Last week, on January 24, 2022, the Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (Proposed Rule) that seeks public comment on a proposed pilot program that would enhance financial institutions’ ability to take a global approach to AML by allowing them to share Suspicious Activity Reports (SARs) and related information with their foreign branches, subsidiaries, and affiliates (Pilot Program).
The Pilot Program is intended to enhance financial institutions’ AML compliance programs and provide FinCEN with valuable feedback on longer-term approaches towards SAR sharing with foreign affiliates.
Financial institutions eligible to apply for the Pilot Program may benefit from the increased ability to coordinate cross-border and the opportunity to better integrate their processes. But while many global financial institutions with U.S. branches have long wanted to share their SARs with their non-U.S. affiliates, it bears underscoring that the Pilot Program also includes significant regulatory obligations that banks will want to weigh and, if they choose to take advantage of the Pilot Program, approach with adequate care. Global institutions may also wish to consider whether sharing SARs with non-U.S. affiliates could create disclosure obligations outside the U.S. and whether to limit the sharing of SARs accordingly, even if allowed under the Proposed Rule.
FinCEN’s Guidance on SAR Sharing
In 2021, Congress passed the Anti-Money Laundering Act of 2020 (AMLA), which required that the Secretary of the Treasury establish a program permitting financial institutions with SAR reporting obligations to share SARs with their foreign branches, subsidiaries, and affiliates. The Proposed Rule is the next step towards implementing greater intra-institutional transparency around SARs.
Pursuant to regulations under the Bank Secrecy Act (BSA), U.S. financial institutions and their directors, officers, employees, and agents are prohibited from notifying any person involved in a suspicious transaction that a SAR was filed in connection with the transaction, or generally from otherwise disclosing any information that would reveal the existence (or non-existence) of the SAR, including to most affiliates. Over the past two decades, FinCEN has issued guidance clarifying the scope of SAR confidentiality, including guidance that U.S. financial institutions could share SARs with their head offices or controlling companies (whether domestic or foreign) as well as certain domestic affiliates to the extent those entities are subject to SAR reporting obligations. Notably, however, FinCEN’s earlier guidance took the position that “a U.S. bank that has filed a SAR may not share the SAR, or any information that would reveal the existence of the SAR, with its foreign branches.”
Given the potentially severe consequences, including civil and criminal penalties, of failing to maintain SAR confidentiality, global financial institutions have had to exercise care in investigating and reporting on cross-border suspicious activity while fulfilling multijurisdictional AML obligations. This tightrope walk has been somewhat balanced, however, by regulatory rulemaking commentary that has distinguished between, on the one hand, improperly revealing the existence of a SAR and, on the other hand, sharing the underlying facts, transactions, and documents upon which a SAR may have been based, as well as “abstract information or general discussions of suspicious activity.” The Proposed Rule provides a further means for information sharing.
Key Considerations for Pilot Program Applicants
The Pilot Program is expected to run through January 1, 2024, and could be extended by up to two years. FinCEN has invited public comment on questions related to anticipated costs and benefits of participation, technical challenges, the merits of quarterly reporting requirements, and how to protect SAR confidentiality. The comment period closes on March 28, 2022.
Financial institutions must apply to participate in the Pilot Program, comply with a variety of reporting and AML program requirements, and adhere to specified confidentiality and data security standards:
- Application Process: Eligible institutions must formally apply to FinCEN and include in the application (among other things): (1) a list of the applicant’s foreign branches, subsidiaries, and affiliates with which the applicant intends to share SARs; (2) the purposes for which foreign branches, subsidiaries, and affiliates intend to use SARs; and (3) a description of all internal controls that the applicant has implemented to prevent unauthorized disclosures of SARs.
- Reporting Requirements: Pilot Program participants must submit quarterly reports to FinCEN detailing (1) the total number of SARs shared pursuant to the Pilot Program; (2) the name and jurisdiction of each entity that received SARs, the relationship with the entity, and the intended purposes and uses for which the SARs were shared; (3) any legal and compliance issues encountered; (4) technical difficulties and challenges; (5) enhancements to the financial institution’s AML program enabled as a result of participating in the Pilot Program; and (6) lessons learned, including any inefficiencies that the financial institution has identified in its own compliance program.
- AML Program Requirements: Pilot Program participants are also required to implement and maintain policies, procedures, and internal controls reasonably designed to ensure that its foreign affiliates protect against unauthorized disclosure of SAR information shared pursuant to the Pilot Program. These controls include (1) confidentiality agreements specifying that all personnel in foreign affiliates granted access to SARs will safeguard the confidentiality of such information; (2) provisions for the secure transmission and storage of SARs between the participating financial institution and its affiliates; and (3) processes and procedures for personnel located in the United States to review any request from foreign law enforcement, foreign regulators, or an outside foreign party for SARs shared pursuant to the Pilot Program and to immediately notify FinCEN of such requests.
In accordance with AMLA, the Pilot Program generally prohibits the sharing of SARs with foreign affiliates located in the People’s Republic of China, the Russian Federation, jurisdictions that are state sponsors of terrorism and/or subject to US sanctions, and those jurisdictions that the Secretary of the Treasury determines cannot reasonably protect the security and confidentiality of SAR related information.
Notably, the Proposed Rule allows FinCEN to terminate a financial institution’s participation at any time for various reasons, including identification of internal control deficiencies or other issues that indicate that the financial institution is unable to adequately safeguard against the unauthorized disclosures of SARs.
FinCEN’s Pilot Program presents the unique opportunity for financial institutions to streamline and integrate their AML compliance programs across borders in ways tailored to their risk profiles. In addition to providing FinCEN with information that may influence future AML policy, the Pilot Program may provide institutions with a broader view of their own customer base, facilitating better detection, reporting, and prevention of money laundering and other illicit financial activities.
Those institutions that have already established and implemented processes for sharing SARs with foreign head offices (in accordance with FinCEN’s prior guidance on SAR sharing) may be able to take advantage of this groundwork to find efficiencies relevant to the Pilot Program. Although as AMLA and the Proposed Rule make clear, Pilot Program participants are prohibited from offshoring AML and BSA compliance, including through the information-sharing authority granted by the Pilot Program.
On balance, financial institutions considering participation in the Pilot Program will likely want to consider the potential benefits and burdens of participation, which may create opportunities for more streamlined and holistic detection and compliance but are also likely to lead to expanded regulatory engagement and reporting obligations, and possibly even heightened enforcement exposure including, for example, if the Pilot Program’s requirements are not met.