In response to the COVID-19 pandemic, the Financial Crimes Enforcement Network (FinCEN) on March 16, 2020, issued guidance asking regulated financial institutions to contact FinCEN and their functional regulator as soon as practicable if they have concerns that the pandemic may delay filings required by the Bank Secrecy Act (BSA). The guidance implicitly recognizes the impacts that COVID-19 has had on AML compliance teams and work processes, and the steps many financial institutions are taking to attempt automation or remote operation of parts of their programs.
At the same time, FinCEN identified certain trends of potential suspicious activity, and advised financial institutions to be alert for the kind of malicious or fraudulent transactions that it suggested are common with natural disasters. In particular, FinCEN noted the following trends:
- Imposter scams – bad actors attempt to solicit donations, steal personal information, or distribute malware by impersonating government agencies, international organizations, or healthcare organizations.
- Investor scams – The U.S. Securities and Exchange Commission (SEC) urged investors to be wary of COVID-19 related investment scams, such as promotions, that falsely claim that the products or services of publicly traded companies can prevent, detect, or cure coronavirus.
- Product scams – The U.S. Federal Trade Commission (FTC) and U.S. Food and Drug Administration (FDA) have issued public statements and warning letters to companies selling unapproved or misbranded products that make false health claims pertaining to COVID-19.
- Insider Trading – FinCEN has received reports regarding suspected COVID-19-related insider trading.
The agency also pointed to its previous 2017 advisory for descriptions of other types of disaster-related fraud. FinCEN has asked financial institutions, when reporting suspicious activity relating to COVID-19, to enter “COVID-19” in Field 2 of the suspicious activity report (SAR) template.
Similarly, the Federal Financial Institutions Examination Council (FFIEC), which includes the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, and the State Liaison Committee, issued rare guidance in an “Interagency Statement on Pandemic Planning” in an effort to underscore the importance of business continuity and the delivery of critical financial services during the pandemic. Among other guidance, the FFIEC explained that financial institutions should have business continuity plans tailored to the specific challenges of pandemics. Unlike natural disasters, technical disasters, malicious acts, or terrorist events, the FFIEC reasons, the impact of a pandemic is much more difficult to determine because of the anticipated difference in scale and duration. In particular, unlike the limited duration of traditional disasters, pandemics generally occur in multiple waves, each lasting two to three months. Some of the most significant impacts from pandemics, the guidance suggests, may be staffing shortages and the need to operate remotely. The FFIEC accordingly asks financial institutions to consider measures such as cross-training employees to allow operation with smaller staffs when needed, ensure that systems are in place for remote work and online customer service, and to evaluate the risk that third-party vendors may be unable to continue adequate service. The FFIEC also expects financial institutions to consider the extent to which applicable legal obligations allow flexibility to address the challenges that customers face, and to plan for temporarily altered public-facing policies.
All of this guidance is relevant for AML program contingency planning. Regulated financial institutions should continue to (1) assess their risk, including from decreased capacity to implement their AML program, as well as pandemic-related types of suspicious activity, (2) establish or revisit policies and procedures as needed in accordance with the FFIEC guidance, scaling these to potential changes in the impacts of the epidemic, and (3) plan for the potential impacts of the illness on staffing and the needs of their customers. With respect to staffing, institutions should consider, in line with FinCEN’s guidance, whether the pandemic may impact their ability to detect and report suspicious activity, and file other BSA-required reports, in a timely manner, and reach out proactively to regulators if there are reasons to think this might be an issue. With respect to their customers, financial institutions may wish to consider where they have flexibility to alter or relax existing aspects of their AML programs consistent with the requirements of the law to allow for the many difficulties and needs that customers are likely to experience during this time, such as allowing for alternative forms of customer identification other than drivers licenses given the closure of many Departments of Motor Vehicles. Financial institutions should assess such adjustments on a risk basis and should document their determinations on any adjustments they make to their AML program implementation.
Simultaneously, however, FinCEN’s guidance makes clear that the agency expects financial institutions to remain vigilant against efforts by fraudsters and other bad actors to take advantage of the pandemic. Institutions should consider the typologies identified by the agency, in addition to their own experiences and other available information. Fraud in particular historically increases during disaster-related events, and the COVID-19 pandemic likely will not be an exception.
As the number of fraudulent transactions will likely rise in the coming weeks, financial institutions could face the possibility of a backlog of suspicious activity reports. Ensuring that efficient protocols are in place now – such as comprehensive procedures for SAR preparation, review, and approval in order to submit within the prescribed time period, and the maintenance of comprehensive SAR reporting supporting documentation – for this and other aspects of a company’s AML program, might reduce scrutiny from regulators later.