An introduction to the Anti-money Laundering Laws
In the United States, the primary legal apparatus for the enforcement of AML norms is the Bank Secrecy Act (“BSA”)[1] and its associated implementing regulations.[2] The BSA and associated regulations are administered by the U.S. Department of the Treasury’s Financial Crimes Enforcement Network, popularly known as “FinCEN.” Among other things, the BSA requires certain designated financial institutions to assist government agencies in detecting and preventing money laundering by keeping accurate records of cash purchases and negotiable instruments; filing reports of cash transactions exceeding $10,000 per day in the aggregate; and reporting suspicious activity that might implicate money laundering, tax evasion, or other forms of illicit finance.
Since the enactment of the BSA in 1970, the Congress has amended its provisions on multiple occasions to impose additional requirements on certain financial institutions, the most sweeping of which included changes mandated by the USA PATRIOT Act of 2001 (“PATRIOT Act”).[3] Under the PATRIOT Act, the Congress further required financial institutions to engage in more detailed due diligence efforts and to implement programs to verify customer identity. In addition, the PATRIOT Act extended AML program requirements across the financial services industry and mandated that a financial institution’s AML record be considered as part of any Bank Merger Act application. More recently, the Congress enacted additional AML/CFT reforms in the context of the Anti-Money Laundering Act of 2020 (“AMLA 2020”).[4] The most notable features of the AMLA 2020 include the establishment of a national beneficial ownership database, the expansion of the BSA to encompass virtual currencies and antiquities, and the enhancement of civil and criminal penalties for repeat and egregious violators.
Core BSA/AML compliance program elements
The United States Department of the Treasury is the chief arm of the federal government responsible for the promulgation of regulations under the auspices of the BSA, which in turn, delegates the administration of these regulations to FinCEN. FinCEN—along with several other banking regulators, including the Office of the Comptroller of the Currency (“OCC”), Federal Reserve Board (“The Fed”), and Federal Deposit Insurance Commission (“FDIC”)—are collectively charged with ensuring that covered financial institutions adhere to current compliance requirements and can initiate enforcement actions against non-compliant institutions (falling under their respective remits) for violating these requirements.
Under current BSA/AML regulations, covered financial institutions are required to institute—and vigilantly maintain—a formal compliance program which includes, at a minimum: (1) internal controls sufficient to ensure adherence to BSA/AML requirements; (2) procedures for independent testing of these requirements, either internally or externally; (3) the designation of persons responsible for the coordination and monitoring of the financial institution’s compliance program; (4) appropriate BSA/AML training; and (5) adoption and utilization of a customer identification program with risk-based procedures that permit covered institutions to form a reasonable belief that it knows the true identity of its customers. The compliance program must be written, approved by the board of directors, and noted in the minutes of the financial institution in question. To maximize effectiveness, moreover, the financial institution’s BSA/AML program should be aligned with the institution’s risk profile with respect to money laundering and terrorist financing.
The internal controls requirement of the BSA is perhaps the fundamental cornerstone of BSA/AML requirements. Pursuant to applicable regulations, financial institutions are required to adopt and ensure adherence to specific policies, procedures, and processes that are devised to mitigate and manage the risk of money laundering, terrorist financing, and other forms of illicit financial activity. Notably, internal controls must be commensurate with the financial institution’s size, operational complexity, and overall corporate structure. In ascertaining whether the financial institution’s internal controls are sufficient, bank examiners are directed to consider: (1) whether the compliance program incorporates the financial institution’s BSA/AML risk assessment results; (2) whether the program provides for continuity, despites changes to operations, management, employee composition, or structure; (3) whether information technology resources and systems relied on by the financial institution in question are subject to proper oversight; (4) whether the compliance program is capable of adopting timely updates in the midst of regulatory change; (5) whether the program incorporates dual controls and segregation of duties as constituent components of ensuring that the financial institution’s employees are not in a position to exercise improper discretion (e.g., in both filing appropriate currency transaction reports and granting exemptions from filing such reports); (6) whether sufficient mechanisms exist to inform the board of directors and senior management of the financial institution of BSA/AML compliance initiatives, program deficiencies, corrective actions, and suspicious activity reports (“SARs”); and (6) whether the compliance program in question both identifies and establishes specific BSA compliance responsibilities for bank personnel and provides sufficient oversight for the execution of those responsibilities.
Under the rubric of independent testing, financial institutions are required to assess whether its BSA/AML compliance program actually works in practice. While federal regulations do not prescribe the frequency with which such independent testing should occur, regulator guidance suggests that this testing occur no more than once every twelve to eighteen months, commensurate with the financial institution’s risk profile. In this vein, the financial institution should rely on an internal audit team, or other qualified staff who are not involved in the function being tested, for a fulsome review of its deterrent activities respecting money laundering, terrorist financing, and other forms of illicit financial activity. Specifically, financial institutions are required to evaluate all internal controls, information technology sources, systems and processes used to support the BSA/AML compliance program. Regulator guidance also emphasizes that financial institutions consider how the introduction of new product lines, services, customer types, as well as geographic expansion activities, affect its overall risk profile and call for the adjustment of internal controls. Independent testing forms the basis of ensuring that the financial institution’s board of directors and senior management are sufficiently apprised of any programmatic weaknesses and deficiencies. Specific factors to be considered in connection with periodic independent testing required by BSA/AML regulations include: (1) whether the financial institution’s BSA/AML risk assessment aligns with the financial institution’s actual risk profile; (2) whether its policies, procedures, and processes align with its risk profile; (3) whether the financial institution in question regularly adheres to its policies, procedures, and processes for BSA compliance purposes; (4) whether the financial institution adheres to BSA recordkeeping and reporting requirements; (5) whether the financial institution’s process for identifying and reporting suspicious activity is sufficient; (6) whether its information technology resources, systems, and processes used to support compliance program activities are complete and accurate; (7) whether sufficient BSA/AML training is provided to the financial institution’s personnel and customized based on function and position; and (8) whether management took appropriate and timely action to appropriately address any violations or deficiencies noted in the context of previous independent testing and evaluation exercises.
The third core element of a BSA/AML compliance program is the specific designation of a qualified individual or individuals to serve as a financial institution’s BSA compliance officer, with ultimate responsibility for monitoring day-to-day BSA/AML compliance activities and ensuring adherence to banking regulations. While the board of directors remains ultimately responsible for the financial institution’s BSA/AML compliance, the BSA compliance officer serves an important role in implementing the financial institution’s BSA/AML policies, procedures, and processes and should be both sufficiently empowered by the board and equipped with the resources needed to fulfill his or her regulatory responsibilities. Among other things, the BSA compliance officer should regularly report the state of the financial institution’s ongoing compliance with the BSA to the board of directors and senior management to allow them to fulfill their oversight responsibilities. Importantly, the BSA compliance officer must be competent to exercise the duties and responsibilities incumbent upon an occupant of that role. Accordingly, government guidance recommends that the BSA compliance officer demonstrate sufficient knowledge of BSA/AML regulations, familiarity with the financial institution’s compliance program, and a thorough understanding of the organization's risk profile in relation to illicit financial activity.
Training is another constituent component of an effective BSA/AML compliance program. In this vein, financial institutions are required to provide both foundational and more advanced BSA/AML training to its employees commensurate with their role in the organization. According to government guidance, foundational training should be comprised of exposure to core BSA requirements, discussion of supervisory guidance, and review of the organization’s internal BSA/AML policies, procedures, and processes. More advanced training for specific units and departments within the financial institution with exposure to elevated money laundering and terrorist financing risks (e.g., lending, trust services, foreign correspondent banking, and private banking services) is also recommended. Crucially, government guidance emphasizes the need for such training to be practically-oriented and employ concrete examples of money laundering activity that may be faced by the employee group in question. Training must also be delivered to the organization’s board of directors and senior management, sufficient to provide these groups with a sufficient understanding of the financial institution’s specific risk profile. Crucially, all such training should be appropriately documented and materials preserved for future audit and inspection purposes.
Finally, organizations must adhere to specific customer identification program requirements, and due diligence responsibilities in connection with new and existing account activity. Customer identification program activities include verification of a customer’s identity through documentary or non-documentary means, screening of customers against government sanctions and watchlists, and certain recordkeeping requirements. In contrast, due diligence responsibilities include a financial institution's obligation to ensure that it has a sufficient understanding of the nature and purpose of each customer relationship through the gathering and analyzing of information that substantiates the nature and purpose of the account in question. Under the due diligence requirements, financial institutions must adopt a risk-based approach to information collection, synthesis and analysis concerning potential customers. Where a higher-than-average risk of money laundering or terrorist financing activity is present, it is incumbent upon the financial institution to collect more detailed information to discount the possibility that the account in question will be utilized for illicit purposes. This information includes, but is not limited to, information concerning the source of funds and wealth; the occupation or type of business associated with the owner of the account; the collection of financial statements for business customers; a detailed description of the customer’s business operations; the location where the business customer is organized; and the proximity of the customer’s operations to the financial institutional in question. Importantly, customer due diligence now includes the collection of ultimate beneficial ownership (“UBO”) information at a certain threshold regardless of the customer’s risk profile.
Bank examinations and enforcement actions in relation to BSA compliance
BSA/AML compliance is primarily assessed in connection with a “safety and soundness” evaluation conducted by an examiner affiliated with the appropriate regulatory agency. During this portion of a financial institution’s examination, regulators apply the framework listed above to ascertain whether the organization in question maintains a BSA compliance program that is sufficient to address its particular money laundering and terrorist financing risks. Any deficiencies uncovered during an examination may be addressed at the discretion of the examiner with the financial institution’s management through informal and formal discussions, supervisory letters and other written communications, or explicit findings contained in an official report of examination that identifies the deficiency, and/or advises the board of directors that the financial institution is in violation of a regulatory requirement. Where the financial institution fails to take appropriate remedial action, the appropriate banking regulator may opt to initiate an enforcement action to compel the institution in question to address the regulator’s concerns. In the most serious of cases—where a banking regulator has concerns about systemic flaws in the financial institution’s BSA/AML compliance program or where a financial institution has wholly failed to remediate an identified problem—a formal enforcement action may be initiated that requires the financial institution to comply with the terms of a cease-and-desist order and/or pay considerable civil monetary penalties for infractions of the banking regulations.