Practical Considerations in Complying with the US Patriot Act of 2001 By
Am I Doing Business With a Terrorist? Practical Considerations in Complying With the US Patriot Act of 2001
By W. Scott O’Connell1
I. Executive Summary
In the aftermath of the horrific September 11th events, the resolve of the Congress to protect against further domestic threats resulted in a comprehensive legislative enactment know by its anachronym “USA PATRIOT ACT of 2001(the “Act”).2 On October 26, 2001, the Act became law and sweeping new and comprehensive anti-money laundering requirements where created for all manner of financial service providers including banks and their broker-dealer and trust affiliates. The Act contains a broad range of provisions designed to strengthen the federal government’s ability to investigate, prosecute and seize the assets of terrorist organizations. The Act provides the Secretary of the Treasury with special powers to regulate and/or prohibit transactions involving suspected money launderers or involving jurisdictions deemed uncooperative in the anti-money laundering effort. The Act also provides prosecutors with new tools for gathering and investigating electronic evidence to prosecute cyber-based crimes. These changes add to and extend already existing legislation which puts anti-money laundering procedural burdens on such institutions, including the:
§ BANK SECRECY ACT OF 1970 § MONEY LAUNDERING CONTROL ACT OF 1986 § ANTI-DRUG ABUSE ACT OF 1988
1 Scott O’Connell is the Leader of Nixon Peabody LLP’s Financial Transaction Disputes Team which focuses on litigation arising from complex financial relationships between parties. Team FTD has considerable experience with disputes requiring internal investigations of financial matters, forensic audits and compliance reviews. Team FTD litigation focus extends to closely-held corporate disputes, shareholder buy-outs and dissenters' rights litigation, entity governance litigation, post-transaction valuation litigation, and lender liability claims. Mr. O’Connell is a partner resident in the Manchester, N.H. office. He is admitted to practice in all state and federal courts in New Hampshire, Massachusetts, Maine, Vermont, and the District of Columbia, as well as the First, Second and Tenth Circuit Courts of Appeal. Mr. O’Connell gratefully acknowledges the contributions of David Ryan, Esq. to portions of this analysis.
Copyright © 2002 by Nixon Peabody LLP. All rights reserved.
§ Section 2532 of the CRIME CONTROL ACT OF 1990 § Section 206 of the FEDERAL DEPOSIT INSURANCE CORPORATION IMPROVEMENT ACT OF 1991
As part of the Act, Congress adopted the International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001 ("IMLA"). IMLA authorizes the Secretary of the Treasury, in consultation with the heads of other government agencies, to adopt special measures applicable to banks, bank holding companies, or other financial institutions. These measures may include enhanced record keeping and reporting requirements for certain financial transactions that are of primary money laundering concern, due diligence requirements concerning the beneficial ownership of certain types of accounts, and restrictions or prohibitions on certain types of accounts with foreign financial institutions. Covered Financial Institutions also are barred from dealing with foreign "shell" banks. In addition, IMLA expands the circumstances under which funds in a bank account may be forfeited and requires Covered Financial Institutions to respond under certain circumstances to requests for information from federal banking agencies within 120 hours.
Treasury regulations implementing the due diligence requirements must be issued no later than April 24, 2002. Whether or not regulations are adopted, the law becomes effective July 23, 2002. Additional regulations are to be adopted during 2002 to implement minimum standards to verify customer identity, to encourage cooperation among financial institutions, federal banking agencies, and law enforcement authorities regarding possible money laundering or terrorist activities, to prohibit the anonymous use of "concentration accounts," and to require all Covered Financial Institutions to have in place a Bank Secrecy Act compliance program. IMLA also amends the Bank Holding Company Act and the Bank Merger Act to require the federal banking agencies to consider the effectiveness of a financial institution's anti-money laundering activities when reviewing an application under these acts.
The major features of the Act involve requirements relating to:
§ The establishment of money laundering compliance programs, including the promulgation of internal policies and controls, continuing employee education and audit programs
§ The verification and identification of persons seeking to open accounts, including the maintenance of records including identifying information, address and other contact information and consulting lists of known terrorist organizations
(Footnote continued from previous page) 2 The formal name of the act is “Uniting and Strengthening America By Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) of 2001.
§ The reporting of "suspicious activities"
§ New due diligence for accounts opened by or for non-US persons, either directly or through Correspondent Accounts
§ Heightened scrutiny and new procedure for deposits into concentration accounts and other commingled accounts
§ The establishment of new civil and criminal penalties for violations of certain provisions of the Act
§ New tools for law enforcement to track suspected criminal activity
Some of the provisions of the Act were effective immediately, while others require further regulatory action. To date, the Department of the Treasury has already issued final, interim and proposed regulations bearing upon reporting requirements for, and certain limitations on activities by, financial and non-financial institutions and related persons. While Treasury Regulations will likely continue to attempt to clarify the troublesome open-endedness of issues such as the minimum extent of identification, record keeping, audit scope, and compliance programs, as well as what constitutes suspicious activities and the extent of due diligence and other "know your customer" requirements, many practical issues will remain unanswered.
All account opening procedures must be reviewed, and some changed, especially in the electronic account establishment area. Also, regulations that require an institution to establish its own detailed compliance procedures are typically more difficult to live with than more definitive regulations. If the internal procedures and controls go further than the regulations may contemplate (or, in hindsight, be seen to contemplate), adherence to the internal program rather than compliance with the law and regulations can become the criteria for violation and sanction. Further, although institutions are granted broad protections from liability to customers for disclosures of information required to be obtained and recorded, it is not at all clear that the actions of institutions in attempting to comply with the new Act and regulations are totally free from all actions based on existing statutory and common law concerning privacy.
The real challenge for affected financial service companies will be to make sure that properly trained personnel and state of the art systems are capable of carrying out the information gathering, record keeping, reporting, audit, control and monitoring functions necessitated by the Act and its Regulations.
II. The Anti-Money Laundering Provisions of the Patriot Act
As previously referenced, Title III of the Act is known as the “International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001 (“IMLA”). This section concentrates on anti-money laundering activities.
A. Who is Required to Take Action Under the Anti-Money Laundering Provisions of the Act?
The Act defines comprehensively the financial institutions, which are affected by the Act. Interestingly, the universe of affected entities is defined into two groups, the broadest being “Financial Institutions.” 3 The principle burden imposed by the Act on these entities is that of record keeping.
3 The full definitions of financial institutions and financial agencies are as follows: (1) “financial agency” means a person acting for a person (except for a country, a monetary or financial authority acting as a monetary or financial authority, or an international financial institution of which the United States Government is a member) as a financial institution, bailee, depository trustee, or agent, or acting in a similar way related to money, credit, securities, gold, or a transaction in money, credit, securities, or gold. (2) “financial institution” means— (A) an insured bank (as defined in section 3(h) of the Federal Deposit Insurance Act (12 U.S.C. §1813(h))); (B) a commercial bank or trust company; (C) a private banker; (D) an agency or branch of a foreign bank in the United States; (E) an insured institution (as defined in section 401(a) of the National Housing Act (12 U.S.C. §1724(a))); (F) a thrift institution; (G) a broker or dealer registered with the Securities and Exchange Commission under the Securities Exchange Act of 1934 (15 U.S.C. §§78a et seq.); (H) a broker or dealer in securities or commodities; (I) an investment banker or investment company; (J) a currency exchange; (K) an issuer, redeemer, or cashier of travelers’ checks, checks, money orders, or similar instruments; (L) an operator of a credit card system; (M) an insurance company; (N) a dealer in precious metals, stones, or jewels; (O) a pawnbroker; (P) a loan or finance company; (Q) a travel agency; (R) a licensed sender of money; (S) a telegraph company; (T) a business engaged in vehicle sales, including automobile, airplane, and boat sales; (U) persons involved in real estate closings and settlements; (V) the United States Postal Service; (W) an agency of the United States Government or of a State or local government carrying out a duty or power of a business described in this paragraph; (X) a casino, gambling casino, or gaming establishment with an annual gaming revenue of more than $ 1,000,000 which— (i) is licensed as a casino, gambling casino, or gaming establishment under the laws of any State or any political subdivision of any State; or (ii) is an Indian gaming operation conducted under or pursuant to the Indian Gaming Regulatory Act other than an operation which is limited to class I gaming (as defined in section 4(6) of such Act [25 U.S.C. §2703(6)]); (Y) any business or agency which engages in any activity which the Secretary of the Treasury determines, by regulation, to be an activity which is similar to, related (Footnote continued on next page)
The second group—upon whom the bulk of compliance requirements fall—are “Covered Financial Institutions.”4 The requirements on the latter are much more draconian than those—at least currently—placed upon the broader range of Financial Institutions. “Covered Financial Institutions” which are those that generally have a depository relationship with their customers, are required to undertake many new initiatives to root out money laundering or terrorist financing activity.
B. New Prohibitions With Regard to Correspondent Accounts
A principle target of the Act is the heightened review of “Correspondent Accounts” to ensure that they are not being used for money laundering or terrorist financing activities.5 The new prohibitions and requirements are as follows:
1. Covered Financial Institutions shall not establish, maintain, administer or manage a Correspondent Account in the United Sates for or on behalf of a foreign shell bank
Effective December 25, 2001, Covered Financial Institutions were required to terminate all Correspondent Accounts in the United States for certain foreign shell banks. See 31 §5318(j). Under the Act, a Shell Bank is a foreign bank without a physical presence in any country. Foreign shell banks that are regulated affiliates of foreign banks which maintain a physical presence in a foreign country and which is subject to supervision by a banking authority that regulates the foreign bank affiliate is exempted from this prohibition.
In order to assess whether a foreign bank is a shell, important inquires must be made including whether the bank: (1) maintains a physical place of business at a fixed address where its banking activity is undertaken; (2) has any full time employees; (3) maintains operating records for its transactions; (4) is subject to regulation, oversight or inspection by a bank regulatory entity in its home jurisdiction. Banks, which lack such formalities, are susceptible to a determination of being a shell bank for which Correspondent Account relationships is prohibited.
(Footnote continued from previous page) to, or a substitute for any activity in which any business described in this paragraph is authorized to engage; or (Z) any other business designated by the Secretary whose cash transactions have a high degree of usefulness in criminal, tax, or regulatory matters. See 31 U.S.C. §5312.
4 Section 313(a) of the Act defines “Covered Financial Institution” to include: (1) any insured bank; (2) a commercial bank or trust company; (3) a private banker; (4) an agency or branch of a foreign bank in the U.S.; (5) a credit union; (6) a thrift institution; and (7) a broker or dealer registered with the Securities and Exchange Commission 5 For purposes of banks, a “Correspondent Account” is defined in the Act as “An account established to receive deposits from, make payments on behalf of a foreign financial institution, or handle other financial transactions related to such institution.”
In Treasury’s interim guidance concerning compliance with the new anti-money laundering requirements of the Act issued November 27, 2001, the Department detailed a certification process Covered Financial Institutions could follow in order to assess whether an entity was a foreign shell which fell into the prohibitions of the Act. See Exhibit A attached to this article. Pursuant to the certification process, the Covered Financial Institution could obtain an undertaking from the entity in question that: (1) it is not a shell bank; (2) it is a shell bank that is a regulated affiliate; or (3) is a shell bank that is not a regulated affiliate, in which case a Covered Financial Institution is prohibited from establishing or maintaining a Correspondent Account. The Treasury Department provided a specific certification form, which is attached to the interim guidance.
In this certification, the entity is requested to provide sufficient information to demonstrate that it is not a prohibited foreign shell bank. The Covered Financial Institution, which receives this certification, is charged with reviewing and accepting the information provided. In accepting this certified information, the Covered Financial Institution must exercise care to ensure that the certification and information provided is in order. The civil money penalties for failing to comply with this section have been increased to $1,000,000. Thus, the stakes are extremely high and proper training of personnel charged with reviewing these certifications is essential. In order to demonstrate reasonable care, the protocols for accepting these certifications should include confirming the information presented. For example, the Covered Financial Institution should: (1) consider an actual visit to the physical location identified; (2) obtaining independent confirmation that the entity is subject to foreign banking supervision; (3) obtain official governing documents of the entity; (4) review records maintained at the physical location; (5) obtain undertakings from employees at the entity. What the government actually requires remains unclear. Regrettably, the clarity of what the Treasury expects from which protocols and actions can be developed will probably only be come into focus in the context of enforcement proceedings against Covered Financial Institutions which fail to respond adequately to the Act.
2. Covered Financial Institutions shall take reasonable steps to ensure that a Correspondent Account is not being used by a foreign bank to provide indirectly banking services to a foreign shell bank
In addition to the termination of Correspondent Accounts with shell banks, the Act requires that Covered Financial Institutions take reasonable steps to ensure that foreign shell banks are not indirectly using Correspondent Accounts of other foreign banks. The “nesting” by prohibited foreign shell banks is believed to be an equally menacing problem as are Correspondent Accounts with foreign shell banks directly.
As part of the interim guidance provided by Treasury, the certification form provided requires the foreign bank to represent that the Correspondent Account is not being used by a prohibited foreign shell bank. See Exhibit A. Thus, the Act requires not
simply for a Covered Financial Institution to “know its clients,” but it must “know its clients’ clients” as well. The same training and analysis issues for employees referenced above apply to the rooting out of information pertaining to nesting by foreign shell banks in otherwise lawful Correspondent Accounts. See 31 U.S.C. §5318(j).
Apart from review and acceptance of this form, it is unclear what other reasonable steps the Treasury Department will require of Covered Financial Institutions in order to ensure that prohibited shell banks are not indirectly using Correspondent Accounts of foreign banks.
3. Covered Financial Institutions which maintain a Correspondent Account of a foreign bank shall maintain records identifying the beneficial owners of the foreign bank in the United States
Section 319(b) of the Act requires Covered Financial Institutions to make inquiries into the ownership of foreign banks which maintain Correspondent Accounts and to maintain this information in the United States. See 31 U.S.C. §5318(k). By obtaining ownership information, it is believed that the Covered Financial Institutions will be better equipped to identify suspected money launderers or terrorist financiers as that information is developed and published by the Treasury Department or law enforcement.
The certification developed by the Treasury Department also requires disclosure of this ownership information. See Exhibit A.
4. Covered Financial Institutions must require foreign banks with a Correspondent Account to appoint a United States resident to accept service of process for records concerning the Correspondent Account.
To ensure that law enforcement authorities have access to all of the documents concerning the Correspondent Account, Section 319(b) requires the Foreign Bank to appoint a person residing in the United States authorized to accept service of legal process for all records concerning the account. See 31 U.S.C . 5318(k). Thus, in order to maintain a correspondent relationship, the Foreign Bank essentially needs to provide regulatory and law enforcement authorities a means by which all information concerning such account can be produced in this Country.
Requests for this information by a law enforcement officer must be complied with within seven days. Requests for this information from bank regulators must be responded to within 120 hours. See 31 U.S.C. §5318(k). These tight deadlines place special emphasis on the need to adequately train affected employees to ensure compliance.
The Act provides the Treasury or the U.S. Attorney General with authority to a direct a Covered Financial Institution through written notice to terminate its relationship with a foreign correspondent bank that has refused to comply with—or lawfully challenge-- a subpoena or summons. The penalty on a Covered Financial Institution for failing to terminate such an account within 10 days could result in a civil money penalty of up to $10,000 per day. Once again, the short response times makes it imperative that the Covered Financial Institution create the necessary procedures and protocols to timely respond to this directive.
Also, with such short parameters in which to terminate the Correspondent Account relationship, it is important for Covered Financial Institutions to ensure that contractual obligations are not assumed which would prevent the timely termination of the relationship. Failure to review and address this part of the relationship may result in civil liability owed to the foreign bank.
5. Financial Institutions must establish appropriate, specific and where necessary, enhanced due diligence procedures reasonably designed to detect and report instances of money laundering through Correspondent Accounts of Foreign Banks or Private Banking Accounts
The Act imposes due diligence requirements on all financial institutions that maintain, administer or manage private banking accounts or Correspondent Accounts in the United States for non-United States persons. The Act requires that the financial institutions must have “appropriate, specific and, where necessary, enhanced due diligence policies, procedures, and controls that are reasonably designed to detect and report instances of money laundering through those accounts.” See 31 U.S.C. §5318(I). Specific regulations on the nature and extent of this due diligence are due by April 24, 2002. Regardless of whether regulations issue, the provision is effective on July 23, 2002.
In addition to general due diligence standards, the Act requires special additional measures for Correspondent Accounts for banks licensed by particular jurisdictions that are (1) designated by intergovernmental groups (such as the Financial Action Task Force) as non-cooperative with international anti-money laundering standards, and (2) designated by Treasury as warranting special measures due to money laundering concerns. In those areas of heightened due diligence, the Covered Financial Institution must conduct enhances scrutiny of Correspondent Accounts to identify suspicious transactions.
Covered Financial Institutions will need to develop practices and protocols that regularly absorb information about particular jurisdictions subject to heightened scrutiny so that the screening process for affected Correspondent Accounts is effective.
With regard to Private Banking Accounts—accounts with minimum deposits of $1 million that are assigned to or managed by a person who acts as a liaison between a
financial institution and the beneficial owners—similar due diligence is required. Also, the financial institution must report suspicious transactions and keep records of (1) the names of all nominal and beneficial owners, and (2) the source of the funds deposited in those accounts. If the private banking is being performed for or on behalf of foreign senior political figures, immediate family members or close associates, the financial institution is required to perform enhanced scrutiny of the account to detect proceeds of foreign corruption. See 31 U.S.C. §5318(i).
Recognizing at least in part that these requirements become effective on July 23, 2002, regardless of whether Treasury issues applicable regulations, certain industry players have issued suggested guidelines to establish uniform practices in correspondent banking for compliance with the Act. For example, The New York Clearing House Association LLC has issued guidelines, which specifically address the risk of money laundering in correspondent banking (the “Guidelines”).6 See Exhibit C attached. Updated versions of these Guidelines may be found at http://www.nych.org)
With regard to due diligence and enhanced due diligence, the guidelines make the following suggestions for compliance with the Act:
· Establishing that the Applicant has been duly organized and is in good standing in its jurisdiction of organization; · Obtaining the Applicant’s annual report and financial statements (audited, if available); · Identifying Key Senior Management of the Applicant; · Reviewing the anti-money laundering or due diligence policies, procedures and controls of the Applicant, which review may include, but need not be limited to, a discussion with Key Senior Management of the Applicant; · Reviewing reports by bank rating agencies regarding the Applicant, if available; · Determining the Applicant’s primary lines of business; · Inquiring into the Applicant’s local market reputation, through review of media reports or by other means; · Evaluating the Applicant’s creditworthiness (where credit is being extended); · Obtaining one or more bank references; · Determining the expected activity of the Applicant through the Correspondent Account; · Requesting general information on the Applicant’s categories of customers, including such categories as Shell Banks, Offshore Banks and other High Risk Respondent Banks; · Determining whether the Applicant is a public or private institution;
6 Members banks of the New York Clearing House Association LLC are: Bank of America, National Association; The Bank of New York; Bank One, National Association; Bankers Trust Company; Citibank, NA; First Union National Bank; Fleet National Bank; HSBC Bank USA; JPMorgan Chase Bank; LaSalle Bank National Association; and Wells Fargo Bank, National Association.
· For privately held Applicants, ascertaining the identity of each of the Owners of the Applicant, and performing an appropriate level of due diligence with regard to such Owners; · Determining the type of and restrictions under the Applicant’s license; · Ensuring that the Bank remains in full compliance with the requirements established by U.S. bank regulators with regard to Payable Through Accounts; · Taking into account information, if available, from U.S. law enforcement agencies or U.S. banking authorities, as appropriate, with respect to the Applicant; · Documenting steps taken (for example, by preparing a Respondent Bank due diligence checklist) prior to the opening of a Correspondent Account for the Applicant;
See Exhibit C, The Guidelines, at ¶2.6.1
For purposes of enhanced due diligence concerning Correspondent Accounts of high risk respondent banks, the Guidelines make the following suggestions for action:
· Taking reasonable steps to ascertain for any such Applicant, the shares of which are not publicly traded, the identity of each of the Owners of the Applicant, and the nature and extent of the ownership interest of each Owner; · Taking reasonable steps, such as the following, to ascertain whether such Applicant provides Correspondent Accounts to other Foreign Banks and, if so, the identity of those Foreign Banks and related due diligence information, as appropriate: · Determining if the Applicant has reasonably designed due diligence policies, procedures and controls for correspondent banking, through discussions with Key Senior Management of the Applicant or otherwise; · Requesting the names and addresses of the Foreign Banks for which the Applicant maintains Correspondent Accounts, and if such information is not obtained, taking such action (including closing the account or determining not to open the account) as the Secretary of the Treasury directs; and · Whether before or after opening of the Correspondent Account, requesting appropriate due diligence information from the High Risk Respondent Bank on any Foreign Bank for which it maintains a Correspondent Account where the Bank has reason to suspect that the Foreign Bank is or may be of heightened money laundering concern, whether as a result of information obtained from U.S. law enforcement agencies, U.S. banking authorities or otherwise, and if such information is not obtaining, taking such action (including closing the account or determining not to open the account) as the Secretary of the Treasury directs.
· Determining changes in the ownership or Key Senior Management of the Applicant during the past five years; · Determining the relationship between the Applicant and the government of its home country jurisdiction, including whether the Applicant is a government- owned entity; · Reviewing pronouncements of United States governmental agencies and multilateral organizations with regard to the adequacy of bank regulation and supervision and counter money laundering and counter terrorist legislation in the Applicant’s home country jurisdiction; · To the extent reasonable, reviewing publicly available information to determine whether the Applicant has been the subject of a money laundering or other criminal investigation, criminal indictment or conviction, any civil enforcement action based on violations of counter money laundering laws or regulations or any investigation, indictment, conviction or civil enforcement action relating to financing of terrorists; · Meeting with Key Senior Management of the Applicant at its offices or the offices of an Affiliate of the Applicant, as appropriate, to discuss opening of the Correspondent Account; and · Requiring that the Respondent Bank due diligence checklist regarding the Applicant, or other documentation of the due diligence performed with regard to the Applicant, be reviewed by the Bank’s compliance department, risk management department, or other appropriate department.
See Exhibit C, The Guidelines, at ¶2.6.2
To the extent that Treasury fails to issue regulations on due diligence and enhanced due diligence, adoption of guidelines such as those issued by the New York Clearing House Association will help to ensure compliance with the Act.
C. Availability of Bank Records for Regulatory and Law Enforcement
As previously referenced, one of the new burdens placed upon the Covered Financial Institutions is the short time periods in which to respond to regulatory or law enforcement requests for information concerning Correspondent Accounts. See U.S.C. §5318(k).
With regard to requests from regulators, records responsive to requests concerning anti-money laundering compliance must be produced within 120 hours of the request.
With regard to subpoenas issued by law enforcement, records responsive including records held abroad concerning deposits made into the Correspondent Accounts, must be produced within seven days. Upon written notice, the Treasury or the U.S. Attorney General may direct termination of the Correspondent Account for failure to comply with the subpoena.
D. Financial Institutions Must Create Anti-Money Laundering Compliance Programs
The Act requires financial institutions to establish anti-money laundering compliance programs that include, at a minimum:
(i) The development of internal policies, procedures and controls; (ii) The designation of a compliance officer; (iii) An ongoing employee training program; and (iv) An independent audit function to test programs.
Financial institutions must establish such programs within 180 days from the enactment of the Act, or April 24, 2002.
E. Treasury Will Issue Standards for Verification of Customer Identification
Effective October 25, 2002, the Treasury is required to issue minimum standards for customer identification at account opening. Among other things, financial institutions will be required to verify customer identification; maintain records of this verification and compare this verification against established government lists of known or suspected terrorists.
F. Financial Institutions Must Report Suspicious Activity
1. Financial Institutions may share information about suspicious activity
It has long been the obligation of federally insured financial institutions to submit Suspicious Activity Reports (“SARs”) to law enforcement agencies and bank regulators. The Act changes in a fundamental way what was once only a one way reporting structure to the government. Under Section 314 of the Act, however, financial institutions are now encouraged to share suspicious activities of persons or entities with other financial institutions.
On March 4, 2002, the Financial Crimes Enforcement Network (“FinCEN”), a bureau of the Treasury Department, issued interim rules to enact the information sharing requirements of Section 314(a) of the Act. These interim regulations require the financial institutions affected by this section to maintain adequate procedures to protect the security and confidentiality of the shared information. Among other things, financial institutions must annually certify to FinCEN that the information shared and obtained not be used for any purpose other than identifying suspicious activity. The interim rules require the financial institution to identify a specific individual as a point of contact for information sharing and account monitoring. Also, the interim rules require that
procedures be developed which protect the disclosed information. The sharing of information process does not involve the sharing of the SARs themselves as financial institutions are still prohibited from disclosing those reports.
One of the tensions, which arise under this provision, is the privacy rights of the individuals about whom the information is shared. Recognizing this potential conflict, the Act expressly provides that the sharing of information contemplated in this section of the Act will not constitute a privacy violation of the Gramm-Leach-Bliley Act. Given the countervailing efforts to create privacy rights for customers over matters of financial affairs, this may be an area of possible exposure for financial institutions if the regulations fail to provide appropriate safe harbors for the sharing of information. See 31 U.S.C. §5318 (Clarification of Safe Harbors for SARs).
2. FinCEN is Charged with creating a secure filing network for SARs
The Act requires that FinCEN develop a highly secure electronic network through which reports—including SARs—may be filed and from which information about suspicious activity can be disseminated. This network is to be operational by July 23, 2002.
3. Filing of SARs is expanded to Broker/Dealers
Section 356 of the Act requires the Treasury to issue regulations requiring registered securities brokers and dealers to file SARs. This is a whole new area for much of the broker dealer industry and will require considerable attention to create the mechanisms under which such reporting will occur.
G. Treasury Has Sweeping Authority to Issue “Special Measures” for Certain Jurisdictions, Financial Institutions, International Transactions and Accounts
Section 311 of the Act provides the Treasury with broad regulatory authority to affect a host of other business through the exercise of its “special measures” powers. Under this section, Treasury has the authority to demand additional record keeping and reporting with regard to: (1) particular financial institutions operating outside of the United States; (2) financial institutions operating in particular jurisdictions; (3) certain types of accounts; and (4) certain types of transactions. The Treasury must determine that the jurisdiction, account or transactions are of “primary money laundering concern.”
Once determined, the longer list of financial institutions previously referenced may be called upon by regulation or order to maintain records, maintain information about certain accounts or transactions, and/or provide the beneficial ownership of funds used in the transaction or account. The Treasury could impose certain due diligence on certain types of accounts or transactions. To the extent that non-banks may be affected by the issuance of special measures, the Treasury will have to provide guidance on the terms “account,” “beneficial ownership,” and transaction.
Although the term “transaction” is not defined in the Act, it is defined broadly by the regulations governing the Currency Act as follows:
[T]ransaction means a purchase, sale, loan, pledge, gift, transfer, delivery or other disposition, and with respect to a financial institution includes a deposit, withdrawal, transfer between accounts, exchange of currency, loan, extension of credit, purchase or sale of any stock, bond, certificate of deposit, or other investment security or monetary instrument, or any other payment, transfer, or delivery by, through, or to a financial institution, by whatever means effected.
31 C.F.R. 103.11 (2001). This definition encompasses nearly every conceivable transfer of funds, including distributions of partnership profits.
The content of the information and/or recording keeping that my be required should special measures be invoked include the following:
(i) The identity and address of the participants in a transaction or relationship, including the identity of the originator of any funds transfer; (ii) The legal capacity in which a participant in any transaction is acting; (iii) The identity of the beneficial owner of the funds involved in any transaction, in accordance with such procedures as the Secretary determines to be reasonable and practicable to obtain and retain the information; and (iv) A description of any transaction.
See Section 311(b)(1)(B). Thus, the Secretary may require a financial institution or financial agency to take affirmative steps to determine the “beneficial owner” of funds involved in a transaction. The Act does not define the term “beneficial owner”.
Thus, the potential reach of the Treasury’s “special measures” is considerable and may implicate scores of businesses for which compliance with the Act is not part of the core business. Special care must be taken by the entities to ensure compliance with the Act and any special measure regulations or orders issued under it.
H. The New Enhanced Penalties for Failing to Comply With the Act
As referenced previously, the monetary penalties for violations of portions of this Act have been raised substantially. Violations of the due diligence requirements for Correspondent and Private Banking Accounts, 31 U.S.C. §5318(i), and the shell bank prohibitions, 31 U.S.C. §5318(j), now have civil money penalties of up to $1 million. Failure to terminate a corresponding relationship with a foreign bank, which has failed to
respond to a subpoena from law enforcement, has a civil money penalty of up to $10,000.00 per day. Thus, the money at risk for non-compliance is considerable.
A greater concern is the reputational harm and damage to the franchise occasioned by being tarred with money laundering and/or terrorist activities. The loss of good will resulting from being tarnished by such activities could be considerable. This point is easily understood when one remembers the harm suffered by the whole of Arthur Anderson for the association and activities of a comparable few on behalf of Enron Corporation. Thus, non-compliance has risks and penalties that can devastate the financial institution.
III. Enhanced Law Enforcement Tools to Investigate Cyber-Based Crime and Collect Electronic Evidence to Prosecute the Same
In order to enable prosecutors to fully investigate cyber-based crimes and terrorist, the Act has significantly overhauled existing statutes to provide more powers than previously existed. None of these changes are limited to the investigation of terrorist activity and are available, therefor, to investigate all manner of computer-based crimes. Thus, internet service providers and other companies that maintain electronic internet-based communication may receive under this Act more far-reaching requests for information than available under previous law. Companies that receive subpoenas for electronic evidence should be mindful of the following changes to the statutory landscape.
· Section 202-- Provides new authority to intercept voice communications in computer hacking investigations for breach of the Computer Fraud and Abuse Act. (sunset on December 31, 2005);
· Section 209-- Allows voice mail and other stored voice communication to be obtained by search warrant rather than wire tap order (sunset on December 31, 2005);
· Section 210—Increases the amount of electronic evidence that can be obtained by search warrant. Information specific to internet sessions, (time and durations and network addresses) as well as means and source of payment can be obtained;
· Section 211—Provides clarification to the prohibitions under the Cable act 47 U.S.C. §2510 now allowing investigators to subpoena internet records of customers (cable information is still protected);
· Section 212—Permits Internet Service Providers (ISPs) to disclose to law enforcement either content or customer records in emergencies involving immediate risk of death or serious physical injury to any person. This does not create an affirmative obligation to review records for such information. This section also permits disclosure of non-content information in order for
the providers to protect their rights and property. (sunset on December 31, 2005);
· Section 216—Modifies the pen register and trap and trace statutes which govern the collection of non-content communications in three ways: (1) clarifies that pen/trap orders can be used to trace activity on the internet; (2) pen/trap orders issued by federal courts have nationwide effect; (3) special report filed with the issuing court is required whenever a pen/trap order is used to install a monitoring device on computers belonging to a public provider;
· Section 217—Permits victims of computer attacks to authorize persons “under color of law” to monitor trespassers on their computer systems. The owner must authorize interception; the interceptor must be engaged in a lawful ongoing investigation; the interceptor must have a reasonable belief that the contents of the intercepted message will be relevant to an ongoing investigation; and only communications from the trespasser may be intercepted;
· Section 220-- Provides for nationwide search warrants for e-mail to compel records from outside the district. (sunset on December 31, 2005);
· Section 814—Increases penalties to deter and prevent Cyberterrorism by: (1) Raising the maximum penalty for damaging protected computers to 10 years (first offense) and 20 for repeat offenders; (2) clarifying the mens rea requiring that the hacker need only intend to cause damage not a particular consequence or degree of damage; and (3) losses can be aggregated;
· Section 815—Additional defense to civil action under the Electronic Communications Privacy Act for preserving records in response to government requests
IV. Conclusion
The Patriot Act changes materially the landscape in which financial institutions operate with foreign entities. Careful and thoughtful compliance with these new requirements is necessary to prevent substantial monetary and reputational harm. The problems created by money laundering and terrorist financing are fluid circumstances that the Act broadly attempts to address. In an effort to be broad and sweeping, many questions remain open and un-addressed creating a level of regulatory uncertainty from which individual institutional uncertainty may result. Financial institutions will need to be vigilant in their efforts to flush out the ambiguities of this Act. Close scrutiny of new regulations, interim guidance and enforcement actions will be necessary to ensure compliance. The costs of non-compliance are too great to ignore.