Adapting global operations to the US anti-money laundering regulatory environment

In this article, we look at the impact of increased regulatory scrutiny regarding money laundering globally and explore the regulatory requirements a foreign bank must comply with when establishing offices or subsidiary banks in the United States.

Money laundering relies upon the ability to introduce into the global financial network funds that originated as a result of criminal activity and to hide the connection to their illicit origins. The holder of the funds conceals their origins through a series of complex transactions, often involving offshore banks, front companies and opaque ownership structures. The funds are ultimately reintroduced into legitimate financial institutions where, if the process was successful, their illegal origins can no longer be traced. Financial institutions in leading financial centres – including Singapore and Hong Kong – are particular targets for the receipt of such ‘tainted’ funds for reintroduction into the financial system because less scrutiny is applied to funds emanating from these institutions into the global financial network.

Regulators have placed financial institutions under increased pressure to control money laundering as part of a global effort which includes stemming the flow of funds that could be sent to terrorist organisations. To combat money laundering and terrorism financing, governments across the world have introduced a series of regulations and requirements which financial institutions must comply with to ensure that they remain aware of the identity of their customers, the legitimacy of the source of the funds and the customers’ intended use of the funds. The regulations are in many respects consistent as they endeavour to comply with the recommendations issued by the Financial Action Task Force (FATF), the intergovernmental policy-making body whose objective is to promote the implementation of legal, regulatory and operational measures to combat money laundering and terrorism financing. The FATF reviews the progress of member countries in implementing its recommendations and issues public reports that would indicate any deficiencies found during that review. The recommendations of the FATF are widely followed, despite having no legal force and effect, because being labelled ‘non-compliant’ by the FATF can have a negative impact on the country’s risk profile, credit rating and access to the international banking system. Countries across Asia have responded to the deficiencies indicated by the FATF in a number of ways: in Hong Kong, the Securities and Futures Commission introduced a new set of guidelines on anti-money laundering/counter-terrorism financing (AML/CTF); Vietnam has enacted a Money Laundering and Counter- Terrorism Law; and in Singapore, the Monetary Authority of Singapore (MAS) has amended its regulatory guidelines relating to money laundering (e.g. MAS Notice 626).

A number of financial institutions have taken a negative view of the increased attention to and augmentation of money laundering regulations in Asia, raising concerns that these measures will increase their regulatory burden and slow financial transactions globally. Despite the objections of these financial institutions, the global convergence towards similar requirements is a welcome step in requiring banks in Asia to develop uniform practices that they will need when operating in jurisdictions already subject to these standards.

Banks that are seeking to establish direct branches or subsidiaries outside of their home jurisdictions have the added requirement of complying with all the regulations imposed in each jurisdiction in which they operate. The US is a particularly complicated jurisdiction due to the vigilance and activity of the regulators and the complexity of the regulations. It has a series of laws dealing with AML/ CTF, which for the most part are consolidated in the Bank Secrecy Act. The Bank Secrecy Act has been amended many times since its enactment in 1970, most notably by the USA Patriot Act, which was enacted after the September 11, 2001, terrorist attacks in the United States.¹ The primary regulator responsible for enforcing these laws is the Financial Crimes Enforcement Network (FinCEN), a unit of the US Treasury Department, which has promulgated regulations to implement the statutory provisions.² FinCEN has jurisdiction over US branches and agencies of non-US banks regardless of where the bank is headquartered.

Pursuant to a delegation from FinCEN, US branches and agencies of non-US banks are examined for AML compliance by either the Board of Governors of the Federal Reserve System (Federal Reserve Board) for state-licensed branches and agencies of non-US banks, the Comptroller of the Currency (OCC) for federal branches and agencies of non-US banks licensed by the US Treasury Department, and the Federal Deposit Insurance Corporation (FDIC) for those few branches of non-US banks that carry federal deposit insurance.

A significant number of enforcement actions brought by US banking regulators against non-US banks have come about because of lax compliance with AML laws and regulations – since 2013, there have been at least five enforcement actions brought against US offices of non-US banks by the Federal Reserve Board. Remedial actions ordered included a comprehensive review by an outside consultant approved by the Federal Reserve Board, preparation and submission of an enhanced AML compliance programme and preparation and submission of a plan to enhance management oversight of the AML compliance programme.

A summary of significant AML laws and regulations applicable to a US branch or agency of a non-US bank are provided below.

Compliance programme³

Every bank must have an AML compliance programme that at a minimum:

• Provides for a system of internal controls to assure ongoing compliance
• Provides for independent testing for compliance to be conducted by bank personnel or by an outside party
• Designates an individual or individuals responsible for coordinating and monitoring day-today compliance
• Provides training for appropriate personnel.

Customer ID programme⁴

Every bank must establish a customer identification programme (CIP), which requires a bank to obtain, verify and retain certain information about each customer. When establishing a new banking relationship, the bank must first obtain certain basic identifying information about the customer (name, address, date of birth, identification number). The CIP must include riskbased procedures for verifying the identity of each customer in order to enable the bank to form a reasonable belief that it knows the true identity of each customer. These procedures must be based on the bank’s assessment of the relevant risks, including those presented by the various types of accounts maintained by the bank, the various methods of opening accounts provided by the bank, the various types of identifying information available, and the bank’s size, location, and customer base.

Suspicious transaction reporting⁵

One of the key requirements of the AML laws and regulations is the requirement that certain financial institutions such as banks file suspicious activity reports (SARs). Every bank must file a SAR with respect to a possible violation of law or regulation. Even when not required, a bank may use the SAR to report any suspicious transaction that it believes is relevant to the possible violation of any law or regulation.

For a transaction conducted or attempted by, at, or through a bank and which involves or aggregates at least US$5,000 in funds or other assets, an SAR is required where the bank knows, suspects, or has reason to suspect that:

• The transaction involves funds derived from illegal activities, or is intended or conducted in order to hide or disguise funds or assets derived from illegal activities as part of a plan to violate or evade any US law or regulation or to avoid any transaction reporting requirement under US law or regulation.
• The transaction is designed to evade any AML law or regulatory requirement
• The transaction has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage, and the bank knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.

SARs must be filed with FinCEN no later than 30 calendar days after the date of initial detection by the bank of facts that may constitute a basis for filing a SAR. Additional SARs may need to be filed periodically containing updated information for continuing violations. In situations involving violations that require immediate attention (such as ongoing criminal activity) the bank must immediately notify by telephone an appropriate law enforcement authority, in addition to filing a SAR.⁶

Generally, a bank, and its directors, officers, employees, or agents, are prohibited from disclosing a SAR or any information that would reveal the existence of a SAR. However, provided that no person involved in activity leading to the filing of the SAR is notified, the bank (and its directors, officers, employees, or agents) may disclose information that would reveal the existence of a SAR to FinCEN or to any applicable Federal, State, or local law enforcement or regulatory agency; disclose the underlying facts, transactions, and documents upon which a SAR is based to another financial institution for the preparation of a joint SAR or in connection with certain employment references or termination notices; and disclose the SAR and related information within the bank’s corporate organisational structure for purposes consistent with AML laws and regulations.

A bank that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to the SAR reporting requirement or any other authority, including a disclosure made jointly with another institution, is protected from liability for any such disclosure and for failure to provide notice of such disclosure to any person identified in the disclosure.

Correspondent banking⁷

If a bank provides correspondent banking accounts for non-US banks, the bank must establish a due diligence programme that includes risk-based policies, procedures, and controls ‘reasonably designed’ to enable the bank to detect (and report, as necessary) on an ongoing basis, any known or suspected money laundering activity conducted through or involving the correspondent account. The required policies, procedures, and controls must include an assessment of the money laundering risk presented by the account, based on a consideration of all relevant factors, including the nature of the bank’s business and customers, the categories of activities in which the bank engages in through that account; and any available information about the correspondent bank’s own AML record and a periodic review of the activity in the correspondent account to determine consistency with information obtained about the type, purpose and anticipated activity of the account.

Additional enhanced risk-based procedures are required if the correspondent bank has an offshore banking licence (a banking licence that prohibits the bank from conducting business with citizens in the jurisdiction which granted the licence) or a banking licence issued by a country that has been identified as a money laundering concern. The enhanced due diligence procedures require the US bank to conduct heightened scrutiny of the correspondent account to guard against money laundering and to identify and report any suspicious transactions in accordance with applicable law and regulation. This heightened scrutiny must include obtaining and assessing the sufficiency of the correspondent bank’s own AML compliance programme and monitoring transactions to, from, or through the correspondent account in a manner reasonably designed to detect money laundering and suspicious activity.

In addition, if the correspondent bank maintains its own correspondent bank accounts for other non-US banks, then the US bank must obtain information about those other non-US banks in order to assess the money laundering risks associated with those other accounts.

Politically exposed persons⁸

In addition to special rules for correspondent accounts, a US bank also must maintain a special due diligence programme for certain private bank accounts it establishes for certain non-US individuals. The programme includes policies, procedures, and controls that are reasonably designed to detect and report any known or suspected money laundering or suspicious activity conducted through or involving those private banking accounts. This applies to banking accounts established by or for the benefit of non-US persons with a minimum of US$1 million in assets and assigned to a special private banking relationship manager. The due diligence programme must: (i) identify all nominal and beneficial owners of the private banking account and determining whether any of them are current or former senior non-US governmental or political figures or close friends and family members (collectively known as politically exposed persons or PEPs); (ii) determine the source(s) of funds deposited into the private banking account and the purpose and expected use of the account; (iii) undertake a periodic review of the activity of the account to ensure that it is consistent with the information obtained about the client’s source of funds and expected use of the account; and (iv) scrutinise the account for suspicious activity and determine the need to file a SAR.

If any PEP is a beneficial owner of the private banking account, then the bank’s due diligence programme must require enhanced scrutiny to detect and report transactions that may involve the ‘proceeds of foreign corruption’. This would include any asset or property acquired by, through, or on behalf of a PEP through misappropriation, theft, or embezzlement of public funds; the unlawful conversion of property of a foreign government; or through acts of bribery or extortion.

Shell banks⁹

A US bank is prohibited from establishing correspondent accounts for non-US banks that maintain no physical presence in any country (shell banks). The US bank must take reasonable steps to ensure that correspondent accounts for non-US banks are not being used to indirectly provide banking services to shell banks. This includes obtaining a certification from each of its non-US correspondent banks declaring the account is not being used to provide services to shell banks. A bank must obtain the name and street address of a person who resides in the United States and is authorised, and has agreed to be an agent, to accept service of legal process for records regarding each account. The US bank also must maintain records in the United States identifying the owners of each non-US correspondent bank whose shares are not publicly traded, unless the non-US correspondent bank regularly files a list of its owners with the Federal Reserve Board.

The certification must be renewed at least once every three years. Many non-US banks maintain these certifications on their websites for their own convenience and the convenience of US banks.

Cash reporting requirements¹⁰

US banks must report each deposit, withdrawal, exchange of currency or other payment or transfer, by, through, or to a financial institution where it involves a transaction in currency of more than US$10,000. These reports are filed electronically with FinCEN. Multiple currency transactions during the same business day must be treated as a single transaction if the bank has knowledge that they are by or on behalf of the same person and aggregate more than US$10,000. Structuring cash transactions to avoid the reporting requirements is illegal.

Record-keeping requirements¹¹

Records of each cash transaction report must be maintained for at least five years. In addition, a bank also must maintain a sufficient record of its operations in order to recreate a customer’s transactions.

AML laws and regulations allow for information sharing between government agencies and financial institutions, and information sharing between financial institutions¹².

Information sharing between government and financial institution

FinCEN – acting on its own behalf, on behalf of another unit in the Treasury Department, or at the request of a federal, state, local or foreign law enforcement agency investigating terrorist activity or money laundering – may request the solicitation of certain information from a financial institution. If a request has been submitted to FinCEN, it must be accompanied by a written certification that states that each person or entity about which the law enforcement agency is seeking information is engaged in, or is reasonably suspected based on credible evidence of engaging in, terrorist activity or money laundering, and includes enough identifying information (including date of birth, address, and social security number), that would permit a financial institution to differentiate between common or similar names.

Once the financial institution has received the request from FinCEN, then the financial institution must ‘expeditiously’ search its records to determine whether it maintains or has maintained any account for, or has engaged in any transaction with, each person or entity named in the request. Unless otherwise specified in the information request, a financial institution need only search its records for current accounts and accounts maintained during the preceding 12 months, as well as recent transactions.

The information contained in the request from FinCEN is considered confidential and cannot be used by the financial institution for any purpose other than reporting the results of the search conducted pursuant to the request, determining whether to establish or maintain an account, or to engage in a transaction, or assisting the financial institution in complying with any other AML requirement. The financial institution is also prohibited from disclosing to any person (other than FinCEN or the requesting agency named in the information request), including the target of the request, the fact that FinCEN has requested or obtained information pursuant to the request, except to the extent necessary to comply with such an information request. The financial institution is required to have policies, procedures and controls in place to protect the security and confidentiality of these requests. A financial institution is not required to take any action with respect to the account or transaction for a target (such as declining a transaction or closing an account).

Information sharing between financial institutions

A financial institution may – without fear of liability for disclosing such information – transmit, receive, or otherwise share information with any other financial institution regarding individuals, entities, organisations and countries for the purposes of identifying and, where appropriate, reporting activities that the financial institution suspects may involve possible terrorist activity or money laundering. Prior to doing this, the financial institution must file with FinCEN a notice on an annual basis indicating that it intends to engage in information sharing.

Prior to sharing information, the financial institution must take reasonable steps to verify that the other financial institution with which it intends to share information has also submitted to FinCEN an informationsharing notice. It can either obtain this verification directly from the other financial institution or it can review a list that FinCEN periodically makes available of financial institutions that have filed an information sharing notice.

Information shared between financial institutions may not be used for any purpose other than identifying and, where appropriate, reporting on money laundering or terrorist activities; determining whether to establish or maintain an account, or to engage in a transaction; or assisting the financial institution in complying with any other AML regulations. Each financial institution that engages in the sharing of information must maintain adequate procedures to protect the security and confidentiality of such information. If, as a result of the information shared, a financial institution knows, suspects, or has reason to suspect that an individual, entity, or organisation is involved in, or may be involved in, terrorist activity or money laundering, it must file a SAR if it is subject to that requirement.

Section 311 of the USA Patriot Act gives FinCEN the authority to issue regulations imposing special measures against a non-US jurisdiction, institution, class of transaction, or type of account that is considered to be of ‘primary money laundering concern.’ The special measures can include prohibiting the opening or maintaining of correspondent accounts for a financial institution against which special measures have been imposed and conducting due diligence to prevent a correspondent account from being used indirectly by such an institution. Since 2002, the Director of FinCEN has imposed special measures against several non-US financial institutions.

Violations of these AML laws and regulations carry civil and criminal penalties¹⁴.

Criminal penalties range from imprisonment for up to 5–10 years and criminal fines ranging from US$250,000 to US$500,000. Any person convicted of knowingly making any false, fictitious or fraudulent statement or representation in any required report can be fined not more than US$10,000 or be imprisoned not more than five years, or both.

Civil penalties range from US$500 for negligent violations, US$1,000 for record-keeping violations, and between US$25,000 and US$100,000 for other violations. Civil penalties up to the amount of money involved in the transaction may be imposed for any wilful violation of the structuring prohibitions. Civil penalties are usually imposed by the regulatory agencies through an administrative enforcement action and can amount to millions of dollars. For example, on June 15, 2015, FinCEN announced a US$4.5 million civil money penalty against Bank of Mingo of Williamson, West Virginia (Mingo), for wilfully violating the Bank Secrecy Act, due to ‘severe and systemic failures’ in its AML compliance programme. FinCEN noted that those failures led to the bank processing millions of dollars in structured and suspicious cash transactions.¹⁵