FinCEN’s proposed rule establishes the framework for a limited-duration pilot program that would allow financial institutions to share suspicious activity reports with their foreign business units.

On January 24, 2022, the Financial Crimes Enforcement Network (FinCEN) released a Notice of Proposed Rulemaking (the Proposed Rule) that would establish a limited-duration pilot program expanding upon existing authority and permitting participant financial institutions to share Suspicious Activity Reports (SARs) with their foreign branches, subsidiaries, and affiliates (the Pilot Program).[1] The Proposed Rule would require financial institutions to submit a written application to FinCEN for admission into the Pilot Program, and participation would include additional confidentiality, information-security, internal control, reporting, and recordkeeping requirements.

The Anti-Money Laundering Act of 2020 (AMLA), enacted by Congress on January 1, 2021, requires the Secretary of the Treasury to establish a pilot program that permits financial institutions to share SARs and related information with their foreign branches, subsidiaries, and affiliates. FinCEN has taken the first step in establishing the Pilot Program by issuing the Proposed Rule. The Pilot Program would run through January 1, 2024 and could be extended by up to two years. FinCEN has invited public comment on questions related to the establishment of the Pilot Program, such as expected costs and benefits, technical challenges, the merits of quarterly reporting requirements, and how to protect SAR confidentiality. The comment period closes on March 28, 2022.

The Proposed Rule is an extension of previous FinCEN guidance, which allowed financial institutions to share SARs with foreign head offices, controlling companies (domestic and foreign), and certain domestic affiliates. According to FinCEN, “the pilot program will provide valuable feedback to FinCEN as longer-term approaches towards SAR sharing with foreign affiliates are considered.” For years, international financial institutions have wanted to share SARs throughout their global networks. Though the Pilot Program could improve the ability of financial institutions to identify and report illicit transactions, the Proposed Rule imposes significant requirements on participants. Institutions considering participation will need to consider whether the benefits of the Pilot Program outweigh the costs of compliance.

Background

The Bank Secrecy Act (BSA) prohibits a financial institution and its directors, officers, employees, and agents from notifying any person involved in a suspicious transaction that a SAR was filed in connection with the transaction, or from otherwise revealing any information that would reveal that the SAR has been filed.[2] FinCEN has construed this confidentiality provision as generally prohibiting a depository institution from disclosing a SAR, or any information that would reveal the existence of a SAR,[3] to any person or entity, subject to certain exceptions for disclosures to Federal, state, or local law enforcement agencies and regulatory authorities with jurisdiction over BSA compliance.

AMLA requires the Secretary of the Treasury to establish a pilot program that permits financial institutions to share SARs and related information with their foreign branches, subsidiaries, and affiliates for the purposes of combating illicit finance risks. In doing so, the Secretary must ensure that international SAR sharing is “limited by the requirements of Federal and State law enforcement operations, takes into account potential concerns of the intelligence community, is subject to appropriate standards and requirements regarding data security and the confidentiality of personally identifiable information, and excludes sharing with foreign branches, subsidiaries, and affiliates in certain jurisdictions.”

The Proposed Rule is the first step towards fulfilling the SAR sharing requirement of AMLA and builds upon previous guidance issued by FinCEN and the Federal Banking Agencies (FBAs) on financial institutions’ sharing SARs and related information with affiliates. Issued in January 2006, the FBAs’ Interagency Guidance on Sharing Suspicious Activity Reports with Head Offices and Controlling Companies (the 2006 Guidance) permitted a U.S. branch or agency of a foreign bank to share a SAR with its head office and a U.S. bank or savings association to share a SAR with its controlling company (whether domestic or foreign).[4] In November 2010, FinCEN issued additional guidance that permitted a depository institution that has filed a SAR to share the SAR, or information that would reveal the existence of a SAR, with an affiliate that is subject to U.S. SAR regulation (the 2010 Guidance).[5] Under the 2010 Guidance, U.S. banks are generally prohibited from sharing a SAR, or any information that would reveal the existence of a SAR, with their foreign branches, because foreign branches of U.S. banks are regarded as foreign banks for purposes of the BSA and thus are considered to be “affiliates” that are not subject to a SAR regulation.

Participation in the Pilot Program

The Pilot Program permits financial institutions to share SARs and related information with foreign branches, subsidiaries and affiliates, subject to an application, certain standards and requirements regarding data security and the confidentiality of personally identifiable information, and reporting and recordkeeping obligations.

Eligibility and application process

Financial institutions eligible to apply for the Pilot Program include banks; casinos and card clubs; money services businesses; brokers or dealers in securities; mutual funds; insurance companies; futures commission merchants and introducing brokers in commodities; loan or finance companies; and housing government sponsored enterprises. Participation in the Pilot Program is determined by a formal application process. The written application must include the following information:

  1. The applicant’s point of contact for Pilot Program-related correspondence;
  2. A list of the foreign branches, subsidiaries, and affiliates with which the applicant intends to share SARs and related information, including the operational jurisdictions of these entities, as well as whether such entities will be providing reciprocal information to the applicant;  
  3. The purposes for which the foreign branches, subsidiaries, and affiliates intend to use SARs and related information;
  4. An estimated commencement date for the applicant’s participation in the Pilot Program; and
  5. A description of all internal controls that the applicant has implemented to prevent unauthorized disclosures of SARs and related information.

According to FinCEN, a formal application and approval process is necessary to “ensure that adequate safeguards are in place before allowing a financial institution to share SARs and related information with its foreign branches, subsidiaries, and affiliates.” FinCEN will seek to provide responses within 90 days of receipt of an application to participate in the Pilot Program.

Reporting requirements

Pilot Program participants are required to submit quarterly reports to FinCEN, which must include: (1) the total number of SARs and related information shared; (2) the name and jurisdiction of each entity that received SARs and related information, the relationship between such entity and the participant financial institution, and the intended purposes and uses for which the SARs and related information were shared; (3) legal and compliance issues encountered; (4) technical difficulties and challenges; (5) enhancements to the financial institution’s AML/CFT program enabled as a result of participating in the pilot program; and (6) lessons learned, which is to include any inefficiencies that the participant financial institution has identified in its own compliance program.

According to the Proposed Rule, the quarterly reports provide FinCEN with critical information and data about the success of the Pilot Program. In addition, FinCEN notes that it will share the reported information with the relevant Federal functional regulators, allowing the agencies to identify Pilot Program-related internal control deficiencies that may need to be addressed as a condition for continued participation in the Pilot Program.

AML program requirements

By participating in the Pilot Program, financial institutions are required to implement and maintain policies, procedures, and internal controls that are reasonably designed to ensure that their foreign affiliates do not permit unauthorized disclosure of SARs and related information that are shared pursuant to the Pilot Program. FinCEN expects these controls to include:

  1. Confidentiality agreements specifying that all personnel in foreign affiliates granted access to SARs and related information pursuant to the Pilot Program will safeguard the confidentiality of such information;
  2. Provisions for the secure transmission and storage of SARs and related information between the financial institution and its affiliates; and
  3. Processes and procedures for personnel located in the U.S. to review any request from foreign law enforcement, foreign regulators, or an outside foreign party for SARs and related information shared pursuant to the Pilot Program and to immediately notify FinCEN of such requests.[6]

FinCEN may require an applicant to implement additional internal controls as a condition for participation in the Pilot Program. FinCEN may also require a Pilot Program participant to implement additional internal controls at any time post-approval. Once admitted to the Pilot Program, Pilot Program participants have limited authority to amend their SAR-related internal controls framework without FinCEN approval—in order for a financial institution to pursue any material modifications from the internal controls specified in its application, or any additional FinCEN-imposed requirements, the participant will need to first obtain FinCEN’s written approval.[7] Further, the requirements imposed under the Pilot Program, and the information reported to FinCEN, are subject to examination by each financial institution’s financial regulator and FinCEN.

Finally, as required by AMLA, the Proposed Rule expressly prohibits Pilot Program participants from offshoring BSA compliance by establishing or maintaining any operation located outside of the United States if the primary purpose of the operation is to use the information-sharing authority granted by the Pilot Program to ensure compliance with the BSA by the U.S. financial institution. The Proposed Rule does not address whether this particular requirement would prohibit U.S. financial institutions from offshoring aspects of their SAR processes (e.g., alert disposition and escalation), where governance and control over the process resides in the U.S. and is subject to oversight by the institutions’ regulators, or offshoring to existing affiliates whose primary purpose is to ensure compliance with requirements other than the BSA.

Termination

According to the Proposed Rule, FinCEN may terminate a financial institution’s participation in the Pilot Program at any time. Grounds for termination include, but are not limited to: actual, or unreasonable risk of, unauthorized disclosures of SARs and related information; significant internal control deficiencies identified while participating in the Pilot Program; failure to adhere to the specific requirements for participation; or any other issues that indicate that a participant financial institution is unable to adequately safeguard against unauthorized disclosures of SARs and related information or to ensure adequate data security and confidentiality of personally identifiable information.

Limitations on foreign jurisdictions

Pursuant to AMLA, the Proposed Rule prohibits participant financial institutions from sharing SARs or related information with foreign affiliates located in: (1) the People’s Republic of China; (2) the Russian Federation; (3) jurisdictions that are state sponsors of terrorism;[8] (4) jurisdictions subject to sanctions imposed by the U.S. Government;[9] and (5) jurisdictions that the Secretary of the Treasury has determined cannot reasonably protect the security and confidentiality of such information.[10]

Issues for public comment

FinCEN has requested comment on all aspects of the proposed rule and requires comments to be submitted by March 28, 2022. Notable issues for comment include:

  • Expected costs and associated burdens. FinCEN seeks feedback on the costs of complying with the Pilot Program requirements. The compliance costs for Pilot Program participants include the costs to file an initial application with, and provide quarterly updates to, FinCEN, as well as costs associated with ensuring that adequate controls are in place.
  • Offshore compliance operations. FinCEN seeks feedback on the expected impact, including costs and/or associated burdens, of complying with the statutory prohibition on offshoring compliance operations within the Pilot Program.
  • Technical challenges. FinCEN seeks comment on the expected technical challenges to implementation that could make it harder or more expensive for financial institutions to participate in the Pilot Program.
  • Benefits of participation. FinCEN seeks comment on the expected benefits to financial institutions from being permitted to share SARs and related information with a foreign branch, subsidiary, or affiliate, and whether such sharing would enable the financial institution to shift or allocate resources to higher-priority AML/CFT risks.
  • Confidentiality requirements. FinCEN seeks feedback on the proposed confidentiality requirements of the program, including whether the agency has struck a reasonable balance between facilitating information sharing and imposing conditions to protect the confidentiality and prevent unauthorized disclosures of SARs and related information.
  • Challenges in protecting confidentiality. FinCEN poses a series of questions on the potential challenges of protecting the confidentiality of SARs and related information, and preventing unauthorized disclosure in connection with participation in the Pilot Program.
  • Quarterly reporting requirements. In addition to the specific metrics currently required in quarterly reports in the Pilot Program, FinCEN seeks comment on whether there are other metrics that should be included in the quarterly reports submitted to FinCEN.
  • Application timeline. Under the Proposed Rule, FinCEN seeks to respond to application requests within 90 days of receipt. FinCEN requests feedback on whether the proposed timeline is reasonable, and how such a timeline might encourage participation in the Pilot Program.
  • Length of Pilot Program. FinCEN requests comment on whether it should consider a broader, longer-term SAR sharing program, compared to the limited-duration Pilot Program. 

Looking forward

For years, international financial institutions have wanted to share SARs throughout their organizations. The Pilot Program will open the door to broader international SAR sharing and likely result in an overall improvement in suspicious activity reporting, monitoring, and prevention. However, while the Pilot Program may be generally well-received by financial institutions, the associated reporting and AML program requirements could be burdensome. In addition, because the Pilot Program does not provide any safe harbor protections, any information shared with FinCEN, as well as compliance with the program requirements, is subject to review during examinations and could be used against Pilot Program participants in enforcement proceedings. Accordingly, financial institutions should determine whether the benefits of participating in the Pilot Program outweigh the additional compliance burdens, and ensure they are capable of meeting the somewhat extensive requirements of participating in the program. Specific concerns about these burdens or other aspects of the Proposed Rule can also be raised through FinCEN’s notice and comment process, and FinCEN may make changes to the Proposed Rule in response to industry comments.

 

[1] Pilot Program on Sharing of Suspicious Activity Reports and Related Information With Foreign Branches, Subsidiaries, and Affiliates, 87 Fed. Reg. 3719 (Jan. 24, 2022).

[2] 31 U.S.C. 5318(g)(2)(A), as amended by section 6212(b) of the AML Act.

[3] Filers are not prohibited from: (i) the disclosure of the underlying facts, transactions, and documents upon which a SAR is based, including, but not limited to, disclosures related to filing a joint SAR and in connection with certain employment references or termination notices; and (ii) the sharing of a SAR, or any information that would reveal the existence of a SAR, within a depository institution’s corporate organizational structure for purposes consistent with Title II of the BSA, as determined by regulation or in guidance.

[4] The 2006 Guidance also states that depository institutions, as part of their anti-money laundering (AML) programs, must have written confidentiality agreements or arrangements in place specifying that the head office or controlling company must protect the confidentiality of the SARs through appropriate internal controls. The 2006 Guidance requires that the confidentiality agreements or arrangements must also address concerns about the ability of the foreign entity to protect the SAR in light of possible requests for disclosure abroad that may be subject to foreign law.

[5] An affiliate of a depository institution under the 2010 Guidance means any company under common control with, or controlled by, that depository institution. ‘‘Under common control’’ means that another company (1) directly or indirectly or acting through one or more other persons owns, controls, or has the power to vote 25 percent or more of any class of the voting securities of the company and the depository institution; or (2) controls in any manner the election of a majority of the directors or trustees of the company and the depository institution. ‘‘Controlled by’’ means that the depository institution (1) directly or indirectly has the power to vote 25 percent or more of any class of the voting securities of the company; or (2) controls in any manner the election of a majority of the directors or trustees of the company. See, e.g., 12 U.S.C. § 1841(a)(2).

[6] The Proposed Rule also directs the foreign requesting authority to both contact FinCEN about obtaining the requested SAR or related information and to seek to obtain such records or information through a request to the United States pursuant to a mutual legal assistance treaty or another appropriate mechanism for obtaining records from the United States.

[7] Pilot Program participants must submit a written request to FinCEN that details the nature and extent of the requested changes to applicable internal controls before implementing any such modifications. FinCEN, in consultation with relevant Federal functional regulators, as needed, would approve or reject such requests for modification, or condition its approval on implementation of additional controls, as appropriate.

[8] According to the Proposed Rule, a “state sponsor of terrorism” is a jurisdiction so determined by the U.S. Department of State.

[9] Jurisdictions “subject to sanctions imposed by the Federal Government” include jurisdictions with governments whose property and interests in property in U.S. jurisdiction are blocked pursuant to U.S. sanctions authorities, as well as jurisdictions subject to broad prohibitions on transactions by U.S. persons involving that jurisdiction, such as prohibitions on importing or exporting goods, services, or technology to the jurisdiction or dealing in goods or services originating from the jurisdiction, pursuant to U.S. sanctions authorities. Currently, those jurisdictions would include the Crimea region of Ukraine, Cuba, Iran, North Korea, Syria and Venezuela.

[10] The Secretary of the Treasury may make exceptions, on a case-by-case basis, for a financial institution located in the People’s Republic of China or the Russian Federation by notifying the Senate Committee on Banking, Housing, and Urban Affairs and the House Committee on Financial Services that such an exception is in the national security interest of the United States. See 31 U.S.C. 5318(g)(8)(C)(i)-(ii).

