Anti-Money Laundering (AML)

On December 3, 2018, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Financial Crimes Enforcement Network (FinCEN), the National Credit Union Administration, and the Office of the Comptroller of the Currency (together “the agencies”), issued a joint statement encouraging banks to test and implement innovative approaches to meeting their Bank Secrecy Act/Anti-Money Laundering (BSA/AML) obligations. The agencies hope to harness private sector innovation to better protect the financial system from financial crime and to allow financial institutions to make better use of limited compliance resources. The agencies identify in particular risk identification, transaction monitoring, and suspicious activity reporting as obligations that can benefit from innovation. They also identify internal financial intelligence units, artificial intelligence, and digital identity technologies as innovations that can help advance AML programs.

To foster innovation without fear of criticism, the agencies have laid out policies for how they will interact with banks piloting new technologies.

  • First, while the agencies may provide feedback, banks that pilot innovative technologies should not be subject to supervisory criticism for any failures in such pilot programs.
  • Second, “pilot programs that expose gaps in current BSA/AML compliance programs will not necessarily lead to supervisory action.” For example, “when banks test or implement artificial intelligence-based transaction monitoring systems and identify suspicious activity that would not otherwise have been identified under existing processes, the agencies will not automatically assume that banks’ existing processes are deficient.”
  • Third, the implementation of innovative approaches in banks’ BSA/AML programs “will not result in additional regulatory expectations.”
  • Fourth, FinCEN will consider requests for exceptive relief under 31 C.F.R. § 1010.970 to promote the testing of new technologies, provided that banks maintain the overall effectiveness of their AML programs.

The agencies’ joint statement did make clear, though, that while innovation is critical to continued protection against money laundering and other financial crime actors, it is not an excuse to fail to comply with current BSA/AML requirements. Banks “must continue to meet their BSA/AML compliance obligations, as well as ensure the safety and soundness of the bank, when developing pilot programs and other innovative approaches.” In making such determinations, “bank management should prudently evaluate whether, and at what point, innovative approaches may be considered sufficiently developed to replace or augment existing BSA/AML processes.” Such a decision should also address other factors like third-party risk management, compliance with other applicable laws and regulations, and issues of customer privacy. Banks also are encouraged to engage early with regulators regarding such programs to promote the agencies’ understandings of these programs and as “a means to discuss expectations regarding compliance and risk management.” Each of the agencies has committed to establishing projects or offices to support engagement on the implementation of such innovations.

The joint statement comes against a backdrop of continued increases for many banks in the costs of operating compliant AML programs, and continued enforcement, such as the recent $598 million settlement with federal regulators of alleged AML violations by US Bank, emphasizing the need for greater resourcing of AML programs. This has led many banks to consider innovations that might make compliance more efficient and reduce costs, but also has led Congress to consider other measures, such as changing BSA reporting thresholds. The new statement appears to be an effort by the agencies to resolve this resource tension by favoring innovation. It complements another recent guidance document from the same agencies encouraging smaller banks to share compliance resources where possible.

Practical Considerations

A number of new products and services offer real opportunities for banks to improve their transaction monitoring and other AML processes, resulting in stronger programs and reduced cost. However, banks should ensure that pilot projects and other innovations do not compromise their ability to effectively operate their current BSA/AML compliance programs. One way this can happen is migrating from previous methods to new technologies before the latter have been properly tested. For example, money transmitter MoneyGram International recently was required to pay an additional $125 million penalty, and had its deferred prosecution agreement extended, for AML program failures that occurred after it transitioned to a new fraud interdiction system that turned out to be ineffective. Another way this can happen is if the resources needed to administer a pilot project take away from resources needed to operate existing aspects of an AML program. The agencies have made clear that while they will not necessarily subject any failed pilot programs to supervisory criticism, they will continue to scrutinize banks’ current processes for any deficiencies, and expect them to remain compliant while testing new methods.

On October 3, 2018, the Financial Crimes Enforcement Network (FinCEN), the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the Office of the Comptroller of the Currency (OCC) (collectively, “the Agencies”) issued a statement addressing instances in which banks can collaborate with each other and share resources to manage their Bank Secrecy Act (BSA) and anti-money laundering (AML) obligations more efficiently and effectively. This may involve pooling human, technology, or other resources to reduce costs, increase efficiency, and leverage specialized expertise. The statement indicates that such collaborative arrangements are generally most suitable for community banks with simple operations and lower risk for money laundering and terrorist financing. The statement does not apply to collaborative arrangements for the purpose of sharing information under Section 314(b) of the USA PATRIOT Act.

The statement provides several non-exhaustive examples of how banks may collaborate:

Internal Controls

Two or more banks may share resources to conduct internal control functions such as: (1) reviewing, updating, and drafting BSA/AML policies and procedures; (2) reviewing and developing risk-based customer identification and account monitoring processes; and (3) tailoring monitoring systems and reports for the risks posed.

Independent Testing

Personnel at one bank may be used to conduct the BSA/AML independent test at another bank within a collaborative arrangement.

BSA/AML Training

A collaborative arrangement may allow for the hiring of a qualified instructor to conduct the BSA/AML training across multiple banks.

In certain instances it may not be appropriate to share resources under a collaborative arrangement. For instance, it may not be appropriate for banks to share a BSA officer due to the confidential nature of SARs filed and the potential impact on the ability of the BSA officer to effectively manage each bank’s daily BSA/AML compliance. Further, banks should be careful when considering entering into arrangements due to potential privacy concerns, regulatory requirements specific to third parties, oversight issues, and more. Any arrangement should be documented with a contract and evaluated on a periodic basis. It is also important that banks tailor any agreements to meet their specific risk profile for money laundering and terrorist financing. Finally, each bank remains individually responsible for ensuring compliance with BSA requirements.

The statement appears to reflect an acknowledgement by regulators of the increasing amount of financial and human resources that banks are obligated to invest in AML compliance and the growing dichotomy in the ability of large versus smaller banks to maintain complex AML programs.

Practical Considerations

Banks considering such arrangements may wish to consider incorporating into these agreements other types of collaboration allowed by BSA rules. For example, although the statement does not govern sharing under Section 314(b) of the USA PATRIOT Act, such arrangements could be combined with section 314(b) relationships where appropriate to help banks improve the quality of their SAR reporting. Likewise, banks have the option under BSA rules to enter into agreements to rely on other banks to perform customer identification and collect beneficial ownership information on shared customers, which could be combined with the new collaborative arrangements.

Of course, banks should be careful when entering into such arrangements to ensure regulatory and other concerns are met. Any collaborative arrangement should be fully documented, reviewed periodically, and commensurate with the banks’ risk profiles.

Finally, the statement encourages banks to engage with their primary federal regulators when first considering collaborative arrangements to ensure that regulators understand the nature and extent of the proposed collaboration and have an opportunity to provide feedback.

On September 28, 2018, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, and Office of the Comptroller of the Currency (collectively the Federal Banking Agencies or FBAs), with the concurrence of the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), issued an interagency order (the Order) exempting premium finance lenders from the requirements of the customer identification program (CIP) rules imposed by the Bank Secrecy Act (BSA). The exemption applies to banks and their subsidiaries subject to the FBAs’ jurisdiction who offer loans to commercial customers (i.e., corporations, partnerships, sole proprietorships, and trusts) to facilitate purchases of property and casualty insurance policies (herein referred to as premium finance loans or premium finance lending). The FBAs based their exemption on FinCEN’s conclusion that certain structural aspects of such loans make them a low risk for money laundering or terrorist financing, and also on their conclusion that such lending did not present a safety or soundness issue.

The structural aspects of these loans that make them low risk include (1) the fact that loan proceeds typically are remitted to the insurance company directly or through a broker or agent, and not to the borrower; (2) property and casualty insurance policies have no investment value; and (3) borrowers cannot use these accounts to purchase other merchandise, deposit or withdraw cash, write checks, or transfer funds.

The FBAs found no safety and soundness issue because: (1) in the event of default by the borrower, the insurance company is legally obligated to return unearned premiums to the lender; and (2) most bank-affiliated lenders will finance premiums only for insurance issued by creditworthy insurers.

The order builds on FinCEN’s previous determination, in its 2016 customer due diligence rule, to exempt premium finance accounts from the requirement to collect beneficial ownership information on legal entity customers based on the low money laundering risk associated with such lending. The continued application of CIP requirements to banks and bank-affiliated premium finance companies for such accounts despite FinCEN’s finding of negligible money laundering risk put these companies at a competitive disadvantage against non-bank affiliated premium finance lenders that are not subject to regulation under the BSA. In particular, such entities are not required to obtain and verify customer identifying information such as social security numbers, allowing them to process loan requests more quickly and less intrusively. This led a consortium of bank-affiliated premium finance lenders to petition FinCEN for a change in the rules to harmonize its approach to this issue across both CIP and beneficial ownership rules. Although it took the FBAs more than two years to respond to this request with an exemption, it shows a welcome and thoughtful flexibility in the administration of the BSA and related AML rules that could provide a useful model in other contexts. It also appears to represent only the second time that a categorical exemption to CIP rules has been granted. (FinCEN previously granted an exemption for certain state address confidentiality programs).

Practical Considerations

The exemption applies only to CIP requirements, and banks must continue to comply with various other BSA requirements for such accounts, including the requirement to file suspicious activity reports (SARs). Accordingly, although their obligations will be easier than for typical accounts, banks should continue to provide in their AML programs for the collection of basic information as needed to establish a customer risk profile, to understand the nature and purpose of such accounts, and to update customer information on a risk-basis, so as to allow them to file SARs or take other action when necessary. Automated commercial diligence services likely will be helpful in this regard.

In 2015, the European Union adopted its Fourth Anti-Money Laundering Directive, which imposed on Member States the obligation to establish a register containing the details of the ultimate beneficial owners (UBOs) of corporate and other legal entities within the European Union (the so-called UBO register). By way of the Act of September 18, 2017, the UBO register became part of Belgian law, and a Royal Decree of July 30, 2018 now provides the required details about the operation of the Belgian UBO register. The Royal Decree obliges all Belgian companies, foundations, (international) non-profit organizations, fiduciaries, and trusts to submit information about their ultimate beneficial owners to this UBO register, which is administered by the Belgian Ministry of Finance. The information must be submitted by March 31, 2019.

Introduction

The need for accurate and up-to-date information regarding beneficial ownership is key in tracing criminals who might otherwise hide their identity behind a corporate structure.

With this in mind, the Fourth Anti-Money Laundering Directive (Directive (EU) 2015/849 of May 20, 2015), implemented into Belgian law by the Act of September 18, 2017, introduced an obligation on Member States to ensure that:

  1. Corporate and other legal entities incorporated within their territory obtain and hold adequate, accurate, and current information on their beneficial ownership.
  2. This beneficial ownership information is submitted by the directors of the entities in question and held in a national Ultimate Beneficial Owner register (UBO register).

Among other things, the Act of September 18, 2017 (i) added to article 14/1 of the Belgian Companies Code an obligation to obtain and hold adequate, accurate, and current information concerning beneficial ownership and (ii) provided for the Belgian UBO register to be controlled by a service of the Ministry of Finance.

However, the terms of operation of the Belgian UBO register still needed to be determined. These terms have now finally been set out in a Royal Decree of July 30, 2018.

For more, please see Crowell’s Client Alert.

On April 19, Crowell & Moring’s International Trade Attorneys hosted a webinar on “Trade in 2018 – What’s Ahead?”

Please click here to register and view the webinar on demand.

Summary

From the Section 232 national security tariffs on steel and aluminum imports to the ongoing NAFTA re-negotiation, the Trump administration is seeking to implement significant changes in international trade policy and enforcement. Economic sanctions on Russia continue to expand, the future is far from clear regarding Iran, and perhaps North Korea is coming into focus. A new Asia trade agreement without the United States, and a bumpy road ahead for Brexit all make for uncertainty and the need for enhanced trade risk management. Join us as we identify the international trade risks and opportunities likely to continue and grow in 2018.

Our Crowell & Moring team discussed predictions for the remainder of the year, with cross-border insights from our practitioners in the U.S., London, and Brussels. Topics included likely trends and issues in the U.S. and EU including:

  • Trade policy developments: Section 232, NAFTA renegotiation, and trade remedies
  • Sanctions in Year Two of the Trump Administration: Russia, Iran, North Korea, and beyond
  • Anti-money laundering (AML) and beneficial ownership
  • Supply chain risk management: blockchain, forced labor, the U.K. Modern Slavery Act, and GDPR
  • Europe: Brexit, the EU’s 4th AML Directive, and the EU/U.K. AML enforcement
  • CFIUS: how significant is the new legislation?
  • Export controls: Whither reform?
  • Import and customs

The last week of March has brought new measures against Maduro’s regime from the U.S., Europe, and Latin America. While Switzerland has aligned with European Union (EU) sanctions, Panama has included Venezuelan government officials and several companies in its Politically Exposed Persons (PEPs) list. The State of Florida has also enacted divestment laws targeting Venezuela.

Florida Actions: On March 29, Governor Rick Scott of Florida signed into law HB 359, stating that the State Board of Administration shall divest any funds and is prohibited from investing in any institution or company (U.S. company or its subsidiary), doing business in or with the Government of Venezuela (GoV), or with any agency or instrumentality thereof, in violation of federal law. It is unclear how Florida will assess whether a company has undertaken an activity “in violation of Federal law” and, specifically, whether it will wait for Federal indictments, or whether it will be making an independent state-level assessment.

Panama Actions: On March 27, Panama published a list of PEPs with ties to the GoV. Although the press has described this measure as “sanctions” against the Maduro regime, on its face, the measure only requires financial institutions to conduct enhanced due diligence (EDD) on certain persons considered high risk due to their political exposure. This new resolution from the Panamanian National Anti-Money Laundering Commission (AML Commission) imposes for the first time in Panama the need to conduct EDD on specific Venezuelan government officials and related companies. Among the due diligence measures the AML Commission requires financial institutions and other regulated persons to undertake is investigating whether any PEPs from Venezuela are directly or indirectly participating in a given transaction.

In a separate resolution, the AML Commission decided it will make the U.S., Canadian, and U.K. denied party lists available on the AML Commission’s webpage. This way financial institutions and other regulated persons can use them as a reference for enhanced due diligence when dealing with individuals on one or more of the lists.

Switzerland Actions: On March 28, Switzerland adopted restrictive measures which align with the measures adopted by the EU on November 13, 2017, and January 22, 2018, as a result of the human rights violations and the undermining of democracy in Venezuela. Swiss sanctions, which usually follow the respective EU sanctions regime, now do so in the case of Venezuela. Switzerland has also imposed an embargo on military equipment that could be used for internal repression, as well as equipment used for surveillance purposes. Swiss measures also include a travel ban, an asset freeze, and a prohibition to make funds available to certain individuals. Institutions or persons having or managing assets that are subject to the asset-freeze must report it to the State Secretariat for Economic Affairs (SECO) without delay. The list of individuals subject to the asset-freeze and the travel ban can be found here. These measures entered into force on March 28.

These new Swiss sanctions, while less broad than U.S. sanctions, may have an outsized impact because Venezuelan officials are thought to have assets in Switzerland.

Venezuelan Response: The GoV condemned both the Swiss and Panamanian measures, identifying them as illegal coercive measures against Maduro’s regime.

Further, the GoV announced the suspension of its commercial relations with several Panamanian officials and companies, including Copa Airlines. The retaliatory measure forced Copa to suspend its flights into Venezuela, despite being one of the few airlines still operating in the country after most airlines canceled or reduced their services due to currency exchange restrictions combined with security concerns in the country. By virtue of these controls, Venezuela reportedly owes foreign airlines around $4 billion. Depending on how their investments are structured into the country, airlines – and other companies in the same situation – may have the ability to make claims against the GoV for their stranded funds under free transfer provisions found in numerous Bilateral Investment Treaties (BITs) with Venezuela.

For more information on how BITs may aid in the recovery of monies owed by Venezuela, please click here for a short paper in English and Spanish.

The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 require the UK regulated sector to apply enhanced customer due diligence to high-risk countries.

In response to recent statements from the Financial Action Task Force (FATF), HM Treasury advises firms to consider the following:

  • Consider as high risk and apply counter measures and enhanced due diligence measures in accordance with the risks: DPRK*
  • Consider as high risk and apply enhanced due diligence measures in accordance with the risks: Iran*
  • Take appropriate actions to minimise the associated risks, which may include enhanced due diligence measures in high risk situations: Ethiopia, Iraq*, Serbia, Sri Lanka, Syria*, Trinidad and Tobago, Tunisia*, Vanuatu, and Yemen*

*These jurisdictions are subject to sanctions measures at the time of publication of this notice which require firms to take additional measures. For details, please click here.

On October 25, 2016, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a new Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime as well as a related list of Frequently Asked Questions (FAQs).

The Advisory provides guidance to financial institutions on FinCEN’s expectations with regard to: (1) reporting cyber-enabled crime and cyber-events through Suspicious Activity Reports (SARs); (2) including relevant and available cyber-related information (e.g., Internet Protocol (IP) addresses with timestamps, virtual-wallet information, device identifiers) in SARs; (3) collaboration within regulated institutions between Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) units and in-house cyber-security units to identify suspicious activity; and (4) sharing cyber-related information among financial institutions under existing safe harbor mechanisms used to identify and report potential terrorist activities and money laundering.

The Advisory is characterized as interpretive guidance that does not change existing BSA requirements or impose additional regulatory obligations on financial institutions. However, some of the expectations in the guidance are likely to be new to most financial institutions, and have the potential to increase SAR reporting burdens substantially, both by expanding the types of events that must be reported as SARs and by expanding the types of information that must be gathered and included in all SARs.

The financial institutions affected by the Advisory and FAQs include not only banks but also casinos; money services businesses; broker-dealers; mutual funds; insurance companies offering particular types of insurance; futures commission merchants; introducing brokers in commodities; non-bank residential mortgage lenders or originators; and housing-related government-sponsored enterprises like Fannie Mae and Freddie Mac.

Definitions

FinCEN uses the following definitions in the Advisory:

  • Cyber-Event: An attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information.
  • Cyber-Enabled Crime: Illegal activities (e.g., fraud, money laundering, or identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers.
  • Cyber-Related Information: Information that describes technical details of electronic activity and behavior, such as IP addresses, timestamps, Indicators of Compromise (IOCs), and device identifiers. Cyber-related information also includes, but is not limited to, data regarding the digital footprint of individuals and their behavior.

Mandatory Reporting of Cyber Events

Under the BSA, financial institutions must report any transaction conducted or attempted by, at, or through the institution that involves an aggregate of $5,000 or more in funds or other assets (or $2,000 for money services businesses) and which the institution knows, suspects, or has reason to suspect: (1) involves funds derived from illegal activities or is intended or conducted to hide or disguise funds or assets derived from illegal activities as part of a plan to violate or evade any Federal law or regulation or to avoid any transaction reporting requirement under Federal law or regulation; (2) is designed to evade any reporting or other requirements under the Bank Secrecy Act; (3) has no business or apparent lawful purpose, or is not the sort in which the particular customer would normally be expected to engage, and the bank knows of no reasonable explanation for the transaction after examining the available facts; or (4) involves the use of the institution to facilitate criminal activity. In addition to the required reporting above, a financial institution may file a SAR voluntarily on any “suspicious transaction that it believes is relevant to a potential violation of any law or regulation.”

FinCEN’s new Advisory instructs that a financial institution should file a SAR if it “knows, suspects, or has reason to suspect that a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions.” FinCEN recognizes that this standard may require the filing of SARs even in circumstances where no actual financial transactions ultimately occur or are attempted in connection with the cyber-event. For purposes of determining whether the $5,000 threshold for reporting is triggered, the Advisory instructs financial institutions to “consider in aggregate the funds and assets involved in or put at risk by the cyber-event.” This includes, for example, the amount of funds present in accounts potentially affected by a cyber-event, as well as amounts that may become available to cyber criminals as a result of data theft (e.g., credit card numbers).

The Advisory provides specific examples of situations that require reporting under this standard, including a malware intrusion that a bank determines to have put $500,000 of customer funds at risk, as well as a cyber-event that exposes sensitive customer information such as account numbers, credit card numbers, and passwords that might be useful to conduct, affect, or facilitate transactions aggregating to at least $5,000. In both examples, the Advisory counsels that a financial institution must file a SAR, reasoning that although “no actual transactions may have occurred,” the circumstances “could reasonably lead the financial institutions to suspect the events were intended to be part of an attempt to conduct, facilitate, or affect” an unauthorized transaction or series of transactions aggregating to at least $5,000 in funds or assets. In addition, the FAQs accompanying the Advisory explain that reporting is required regardless of whether the cyber-event at issue is considered to have been “successful,” so long as there is reason to believe that the cyber-event was intended to or could affect a transaction or series of transactions conducted or attempted by, at, or through the financial institution that exceed the reporting threshold. In the same vein, FinCEN provides a third example of mandatory reporting: a distributed denial of service (DDoS) attack on a money services business is reportable because it is determined to have likely been conducted as a distraction to prevent cyber-security or other personnel from detecting and stopping an unauthorized transaction through the institution.

Anticipating that many financial institutions may see large numbers of cyber events, FinCEN provides in the FAQs that financial institutions may report multiple cyber-events in a single SAR when these are too numerous to be reported individually and (1) are similar in nature and share common identifiers; and (2) are believed to be related, connected, or part of a larger scheme. At the same time, the FAQs make clear that a financial institution is not required to file a SAR “each time an institution’s system or network is scanned or probed,” given that such reporting would be impractical and could detract from other efforts to guard against cyber threats, though they note that financial institutions may include such information about the scanning and probing of their systems and networks when filing a SAR on an otherwise reportable cyber-event.

According to the Advisory and FAQs, SARs relating to cyber-events should include the following:

  • Description and magnitude of the event
  • Source and destination information, including:
    • IP address and port information with respective date timestamps in UTC
    • Attack vectors
    • Command-and-control nodes
  • File information, including:
    • Suspected malware filenames
    • MD5, SHA-1, or SHA-256 hash
    • E-mail content
  • Subject user names, including:
    • E-mail addresses
    • Social media account/screen names
  • System modifications, including:
    • Registry modifications
    • Indicators of Compromise
    • Common vulnerabilities and exposures (CVEs)
  • Involved account information, including:
    • Affected account information
    • Involved virtual currency accounts
  • Known or suspected time, location, and characteristics or signatures of the event
  • Other relevant IP addresses and their timestamps
  • Device identifiers
  • Methodologies used
  • Other information the institution believes is relevant

The existing SAR reporting form already contains fields for some types of cyber-related information, such as IP addresses, website/URL addresses, and e-mail addresses. FinCEN suggests that other cyber-related information should be put into the narrative fields of SARs, and also may be supplemented by attachments in a tabular format, for example in a comma separated value (CSV) file.
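As an added illustration (not code from FinCEN, the Advisory, or the authors of this alert), the following Python helper applies the reporting rules described above to a set of cyber-events: the $5,000 threshold ($2,000 for money services businesses) measured against funds involved in or put at risk, the exclusion of routine scans and probes, the batching of similar and related events into one SAR, and a CSV attachment of the cyber-related fields with timestamps in UTC. The event fields, the "bank"/"msb" institution keys, and the sample indicators (documentation IP ranges and a placeholder hash) are constructed assumptions for the example.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone

# SAR reporting thresholds stated in the Advisory: $5,000 generally, $2,000 for MSBs.
# The institution-type keys "bank" and "msb" are an assumption of this example.
SAR_THRESHOLD = {"bank": 5_000, "msb": 2_000}


@dataclass
class CyberEvent:
    """One cyber-event as characterised by the BSA/AML and security teams (constructed schema)."""
    event_id: str
    kind: str                    # e.g. "malware", "data_exposure", "ddos", "scan"
    funds_at_risk: float         # funds involved in or put at risk, aggregated, in USD
    transaction_intent: bool     # reason to suspect intent to conduct/facilitate/affect transactions
    sources: list[tuple[str, int, datetime]] = field(default_factory=list)  # (ip, port, timestamp)
    file_hashes: list[str] = field(default_factory=list)
    malware_names: list[str] = field(default_factory=list)


def is_mandatory(event: CyberEvent, institution: str = "bank") -> bool:
    """Mandatory-SAR test as the Advisory frames it; False only means not mandatory on these facts."""
    # FAQs: no SAR is required each time a system or network is merely scanned or probed.
    if event.kind == "scan":
        return False
    # The trigger is suspected intent to affect transactions, even if none actually occurred.
    if not event.transaction_intent:
        return False
    # The dollar threshold is applied to funds involved in or put at risk, in aggregate.
    return event.funds_at_risk >= SAR_THRESHOLD[institution]


def identifiers(event: CyberEvent) -> set[str]:
    """Common identifiers used to decide whether events can share one SAR."""
    ips = {ip for ip, _, _ in event.sources}
    return ips | set(event.file_hashes) | set(event.malware_names)


def batch_for_sar(events: list[CyberEvent], institution: str = "bank") -> list[list[CyberEvent]]:
    """Group mandatory events of the same kind that share identifiers (transitively, via union-find)."""
    reportable = [e for e in events if is_mandatory(e, institution)]
    parent = list(range(len(reportable)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i, a in enumerate(reportable):
        for j in range(i + 1, len(reportable)):
            b = reportable[j]
            if a.kind == b.kind and identifiers(a) & identifiers(b):
                parent[find(i)] = find(j)
    groups: dict[int, list[CyberEvent]] = {}
    for i, e in enumerate(reportable):
        groups.setdefault(find(i), []).append(e)
    return list(groups.values())


def csv_attachment(group: list[CyberEvent]) -> str:
    """Tabular cyber-related information for a SAR attachment; timestamps normalised to UTC."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["event_id", "kind", "source_ip", "source_port",
                     "timestamp_utc", "file_hashes", "malware_names"])
    for e in group:
        for ip, port, ts in e.sources:
            writer.writerow([e.event_id, e.kind, ip, port,
                             ts.astimezone(timezone.utc).isoformat(),
                             ";".join(e.file_hashes), ";".join(e.malware_names)])
    return out.getvalue()


def sample_events() -> list[CyberEvent]:
    """Constructed sample data mirroring the Advisory's examples; all indicators are fake."""
    t = datetime(2016, 11, 1, 9, 30, tzinfo=timezone.utc)
    fake_hash = "md5:CONSTRUCTED-SAMPLE-A"  # placeholder, not a real file hash
    return [
        # Malware intrusion that put $500,000 of customer funds at risk.
        CyberEvent("EV-1", "malware", 500_000, True, [("203.0.113.5", 443, t)], [fake_hash], ["dropper.exe"]),
        # Second intrusion with the same payload hash: related, so it can share the SAR.
        CyberEvent("EV-2", "malware", 12_000, True, [("198.51.100.7", 8443, t)], [fake_hash]),
        # Routine port scan: not reportable on its own.
        CyberEvent("EV-3", "scan", 0, False, [("192.0.2.9", 22, t)]),
        # Outage-only DDoS with no transactions at risk: a voluntary-reporting candidate.
        CyberEvent("EV-4", "ddos", 0, False),
        # Exposure of account and card data usable for transactions above the threshold.
        CyberEvent("EV-5", "data_exposure", 7_500, True, [("203.0.113.5", 80, t)]),
    ]
```

Running `batch_for_sar(sample_events())` yields two SAR batches (the two related malware intrusions, and the data exposure), and `csv_attachment` on a batch produces the attachment rows for the narrative; the scan and the outage-only DDoS fall outside mandatory reporting under these facts.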

Separately, FinCEN notes that, even where reporting of a cyber-event is not mandatory under BSA regulations, other laws may require reporting of these events, and financial institutions remain subject to any other such obligations. In particular, the federal banking agencies have their own requirements for the reporting of cyber-events, and these are cross-referenced in the Advisory.

Voluntary Reporting of Cyber Events

The Advisory also encourages, though it does not require, financial institutions to report “egregious, significant, or damaging cyber-events and cyber-enabled crime” regardless of whether such events ordinarily would require the filing of a SAR. To illustrate, the Advisory provides the example of a DDoS attack on a financial institution’s website that results in a disruption of service for customers for a significant period of time but does not involve any related transactions or compromise of customer data. Although such an attack in isolation may not reasonably trigger SAR reporting requirements if no customer funds or assets were placed at risk, FinCEN notes that reporting of such cyber-events is nevertheless “highly valuable in law enforcement investigations.”

Including Cyber-Related Information in SARs

The Advisory also explains FinCEN's expectation that financial institutions will include cyber-related information (including the data fields identified for cyber-event reporting above), whenever it is available, in any SAR, regardless of whether the SAR relates to a cyber-event. This has the potential to substantially increase the amount of information reported in the thousands of SARs that financial institutions now file each year. It also seems likely to require compliance personnel either to understand how to identify when such information is available and relevant for inclusion in a SAR, or to have access to other personnel in the institution who do. FinCEN reasons that providing such information is part of a financial institution's obligation to file complete and accurate SARs.

Collaboration In-House Between BSA/Anti-Money Laundering (AML) Units and Cyber-security Personnel

Accordingly, while the FAQs explain that a financial institution's BSA/AML personnel are not specifically required to be knowledgeable about cyber-security and cyber-events, FinCEN notes that collaboration with cyber-security, anti-fraud, and other knowledgeable personnel within the institution may help AML compliance units detect cyber-events and other suspicious activity that must be reported, and identify the cyber-related information that must be included in SARs. FinCEN also specifically encourages financial institutions to incorporate cyber-related information into their AML monitoring and to use it to improve their AML risk assessments. Conversely, FinCEN suggests that cyber-security personnel will be able to use information provided by BSA/AML units to improve their ability to guard against cyber-events and cyber-enabled crime.

Sharing Cyber-Related Information Externally Among Financial Institutions

Finally, the Advisory encourages financial institutions to make use of Section 314(b) of the USA PATRIOT Act and its implementing regulations, which allow financial institutions to register with FinCEN and then to share information with other registered institutions for the purpose of identifying and reporting activities that may involve money laundering or terrorist activity, as a means for increased sharing of cyber-related information. The Advisory explains that information such as specific malware signatures, IP addresses and device identifiers, and seemingly anonymous virtual currency addresses “can help identify the individuals, entities, organizations, or countries involved or responsible for [a] cyber-event or cyber-enabled crime linked to money laundering or terrorist activities.”

Practical Considerations

FinCEN’s guidance is effective immediately. Banks and other affected financial institutions should begin now to consider what personnel, technology, and methodology they will use to: (1) identify cyber-events and assess when these require reporting under the new guidance, recognizing that, unlike traditional SARs, cyber-events may require reporting even where no financial transaction is ever conducted, and even where an attempted intrusion is unsuccessful; (2) identify cyber-related information that must be reported when filing any SAR, whether or not it relates to a cyber-event; and (3) incorporate cyber-event and cyber-related information into the institution's AML risk assessments and into AML transaction monitoring and alert resolution. Given that many financial institutions experience thousands of attempts each day to improperly access their information, the first of these items may be especially resource-intensive. All three will likely require close collaboration with, and reliance on, the institution's cyber-security personnel, and perhaps new technology. Because most banks are already required to report intrusions and cyber-crime to their prudential banking regulators, the burden of the new guidance will fall most heavily on non-bank financial institutions subject to SAR reporting requirements. Affected financial institutions should also be aware of the other cyber reporting obligations they may have apart from those under the BSA (some of which are mentioned in the Advisory), and should seek to capture any efficiencies from combining reporting processes.

Finally, although financial institutions should seek opportunities to use Section 314(b) to share cyber-related information, it is worth remembering, as FinCEN notes more than once, that the safe harbor under the regulations implementing Section 314(b) is limited to the sharing of information for the purpose of identifying and reporting activities that may involve money laundering or terrorist activity. Similarly, the financial institution that receives the information may use it only for those purposes.