific, risk-based, and, where necessary, enhanced policies, procedures, and controls that are reasonably designed to detect and report known or suspected money laundering activity conducted through or involving any correspondent account established, maintained, administered, or managed in the United States.” However, in a reference to the risk of wholesale “de-risking” by U.S. FIs, FinCEN further states that “such reasonable steps should not, however, put into question a financial institution’s ability to maintain or otherwise continue appropriate relationships with customers or other financial institutions, and should not be used as the basis to engage in wholesale or indiscriminate de-risking of any class of customers or financial institutions.”
FinCEN also observes that the FATF’s so-called “Black List” of High-Risk Jurisdictions Subject to a Call for Action remains the same: Iran and the Democratic People’s Republic of Korea. The list of “High-Risk Jurisdictions Subject to a Call for Action . . . publicly identifies jurisdictions with significant strategic deficiencies in their AML/CFT/CPF regimes and calls on all FATF members to apply enhanced due diligence, and, in the most serious cases, apply counter-measures to protect the international financial system from the money laundering, terrorist financing, and proliferation financing risks emanating from the identified countries.” Of course, FIs also must comply with the extensive U.S. restrictions and prohibitions against opening or maintaining any correspondent accounts, directly or indirectly, for North Korean or Iranian financial institutions.