
Our team advises U.S. and non-U.S. clients across industries on their most sensitive U.S. economic sanctions and Bank Secrecy Act/anti-money laundering (BSA/AML) issues. With our preeminent regulatory defense and white collar experience, we are uniquely positioned to assist clients in responding to regulator inquiries, examinations and subpoenas; conducting internal investigations; and handling matters that develop into multi-agency civil and criminal investigations. Our practice also encompasses regulatory advice, compliance counseling and transactional due diligence. 

Federal Agencies Provide Guidance on BSA/AML Enforcement and Due Diligence Requirements

August 24, 2020

Recent statements by the Board of Governors of the Federal Reserve System (“Federal Reserve”), the Federal Deposit Insurance Corporation (“FDIC”), the National Credit Union Administration (“NCUA”), and the Office of the Comptroller of the Currency (“OCC”) (together, the “Federal Banking Agencies”), along with the Financial Crimes Enforcement Network (“FinCEN”) (collectively, the “Agencies”) provide new guidance on Bank Secrecy Act (“BSA”)/anti-money laundering (“AML”) enforcement, particularly relating to customer due diligence (“CDD”) obligations.  This guidance reflects increasing cooperation between the Federal Banking Agencies and FinCEN in the wake of recent discussions about BSA/AML reform.

On August 13, 2020, the Federal Banking Agencies provided guidance on the circumstances in which they will issue a mandatory cease and desist order for noncompliance with BSA/AML requirements, including those relating to CDD. Although this statement supersedes prior 2007 guidance, it explicitly does not create new expectations or standards, but rather is intended to further clarify the Federal Banking Agencies’ enforcement of the BSA.

On August 18, FinCEN issued its own statement outlining its approach to BSA enforcement.  This statement appears to be the first of its kind from FinCEN, the primary regulator and administrator of the BSA.  In an accompanying news release, FinCEN Director Kenneth A. Blanco said that “FinCEN is committed to being transparent about its approach to BSA enforcement.  It is not a ‘gotcha’ game.”[1]

Finally, on August 21, the Agencies issued a joint statement clarifying that FinCEN’s 2016 CDD Final Rule did not create a new regulatory requirement or supervisory expectation that financial institutions employ CDD procedures specific to politically exposed persons (“PEPs”).

Key Takeaways:

  • The Agencies said that they issued their statements to enhance transparency in BSA/AML enforcement. Although it is too soon to tell, these statements may signal a trend towards increased Agency guidance on BSA/AML issues.
  • The Federal Banking Agencies emphasized that isolated or technical violations of BSA/AML compliance requirements, standing alone, will not result in enforcement action.
  • FinCEN underscored its focus on enforcing violations of BSA statutes and regulations, not “noncompliance with a standard of conduct announced solely in a guidance document.”[2]
  • FinCEN also outlined the factors it considers in evaluating enforcement of actual or possible BSA violations, including a history of similar violations, cooperation, and voluntary disclosure.
  • For enforcement purposes, the Federal Banking Agencies evaluate compliance with CDD requirements as part of the internal controls pillar of a BSA/AML compliance program.
  • While financial institutions are not expected to have unique, additional CDD procedures for PEPs, they should continue to consider risks posed by PEPs in CDD risk profiles.

Updated Enforcement Guidance from the Federal Banking Agencies.

In an effort to increase transparency, the Federal Banking Agencies issued updated guidance on how they evaluate enforcement actions when financial institutions fail to meet their BSA/AML obligations.[3]  The statement reiterated much of the Federal Banking Agencies’ prior 2007 guidance, although the provisions relating to CDD, and the guidance about isolated or technical violations or deficiencies, are new.

Financial institutions are required to maintain a BSA/AML compliance program “reasonably designed to assure and monitor the institution’s compliance” with BSA requirements and including certain pillars: internal controls, independent compliance testing, designated BSA/AML compliance personnel, and training.[4]  As part of the internal controls pillar, the Federal Banking Agencies will consider whether banks employ risk-based procedures for conducting ongoing CDD, including developing customer risk profiles, monitoring for suspicious transactions, and taking reasonable steps to ascertain the true identity of customers and beneficial owners of legal entity customers.  The internal controls component of a BSA/AML compliance program must also include procedures to address other BSA reporting and recordkeeping requirements, such as those relating to beneficial ownership and foreign correspondent banking. 

Failure to implement a BSA/AML compliance program that adequately covers the pillars, and/or failure to correct “substantive deficiencies” with respect to one or more pillars, may result in a cease and desist order.[5]  Enforcement decisions are based on “careful review of all relevant facts and circumstances,” including whether failures or deficiencies are so significant and pervasive as to render the compliance program ineffective as a whole.  On the other hand, BSA/AML violations or deficiencies that are determined to be isolated or technical generally do not constitute problems that would trigger enforcement action.[6]

FinCEN’s Statement on BSA/AML Enforcement.

FinCEN’s first-ever stand-alone statement on the enforcement of the BSA emphasized the importance of establishing violations based on applicable BSA statutes and regulations.  FinCEN stated that it will not base an enforcement action on a “standard of conduct announced solely in a guidance document,” and said that regulated parties will be given the opportunity to respond to the legal and factual basis underlying an enforcement action.[7]

In evaluating an enforcement action, FinCEN considers both compliance with specific BSA/AML requirements—such as registration, recordkeeping, and reporting requirements—as well as the adequacy of the overall BSA/AML compliance program.  Other key factors include the nature and seriousness of the conduct, resulting harm, and the history and pervasiveness of wrongdoing within an entity, including complicity of management.  Financial institutions may secure a more favorable disposition by taking prompt action upon discovery of violations, including timely disclosure to FinCEN and cooperation with FinCEN and other relevant agencies.  FinCEN also said it would take into account the magnitude of financial gain resulting from violations, and any enforcement action taken by another agency.

FinCEN may ultimately issue warning letters and seek injunctions and/or civil monetary penalties.  In some cases, FinCEN may make a criminal referral.

Agencies Clarify Due Diligence Requirements for PEPs

The Agencies also issued a joint statement[8] specifically addressing BSA/AML CDD for PEPs.[9]  The Agencies clarified that FinCEN’s 2016 CDD Final Rule did not create a new regulatory requirement or supervisory expectation that banks employ PEP-specific due diligence procedures.  Rather, banks should tailor the level and type of CDD to the particular risk presented by a PEP.

The Agencies noted that not all PEPs are high risk based solely on their PEP status.  Certain PEPs could reasonably be characterized as having lower customer risk profiles due to factors such as limited transaction volume, a low-dollar deposit account with the bank, known legitimate sources of funds, or limited access to more tightly regulated products or services.  In developing an accurate customer risk profile, banks may consider a variety of factors, including:

  • Geography-specific money laundering, corruption, and terrorist financing risks;
  • Nature of the customer’s public office, responsibilities, and influence;
  • Products and services used, volume, nature and geography of transactions; and
  • The customer’s access to significant government assets or funds.

Developing robust customer risk profiles may have important implications for a bank’s compliance with other regulatory requirements, because BSA/AML compliance programs are built around a bank’s risk assessment.  The Agencies reiterated that PEPs do in many cases present serious national security or criminal threats, particularly when such persons engage in illicit activity through the banking system.  Banks must be conscious of the money laundering threat posed by corruption involving foreign officials, and should endeavor to implement and maintain any risk-management practices they deem necessary to effectively manage this risk.

We will continue to monitor and report on further BSA/AML compliance developments.

*    *    *


[1]        Fin. Crimes Enf’t Network, FinCEN Statement on Enforcement of the Bank Secrecy Act (Aug. 18, 2020), available here.

[2]       Fin. Crimes Enf’t Network, “Financial Crimes Enforcement Network (FinCEN) Statement on Enforcement of the Bank Secrecy Act” (Aug. 18, 2020), available here (“FinCEN BSA Enforcement Statement”).

[3]       Off. of the Comptroller of the Currency, News Release 2020-105: Federal Banking Agencies Issue Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements (Aug. 13, 2020), available here.

[4]       Bd. of Dirs. of the Fed. Reserve Bank, Fed. Deposit Ins. Corp., Nat’l Credit Union Admin. & Off. of the Comptroller of the Currency, “Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements” (Aug. 13, 2020) at 3, available here.

[5]       Id. at 6.

[6]       Id. at 9.

[7]       FinCEN BSA Enforcement Statement at 1.

[8]       Bd. of Governors of the Fed. Reserve Bank, Fed. Deposit Ins. Corp., Fin. Crimes Enf’t Network, Nat’l Credit Union Admin. & Off. of the Comptroller of the Currency, “Joint Statement on Bank Secrecy Act Due Diligence Requirements for Customers Who May Be Considered Politically Exposed Persons” (Aug. 21, 2020), available here (“PEP Statement”).

[9]       As the term is commonly used in the financial industry, PEPs are foreign individuals who, by virtue of a prominent public position or relationship to a public functionary, may present a higher risk that their funds may be the proceeds of corruption or other illicit activity.  The term PEP is not defined in the BSA/AML regulations, and should not be confused with the term “senior foreign political figure” (SFPF), which is defined under the BSA private banking regulation.  PEP Statement at 1.

© 2023 Paul, Weiss, Rifkind, Wharton & Garrison LLP
