We blogged previously on the significant steps the European Union (“EU”) recently has taken toward implementing a rigorous new transnational anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) enforcement framework. This included, inter alia, EU-wide guidelines proposed by the European Banking Authority (“EBA”) for AML/CFT compliance officers. The need for competent, experienced, and sufficiently empowered AML/CFT compliance teams was further underlined by an Opinion and Report (“Opinion”) issued by the EBA last week on the potentially problematic trend of widespread “de-risking” across the EU.

“De-risking” is the term for a financial institution’s decision to terminate a business relationship, or refuse to do business, with an individual or category of individuals associated with a heightened risk of involvement in money laundering or terrorist financing. The EBA was impelled to address this institutional behavior, which, even if consistent with existing Authority guidance, “can be unwarranted and a sign of ineffective ML/TF risk management,” if done “without due consideration of individual customers’ risk profiles.”

The Opinion points out that indiscriminate de-risking can have the unintended effect of excluding certain (non-criminal) categories of individuals and entities from the financial system. This is framed, if not explicitly labeled, as a civil rights issue: the Opinion states that “access to at least basic financial products and services is a prerequisite for participation in modern economic and social life.” In some cases, the Opinion notes, financial institutions themselves have found themselves the targets of de-risking because of their regions’ reputations for ML/TF problems. De-risking these institutions essentially disqualifies them from participation in the EU transnational financial system, potentially affecting the socioeconomic stability of their home EU member state.

Such de-risking also, paradoxically, has the potential to exacerbate risk for the EU as a whole. The Report notes that “customers affected by de-risking may resort to alternative payment channels in the EU and elsewhere to meet their financial needs. As a result, transactions may no longer be monitored, making the detection and reporting of suspicious transactions and, ultimately, the prevention of ML/TF more difficult.” Because, as noted previously, entities need to access “at least basic financial products and services” to participate in modern society, restricting their access to such services may push them to seek alternatives in the so-called “shadow banking system,” an unregulated web of lenders which the EBA has attempted to weaken.

Farewell to 2021, and welcome 2022 — which hopefully will be a better year for all.  As we do every year, let’s look back — because 2021 was a very busy year in the world of money laundering and BSA/AML compliance, and 2022 is shaping up to be the same.

Indicative of the increased pace and breadth of activity in this space, our list is bigger this year.  We are highlighting 20 of our most-read blog posts from 2021, which address many of the key issues we’ve examined during the past year: the many permutations of the sprawling AML Act; the Corporate Transparency Act and beneficial ownership reporting; potential AML regulation of the real estate industry; criminal and civil money laundering and BSA enforcement cases; efforts to crack down on domestic and foreign corruption; digital assets and cryptocurrency; data privacy and ransomware; ESG and related social issues; the increasing focus on the potential AML obligations of so-called “gate keepers,” including lawyers; and more:

We now move on to 2022.  This year also will be an important and interesting year for BSA/AML and money laundering issues, given the many forthcoming regulations and reports required by the AML Act and the Corporate Transparency Act, which will affect a broad variety of stakeholders.  We look forward to keeping you informed throughout 2022 on these and other developments.

We also want to thank our many readers around the world who continue to make this blog such a success. The feedback we receive from financial industry professionals, compliance officers, in-house and external lawyers, BSA/AML consultants, government personnel, journalists, and others interested in this field is invaluable, and we hope you will continue to share your perspectives with us.  We pride ourselves on providing in-depth discussions of the important developments in this ever-evolving area.

If you would like to subscribe to Money Laundering Watch, please click here. To learn more about Ballard Spahr’s Anti-Money Laundering Team, please click here

Consent Order Stresses that Only Three AML Analysts Struggled to Review 100 “Alerts” Per Day, Each – and Notes in Passing that “Outside Examiners” Blessed the Bank’s AML Program for the Same Five Years that the Bank Allegedly Maintained a Willfully Deficient Program

On December 16, 2021, the Financial Crimes Enforcement Network (“FinCEN”) entered into a Consent Order with CommunityBank of Texas, N.A. (“CBOT”), in which CBOT admitted to major shortcomings with respect to the implementation and effectiveness of its anti-money laundering (“AML”) program. The monetary penalties imposed on CBOT are substantial: FinCEN assessed an $8 million penalty, although CBOT will receive credit for a separate $1 million penalty to be paid to the Office of the Comptroller of the Currency (“OCC”).

The Consent Order, available here, offers valuable insight into FinCEN’s reasoning for its enforcement actions.  According to the Consent Order, CBOT has a regional footprint and operates several branches in Texas.  It serves small and medium-sized businesses and professionals.  And, in the “back of the house,” CBOT established a typical AML system designed to detect and escalate alerts for suspicious activity for investigation and potential filing of Suspicious Activity Reports (“SARs”). However, FinCEN alleged that over a period of at least four years, CBOT “willfully” failed to effectively implement its AML program, leading to a failure to file SARs and otherwise detect specific suspicious activity.  As detailed below, many of the alleged shortcomings of CBOT’s AML program flowed from a lack of compliance resources and personnel between 2015 and 2019: too few analysts were assigned to review and investigate potentially suspicious transactions, and as a result, downstream investigations and due diligence suffered, including an alleged failure to file at least 17 specific SARs.

Because the detailed Consent Order offers a somewhat rare opportunity to glean FinCEN’s reasoning behind its enforcement actions generally, we explore the alleged failures in some detail below.  Then, we summarize key details of the Consent Order, offer key takeaways, and note several questions that the Consent Order still leaves unresolved.

On December 14, the Financial Crimes Enforcement Network (“FinCEN”) issued a request for information (“RFI”), seeking comment on ways to “streamline, modernize, and update” the anti-money laundering (“AML”) and counter-terrorism financing (“CTF”) regime of the United States.  As we will discuss, the RFI is the latest development in a protracted inquiry into how to try to leverage technology in order to maximize the usefulness to the government of Bank Secrecy Act (“BSA”) reporting and record-keeping, and minimize the compliance costs imposed on industry.  However, as we also discuss, the RFI may add fuel to ongoing efforts to expand the coverage and reporting requirements of BSA regulations.

Proposed Reporting Rules Will Require Careful Parsing for Businesses and Revision of CDD Rule for Banks

As we initially blogged, the Financial Crimes Enforcement Network (“FinCEN”) issued on December 7 a Notice of Proposed Rulemaking (“NPRM”) regarding the beneficial ownership (“BO”) reporting requirements of the Corporate Transparency Act (“CTA”).  FinCEN’s press release is here; the NPRM is here; and a summary “fact sheet” regarding the NPRM is here.

The CTA requires defined entities – including most domestic corporations and foreign entities registered to do business in the U.S. – to report beneficial owner information (“BOI”) and company applicant information to a database created and run by FinCEN upon the entities’ creation or registration within the U.S.  This database will be accessible by U.S. and foreign law enforcement and regulators, and to U.S. financial institutions seeking to comply with their own Anti-Money Laundering (“AML”) and Customer Due Diligence (“CDD”) compliance obligations.

Congress passed the CTA because the ability to operate through legal entities without requiring the identification of BOI is a key AML risk for the U.S. financial system.  The CTA seeks to mitigate this risk by reducing an individual’s ability to use corporate structures to conceal illicit activity such as money laundering, financing of terrorism, and other offenses.  We often have blogged on the CTA and these impending regulations (see here, here, here, here and here).

The NPRM describes who must file a BOI report, what information must be reported, and when a report is due.  Although this blog post is lengthy, it still only summarizes the NPRM, which is 55 pages long in the Federal Register.  The NPRM envisions broad and often complicated reporting requirements under the CTA, including an ongoing duty to update any changes in information.

Further, this NPRM addresses “only” BOI reporting.  FinCEN will engage in two additional rulemakings under the CTA to (1) establish rules for who may access BOI, for what purposes, and what safeguards will be required to protect such information; and (2) revise and conform FinCEN’s existing CDD rule for financial institutions.  As we will discuss, the NPRM undermines hopes that the CTA regulations would simplify the compliance obligations of financial institutions already covered by the CDD rule, which requires covered financial institutions to obtain BOI from certain entity customers.  To the contrary, the NPRM indicates that FinCEN will complicate and expand the definitions of the two groups of individuals qualifying as BOs – those exercising “substantial control” and those with a 25% “ownership interest” – and amend the existing CDD rule accordingly, so that the CTA regulations and the CDD rule supposedly align.

The potential application of these regulations is sweeping.  FinCEN estimates at least 25 million existing U.S. companies will have to make a report under the CTA when the proposed regulations become effective.  And approximately three million new entities created each year in the U.S. potentially will be subject to the regulations going forward.  The NPRM does not address the additional amount of foreign entities registered to do business in the U.S. covered by the CTA.

On December 1, 2021, the Federal Financial Institutions Examination Council (“FFIEC”) released updates to its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (the “Manual”), which provides guidance to examiners for evaluating a financial institution’s BSA/AML compliance program and its compliance with related regulatory requirements.  This update is the third of 2021: the FFIEC also released updates to the Manual on February 25, 2021 and June 21, 2021.

This most recent update to the Manual adds a new introductory section, Introduction – Customers.  The updated Manual also includes changes to sections pertaining to Charities and Nonprofit Organizations, Independent Automated Teller Machine Owners or Operators, and Politically Exposed Persons (“PEP”).  The breadth of this most recent Manual update is consistent with the previous 2021 updates.  In February, FFIEC released an introductory section and updates to three sections pertaining to Customer Identification Programs (“CIP”), Currency Transaction Reporting (“CTR”), and Transactions of Exempt Persons.  In June, the FFIEC released updates to four sections pertaining to International Transportation of Currency or Monetary Instruments Reporting, Purchase and Sale of Monetary Instruments Recordkeeping, Reports of Foreign Financial, and Special Measures.

Consistent with prior FFIEC Interagency press releases associated with Manual updates, the FFIEC explained that “[t]he updates should not be interpreted as new requirements or as a new or increased focus on certain areas,” but rather “provide information and considerations related to certain customers that may indicate the need for bank policies, procedures, and processes to address potential money laundering, terrorist financing, and other illicit financial activity risks.”  Despite this disclaimer, the updates provide helpful insight into what examiners prioritize with regard to BSA/AML compliance.

Strategy Reflects Coordinated Focus on Transparency and “Gatekeeper” Responsibilities

Last week, the Biden Administration unveiled a sweeping “whole-of-government approach” to combating corruption.  Identifying corruption as a “cancer within the body of societies—a disease that eats at the public trust and the ability of governments to deliver for their citizens”—the United States Strategy on Countering Corruption (the “Plan”) articulates a global vision for rooting out this national security threat.  The first-of-its-kind approach focuses on responding to corruption’s transnational dimensions, with a specific emphasis on reducing “the ability of corrupt actors to use the U.S. and international financial systems to hide assets and launder proceeds of corrupt acts.”  Although the Plan is grounded in “five-mutually reinforcing pillars,” pillars two and three merit a closer look from this blog’s readers.  They serve as an important recap of the various steps the Administration has taken to combat illicit finance and its strategy for increased enforcement using both the new and existing tools at its disposal.  Further, the Plan implicates many pressing Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) issues on which we repeatedly blog, as we will discuss.

On December 6, FinCEN announced that it was issuing an Advanced Notice of Proposed Rulemaking (“ANPRM”) to solicit public comment on potential requirements under the Bank Secrecy Act (“BSA”) for certain persons involved in real estate transactions to collect, report, and retain information.  If finalized, such regulations could affect a whole new set of professionals and one of the largest industries in the U.S.—an industry which, heretofore, has not been subject to the requirements of the BSA, with limited exceptions.

The ANPRM envisions imposing nationwide recordkeeping and reporting requirements on specified participants in transactions involving non-financed real estate purchases, with no minimum dollar threshold.  Fundamentally, FinCEN highlights two alternate, proposed rules.  One proposed option, promulgated under 31 U.S.C § 5318(a)(2), would involve implementing specific and relatively limited reporting requirements, similar to those currently required of title insurance companies in the non-financed real estate market.  This rule would require covered persons to collect and report certain prescribed information, such as, presumably, beneficial ownership.  Alternatively, FinCEN is considering imposing more fulsome Anti-Money Laundering (“AML”) monitoring and reporting requirements, including filing Suspicious Activity Reports (“SARs”) and establishing AML/CFT programs under 31 U.S.C. § 5318(g)(1) and 31 U.S.C. §§ 5318(h)(1)-(2).   This latter option would require covered persons to adopt adequate AML/CFT policies, designate an AML/CFT compliance officer, establish AML/CFT training programs, implement independent compliance testing, and perform customer due diligence.

Notably, FinCEN suggests that any new rule may cover attorneys and law firms, along with other client-facing participants.  FinCEN also is considering regulations applicable to both residential and commercial real estate transactions.

As we discuss, real estate and money laundering has been a long-simmering issue.  We repeatedly have blogged on AML and real estate, and previously published a detailed chapter, The Intersection of Money Laundering and Real Estate, in Anti-Money Laundering Laws and Regulations 2020, a publication issued by International Comparative Legal Guides.  FinCEN’s ANPRM appears to represent the culmination of an inevitable march towards the issuance of regulations under the BSA regarding real estate transactions, following years of increasing focus by the U.S. government and others on perceived AML risks in the real estate industry.

Notice is First of Three Sets of Regulations for the CTA

Yesterday, the Financial Crimes Enforcement Network (“FinCEN”) issued a Notice of Proposed Rulemaking (“NPRM”) regarding the beneficial ownership reporting requirements of the Corporate Transparency Act (“CTA”), which requires defined entities – including foreign entities with a presence in the U.S. – to report their beneficial owners to FinCEN upon their creation/incorporation.  The CTA is a key piece of legislation designed to enhance transparency and combat the misuse of so-called “shell companies.”

The press release is here; the actual NPRM is here; and a summary “fact sheet” issued by FinCEN regarding the NPRM is here.  We have blogged on the CTA and these impending regulations many times (here, here, here, here and here).

The federal register version of the NPRM is 55 pages long and very detailed.  Accordingly, this blog post serves only to announce the issuance of the NPRM — we will follow up in the next few days with a detailed analysis of these long-anticipated proposed regulations.  The complexity of the CTA is highlighted by the fact that this NPRM only addresses beneficial ownership reporting.  FinCEN has stated that it will engage in two additional rulemakings under the CTA to (1) establish rules for who may access beneficial ownership information, for what purposes, and what safeguards will be required to protect such information; and (2) revise and conform the customer due diligence rule for financial institutions following the promulgation of the final version of this NPRM.

FinCEN’s summary fact sheet, linked above, is entitled “Key Elements of the Proposed Beneficial Ownership Information Reporting Regulation.”  It observes that the NPRM describes who must file a report on beneficial ownership, what information must be reported, and when a report is due. It further observes that the proposed rule “would require reporting companies to file reports with FinCEN that identify two categories of individuals: (1) the beneficial owners of the entity; and (2) individuals who have filed an application with specified governmental or tribal authorities to form the entity or register it to do business.”

Please stay tuned.


As anticipated, the Office of the Comptroller of the Currency, the Federal Reserve Board, and the FDIC recently approved and released the Final Rule Requiring Computer-Security Incident Notification (“Final Rule”).  The Final Rule is designed to promote early awareness and stop computer security incidents before they become systemic.  It places new reporting requirements on both U.S. banking organizations and bank service providers.  We have blogged repeatedly on the pernicious issue of ransomware.

The Final Rule applies to “banking organizations” as defined in the Final Rule.  Covered banking organizations are required to provide notice to their relevant regulator in the event that a “Notification Incident” occurs.  A Notification Incident is a computer security event that results in actual harm to the confidentiality, integrity, or availability of information or an information system, when that occurrence has—or is reasonably likely to—materially disrupt or degrade:

  • a banking organization’s ability to carry out banking operations or deliver banking products and services to a material portion of its customer base;
  • business line(s), that upon failure would result in a material loss of revenue, profit, or franchise value; or
  • operations, including associated services, functions, and support, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

The Final Rule specifically calls out ransomware and DDoS attacks as potential Notification Incidents. Banking organizations that suffer a Notification Incident must provide notice to their respective regulator as soon as possible, but not later than 36 hours after the occurrence of the incident.  Despite the 36-hour notification window, covered banking organizations that offer “sector critical services” are encouraged to provide same day notification.  Finally, the required notice should be provided either by email, telephone, or any other similar methods later prescribed by regulators for providing notice.

The Final Rule also requires that bank service providers notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has—or is likely to—materially disrupt or degrade covered services for more than four hours.  Banking organizations and service providers are required to work collaboratively to designate a method of communication that is feasible for both parties and reasonably designed to ensure that banking organizations actually receive the notice in a timely manner.  This requirement is designed to enable a banking organization to promptly respond to an incident, determine whether it must notify its primary federal regulator, and take any other measures that may be appropriate.

The Final Rule is likely to impact the operations of both banking organizations and bank service providers.  Banking entities should closely review the definitions in this Final Rule to determine whether they fall within its scope.  Moving forward, covered entities should expect to include relevant notification provisions in new and existing service contracts.  Covered entities will also want to ensure that they create internal policies and procedures for identifying when an incident requiring notification has occurred, and what steps must be taken by whom to provide notice to relevant parties in compliance with the Final Rule.
