On 1 January 2021, Congress overrode President Trump’s veto of the National Defense Authorization Act (the NDAA). As part of the NDAA, Congress included long-considered provisions with the potential to revolutionize anti-money laundering and Bank Secrecy Act (AML/BSA) enforcement in the United States. Specifically, the NDAA includes the Anti-Money Laundering Act of 2020 (the AMLA), which contains numerous provisions to enhance the government’s enforcement powers, redefine enforcement priorities, increase international data sharing, and streamline certain reporting procedures. The NDAA also includes the Corporate Transparency Act (CTA), which establishes beneficial owner reporting obligations for certain non-public companies. Both the AMLA and the CTA include significant penalties for violations. As the Treasury Department issues new priorities for the Financial Crimes Enforcement Network (FinCEN) and promulgates regulations pursuant to each of the AMLA and the CTA, we will learn more about how financial institutions and entities will need to modify existing compliance programs and procedures or otherwise ensure compliance.
Increased Enforcement and Investigative Authority
The AMLA enhances the government’s AML enforcement capabilities, announcing new priorities and establishing new tools to identify and investigate potential BSA violations, such as:
- Formal Adoption of the Risk-Based Approach to AML/BSA Compliance. Many BSA requirements, but not all, are intended to be implemented on a risk-basis, which takes into account the risk to the financial institution that terrorist financing, money laundering, or other financial crimes might take place in or through the institution. For example, the current Federal Financial Institutions Examination Council’s BSA/AML Examination Manual states that the “cornerstone of a strong BSA/AML compliance program is the adoption and implementation of risk-based [customer due diligence] policies, procedures, and processes for all customers, particularly those that present a higher risk of money laundering and terrorist financing.”
The AMLA formally adopts this risk-based approach by requiring that compliance program standards issued by the Secretary of the Treasury be “risk-based, including ensuring that more attention and resources of financial institutions should be directed toward high-risk customers and activities…rather than toward lower-risk customers and activities.” This risk-based approach also reflects the amended purposes of the AMLA, which now includes the establishment of “reasonably designed risk-based programs.” Although what this will mean in practice might still depend on the individual examiner, financial institutions can hope to receive additional guidance on risk-based compliance programs as regulations are issued in the coming year.
- Updated FinCEN Priorities. The AMLA directs the Secretary of the Treasury to, within 180 days after enactment of the AMLA, establish and publish priorities for AML and countering the financing of terrorism policy (CFT). These AML/CFT priorities are to be “consistent with the national strategy for countering the financing of terrorism and related forms of illicit finance.” After the priorities are issued, FinCEN will have 180 days to promulgate rules to carry out enforcement pursuant to these priorities. After these regulations are issued, financial institutions will be required to incorporate the national priorities into their AML compliance programs, but larger institutions may want to begin this process as soon as the priorities are announced.
- Pilot Program for Cross-Border Sharing of Suspicious Activity Reports (SARs). The Treasury Department will create a “pilot program” to allow financial institutions to share information related to SARs with foreign branches, subsidiaries, and affiliates, subject to certain exclusions (e.g., Russia and China). Under the 2006 guidance issued by FinCEN and the federal banking agencies, a U.S. bank or savings association already may disclose a SAR to its holding company (and certain other controlling companies, whether domestic or foreign); and a U.S. branch or agency of a foreign bank may disclose a SAR to its head office outside the U.S. The pilot program would expand this authority to allow covered financial institutions to share “information related to” SARs, including that a SAR has been filed, with the institution’s foreign branches, subsidiaries, and affiliates. Whether this would allow the sharing of the SAR itself is unclear under the amended statute, but may be made more clear when the pilot program regulations are issued. The pilot program regulations are to be issued within one year, and the pilot program is anticipated to last three years with the possibility of a two-year extension. Financial institutions should consider developing procedures for securely sharing information related to SARs outside of the United States and maintaining the statutory prohibition on notifying any involved persons.
- Updates to SAR and Currency Transaction Report (CTR) Filing Processes. The AMLA directs the Secretary of the Treasury to conduct a formal review of SAR and CTR reporting requirements and to propose changes to these reports “to reduce any unnecessarily burdensome” requirements. The required review would include, among other things, a review of (a) whether different SAR and CTR reporting thresholds should apply to different categories of activities; (b) whether the circumstances under which an institution determines whether to file a continuing SAR should be streamlined or adjusted; and (c) the most appropriate ways to promote “financial inclusion” and address the adverse consequences of “de-risking entire categories of relationships,” including money services businesses.
- De-Risking. The Comptroller General of the United States also is directed to conduct an analysis and submit to Congress a report on financial services de-risking. The analysis would, among other things, (a) consider the drivers of de-risking, including profitability, reputational risk, and lower-risk appetites of banks; and (b) identify options for financial institutions handling transactions or accounts for high-risk categories of clients and for minimizing the negative impacts of AML and CFT requirements on persons and on certain high-risk geographies.
The stated goal of this review is to allow the relevant regulators to develop a strategy to reduce de-risking and the adverse consequences of de-risking. One adverse consequence noted in the AMLA is financial exclusion caused by de-risking, which “can ultimately drive money into less transparent, shadow channels through the carrying of cash or use of unlicensed or unregistered money service remitters.”
- Expanded Definitions of Financial Institution. The AMLA amends the BSA to define “money transmitting business” so as to include the transmission of “value that substitutes for currency,” thus specifically including within the definition those businesses that transmit cryptocurrencies. This amendment provides statutory support for the position that FinCEN has taken since 2013, under which many cryptocurrency businesses are required to register with FinCEN as MSBs (a form of money transmitter) and maintain a written AML program.
The AMLA also broadens the definition of financial institution to include persons engaged in the trade of “antiquities,” including as an advisor or consultant. These businesses will need to establish and maintain a written AML program, but the exact requirements for such AML programs likely will be unclear for at least a year because the Secretary of the Treasury is given 360 days to issue proposed rules to carry out this amendment. The AMLA also directs FinCEN to perform a study of the facilitation of money laundering and the financing of terrorism through the trade in “works of art.” Because the AMLA does not define “antiquities,” it is unclear at this time when a work of art could rise to the level of an antiquity and be covered by the rules applicable to traders in antiquities.
- New and Enhanced Penalties. The AMLA creates new criminal penalties for knowingly concealing or misrepresenting material facts related to transactions either (1) over US$1 million and involving assets controlled by a foreign political official, close family member, or close associate; or (2) involving an entity that is a primary money laundering concern. When determining if an entity is a primary money laundering concern, the Secretary of the Treasury considers, among other factors, the extent to which the entity is used to facilitate or promote money laundering and the extent to which the entity has a legitimate business purpose. The penalty for violating this provision is imprisonment for up to 10 years or fines of up to US$1 million.
Additionally, the AMLA increases penalties for certain existing AML/BSA offenses. For example, under the civil penalties provision of the BSA, the Treasury Department may impose additional penalties on repeat violators of up to the greater of three times the profit gained as a result of the violation or two times the maximum penalty. The AMLA also modifies the criminal penalties provision to provide for additional penalties for individuals violating the BSA, including a fine equal to the profit gained and repayment to the financial institution of any bonuses paid, if applicable.
- Correspondent Accounts. The AMLA expands the scope of the government’s ability to issue subpoenas to foreign banks with correspondent accounts in the United States, including “any records relating to the correspondent account or any account at the foreign bank, including records maintained outside the United States,” provided that such accounts are the subject of an investigation or other enforcement action.
The AMLA also specifically requires covered financial institutions to maintain records of the owners and beneficial owners of the foreign bank, and of the name and address of a person who resides in the United States that is authorized to accept service of legal process, which should strengthen the new subpoena power. “Covered financial institutions” include U.S. banking institutions and SEC-registered brokers or dealers, as well as certain other businesses. In addition, the covered institution is required to terminate any correspondent relationship with a foreign bank within 10 days after receiving written notice from the Secretary of the Treasury or Attorney General that the foreign bank has failed to comply with a subpoena.
Assessment of No-Action Letters
FinCEN is directed to conduct an assessment of whether to establish a process for the issuance of no-action letters in response to inquiries concerning the application of the BSA. This report is to be submitted to Congress, along with any proposed rulemakings if that is decided to be appropriate, within 180 days after the enactment of the AMLA.
Keep-Open Safe Harbor
In some instances after a financial institution has filed a SAR with respect to its customer, law enforcement will ask the institution to retain the customer’s account or other relationship so that law enforcement can monitor the situation and so as to minimize alerting the customer that he or she might be under investigation. That puts the financial institution in a difficult position because the providing of financial services to a suspected money launderer, terrorist or other criminal may expose the institution to liability. The AMLA amends to the BSA to provide that, if a federal law enforcement agency notifies FinCEN of the intent to submit a written request to the financial institution to keep the account or transaction open, the institution will not be liable under the BSA for maintaining the account or relationship “consistent with the parameters and timing of the request.”
New and Expanded Whistleblower Protection Program
The AMLA also expands the current AML/BSA whistleblower protection program, providing increased awards and additional protections. In particular, the AMLA provides that whistleblowers whose reporting leads to monetary penalties in excess of US$1 million could receive awards of up to 30 percent of the total penalty against the company. This is similar to the whistleblower program established by the Dodd-Frank Act, where whistleblowers may receive awards between 10 percent and 30 percent of monetary sanctions above US$1 million. The amount of the award will depend on the significance of the information, the degree of assistance provided, the government’s interest in deterring AML/BSA violations through providing whistleblower awards, and any other factor determined by the Secretary of the Treasury in consultation with the Attorney General. Previously, AML/BSA whistleblowers were eligible to receive awards of US$150,000 or 25 percent of the penalty (whichever is lower), regardless of the amount of the penalty ultimately assessed against the company.
The AMLA further creates a private right of action for whistleblowers to file a complaint with the Occupational Safety and Health Administration (OSHA) if they believe they were retaliated against for reporting potential violations to the government. If after 180 days, OSHA has not issued a final decision and there has been no finding of bad faith, the whistleblower may file a complaint in the appropriate federal district court. As with other OSHA complaints, the employer may be entitled to limited attorneys’ fees if there is a finding of bad faith on the part of the employee.
As with the passage of the Dodd-Frank Act, such enhanced whistleblower incentives and protections are expected to result in significant increases in whistleblower reporting. To prepare for this, companies should reevaluate their existing whistleblower policies to further encourage reporting and ensure a meaningful corporate response to any concerns raised through the whistleblower process. Companies should aim to reduce obstacles to internal reporting and demonstrate a track record of proactive, fair, and thorough responses to whistleblower complaints, including appropriate disciplinary actions for whistleblower retaliation.
Enhanced Beneficial Owner Reporting Requirements under the CTA
Under the CTA, companies covered by the CTA will be required to submit a report to FinCEN that includes the name, date of birth, address, and identifying number (e.g., passport or state identification document number) of the “beneficial owners” of the company. Each covered company also will be required to report any changes to its beneficial ownership, within one year of the change. These measures should enhance the ability of U.S. law enforcement to address money laundering concerns and the financing of terrorism. However, the CTA itself will not fundamentally change the obligations of banks and other covered financial institutions to verify the identity of the beneficial owners of their legal entity customers.
The CTA excludes more than 20 classes of entities from coverage of the reporting obligations thereunder, including (1) public companies; (2) any entity with more than 20 U.S.-based employees, greater than US$5 million in yearly revenue reported to the U.S. Internal Revenue Service, and a physical operating presence at an office location in the United States; and (3) certain financial institutions, investment funds, and charities. The CTA appears to be drafted to exclude from coverage certain companies exhibiting greater indicia of legitimacy or subject to other U.S. regulation, primarily focusing on entities which pose the greatest perceived AML risk (e.g., shell companies with no employees or operating presence).
Under the CTA, a beneficial owner is defined as each individual who, directly or indirectly, owns or controls 25 percent or more of the ownership interests of the entity, or who exercises “substantial control” over the entity. Although substantial control is not defined under the CTA, indicia of such control often includes such factors as possession of special voting rights, appointment or veto powers, or approval of operational or strategic decision-making. As enacted, there will be significant questions surrounding the determination of who is a beneficial owner and guidance on the interpretation of “substantial control” under the CTA will likely be included in the regulations to be issued in the coming year.
The CTA requires the Secretary of the Treasury to promulgate regulations describing in greater detail the reporting process and requirements within a year after enactment of the CTA. The CTA will go into effect on the effective date of these regulations. At that time, any covered entity formed or registered prior to the effective date of the regulations will be required to file a report with the required information within two years after such effective date. A covered entity formed after the effective date will be required to submit the required information at the time of formation, representing a significant deviation from the prior practice of entity formations in the United States.
The Secretary of the Treasury may, with the agreement of the Attorney General and Secretary of Homeland Security, exempt additional classes of entities if it is determined that gathering this information would not serve the public interest and would be of limited use for national security, intelligence, and law enforcement purposes.
The information reported to FinCEN will not be publically available, but can be shared with federal law enforcement agencies. State, local, and tribal law enforcement agencies may obtain information in the FinCEN registry with court approval. The CTA also provides for criminal and civil penalties for willfully providing, or attempting to provide, false or fraudulent beneficial ownership information, or willfully failing to report complete or updated beneficial ownership information to FinCEN. The civil penalty is up to US$500 for each day that the violation continues or has not been remedied. A person that violates the reporting requirements also can be fined up to US$10,000, imprisoned for up to two years, or both.
As noted above, under the AMLA, banks and other covered financial institutions will continue to be required to verify the beneficial owners of their legal entity customers. In many cases the financial institution might be able to verify this information by reviewing the beneficial owner report filed by the company with FinCEN, but this would be permitted only with the consent of the reporting company. Because the AMLA provides for fines of up to US$250,000 for unauthorized disclosure of beneficial owner information, financial institutions should consider processes for requesting, protecting, and managing this data.
More to Come
As regulations are issued in the coming year, we will learn more regarding the full implications and scope of both the AMLA and the CTA on financial institutions, including those with robust AML compliance programs, as well as on relevant companies and other covered entities. K&L Gates regularly provides advice to clients regarding effective AML risk assessments and development of compliance programs appropriately tailored and proportionate to identifiable risks, including know-your-customer and enhanced due diligence procedures, which will likely require modification and enhancement once the Treasury Department publishes its new AML priorities and promulgates the required set of regulations under the AMLA. Similarly, as the Treasury Department promulgates regulations implementing the CTA, K&L Gates is well positioned to advise companies and other legal entities of the applicability of the CTA to them as well as their related reporting obligations thereunder.