InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
SBA addresses BSA compliance obligations in updated PPP FAQs
On January 29, the Small Business Administration (SBA) updated its Paycheck Protection Program (PPP) frequently asked questions to further address borrower and lender questions. Among other things, the updated FAQs clarify that FinCEN’s April 2020 PPP FAQs are applicable to Second Draw PPP loans. In addition, for purposes of Bank Secrecy Act (BSA)/anti-money laundering compliance, SBA states that PPP lenders can rely on the same information received from a borrower during a First Draw loan application for a Second Draw PPP loan provided the borrower is an existing customer. Accordingly, FinCEN, as administrator of the BSA, published updates to its FAQs to include SBA’s newest clarifications. Additionally, SBA notes that FAQs 1-53 are currently being revised and do not reflect changes made by the Economic Aid to Hard-Hit Small Businesses, Nonprofits, and Venues Act enacted on December 27, 2020 (covered by InfoBytes here).
Agencies release SARs/AML consideration FAQs
On January 19, the Financial Crimes Enforcement Network (FinCEN), Federal Reserve Board, FDIC, NCUA, and the OCC, in consultation with staff at certain other federal functional regulators, published answers to frequently asked questions concerning suspicious activity reporting (SAR) and other anti-money laundering (AML) considerations. The answers clarify financial institutions’ commonly asked questions about SARs/AML regulatory requirements and are provided to assist financial institutions with their Bank Secrecy Act (BSA)/AML compliance obligations in order to enable them “to focus resources on activities that produce the greatest value to law enforcement agencies and other government users of [BSA] reporting.” Topics discussed include (i) law enforcement requests for financial institutions to maintain accounts; (ii) receipt of grand jury subpoenas and law enforcement inquiries and SAR filings; (iii) maintaining customer relationships following the filing of SARs; (iv) filing SARs based on negative news identified in media searches; (v) information provided in SAR data and narrative fields; and (vi) SAR character limits. The agencies note that the FAQs do not alter existing BSA/AML requirements or establish new supervisory expectations, but have been developed in response to recent recommendations as described more thoroughly in FinCEN’s Advance Notice or Proposed Rulemaking issued last September on AML program effectiveness (covered by InfoBytes here).
FinCEN reaches $390 million settlement with bank for BSA violations
On January 15, the Financial Crimes Enforcement Network (FinCEN) announced a $390 million civil money penalty against a national bank for allegedly violating the Bank Secrecy Act and its implementing regulations. The settlement resolves an investigation into the bank’s alleged failure to maintain an effective anti-money laundering (AML) program. According to FinCEN, the bank’s check-cashing business unit failed to file thousands of suspicious activity reports (SARs) and currency transaction reports (CTR). As a result, suspicious transactions were not reported in a timely and accurate manner. FinCen noted that while the bank was allegedly aware of several compliance and money laundering risks associated with its check-cashing business unit, its process for investigating suspicious transactions was insufficient. The bank also allegedly failed to file SARs even though it had actual knowledge of criminal charges against specific customers and continued to process transactions for these customers’ businesses. In determining the penalty, FinCEN considered the bank’s significant remediation efforts—including taking remedial measures related to its SARs and CTR filing systems and enhancing its AML program over the past several years—as well as its cooperation with the agency’s investigation.
FinCEN proposes new reporting requirements for certain CVC and digital asset transactions
On December 18, the Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking (NPRM) that would require financial institutions and money service businesses (MSBs) to maintain records and submit reports to verify customer identities for certain transactions involving convertible virtual currency (CVC) or digital assets with legal tender status (LTDA). Under the NPRM, the requirements would apply to transactions involving CVC and LTDA that are held in certain “hosted” wallets at financial institutions, as well as in “unhosted” wallets, which are not held in an exchange or bank. Banks and MSBs would be required to file transaction reports within 15 days with FinCEN verifying the identity of customers if a counterparty to the transaction is using an unhosted or otherwise covered wallet and the transaction is greater than $10,000. Banks and MSBs would also be required to maintain records of customers’ CVC or LTDA transactions and counterparties—“including verifying the identity of their customers, if a counterparty uses an unhosted or otherwise covered wallet and the transaction is greater than $3,000.” According to Treasury Secretary Steven T. Mnuchin, the proposed rule “is intended to protect national security, assist law enforcement, and increase transparency while minimizing impact on responsible innovation” by “closing loopholes that malign actors may exploit.” FinCEN notes that, while the NPRM “proposes to prescribe by regulation that CVC and LTDA are ‘monetary instruments’ for purposes of the” Bank Secrecy Act (BSA), it does not “modify the regulatory definition of ‘monetary instruments’ or otherwise alter existing BSA regulatory requirements applicable to ‘monetary instruments’ in FinCEN’s regulations.” Comments on the NPRM were due January 4.
Agencies proposes SAR filing exemptions
On December 15, the FDIC issued a proposed rule (with accompanying Financial Institution Letter FIL-114-2020), which would amend the agency’s Suspicious Activity Report (SAR) regulation to permit additional, case-by-case, exemptions from SAR filing requirements. The proposed rule would allow the FDIC, in conjunction with the Financial Crimes Enforcement Network (FinCEN), to grant supervised institutions exemptions to SAR filing requirements when developing “innovative solutions to meet Bank Secrecy Act (BSA) requirements more efficiently and effectively.” The FDIC would seek FinCEN’s concurrence with an exemption when the exemption request involves the filing of a SAR for potential money laundering, violations of the BSA, or other unusual activity covered by FinCEN’s SAR regulation. The proposal allows the FDIC to grant the exemption for a specified time period and allows the FDIC to extend or revoke the exemption if circumstances change. The proposal is intended to reduce the regulatory burden on supervised financial institutions that are likely to leverage existing or future technologies to report suspicious activity in a different and innovative manner. Comments on the proposed rule must be submitted within 30 days of publication in the Federal Register.
The OCC also issued a proposal that would similarly allow the OCC to issue exemptions from SAR filing requirements to support national banks or federal savings associations developing innovative solutions intended to meet BSA requirements more efficiently and effectively.
FinCEN clarifies financial crime information sharing program
On December 10, FinCEN Director Kenneth A. Blanco spoke at the Financial Crimes Enforcement Conference hosted by the American Bankers Association and American Bar Association to discuss the importance of information sharing in identifying, reporting, and preventing financial crime. Specifically, Blanco addressed recently updated guidance designed to provide additional clarity on FinCEN’s information sharing program under Section 314(b) of the USA PATRIOT Act, which provides financial institutions “the ability to share information with one another, under a safe harbor provision that offers protections from civil liability, in order to better identify and report potential money laundering or terrorist financing.”
FinCEN provided three main clarifications:
- While financial institutions may share information about suspected terrorist financing or money laundering, they “do not need to have specific information that these activities directly relate to proceeds of [a specified unlawful activity (SUA)], or to have identified specific laundered proceeds of an SUA.” FinCEN also stated that a conclusive determination that an activity is suspicious does not need to be made in order for a financial institution to benefit from the statutory safe harbor. Furthermore, information may be shared “even if the activities do not constitute a ‘transaction,’” such as “an attempted transaction, or an attempt to induce others engage in a transaction.” FinCEN added that there is no limitation under Section 314(b) on the sharing of personally identifiable information and no restrictions on the type of information shared or how the information can be shared, including verbally.
- “An entity that is not itself a financial institution under the Bank Secrecy Act [(BSA)] may form and operate an association of financial institutions whose members share information under Section 314(b),” FinCEN noted, adding that this includes compliance service providers.
- An unincorporated association of financial institutions governed by a contract between its members “may engage in information sharing under Section 314(b).”
In prepared remarks, Blanco reiterated, among other things, that companies should be specific in describing the activity they see in their suspicious activity reports (SAR), and discussed FinCEN’s Advance Notice of Proposed Rulemaking issued in September (covered by InfoBytes here), which solicited comments on questions concerning potential regulatory amendments under the BSA. Blanco also highlighted recent FinCEN’s advisories and guidance related to Covid-19 fraud (covered by InfoBytes here, here, and here) and encouraged the audience to review the agency’s dedicated Covid-19 webpage.
FinCEN, federal banking agencies clarify CDD requirements for charities and non-profit organizations
On November 19, the Financial Crimes Enforcement Network (FinCEN), in concurrence with the Federal Reserve Board, FDIC, NCUA, and OCC (collectively, “federal banking agencies”), released a fact sheet clarifying that Bank Secrecy Act (BSA) customer due diligence (CDD) requirements for charities and nonprofit organizations (NPOs) should be based on the money laundering risks posed by customer relationships. FinCEN and the federal banking agencies remind banks that “the application of a risk-based approach for charities and other NPOs is consistent with existing CDD and other [BSA/anti-money laundering] compliance requirements.” The fact sheet further emphasizes that while “the U.S. government does not view the charitable sector as a whole as presenting a uniform or unacceptably high risk of being used or exploited for money laundering, terrorist financing [], or sanctions violations,” banks must adopt risk-based procedures for conducting CDD that will allow banks to (i) understand the nature and purpose of a customer relationship in order to develop a customer risk profile, and (ii) conduct ongoing monitoring for the purposes of identifying and reporting suspicious transactions “on a risk basis, to maintain and update customer information.” The fact sheet does not alter existing BSA/AML legal or regulatory requirements, nor does it establish new supervisory expectations. (See also OCC Bulletin 2020-101 and FDIC FIL-106-2020.)
Agencies propose lowering threshold for certain fund transfers and transmittals of funds under Bank Secrecy Act
On October 23, the Federal Reserve Board and the Financial Crimes Enforcement Network (FinCEN) announced a proposed rule that would, among other things, amend the Recordkeeping Rule and the Travel Rule under the Bank Secrecy Act (BSA) by reducing the data collection threshold from $3,000 to $250 for certain fund transfers that begin or end outside of the U.S. In addition, the proposed rule would set the threshold at $250 for financial institutions “to transmit to other financial institutions in the payment chain information on fund transfers and transmittals of funds that begin or end outside of the [U.S.]” The proposed rule’s $250 threshold for data collection would also apply to digital currency transactions, both for international transfers and those within the U.S. The agencies also propose to clarify the meaning of “money” as used in certain defined terms to ensure the rules apply to domestic and cross-border transactions involving convertible virtual currencies. By proposing to lower the current threshold, the agencies “specifically considered Suspicious Activity Reports filed by money transmitters, which indicate that a substantial volume of potentially illicit funds transfers and transmittals of funds occur below the $3,000 threshold.” The agencies also note that the threshold for domestic transactions would remain unchanged at $3,000. Comments are due 30 days after publication in the Federal Register.
FinCEN penalizes first bitcoin “mixer” $60 million for violating BSA
On October 19, the Financial Crimes Enforcement Network (FinCEN) announced a civil money penalty against an individual exchanger who founded and operated two convertible virtual currency (CVC) platforms known as “mixers” or “tumblers” for allegedly violating the Bank Secrecy Act’s (BSA) registration, program, and reporting requirements. According to FinCEN, the exchanger, among other things, (i) accepted and transmitted CVC through a variety of means, which “contain[ed] the proceeds of various acts of cybercrime”; (ii) conducted over 1,225,000 transactions for customers; and (iii) “is associated with virtual currency wallet addresses that have sent or received over $311 million.” FinCEN also contends that the exchanger advertised his services to customers on the dark web and circumvented BSA’s requirements by disregarding his obligations and operating the platforms as unregistered money service businesses (MSB).
Under FinCEN’s 2013 guidance and 2019 clarification, exchangers and administrators of CVC are money transmitters and therefore subject to BSA regulations, with mixers and tumblers subject to the same rules. (Previously covered by InfoBytes here and here.) According to FinCEN, the exchanger’s activities qualified him as a virtual currency exchanger, MSB, and a financial institution under the BSA. As such, the exchanger was required to register as an MSB with FinCEN, establish and implement an effective written anti-money laundering program, detect and file suspicious activity reports, and report currency transactions, which he failed to do. The order requires the exchanger to pay a $60 million civil money penalty.
FinCEN, federal banking agencies provide CIP program relief
On October 9, the Financial Crimes Enforcement Network (FinCEN), in concurrence with the OCC, Federal Reserve, FDIC, and NCUA (collectively, “federal banking agencies”), issued an interagency order granting an exemption from the requirements of the customer identification program (CIP) rules for insurance premium finance loans extended by banks to all customers. The exemption is intended to facilitate insurance premium finance lending for the purchase of property and casualty insurance policies and will apply to loans extended by banks and their subsidiaries, subject to the federal banking agencies’ jurisdiction. According to FinCEN, insurance premium finance loans present a low risk for money laundering due to the purpose for which the loans are extended and the limitations on how such funds may be used. Moreover, FinCEN emphasized that “property and casualty insurance policies themselves are not an effective means for transferring illicit funds.” Banks, however, must still comply with all other regulatory requirements, including those implementing the Bank Secrecy Act that require the filing of suspicious activity reports. Furthermore, the federal banking agencies determined that the order is consistent with safe and sound banking practices. The order supersedes a September 2018 order, which previously granted an exemption from the CIP rule requirements for commercial customers (covered by InfoBytes here).