On January 13, 2022, Himamauli “Him” Das, the Acting Director of FinCEN, virtually addressed the Financial Crimes Enforcement Conference hosted by the American Bankers Association and the American Bar Association. In his speech, Mr. Das highlighted the transformation and modernization of the anti-money laundering/counter-terrorist financing (“AML/CFT”) regulatory framework from a tool updated in the wake of September 11, 2001 to combat money flows to terrorist organizations, to an instrument designed to address the more complex current and future challenges presented by digital assets and strategic corruption.
Acting on the authority accorded FinCEN by the Anti-Money Laundering Act of 2020 (the “AML Act”), FinCEN has been in the process of reorganizing and upscaling several of its divisions in order to meet increased obligations. New divisions include the Global Investigations Division, the Strategic Operations Division and the Enforcement and Compliance Division, which together work to combine resources against bad actors, share information, and act to resolve investigations across the financial sector. Mr. Das focused on three additional areas that FinCEN would concentrate on moving forward: new threats, new innovations and new partnerships.
FinCEN identified new threats as a potentially broad group of bad actors, such as cybercriminals conducting ransomware attacks on American organizations. Ransomware attacks have increased in frequency, with FinCEN receiving 30 percent more Suspicious Activity Reports (“SARs”), in the first half of 2021, then during all of 2020, as we have blogged.
Mr. Das emphasized recent FinCEN rulemaking initiatives, including a proposed rule issued last December to implement the beneficial ownership information reporting provisions of the Corporate Transparency Act (“CTA”). In particular, the proposed rule would require many U.S. and foreign companies to report their true beneficial owners to FinCEN and update that information when those beneficial owners change. Mr. Das noted that FinCEN still needs to issue a proposed rule on the critical question of how the CTA will interact with the existing Customer Due Diligence rule, which requires financial institutions to collect beneficial ownership from their entity customers (and which may be expanded because of FinCEN’s proposed definition of beneficial ownership under the CTA).
As noted by Mr. Das, a potentially similar rule is being proposed to address perceived vulnerabilities in the U.S. real estate market to money laundering and other illicit activity by potentially imposing nationwide recordkeeping and reporting requirements under the Bank Secrecy Act (“BSA”). Mr. Das turned a colorful phrase by stating that “[w]e’re also ensuring that a similar principle of transparency applies to real estate. After all, many corrupt actors can hide their money in homes the same way they do in shell companies. Secretary Yellen has called them, ‘money laundromats on the 81st floor.’” However, his comments seemed to emphasize that the potential real estate regulations ultimately will require “just” the reporting of beneficial ownership during purchases, and there was no suggestion during his speech that real estate transactions would be subject to full BSA/AML compliance program requirements.
FinCEN is further concerned with new innovations and technologies that have rendered traditional threats more potent. New regulatory frameworks must account for increased financial activity in the digital world, such as cryptocurrency and other digital assets, and balance the risk posed by these innovations, without stifling the positive opportunities presented by the very same innovations. Mr. Das remarked on the recent BitMEX case, where FinCEN imposed a $100 penalty. However, Mr. Das conceded that enforcement alone is not enough – and everyone can agree that “regulation through enforcement” is not ideal: “[R]egulators cannot only communicate via red lights; we cannot only say what NOT to do. To encourage innovation in this space, we know we have to flash yellow lights – and even the occasional green light.”
FinCEN is also focused on new technologies, such as artificial intelligence, blockchain, and machine learning as a means of lessening the administrative burden on banking institutions for compliance checking, as well as ensuring that the private sector has sufficient room to innovate without the concern of running afoul of regulatory pitfalls. FinCEN wants to create regulatory sandboxes to test new methods of transaction monitoring, and requests input from private institutions on the potential use, needed assurances, and risks of the program.
Mr. Das acknowledged that SAR reporting can be burdensome, and the key goal is for SARs to be actually useful and actionable to law enforcement. His comments are consistent with a request for information (“RFI”) issued last December by FinCEN, seeking comment on ways to “streamline, modernize, and update” the U.S. AML compliance regime. As we blogged, the RFI was the latest development in a protracted inquiry into how to try to leverage technology in order to maximize the usefulness to the government of BSA reporting and record-keeping, and minimize the compliance costs imposed on industry.
Mr. Das characterized the following as the “central question:” “How do we build a regulatory framework that creates the room to foster what’s positive about innovation while at the same time ensuring that bad actors can’t take advantage of innovations more effectively than the good guys?”
FinCEN is looking to enhance its engagement with the private sector and create a better public-private partnership. This partnership hopefully will not only provide for the government’s receipt of information from the private sector, but also provide data back to private institutions to assist in their risk assessment and protection against cyberattacks. FinCEN is planning to use its Innovation Hours program, the FinCEN Exchange and the BSA Advisory Group as forums for private sector participation. Returning to the issue of maximizing actionable SARs, Mr. Das stated:
I know that often when your institutions communicate with FinCEN and other regulatory bodies, especially via SARs, there’s very little sense of where the data goes – or what it’s for. Is law enforcement using it? Is it helpful? . . . . Our goal is to create a feedback loop – not just to collect information from you, but to crunch it and tell you what it did. This way, the data you provide can be leveraged to inform your risk assessments and compliance decisions. The same goes for cyber threat intelligence data. We are working to create real-time data flows that will help to protect against future cyberattacks.
Ideally, the implementation of the AML Act has created a new era in the regulatory regime, one in which FinCEN seeks to not only enhance existing rules and regulations, but to create a new regulatory framework that addresses new threats and innovations, while establishing a public-private partnership to usher in these new precedents. Time will tell if these hopes are fulfilled.