Financial Crimes Enforcement Network (FinCEN)

Final Post in a Three-Post Series Regarding Recent Regulatory Action by FinCEN

On September 29, 2020, the Financial Crimes Enforcement Network (“FinCEN”) published a request for comment on existing regulations regarding enhanced due diligence (“EDD”) for correspondent bank accounts. The notice seeks to give the public an opportunity to comment on the existing regulatory requirements and burden estimates. Written comments must be received on or before November 30, 2020.

Currently, Bank Secrecy Act (“BSA”) regulations for due diligence and EDD for correspondent bank accounts require certain covered entities (banks, brokers or dealers in securities, futures commission merchants, introducing brokers in commodities, and mutual funds) to establish due diligence programs that include risk-based, and, where necessary, enhanced policies, procedures, and controls reasonably designed to detect and report money laundering conducted through or involving any correspondent accounts established or maintained for foreign financial institutions. The regulations also require that these same financial institutions establish anti-money laundering (“AML”) programs “designed to detect and report money laundering conducted through or involving any private banking accounts established by the financial institutions.”

In issuing the request, FinCEN has not proposed any changes to the current regulations for correspondent or private banking. Instead, the request is intended to cover “a future expansion of the scope of the annual hourly burden and cost estimate associated with these regulations.”

This is the third and final post in a series of blogs regarding a recent flurry of regulatory activity by FinCEN. In our prior posts, we discussed a final rule by FinCEN extending BSA/AML regulatory requirements to banks lacking a Federal functional regulator, and FinCEN’s advance notice of proposed rulemaking as to potential regulatory amendments regarding “effective and reasonably designed” anti-money laundering (“AML”) programs. Unlike the first two regulatory actions discussed in our series, FinCEN’s request for comments on the burdens of correspondent bank account due diligence and EDD seems purely procedural: it simply asks covered institutions to report how much time and resources are spent on compliance. Nonetheless, it’s hard not to conclude that this request for comment is a prelude to some future, more substantive action regarding correspondent bank account regulation. The U.S. Department of Treasury identified correspondent banking as a “key vulnerability” for exploitation by illicit actors in its 2020 National Strategy for Combating Terrorist and Other Illicit Financing. Further, and as we will discuss, correspondent banking has long had a troubled status: such accounts are simultaneously necessary to the world economy but also regarded as higher risk from an AML perspective. As a real-world example, an alleged lack of diligence regarding the risks posed by correspondent bank accounts played a prominent role in the major alleged AML failures suffered by Westpac, Australia’s second-largest retail bank, which contributed to the bank recently agreeing to a whopping $1.3 billion penalty for violating Australia’s AML/CTF Act.


Continue Reading Regulatory Round Up: FinCEN Solicits Comments on Due Diligence for Correspondent and Private Bank Accounts

October is National Cybersecurity Awareness Month, and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and Office of Foreign Assets Control (“OFAC”) kicked off the month by issuing two advisories that aim to increase cybersecurity awareness, assist financial institutions in detecting and reporting ransomware activity, and highlight potential sanctions risks for facilitating ransomware payments.

The FinCEN and OFAC advisories signal the seriousness with which the Department of Treasury treats the threat of cybercriminals and ransomware attacks. Both FinCEN and OFAC have now squarely placed an obligation on financial institutions and other payment intermediaries to put procedures in place to detect ransomware payments and to restrict payments to blocked individuals. It appears FinCEN and OFAC want to make sure cybercrime does not pay by cutting off cybercriminals’ access into the financial system.

While both FinCEN and OFAC have offered guidance to financial institutions formulating policies and procedures for deciding whether to process or report payment requests that may be connected to ransomware attacks, OFAC has also offered a warning: facilitating ransomware payments may lead to an enforcement action and civil penalties. Given the growing national security concerns associated with ransomware attacks, the advisories rightly encourage financial institutions and other payment intermediaries that facilitate ransomware payments to share information via Suspicious Activity Reports (“SARs”) and to fully cooperate with law enforcement during and after ransomware attacks.
Continue Reading FinCEN and OFAC Advisories Aim to Increase Cybersecurity Awareness and Thwart Ransomware Attacks in the Financial Sector

Second Post in a Three-Post Series Regarding Recent Regulatory Action by FinCEN

On September 16, 2020, the Financial Crimes Enforcement Network (“FinCEN”) issued an Advance Notice of Proposed Rulemaking (“ANPRM”) soliciting public comment on what it describes as “a wide range of questions pertaining to potential regulatory amendments under the Bank Secrecy Act (“BSA”).” As stated, the job which FinCEN created for itself that resulted in the ANPRM was not a small one: “to re-examine the BSA regulatory framework and the broader AML regime.”

The ANPRM seeks to help modernize the current BSA/AML regime – modernization being a frequent theme of public comments by FinCEN Director Ken Blanco, as we have blogged. Indeed, the U.S. Department of Treasury’s 2020 National Strategy for Combating Terrorist and Other Illicit Financing calls for AML modernization, in order to “[l]everag[e] new technologies and other responsible innovative compliance approaches to more effectively and efficiently detect illicit activity.” Meanwhile, and as we have blogged, Congress has been contemplating various proposals for BSA/AML reform for some time (see here, here, here, here and here).

Despite its broad language, however, the ANPRM essentially boils down to a potential amendment requiring those financial institutions already required under the BSA to have an AML compliance program to formally include a risk assessment as part of their program – and for the risk assessment to take into account the government’s AML priorities, which the government will announce approximately every two years. On the one hand, this proposal does not add much that is new, because the vast majority of financial institutions required to maintain AML programs already perform risk assessments in order to conduct KYC and file Suspicious Activity Reports (“SARs”). On the other hand, the ANPRM takes a standard industry practice and turns it into a new regulatory requirement, thereby increasing liability risk. The ANPRM also touches on the tension between the government creating objective requirements – which can be helpful because they add clarity – in a compliance and enforcement regime that is supposed to be flexible and “risk based.” Under any scenario, the ANPRM is important and certainly will be the focus of industry attention.

This is the second post in a series of three blogs regarding a recent flurry of regulatory activity by FinCEN. In our first post, we discussed a final rule by FinCEN extending BSA/AML regulatory requirements to banks lacking a Federal functional regulator. In our third and final post, we will discuss the publication by FinCEN of a request for comment on existing regulations regarding enhanced due diligence for correspondent bank accounts.
Continue Reading Regulatory Round Up: FinCEN Issues ANPRM on Modernizing the BSA/AML Regulatory Regime

First Post in a Three-Post Series Regarding Recent Regulatory Action by FinCEN

The Financial Crimes Enforcement Network (“FinCEN”) has been busy. In the last two weeks, FinCEN has posted three documents in the Federal Register. Any one of these publications, standing alone, would be significant, particularly given the infrequency of such postings. Collectively they reflect an unusual flurry of regulatory activity by FinCEN, perhaps spurred by the impending election and potential management turn-over at FinCEN. These publications are:

  • A final rule (“Final Rule”) extending BSA/AML regulatory requirements to banks lacking a Federal functional regulator;
  • An advance notice of proposed rulemaking on potential regulatory amendments regarding “effective and reasonably designed” anti-money laundering (“AML”) programs; and
  • A request for comment on existing regulations regarding enhanced due diligence for correspondent bank accounts.

Today, we discuss the Final Rule, published on September 14, 2020, extending BSA/AML regulatory requirements to banks lacking a Federal functional regulator. In our next posts, we will discuss the advance notice and request for comment.

The Final Rule provides that banks lacking a Federal functional regulator now will be required to (i) develop and implement an AML program, (ii) establish a written Customer Identification Program (“CIP”) appropriate for the bank’s size and type of business, and (iii) verify the identity of the beneficial owners of their customers. While stressing the perceived importance of closing this prior gap in regulatory coverage, FinCEN also attempted to minimize concern that the Final Rule would impose a serious burden on the covered financial institutions. The Final Rule will become effective on November 16, 2020, with a compliance deadline of March 15, 2021.
Continue Reading Regulatory Round Up: FinCEN Extends BSA/AML Requirements to Banks Lacking a Federal Functional Regulator

We are pleased to offer the latest episode in Ballard Spahr’s Consumer Financial Monitor Podcast series — a weekly podcast focusing on the consumer finance issues that matter most, from new product development and emerging technologies to regulatory compliance and enforcement and the ramifications of private litigation.  Following up on a recent blog post,

Regulators’ Joint Statement Attempts to Clarify AML Expectations Regarding Potential Corrupt Actors

On August 21, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) and other banking regulators – specifically the Federal Reserve, the FDIC, the National Credit Union Administration, and the OCC – issued a joint statement that provides additional guidance in applying Bank Secrecy

Can BSA/AML Requirements Lead to Deemed Knowledge of Borrower Fraud?

The first two weeks of August brought a milestone of sorts in the ongoing recovery from the economic downturn brought on by the COVID-19 pandemic. The Paycheck Protection Program (“PPP”) ended its enrollment period on August 8, 2020 and the window for borrowers to apply to have their PPP loans forgiven opened on August 10, 2020.

The PPP was a centerpiece of the over $2 trillion Coronavirus Aid, Relief and Economic Security Act (“CARES Act”) that, according to a study by the Massachusetts Institute of Technology published on July 22, 2020, had to that point saved between 1.4 and 3.2 million jobs. Less formally observed but possibly more widely agreed, the PPP caused at least as many headaches with its rocky initial rollout and the ongoing uncertainty over applicable loan forgiveness standards. But, whereas implementing the PPP poses challenges to lenders now, due to the rampant fraud in the program (which, along with all COVID-19-related enforcement actions and policy statements, we track here) and its funding mechanics, it creates substantial downstream enforcement risk through the False Claims Act (“FCA”) for participating financial institutions.

Numerous districts already have charged borrowers with PPP-related fraud. To date, cases generally involve one of these scenarios:

  • Borrowers submitted fraudulent loan applications and supporting documents to seek PPP funds for businesses that either already had failed pre-pandemic or that they did not actually own.
  • Borrowers lied about the amount, or even existence, of employees and payroll. These schemes involve inflated numbers of employees for companies, or even completely fake companies.
  • Borrowers certified that they would use loan funds to support payroll expenses or other allowable expenses, but in fact used all or most loan funds to pay personal and non-business expenses.

The prosecutions to date have all centered on relatively obvious fraud by borrowers, not lenders. But, wider-reaching investigations are occurring and though we are very much at the beginning of the enforcement phase, the magnitude of fraud in these programs is coming into focus. On September 1, 2020, the House Select Committee on the Coronavirus Crisis released a preliminary analysis finding, among other things, over $1 billion in fraudulent PPP loans were issued and identifying red flags with respect to an additional $2.98 billion in loans made to 11,000 borrowers.

And, as we discuss, the anti-money laundering (“AML”) requirements of lenders imposed under the Bank Secrecy Act (“BSA”) may expose lenders to greater risk under the FCA, which can impose civil liability for the reduced mental state of reckless disregard. Many lenders have extended PPP loans to previously-existing customers. This is a rational business decision, given typically lower business risks presented by existing customers and lower compliance costs, because existing customers do not need to provide beneficial ownership information under the Customer Due Diligence (“CDD”) rule of the BSA. However, because lenders also are required under the BSA to understand to a degree the historical and current activities of their customers, lenders may be deemed in future FCA actions to have “known” about red flags generated by fraudulent borrowers because of information obtained by the lenders properly executing their AML programs. That is, compliance with the BSA ironically may generate evidence for downstream FCA enforcement actions based on deemed “knowledge” by the lender of borrower malfeasance. This irony may be exacerbated by any disconnect in real time between the AML compliance staff at financial institutions and the front-line business people extending loans, particularly given the incredible speed with which institutions have extended PPP loans, at the government’s urging.

The point here is not that PPP lenders will face direct regulatory liability for alleged BSA/AML failures – although they may. Rather, the point is that PPP lenders may face enhanced FCA liability due to borrower information obtained through an entirely functional BSA/AML program. This phenomenon highlights the need for the “front” and “back” offices at lenders to communicate.
Continue Reading PPP Lenders and Fraudulent Borrowers: False Claims Act Liability and AML Risk

Law Enforcement Has Been Using GTO Data

First of Two Posts on Evolving Issues Regarding Real Estate and Money Laundering

The U.S. Government Accountability Office (“GAO”) has issued a report on the status and effectiveness of the Geographic Targeting Orders (“GTOs”) issued by the Financial Crimes Enforcement Network (“FinCEN”) since 2016, and on which we repeatedly have blogged. The GAO’s report, entitled “Anti-Money Laundering — FinCEN Should Enhance Procedures for Implementing and Evaluating Geographic Targeting Orders,” (“the Report”) is lengthy. In this post, we will describe the Report at a high level, and will attempt to focus on the portions which shed possible light on two key questions: (1) how is law enforcement using the information culled from filings received by FinCEN as a result of the GTOs; and (2) whether the information obtained from GTO filings may fuel legislation or regulations that will permanently subject portions of the real estate industry to anti-money laundering (“AML”) reporting requirements under the Bank Secrecy Act (“BSA”).

In our next post, we will turn from regulatory requirements to enforcement actions, and explore some recent high-profile civil forfeiture actions by the Department of Justice — at least some of which may have been fueled by information obtained through GTOs — involving real estate and alleged foreign corruption.  Under any scenario, these forfeiture actions confirm the U.S. government’s sustained focus on real estate as a mechanism for money laundering.
Continue Reading GAO Publishes Report on Effectiveness of Real Estate GTOs Issued by FinCEN

Regulators Provide Greater Transparency into BSA/AML Enforcement Process

On August 13, 2020 the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, and Office of the Comptroller of the Currency (the “Agency” or collectively the “Agencies”) issued a joint statement updating and clarifying their 2007 guidance regarding how they evaluate enforcement actions when financial institutions violate or fail to meet BSA/AML requirements. The Financial Crimes Enforcement Network (“FinCEN”) followed with its own statement on August 18, 2020, setting forth its approach when considering enforcement actions against financial institutions that violate the BSA.

Below are a few highlights from the two sets of guidance:

  • The joint statement repeatedly emphasizes that isolated or technical deficiencies in BSA/AML compliance programs will not generally result in cease and desist orders.
  • The joint statement provides specific categories and examples of BSA/AML program failures that typically would (or would not) result in a cease and desist order. Certain of these examples are discussed below.
  • Compared to the 2007 guidance, the joint statement provides more detailed descriptions and examples of the pillars of BSA/AML compliance programs, such as designated BSA/AML personnel, independent testing, internal controls, and training.
  • FinCEN explains in its statement that it will base enforcement actions on violations of law, not standards of conduct contained solely in guidance documents.
  • The FinCEN statement lays out the factors FinCEN considers when determining the disposition of a BSA violation. Unsurprisingly, these factors include the pervasiveness and seriousness of the conduct and the violator’s cooperation and history of wrongdoing.

All in all, the two statements, particularly the joint statement, succeed in providing greater transparency into the regulators’ decision-making processes with regards to pursuing enforcement actions for violations of the BSA and for AML program deficiencies.
Continue Reading Federal Banking Agencies Issue Joint Statement On Enforcement of BSA/AML Requirements; FinCEN Follows With Its Own

On Monday, the Financial Crimes Enforcement Network (FinCEN) issued new Frequently Asked Questions (FAQs) regarding customer due diligence (CDD) requirements for covered financial institutions.  The FAQs supplement FinCEN’s previously issued FAQs on the topic from July 2016 and April 2018 and deal with requirements regarding obtaining customer information, establishing a customer risk profile, and performing ongoing monitoring of the customer relationship.

The issuance of these FAQs amidst the current regulatory landscape – that is, in the context of FinCEN’s onslaught of guidance surrounding possible fraudulent schemes arising out of the current global pandemic – is not a surprise. Indeed, this week’s FAQs further clarify FinCEN’s expectations that financial institutions take seriously not only their initial duties to conduct risk-appropriate levels of due diligence of their customers, but also continue to monitor the relationships on an ongoing basis and at a cadence that matches any assigned risk assessment.
Continue Reading FinCEN Issues New FAQs on CDD Rule