Congress Contemplates Broad AML/BSA Reform
Second Post in a Two-Part Series
As we blogged earlier this week, Congress is considering a new draft bill, the Counter-Terrorism and Illicit Finance Act (“CTIFA”), in committee in the Senate. The CTIFA proposes the most substantial overhaul of the Bank Secrecy Act (“BSA”) since the PATRIOT Act.
We previously discussed CTIFA’s proposed requirement for legal entities to submit to FinCEN a list their beneficial owners (“BOs”) and the creation of a central directory of these BOs. Today, we discuss CTIFA’s many other major proposed revisions to the BSA. These include:
- Raising the minimum monetary thresholds for filing Currency Transaction Reports (“CTRs”) and Suspicious Activity Reports (“SARs”), and requiring a review of how those filing requirements could be streamlined;
- Expanding the prohibition against disclosing SAR-related information to third parties, including in private litigation;
- Codifying absolute civil immunity for SAR filing;
- Expanding the scope of voluntary information sharing among financial institutions;
- Allowing FinCEN to issue no-action letters; and
- A grab-bag of other proposals, including a safe harbor for AML-related technological innovation; requiring a review of whether FinCEN should assume a greater role in AML/BSA examinations of financial institutions; requiring a review of the costs to the private sector for AML/BSA compliance; and requiring an annual report to the Secretary of the Treasury (“the Secretary”) regarding the usefulness of BSA reporting to law enforcement.
Increasing SAR and CTR Filing Thresholds – and Scrutiny of the Forms’ Usefulness
Section 2 of the CTIFA proposes that the monetary threshold that triggers a duty to file a CTR should be raised from $10,000 to $30,000. Similarly, the CTIFA proposes that the monetary threshold triggering a duty to file a SAR, assuming that a transaction or series of transactions has been deemed “suspicious,” should be raised from $5,000 to $10,000.
When the BSA was first passed in 1970, it created the duty for banks to file CTRs. The SAR filing requirement took effect in 1996. If nothing else, the increased thresholds seek in part to better track inflation: $10,000 in January 1970 is equal to approximately $65,000 in current dollars, and $5,000 in January 1996 is equal to approximately $8,000 in current dollars.
But there is more going on here. As we have blogged, the current SAR filing regime has been criticized by some as producing — over time — an ever-increasing barrage of SAR filings by risk-adverse financial institutions inclined to engage in “defensive filing,” which is costly to the institutions and can lead to SARs of limited value to law enforcement. Further, many provisions in the CTIFA track reforms proposed in a detailed paper published in 2017 by The Clearing House, a banking association and payments company. That paper, titled A New Paradigm: Redesigning the U.S. AML/CFT Framework to Protect National Security and Aid Law Enforcement (“The New Paradigm”), analyzes the effectiveness of the current AML and Combatting the Financing of Terrorism (CFT) regime in the U.S., identifies problems with that regime, and proposes reforms. As we previously blogged, The New Paradigm has argued in part that the regime for filing SARs is outdated, that “the combined dataset [from filed SARs] has massive amounts of noise and little information of use to law enforcement,” and that “the SAR database includes no feedback loop [and] . . . . there is no mechanism for law enforcement to provide feedback on whether a given SAR produced a lead or was never utilized.”
Echoing the above critique, Section 3 of the CTIFA, entitled “Streamlining Requirements for Currency Transaction Reports and Suspicious Activity Reports,” would require the Secretary to undertake a “formal review of the current financial institution reporting requirements under the [BSA] . . . and propose changes to further reduce reporting burdens and ensure that the information provided is of a ‘high degree of usefulness,'” –- referring here to the BSA’s stated purpose of requiring reports and records which “have a high degree of usefulness in criminal, tax or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities . . . to protect against international terrorism.”
The review required by the CTIFA would include a study of the following issues, all geared to reduce filings. Note in particular the requirement that the review should identify how SARs and CTRs are most useful.
- Whether the timeframe for filing a SAR should be increased from 30 days;
- The feasibility of combining SAR and CTR filing information on a single form;
- Whether the monetary thresholds for filing should be tied to inflation;
- Whether the duty to file a “continuing” SAR for ongoing conduct “can be narrowed;”
- Whether the number of fields designated on a SAR form as “critical” should be reduced;
- Determining “the categories, types, and characteristics of [SARs] and [CTRs] that are of the greatest value to, and that best support, investigative priorities of law enforcement and national security personnel;” and
- Whether the use of exemption provisions can be increased to reduce CTRs “that are of little or no value to law enforcement efforts[.]”
SAR Reporting and Related Disclosures
Prohibition on Disclosure of SAR-Related Information
Plaintiffs in civil litigation increasingly request discovery of SAR-related information from financial institutions. However, the BSA imposes a categorical prohibition against notifying “any person involved in the transaction that the transaction has been reported[,]” 31 U.S.C. §5318(g)(2)(A), and a BSA regulation more broadly prohibits the production of “a SAR or any information that would reveal the existence of a SAR.” The relevant regulation also states that any bank, or any agent of the bank, which receives a subpoena or is otherwise requested to disclose a “SAR or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information . . . .” In contrast, the regulation’s prohibition against disclosure of SAR-related information specifically does not bar disclosure of “[t]he underlying facts, transactions, and documents upon which a SAR is based.”
In the Federal Register, both FinCEN and the OCC have discussed what constitutes “underlying facts, transactions, and documents upon which a SAR is based” in the context the SAR-related prohibition. According to FinCEN, documents “created in the ordinary course of business,” such as business records and account information on which a SAR is based, do not fall within the prohibition against SAR-related disclosures. However, FinCEN also has stated that the strong public policy of encouraging financial institutions to report suspicious activity without fear of reprisal, “leans heavily in favor of applying SAR confidentiality not only to a SAR itself, but also in appropriate circumstances to material prepared by the financial institution as part of its process to detect and report suspicious activity, regardless of whether a SAR ultimately was filed or not.” The OCC agrees. Finally, FinCEN has explained that confidentiality is also extended to “any document stating that a SAR was not filed.” (emphasis added). The rationale behind this extension is that “[w]ere FinCEN to allow disclosure of information when a SAR is not filed, institutions would implicitly reveal the existence of a SAR any time they were unable to produce records because a SAR was filed.” FinCEN has recognized “[t]he more difficult situation is when a document or other information is silent as to whether a SAR has or has not been filed.” The above pronouncements have produced some conflicting case law across the country as to whether a particular document was (1) created or received in the ordinary course of business, and therefore is not covered by the prohibition, or (2) was prepared as part of the institution’s process for complying with SAR reporting requirements, and therefore is covered by the prohibition.
The CTIFA seeks to expand the prohibition against disclosure of SAR-related information by amending 31 U.S.C. §5318(g)(2)(A) to provide that the prohibition extends to information which would “otherwise reveal any information that would reveal that the transaction has been reported, including materials prepared or used by the financial institution for the purposes of identifying and detecting potentially suspicious activity.” Although this amendment still retains some ambiguity, it clearly seeks to expand the confidentiality of SAR-related information.
Absolute Civil Immunity for Reporting
When the SAR filing requirement was first created, financial institutions sometimes were reluctant to file SARs for fear of being sued by the customers implicated in a SAR. Congress, therefore, created a safe-harbor provision, 31 U.S.C. §5318(g) (3), that precludes liability for disclosures under the BSA. The safe harbor covers both required and voluntary disclosures and broadly protects a financial institution that makes a disclosure of “any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this subsection or any other authority.” In addition, the safe harbor protects both the institution and any director, officer, employee, or agent of the institution involved in the disclosure. The protection is comprehensive and precludes liability as to any person who is the subject of the disclosure under any law or regulation of the United States; any law, regulation, or constitution of any state or political subdivision; and/or under any contract. Not only does the protection from liability extend to making a required or voluntary disclosure, a SAR filer is also protected from liability for not notifying the subject of the SAR about the fact that a SAR was filed. The safe-harbor provision extends to every institution that participates in a joint disclosure, as well.
The great weight of legal authority to date has held that a financial institution or individual does not need to show a “good faith” suspicion that a reportable transaction may have occurred to take advantage of this safe-harbor provision, and that the immunity conferred by Section 5318(g) (3) is absolute. Section 4(b) of the CTIFA would codify this authority by amending 31 U.S.C. § 5318(g)(3)(B) to provide that the safe harbor provision does not create “any duty or requirement of a financial institution or any director, officer, employee, or agent of such institution to demonstrate to any person . . . that a disclosure . . . is made in good faith.”
Reporting to an Institution’s Foreign Branches and Affiliates
Section 4(c) also seeks to amend 31 U.S.C. § 5318(g) by adding subsection (5), which would require the Secretary of the Treasury to issue regulations allowing financial institutions to share SAR filings with the institution’s foreign branches and affiliates “for the purposes of combating illicit finance risk,” unless the foreign branch or affiliate is located in a jurisdiction subject to countermeasures imposed by the U.S. government or, in the determination of the Secretary of the Treasury, “cannot reasonably protect the privacy of such information.”
Enhancing Section 314(b) Voluntary Information Sharing Among Financial Institutions
As we have blogged (here and here), a key part of the current debate regarding AML reform involves information sharing, both between industry and government and between financial institutions themselves, to try to better identify and deter possible criminal schemes in real time. As we also have blogged, Section 314(b) of the Patriot Act and relevant regulations allow the voluntary sharing of information among financial institutions. Subject to requirements, financial institutions or an association of financial institutions may share information — free from liability — with other financial institutions about individuals, entities, organizations, and countries to identify and report activities that may involve “money laundering” or “terrorist activities.”
Section 4(a) of the CTIFA seeks to amend Section 314(b) to state that the breadth of permissible reporting and the safe harbor provision under Section 314(b) both involve the reporting of “activities that may involve terrorist acts, money laundering activities, or a specified unlawful activity.” (emphasis added). This amendment in part codifies prior FinCEN guidance regarding the breadth of Section 314(b) reporting and the safe harbor provision: FinCEN previously issued guidance in 2009 stating that financial institutions may share information within the protections of Section 314(b)’s safe harbor when the institution suspects that a transaction may involve the proceeds of a specified unlawful activity (“SUA”) and the information relates to the SUA. This guidance is consistent with the fact that “money laundering” is a potentially very broad crime, given the very long list of offenses which qualify as SUAs; almost any “financial transaction” (which by necessity will be the sort of activity occurring at a financial institution) involving “SUA proceeds” possibly could represent “money laundering.” The proposed amendment apparently broadens the safe harbor protections to cover even instances identified in a 2012 FinCEN administrative ruling as not currently covered by the safe harbor: that is, “the sharing of information solely for the purposes of identifying a specified unlawful activity, including fraud, and not otherwise related to a transaction regarding the proceeds of such fraud[.]” As a practical matter, however, it is difficult to imagine suspected SUA activity that a financial transaction would want to report but which did not involve some sort of “transaction.”
No-Action Letters from FinCEN
Section 5 of the CTIFA would require FinCEN to issue regulations to establish a no-action letter process for inquiries regarding the application of the BSA “or any other anti-money laundering and counterterrorist financing law or regulation to specific conduct, which shall include a statement as to whether or not FinCEN has any intention of taking an enforcement action against the person with respect to such conduct.” A person who relies on a no-action letter would not be liable to “any person” (therefore including private plaintiffs) under any of the above-referenced laws, so long as that person is involved in the specific conduct that is the subject of the no-action letter, or the person’s conduct is “indistinguishable in all its material aspects” from the specific conduct discussed in the no-action letter.
Again, this proposal is taken straight from The New Paradigm, published by The Clearing House. In a guest blog here, Greg Baer, the President of The Clearing House, explained:
A no-action letter process could be effective in enhancing communication and transparency, in an efficient manner, between FinCEN and the industry. In this manner, FinCEN could provide a shield from liability on questions posed by banks. We believe that this is a practical way to reduce de-risking, whereby banks exit correspondent relationships out of fear of regulatory criticism –- given their role as gatekeepers of the financial system.
Miscellaneous Proposed Amendments: Assessing Costs and Benefits
Finally, the CTIFA contains several other miscellaneous provisions, summarized below. They tend to focus on reducing regulatory burden and potential legal exposure for financial institutions, and on increasing the dialogue between government and the regulated community.
- Requiring a study within two years which provides “a comprehensive quantitative and qualitative estimate of the annualized costs to the private sector to comply with the statutory and regulatory requirements” of the BSA.
- Similar to the review of SAR and CTR filings mandated by Section 3, requiring an annual report by the Attorney General to the Secretary involving “statistics, metrics, and other information on the use of [BSA] data,” so that the Secretary may better “assess the usefulness of [BSA] reporting to law enforcement[,]” and in order to “enhance feedback and communications with financial institutions and other entities subject to [BSA] requirements.”
- Requiring a review of whether FinCEN should take a larger role in conducting AML/BSA examinations of financial institutions, which currently are conducted by a patchwork quilt of regulators; this proposal also was discussed in Greg Baer’s guest blog.
- Requiring a study within two years which evaluates whether the lack of available BO information for legal entities in the U.S. raises concerns about money laundering committed by such entities, has impeded investigations, or “has elicited international criticism” (you don’t need a Congressionally-mandated study to answer the last question; as we repeatedly have noted, the answer is “yes” — see here, here, here, and here).
- Requiring a study within five years regarding the effectiveness of the CTIFA’s proposed BO reporting provisions.
- Creating 31 U.S.C. §5318(h)(4), a defined safe harbor provision for a violation of an institution’s AML program which occurs due to a technological innovation used by the institution to try to improve its AML program.