As we discussed in our recent client alert, this year’s National Defense Authorization Act (NDAA) represents the most significant change to US anti-money laundering (AML) laws, including the Bank Secrecy Act (BSA), since 2001’s USA PATRIOT Act. Our prior alert explores two of the most important changes in the Anti-Money Laundering Act (AMLA) within the NDAA: (1) a mandatory beneficial ownership registry for companies incorporated in the United States or doing business in the United States; and (2) expanding the US government’s subpoena powers to investigate accounts held at certain non-US banks. Among the AMLA’s many other notable changes to US AML law and practice, however, is Section 6101(b)(2) of the NDAA, which (as written) appears to require regulated institutions to run their mandatory AML compliance programs from US territory. Pending further clarity from the United States Department of the Treasury (Treasury) or Treasury’s Financial Crimes Enforcement Network (FinCEN), this provision may have important implications particularly for global financial institutions that have operations in the United States but are headquartered elsewhere (or operate significant parts of their compliance functions from outside of the United States).
Do BSA / AML compliance professionals need to be based in the United States?
The BSA (and the USA PATRIOT Act, which amended it) broadly require regulated financial institutions to establish and maintain compliance programs to detect and prevent money laundering and terrorism financing. For years, global banks have complied with this obligation by deploying personnel around the world to monitor and implement their BSA-mandated AML policies throughout their international operations. Section 6101(b)(2) of the NDAA, however, requires that “establish[ing], maintain[ing] and enforc[ing]” an institution’s program for AML and countering the financing of terrorism (CFT) must “remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary of the Treasury and the appropriate Federal functional regulator” (emphasis added). This section is a wholly new addition to the BSA / PATRIOT Act provisions codified at 31 U.S.C. § 5318, which previously did not govern the specific duties of compliance personnel, much less their physical location. The scope and significance of this requirement (which entered the NDAA late in the legislative process, during conference committee deliberations) is not clear from the plain text. While the Joint Explanatory Statement of the NDAA’s Congressional Committee of Conference generally emphasizes Congress’s desire to increase coordination and communication between regulators and financial institutions, neither the Statement nor the AMLA’s legislative history sheds light on the intended scope of Section 6101(b)(2).
That said, the use of the word “remain” strongly suggests that Congress understood that these functions already occurred in the United States and, thus, that Section 6101(b)(2) was not intended to effect a sea change in BSA / AML law and practice. It is possible that Congress inserted this language in light of Section 6212 of the NDAA, authorizing a pilot program permitting regulated financial institutions to share information regarding suspicious activity reports (SARs) with their “foreign branches, subsidiaries, and affiliates,” which was previously prohibited. Accordingly, Congress may have intended to clarify that, notwithstanding increased coordination with non-US affiliates, the core elements of an institution’s BSA compliance program must be centered in the United States.
We note also that the Federal Financial Institutions Examination Council’s BSA / AML Examination Handbook (the FFIEC Handbook) states that a regulated “bank’s board of directors must designate a qualified individual or individuals to serve as the [bank’s] BSA compliance officer” (as required by 31 U.S.C. § 5318(h)(1)(B)). Critically, however, the FFIEC Handbook does not state that these individual(s) all must be located within the United States. To the contrary, the FFIEC Handbook recognizes the important role that non-US-based compliance professionals can play in a regulated institution’s BSA / AML compliance program. For example, the FFIEC Handbook acknowledges that a U.S. bank’s “[f]oreign branch and office compliance and audit structures can vary substantially based on the scope of operations (e.g., geographic locations) and the type of products, services and customers” and these foreign operations “are frequently overseen by regional compliance and audit staff.” This guidance — especially the reference to “regional compliance and audit staff” — would be irrelevant if all the bank’s AML program personnel needed to operate from the United States. Lastly, reading Section 6101(b)(2) expansively — to mean that all of a bank’s AML compliance operations must be performed exclusively by persons based in the United States — would run counter to the longstanding general principle that regulated institutions enjoy considerable discretion and are encouraged to design risk-based AML policies and procedures tailored to their specific operations and customer base. This principle appears in the FFIEC Handbook and other agency guidance; indeed, the NDAA itself affirms that AML / CFT programs should be “risk-based” as opposed to adopting a one-size-fits-all approach.
Looking Ahead
We expect that FinCEN or other units at Treasury may provide clarity on this point as the NDAA’s AML provisions make their way through the regulatory process (the NDAA broadly directs Treasury, banking regulators, and other federal agencies to promulgate rules updating various provisions of the BSA). A requirement that all BSA / AML compliance personnel be physically based in the United States would not only be hugely impractical, but (as noted above) also potentially inconsistent with the guidance in the FFIEC Handbook. Compliance oversight and enforcement at regulated institutions’ non-US operations are often far more effective when conducted by personnel with local knowledge and insights (especially where regulated institutions may not already have a significant physical presence in the United States).
While awaiting further guidance, financial institutions should consider ensuring that they have sufficient US-based persons acting as BSA-mandated compliance officers and also that those US-based individuals have adequate authority and oversight over the bank’s BSA / AML systems and controls. This will be a critical point for international financial institutions as they prepare to update their compliance programs in response to the new law.
The NDAA affords institutions many ways to engage with Treasury and other authorities regarding their AML/CFT obligations, including through the notice-and-comment rulemaking process and participating in industry forums or advisory committees. Regulated entities may wish to consider seeking clarity on this provision through these processes (whether on their own or through industry groups), including emphasizing the critical importance of having supporting regional compliance professionals based in the jurisdictions in which the bank operates.