In February 2024, the Federal Deposit Insurance Corporation (FDIC) entered into consent orders (here and here) with two banks who partner with fintechs to offer “banking as a service” (BaaS) related to safety and soundness concerns relating to compliance with the Bank Secrecy Act (BSA), compliance with applicable laws, and third-party oversight. 

BaaS refers to arrangements in which banks integrate their banking products and services into the services of non-bank third-party distributors and the distributors deliver the integrated banking services directly to the customer.  A common example of BaaS is banks’ delivery of lending services through fintech partners’ digital platforms.  BaaS has gained popularity in recent years as the bank partner can generally roll out banking services to customers at a much faster pace and for lower costs than traditional banking products and services.

These two consent orders do not arise in a vacuum.  In June 2023, the FDIC, Federal Reserve Board, and Office of the Comptroller of the Currency released final interagency guidance for their respective supervised banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements.  The guidance explained that supervisory reviews will evaluate risks and the effectiveness of risk management to determine whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.  At that time, we noted that we expected increased regulatory attention to bank/fintech partnership programs like the BaaS relationships addressed here.  Although these FDIC consent orders did not specifically cite to the interagency guidance, the guidance presumably was used to support the third-party oversight criticisms in the supervisory examinations of the two banks.

Continue Reading  Recent FDIC Consent Orders Reflect Ongoing Scrutiny of Bank Relationships with Fintechs

The Financial Crimes Enforcement Network (“FinCEN”) and the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) recently issued Joint Notice FIN-2023-NTC2, “Announnc[ing] New Reporting Key Term and Highlight[ing] Red Flags Relating to Global Evasion of U.S. Export Controls” (the “Joint Notice”). As we have blogged (here and here), these agencies issued two prior joint alerts warning financial institutions (“FIs”) about efforts by individuals or entities to evade Russia-related export controls administered by BIS.

The practical import of the Joint Notice – which re-emphasizes the focus of the U.S. government on fighting sanctions evasion – is that many customers involved in international trade should be subject to some degree of enhanced due diligence by FIs, simply because they participate in international trade.  FIs should review and adjust their risk assessments accordingly.

Continue Reading  FinCEN and BIS Issue Joint Notice on SAR Filings for Evasion of U.S. Export Controls

The Federal Reserve, FDIC, and OCC have released final interagency guidance for their respective supervised banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements.  The guidance is intended to provide principles for effective third-party risk management for all  types of third-party relationships, regardless of how they may be structured.  At the same time, the agencies state that banking organizations have flexibility in their approach to assessing the risks posed by each third- party relationship and deciding the relevance of the considerations discussed in the final guidance

The final guidance rescinds and replaces each agency’s previously-issued guidance on risk management practices for third-party relationships.  In their July 2021 proposal, the agencies had included as an appendix FAQs issued by the OCC to supplement the OCC’s existing 2013 third-party risk management guidance.  The proposed guidance included the revised FAQs as an exhibit and the agencies sought comment on the extent to which the concepts discussed in the FAQs should be incorporated into the final guidance.  In their discussion of the final guidance, the agencies identify which concepts from the FAQs have been incorporated into the final guidance.

Continue Reading  Federal Banking Agencies Issue Final Interagency Guidance on Risk Management in Third-Party Relationships

Report Offers Weak Insight on Causation but Lists Steps that Treasury Can and Should Take

The Department of Treasury (“DOT”) recently released its first ever strategy report (the “Strategy”) on the topic of de-risking, taking the form of a 54-page document that combines a summary of the problem of de-risking with an overview of recommended steps to solve it. While the Strategy is the first document of its kind issued by the U.S. government, it is not unexpected – Section 6215 of the Anti-Money Laundering Act of 2020 (“AMLA”) requires the DOT to develop a strategy to mitigate the adverse effects of de-risking after conducting interviews with regulators, non-profit organizations and other public and private stakeholders.

As we’ve discussed over the years, “de-risking” is a practice taken by financial institutions (FIs) to restrict certain categories of customers from accessing their services – typically due to the perception that the compliance risk associated with such customers would outweigh the benefits, financial or otherwise, of servicing them. It is important to note that the concept of de-risking is not about a customer’s individual risk profile; rather, de-risking involves a FI making a wholesale or indiscriminate determination about a category of customers, and failing to use an individualized risk-based approach favored by the anti-money laundering/countering the financing of terrorism (AML/CFT) regulatory framework.  As we have discussed, and as global watchdog groups have noted, de-risking often has a disproportionate impact on developing countries.  The Strategy itself notes that de-risking “prevent[s] low- and middle-income segments of the population, as well as other underserved communities, from efficiently accessing the financial system[.]” Thus, the issue of de-risking is intertwined with concerns regarding economic and ethnic disparities. 

As the Strategy notes, de-risking also can undermine development, humanitarian and disaster relief funds flowing to other countries.  Finally, de-risking can threaten the U.S. financial system because driving funds outside of the regulated financial system makes it harder to detect and deter illicit finance, and increases the risk of sanctions evasion. 

According to the Strategy, the profit motive of FIs is the main driver behind the ongoing problem of de-risking:  because the cost of compliance for risky categories of customers would be too high, FIs cannot justify providing services to them from a profitability perspective.

Arguably, this claim in the Strategy suffers from, at best, a certain lack of self-awareness and, at worst, a degree of hypocrisy, used to deflect a Congressional demand that the DOT address and ameliorate the problem of de-risking. Increasingly onerous BSA/AML regulations, the occasionally haphazard enforcement of those regulations, and the practical disconnect between the expectations of AML examiners and law enforcement agents arguably represent the true source of the compliance-related fears and costs that drive FIs to de-risk.  If banks and other FIs are rejecting certain customers wholesale, it’s often because they fear that they will get “dinged” during a regulatory examination for servicing such customers if perceived problems develop after the application of 20/20 hindsight, and because the compliance hoops can range from the onerous to the practically impossible.  Similar considerations are partially why FIs now file over four million Suspicious Activity Reports (“SARs”) annually, regardless of whether any given SAR is actually helpful to law enforcement: no one has been subjected to an enforcement action for filing too many SARs.

Continue Reading  Department of Treasury Issues Strategy on De-Risking

With Guest Speaker Matthew Haslinger of M&T Bank

We are extremely pleased to offer a podcast (here) on the legal and logistical issues facing financial institutions as they implement the regulations issued by the Financial Crimes Enforcement Network (FinCEN) pursuant to the Anti-Money Laundering Act of 2020 (AMLA) and the Corporate Transparency Act

On September 8, the Office of the Comptroller of the Currency (“OCC”) published an extension of its notice and request for comment (the “Notice”) in the Federal Register regarding changes to the OCC’s Money Laundering Risk System (the “MLR System”)  The Notice indicates that the OCC is inviting greater scrutiny of customers and transactions involving

As we have repeatedly blogged, concerns about perceived anti-money laundering (“AML”) risks in the real estate industry are rising globally.  Consistent with this concern, the Financial Action Task Force (“FATF”) has updated its AML guidance for the real estate sector in a document entitled “Guidance for a Risk-Based Approach: Real Estate Sector,” (“FATF Guidance” or “the Updated Guidance”).  The FATF Guidance urges a variety of players in the real estate industry to adopt a risk-based approach (“RBA”) to mitigate AML risks and sets forth some high-level recommendations.  The Updated Guidance notably coincides with FinCEN’s advanced notice of proposed rulemaking to impose reporting and perhaps other requirements under the Bank Secrecy Act (“BSA”) for persons involved in real estate transactions to collect, report, and retain information, and the  recent extension of Geographic Targeting Orders for U.S. title insurance companies.

The FATF Guidance appears to be driven, at least in part, by FATF assessments showing that the real estate sector has high AML risks, which industry players often fail to appreciate and/or mitigate.  The Updated Guidance explains how various industry players can use an RBA to mitigate those risks.  It identifies sector-specific risks, sets forth strategies for assessing and managing those risks, and describes challenges the industry faces in doing so.  The FATF also offers specific guidance for “private sector players” and “supervisors” (e.g., countries and self-regulatory boards) for going forward.  The Updated Guidance includes tools, case studies, and examples of both private sector and supervisory practices to show real estate supervisors and practitioners how to implement FATF standards in an adequate, risk-based and effective manner.

The FATF is an inter-governmental policymaking body dedicated to creating AML standards and promoting effective measures to combat money laundering (“ML”) and terrorist financing (“TF”).  The FATF issued the Updated Guidance with input from the private sector, including from a public consultation with thirteen private-sector representatives (including from sector specific professional associations, the legal profession, FinTech providers, and non-profit organizations) in March and April 2022.  This consultation urged FinCEN, among other things, to provide greater clarity in the Updated Guidance regarding its applicability to the real estate sector and related professions (such as lawyers, notaries, and financial institutions) and extend FATF recommendations to broader real estate activities (such as property development and leasing).

Continue Reading  FATF Updates Risk-Based Approach Guidance for the Real Estate Sector

On July 6, the Financial Crimes Enforcement Network (“FinCEN”), The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency (collectively, “the Agencies”) issued a Joint Statement to “remind” banks that they, of course, should apply a risk-based approach to assessing customer relationships and conducting customer due diligence (“CDD”).

The Joint Statement appears to echo FinCEN’s June 22 Statement on Bank Secrecy Act Due Diligence for Independent ATM Owners or Operators (“ATM Statement”), in which FinCEN also “reminded” banks that “that not all independent ATM owner or operator customers pose the same level of money laundering, terrorist financing (ML/TF), or other illicit financial activity risk, and not all independent ATM owner or operator customers are automatically higher risk.”

Combined – and although generally worded – these publications appear to urge financial institutions (“FIs”) to not pursue broadly-applied “de-risking” strategies.  De-risking is the term for a FI’s decision to terminate a business relationship, or refuse to do business, with a type of customer because that type is associated with a perceived heightened risk of involvement in money laundering or terrorist financing.  Indeed, both new publications caution FIs against turning away potential customers, or closing the accounts of existing customers, on the basis of general customer types.  However, regulators themselves have been criticized for encouraging de-risking by driving highly risk-adverse decisions by FIs, who are unwilling to take the chance and assume the compliance costs of doing business with specific customers who may in fact be “legitimate,” but whose risk profile is deemed to be high due to their group affiliation.  Some front-line regulatory BSA/AML examiners arguably may review a FI’s compliance in a narrow and check-the-box manner versus a more holistic approach, and will not truly value broader societal and equity issues such as the need for equal access to the global financial system, particularly by certain industries and persons living in less-developed countries.  Accordingly, although these new publications are welcome, it might have been better if they had been more explicit – particularly because it is arguably ironic for regulators to be chiding FIs for conforming to de-risking behavior that regulators themselves have encouraged.

Continue Reading  FinCEN and Federal Functional Regulators Issue Coded Warnings Against De-Risking

Meaningful Overlap or Superficial Similarities?

On October 3, the release of the Pandora Papers flooded the global media, as millions of documents detailed incidents of wealthy and powerful people allegedly using so-called offshore accounts and other structures to shield wealth from taxation and other asset reporting. Data gathered by the International Consortium of Investigative Journalists, the architect of the Pandora Papers release, suggests that governments collectively lose $427 billion each year to tax evasion and tax avoidance. These figures and the identification of high-profile politicians and oligarchs involved in the scandal (Tony Blair, Vladimir Putin, and King Abdullah II of Jordan, to name a few) have grabbed headlines and spurred conversations about fairness in the international financial system – particularly as COVID-19 has highlighted and exacerbated economic disparities.

Much of the conduct revealed by the Pandora Papers appears to involve entirely legal structures used by the wealthy to – not surprisingly – maintain or enhance wealth.  Thus, the core debate implicated by the Pandora Papers is arguably one of social equity and related reputational risk for financial institutions (“FIs”), rather than “just” crime and anti-money laundering (“AML”). Media treatment of the Pandora Papers often blurs the distinction between AML and social concerns – and traditionally, there has been a distinction.

This focus on social concerns made us consider the current interest by the U.S. government, corporations and investors in ESG, and how ESG might begin to inform – perhaps only implicitly – aspects of AML compliance and examination.  ESG, which stands for Environmental, Social, and Governance, are criteria that set the foundation for socially-conscious investing that attempts to identify related business risks.  At first blush, the two are separate fields.  But as we discuss, there are ESG-related issues that link concretely to discrete AML issues: for example, transaction monitoring by FIs of potential environmental crime by customers for the purposes of filing a Suspicious Activity Report, or SAR, under the Bank Secrecy Act (“BSA”).  Moreover, there is a bigger picture consideration regarding BSA/AML relating to ESG:  will regulators and examiners of FIs covered by the BSA now consider – consciously or unconsciously – whether FIs are providing financial services to customers that are not necessarily breaking the law or engaging in suspicious activity, but whose conduct is inconsistent with ESG principles?

If so, then ESG concerns may fuel the phenomenon of de-risking, which is when FIs limit, restrict or close the accounts of clients perceived as being a high risk for money laundering or terrorist financing.  Arguably, and as we discuss, there also would be a historical and controversial analog – Operation Chokepoint, which involved a push by the government (not investors) for FIs to de-risk certain types of customers.  Regardless, interest in ESG means that FIs have to be even more aware of potential reputational risk with certain clients.  Even if the money in the accounts is perfectly legal, the next data breach can mean unwanted publicity for servicing certain clients.

These concepts are slippery, involve emerging trends that have yet to play out fully, and the similarities between AML and ESG can be overstated.  Nonetheless, it is possible that these two fields, both of which are subject to increasing global interest, may converge in important respects.  A preliminary discussion seems merited, however caveated or subject to debate.
Continue Reading  ESG, AML Compliance and the Convergence of Social Concerns

Breadth of List Undermines Usefulness to Industry

As required by the Anti-Money Laundering Act (“AML Act”), the Financial Crimes Enforcement Network (“FinCEN”) issued on June 30, 2021 the first government-wide list of priorities for anti-money laundering and countering the financing of terrorism (“AML/CFT”) (the “Priorities”).  The Priorities purport to identify and describe the most significant AML/CFT threats facing the United States.  The Priorities have been much-anticipated because, under the AML Act, regulators will review and examine financial institutions in part according to how their AML/CFT compliance programs incorporate and further the Priorities, “as appropriate.”

Unfortunately, and as we will discuss, there is a strong argument that FinCEN has prioritized almost everything, and therefore nothing.
Continue Reading  FinCEN Identifies AML/CFT “Priorities” For Financial Institutions