Banks that are seeking to establish direct branches or subsidiaries outside of their home jurisdictions have the added requirement of complying with all the regulations imposed in each jurisdiction in which they operate. The US is a particularly complicated jurisdiction due to the vigilance and activity of the regulators and the complexity of the regulations. It has a series of laws dealing with AML/CTF, which for the most part are consolidated in the Bank Secrecy Act. The Bank Secrecy Act has been amended many times since its enactment in 1970, most notably by the USA Patriot Act, which was enacted after the September 11, 2001, terrorist attacks in the United States.1 The primary regulator responsible for enforcing these laws is the Financial Crimes Enforcement Network (FinCEN), a unit of the US Treasury Department, which has promulgated regulations to implement the statutory provisions.2 FinCEN has jurisdiction over US branches and agencies of non-US banks regardless of where the bank is headquartered.
Pursuant to a delegation from FinCEN, US branches and agencies of non-US banks are examined for AML compliance by one of three regulators: the Board of Governors of the Federal Reserve System (Federal Reserve Board) for state-licensed branches and agencies of non-US banks, the Comptroller of the Currency (OCC) for federal branches and agencies of non-US banks licensed by the US Treasury Department, or the Federal Deposit Insurance Corporation (FDIC) for those few branches of non-US banks that carry federal deposit insurance.
A significant number of enforcement actions brought by US banking regulators against non-US banks have come about because of lax compliance with AML laws and regulations – since 2013, there have been at least five enforcement actions brought against US offices of non-US banks by the Federal Reserve Board. Remedial actions ordered included a comprehensive review by an outside consultant approved by the Federal Reserve Board, preparation and submission of an enhanced AML compliance programme and preparation and submission of a plan to enhance management oversight of the AML compliance programme.
A summary of significant AML laws and regulations applicable to a US branch or agency of a non-US bank is provided below.
Every bank must have an AML compliance programme that at a minimum:
- Provides for a system of internal controls to assure ongoing compliance
- Provides for independent testing for compliance to be conducted by bank personnel or by an outside party
- Designates an individual or individuals responsible for coordinating and monitoring day-to-day compliance
- Provides training for appropriate personnel.
Customer ID programme4
Every bank must establish a customer identification programme (CIP), which requires a bank to obtain, verify and retain certain information about each customer. When establishing a new banking relationship, the bank must first obtain certain basic identifying information about the customer (name, address, date of birth, identification number). The CIP must include risk-based procedures for verifying the identity of each customer in order to enable the bank to form a reasonable belief that it knows the true identity of each customer. These procedures must be based on the bank’s assessment of the relevant risks, including those presented by the various types of accounts maintained by the bank, the various methods of opening accounts provided by the bank, the various types of identifying information available, and the bank’s size, location, and customer base.
Suspicious transaction reporting5
One of the key requirements of the AML laws and regulations is the requirement that certain financial institutions such as banks file suspicious activity reports (SARs). Every bank must file a SAR with respect to a possible violation of law or regulation. Even when not required, a bank may use the SAR to report any suspicious transaction that it believes is relevant to the possible violation of any law or regulation.
For a transaction conducted or attempted by, at, or through a bank and which involves or aggregates at least US$5,000 in funds or other assets, a SAR is required where the bank knows, suspects, or has reason to suspect that:
- The transaction involves funds derived from illegal activities, or is intended or conducted in order to hide or disguise funds or assets derived from illegal activities as part of a plan to violate or evade any US law or regulation or to avoid any transaction reporting requirement under US law or regulation.
- The transaction is designed to evade any AML law or regulatory requirement.
- The transaction has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage, and the bank knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.
SARs must be filed with FinCEN no later than 30 calendar days after the date of initial detection by the bank of facts that may constitute a basis for filing a SAR. Additional SARs may need to be filed periodically containing updated information for continuing violations. In situations involving violations that require immediate attention (such as ongoing criminal activity) the bank must immediately notify by telephone an appropriate law enforcement authority, in addition to filing a SAR.6
Generally, a bank, and its directors, officers, employees, or agents, are prohibited from disclosing a SAR or any information that would reveal the existence of a SAR. However, provided that no person involved in activity leading to the filing of the SAR is notified, the bank (and its directors, officers, employees, or agents) may disclose information that would reveal the existence of a SAR to FinCEN or to any applicable Federal, State, or local law enforcement or regulatory agency; disclose the underlying facts, transactions, and documents upon which a SAR is based to another financial institution for the preparation of a joint SAR or in connection with certain employment references or termination notices; and disclose the SAR and related information within the bank’s corporate organisational structure for purposes consistent with AML laws and regulations.
A bank that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to the SAR reporting requirement or any other authority, including a disclosure made jointly with another institution, is protected from liability for any such disclosure and for failure to provide notice of such disclosure to any person identified in the disclosure.
If a bank provides correspondent banking accounts for non-US banks, the bank must establish a due diligence programme that includes risk-based policies, procedures, and controls ‘reasonably designed’ to enable the bank to detect (and report, as necessary) on an ongoing basis, any known or suspected money laundering activity conducted through or involving the correspondent account. The required policies, procedures, and controls must include an assessment of the money laundering risk presented by the account, based on a consideration of all relevant factors, including the nature of the bank’s business and customers, the categories of activities in which the bank engages through that account, and any available information about the correspondent bank’s own AML record. They must also include a periodic review of the activity in the correspondent account to determine consistency with information obtained about the type, purpose and anticipated activity of the account.
Additional enhanced risk-based procedures are required if the correspondent bank has an offshore banking licence (a banking licence that prohibits the bank from conducting business with citizens in the jurisdiction which granted the licence) or a banking licence issued by a country that has been identified as a money laundering concern. The enhanced due diligence procedures require the US bank to conduct heightened scrutiny of the correspondent account to guard against money laundering and to identify and report any suspicious transactions in accordance with applicable law and regulation. This heightened scrutiny must include obtaining and assessing the sufficiency of the correspondent bank’s own AML compliance programme and monitoring transactions to, from, or through the correspondent account in a manner reasonably designed to detect money laundering and suspicious activity.
In addition, if the correspondent bank maintains its own correspondent bank accounts for other non-US banks, then the US bank must obtain information about those other non-US banks in order to assess the money laundering risks associated with those other accounts.
Politically exposed persons8
In addition to special rules for correspondent accounts, a US bank also must maintain a special due diligence programme for certain private bank accounts it establishes for certain non-US individuals. The programme includes policies, procedures, and controls that are reasonably designed to detect and report any known or suspected money laundering or suspicious activity conducted through or involving those private banking accounts. This applies to banking accounts established by or for the benefit of non-US persons with a minimum of US$1 million in assets and assigned to a special private banking relationship manager. The due diligence programme must: (i) identify all nominal and beneficial owners of the private banking account and determine whether any of them are current or former senior non-US governmental or political figures or close friends and family members (collectively known as politically exposed persons or PEPs); (ii) determine the source(s) of funds deposited into the private banking account and the purpose and expected use of the account; (iii) undertake a periodic review of the activity of the account to ensure that it is consistent with the information obtained about the client’s source of funds and expected use of the account; and (iv) scrutinise the account for suspicious activity and determine the need to file a SAR.
If any PEP is a beneficial owner of the private banking account, then the bank’s due diligence programme must require enhanced scrutiny to detect and report transactions that may involve the ‘proceeds of foreign corruption’. This would include any asset or property acquired by, through, or on behalf of a PEP through misappropriation, theft, or embezzlement of public funds; the unlawful conversion of property of a foreign government; or through acts of bribery or extortion.
A US bank is prohibited from establishing correspondent accounts for non-US banks that maintain no physical presence in any country (shell banks). The US bank must take reasonable steps to ensure that correspondent accounts for non-US banks are not being used to indirectly provide banking services to shell banks. This includes obtaining a certification from each of its non-US correspondent banks declaring the account is not being used to provide services to shell banks. A bank must obtain the name and street address of a person who resides in the United States and is authorised, and has agreed to be an agent, to accept service of legal process for records regarding each account. The US bank also must maintain records in the United States identifying the owners of each non-US correspondent bank whose shares are not publicly traded, unless the non-US correspondent bank regularly files a list of its owners with the Federal Reserve Board.
The certification must be renewed at least once every three years. Many non-US banks maintain these certifications on their websites for their own convenience and the convenience of US banks.
Cash reporting requirements10
US banks must report each deposit, withdrawal, exchange of currency or other payment or transfer, by, through, or to a financial institution where it involves a transaction in currency of more than US$10,000. These reports are filed electronically with FinCEN. Multiple currency transactions during the same business day must be treated as a single transaction if the bank has knowledge that they are by or on behalf of the same person and aggregate more than US$10,000. Structuring cash transactions to avoid the reporting requirements is illegal.
Records of each cash transaction report must be maintained for at least five years. In addition, a bank also must maintain a sufficient record of its operations in order to recreate a customer’s transactions.