What to Know About FinCEN’s Proposed Pilot Program on SAR Sharing
On January 24, 2022, the Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking1 (NPRM) pursuant to Section 6212(a) of the Anti-Money Laundering Act of 2020 (AML Act)2 for a pilot program that would permit financial institutions to share suspicious activity reports (SARs) and related information with their foreign branches, subsidiaries, and affiliates (foreign affiliates) 3 for the purpose of combatting illicit finance risks. Although the proposed rule would provide participating institutions with greater flexibility to share SARs internationally throughout their organizations, financial institutions will need to evaluate whether the benefits of the pilot program justify the additional compliance and reporting obligations.
Comment letters are due on March 28, 2022.
Under the Bank Secrecy Act of 1970 and FinCEN’s implementing regulations (BSA), SARs are subject to strict confidentiality requirements. A filing entity cannot notify anyone involved in the suspicious transaction that the transaction has been reported.4 And, historically, under FinCEN’s implementing regulations, the filing entity could only reveal the existence of the SAR to law enforcement agencies, banking regulators, and FinCEN.
In 2006 and 2010, FinCEN issued guidance confirming that under the BSA: (a) a US branch or agency of a foreign bank may share SARs and related information with its head office; (b) a US depository institution may share SARs and related information with its controlling entity (whether domestic or foreign);5 and (c) a US depository institution may share SARs and related information with any US affiliates within the US financial institutions’ corporate structure provided that the affiliate is subject to a SAR regulation.6
The AML Act of 2020 provided, for the first time, a mechanism to allow financial institutions to lawfully share SARs and related information with their foreign branches, subsidiaries, and affiliates for the purpose of combating illicit finance risks;7 however, until FinCEN’s pilot program is operational, sharing SARs with a foreign affiliate remains prohibited.
The Proposed Pilot Program
The most notable feature of the proposed pilot program is the additional set of compliance obligations that would be imposed on financial institutions that opt in. As described in more detail below, a financial institution interested in sharing SARs and related information with its foreign affiliates would be required to apply to FinCEN, receive approval, notify FinCEN that it intends to begin sharing information, submit quarterly reports, and of course, maintain proper internal controls to protect the confidentiality of the SARs and any related information. Any unauthorized disclosure of a SAR or related information would be required to be immediately reported to FinCEN, and foreign affiliates would be held liable for those unauthorized disclosures.
- Application Process. Before sharing any SAR, a financial institution would be required to apply to and receive approval from FinCEN. The application would include (1) a designated point of contact for pilot program-related correspondence; (2) a list of the foreign affiliates with which the financial institution plans to share any SARs; (3) an explanation of the purpose(s) for which the foreign affiliates would use the SARs, “including the operational jurisdictions of such entities” and whether the foreign entities will provide reciprocal information to the applicant financial institution;8 (4) an estimated date of when the institution would begin sharing information with foreign affiliates; and (5) a description of the internal controls that the foreign affiliate will have in place to protect SAR confidentiality and to prevent any unauthorized disclosures.
- Approval. As proposed, FinCEN would have sole discretion 9 to approve or deny applications to participate in the pilot program, and FinCEN could condition approval of an application on the applicant institution adopting additional controls. Once an application is approved, a participating financial institution could not materially modify the policies and procedures outlined in the application without written approval from FinCEN. Additionally, FinCEN, in its sole discretion, could terminate a financial institution’s participation in the pilot program for good cause, including that termination would be consistent with the considerations in 31 U.S.C. § 5318(g)(8)(A).10 Given that the pilot program, which is not yet in place, could end on January 1, 2024, FinCEN stated that it will make every effort to expeditiously review applications and will seek to provide decisions on applications within 90 days of receipt. Although there are only about 26 months between the end of the comment period and the scheduled end of the pilot program, the Treasury Secretary may extend the pilot program for up to two years upon notice to Congress.11
- Pre-Commencement Notice. Even after receiving approval from FinCEN to participate in the program, a financial institution would also be required to provide FinCEN with “advance written confirmation of the commencement date” on which the financial institution intends to begin sharing SARs and related information with its foreign affiliates.12
- Quarterly Reports. Once a financial institution begins to provide its foreign affiliates with SARs or related information, the institution would be required to provide FinCEN with quarterly reports. The quarterly reports would include information on: (1) the total number of SARs that were shared; (2) the name and jurisdiction of each foreign affiliate that received a SAR or related information as well as (a) the affiliate’s relationship to the financial institution and (b) the purposes for which the SAR was shared; (3) any legal or compliance issues that the financial institution experienced as a result of its participation in the program; (4) any technical difficulties or challenges that the financial institution encountered while participating; (5) any enhancements that the participating institution made to its AML/CFT program “including reallocation of resources to higher-priority AML/CFT risks enabled as a result of the financial institution’s participation in the pilot program”; and (vi) “[l]essons learned arising from the financial institution’s participation in the pilot program, to include any identified deficiencies.”13 Importantly, FinCEN intends to share the quarterly reports, which may include information on legal or compliance issues that the financial institution experienced as a result of its participation in the program, with the financial institution’s federal functional regulator.14
- Internal Controls. A financial institution interested in sharing SARs with its foreign affiliates should have “reasonably designed” policies in place to protect the confidentiality of those SARs and related information. The controls would need to include: (1) written confidentiality agreements or arrangements for any personnel working at foreign affiliates who would receive access to SARs and related information; (2) policies and provisions for the secure transmission and storage of SARs and related information; (3) policies and procedures for personnel in the US to use any time the financial institution or its foreign affiliate receives a request from foreign authorities for information on a SAR;15 and (4) recordkeeping procedures sufficient to “readily report” to FinCEN which foreign affiliates have received any specific SARs or related information. Note that under the proposed rule, FinCEN can request copies of these policies and procedures and can share them with other relevant agencies.
- Unauthorized Disclosures. Participating financial institutions would be required to notify FinCEN immediately if they discover that there has been an unauthorized disclosure of a SAR or any related information. The proposal also provided that foreign affiliates that receive SARs and related information through the pilot program could be held liable for the unlawful disclosure of that information.
Notably, the application, pre-commencement notice, and quarterly reports are not directly mandated by statute. Rather, the AML Act gives FinCEN the authority to promulgate rules that will ensure that any SAR information that is shared is (i) limited by the requirements of federal and state law enforcement, (ii) takes into account any concerns of the intelligence community, and (iii) “is subject to appropriate standards and requirements regarding data security and the confidentiality of personally identifiable information.”16
Several additional aspects of the new rule bear emphasis.
- Not all SARs. The pilot program would only apply to SARs filed under 31 U.S.C. § 5318(g). SARs filed under the regulations of the federal banking agencies, such as SARs filed on insider abuse (e.g., 12 C.F.R. §§ 21.11(c)(1), 163.180(d)(3)(i), 208.62(c)(1), 353(a)(1)), 748.1(c)(1)(i)), are excluded from the pilot program.
- Certain Affiliates Excluded. The pilot program would exclude foreign affiliates located in (1) the People’s Republic of China; (2) the Russian Federation; or (3) “a jurisdiction that is a state sponsor of terrorism, that is subject to sanctions imposed by the Federal Government, or that the Secretary [of the Treasury] has determined cannot reasonably protect the security and confidentiality of such information.”17 However, the Secretary of the Treasury may make exceptions on a case-by-case basis for institutions located in China or the Russian Federation so long as notice is provided to the House Committee on Financial Services and the Senate Committee on Banking, Housing, and Urban Affairs.18
- No Offshoring Compliance. Financial institutions cannot use the pilot program to establish or maintain BSA/AML operations outside the US.19
Request for Comment
Interested parties may comment on any aspect of the proposed rule, but FinCEN has specifically requested comments in response to nine questions assessing the merits of the program as currently designed:
- Describe the expected costs and associated burdens of complying with the proposed pilot program requirements, to the extent that a financial institution chooses to participate.
- Describe the expected impact, including costs and/or associated burdens, of complying with the statutory prohibition on offshoring compliance operations within the context of the proposed pilot program.
- Describe expected technical challenges to implementation that could make it harder or more expensive to participate in the pilot program.
- Describe the expected benefits to a financial institution from being permitted to share SARs and related information with a foreign branch, subsidiary, or affiliate for the purpose of combating illicit finance risks. Would the proposed sharing of SARs and related information enable a financial institution to shift or allocate resources to higher priority AML/CFT risks?
- Has FinCEN struck a reasonable balance between facilitating information sharing of SARs and related information permitted under the pilot program and imposing conditions to protect the confidentiality and prevent unauthorized disclosures of SARs and related information? If not, how could FinCEN more reasonably balance these considerations?
- Describe potential challenges in protecting the confidentiality of SARs and related information and preventing unauthorized disclosures in connection with participation in the pilot program. Are there additional provisions FinCEN could include in the pilot program that would better enable a financial institution to comply with the program confidentiality requirements and ensure accurate reporting? How does a financial institution expect to protect SAR confidentiality and prevent unauthorized SAR disclosures if foreign regulatory examinations of foreign affiliates of U.S. financial institutions requests access to such foreign institutions’ files? Are there jurisdictions in which this information would be subject to disclosure to non-government parties by legal process?
- For the quarterly reports FinCEN is proposing to require, are there any other particular metrics FinCEN should include in the current list for required feedback?
- Is FinCEN’s proposed timeline of 90 days to respond to application requests reasonable? Would such a timeline encourage financial institutions to participate in the pilot program?
- Should FinCEN consider a broader, longer-term program that would enable financial institutions to share SARs and related information with their foreign branches, subsidiaries, and affiliates for the purpose of combating illicit finance risks?
FinCEN also proposed an additional four “General Questions for Comment”:
In addition to the questions listed above, FinCEN invites comment on: (a) whether the proposed collection of information is necessary for the proper performance of the functions of FinCEN, including whether the information will have practical utility; (b) the accuracy of the estimated burden associated with the proposed collection of information; (c) how the quality, utility, and clarity of the information to be collected may be enhanced; and (d) how the burden of complying with the proposed collection of information may be minimized, including through the application of automated collection techniques or other forms of information technology.
Although the financial services industry has long requested that financial institutions be allowed to share SARs with their foreign affiliates, the pilot program—as currently designed—may not prove popular with many financial institutions. Because the proposed pilot program requires financial institutions to volunteer to jump through several additional regulatory hoops and take on additional reporting obligations, many institutions with SAR filing requirements may decide that participating in the pilot program is not worth the trouble or additional regulatory scrutiny. On the other hand, because FinCEN intends to use the pilot program to gather feedback as it develops a longer-term approach to SAR sharing, institutions with a vested interested in having the ability share SARs with foreign affiliates may find the program (and the notice and comment process) to be a useful opportunity to influence FinCEN’s decision-making.
Financial institutions interested in commenting on the NPRM have until March 28, 2022 to submit a comment letter.
* * * * *
Financial institutions with questions about the proposed rule or the notice and comment process can reach out to the authors or any of their colleagues in Arnold & Porter’s Financial Services Group.
© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
Pilot Program on Sharing of Suspicious Activity Reports and Related Information with Foreign Branches, Subsidiaries, and Affiliates, 87 Fed. Reg. 3719 (proposed Jan. 25, 2022).
The AML Act was enacted on January 1, 2021 as part of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021. The current proposed rule is one of many required by Congress under the new law. For a longer discussion of the changes made by the AML Act, see Arnold & Porter, BSA/AML Reform Under the NDAA(Jan. 5, 2021).
The definition of “affiliate” under 31 U.S.C. § 5318(g)(11) (and the pilot program itself) is “an entity that controls, is controlled by, or is under common control with another entity.” According to FinCEN, the “broad nature of that definition,” means that the word “affiliate” is functionally synonymous with the phrase “foreign branches, subsidiaries, and affiliates” for the purposes of the pilot program. See Pilot Program on Sharing of Suspicious Activity Reports and Related Information with Foreign Branches, Subsidiaries, and Affiliates, 87 Fed. Reg. 3719, 3724 (proposed Jan. 25, 2022). In keeping with that understanding, in talking about the pilot program, we will use the term “foreign affiliates” to refer to “foreign branches, subsidiaries, or affiliates.”
FinCEN, Board of Governors of the Federal Reserve System (FRB), Office of the Comptroller of the Currency (OCC), Federal Depository Insurance Corporation (FDIC), and the Office of Thrift Supervision (OTS), Interagency Guidance on Sharing Suspicious Activity Reports with Head Offices and Controlling Companies (Jan. 20, 2006).
FinCEN, FIN-2010-G006, Sharing Suspicious Activity Reports by Depository Institutions with Certain U.S. Affiliates (Nov. 23, 2010).
If the foreign affiliates will share reciprocal information on suspicious transactions, the information received from the foreign affiliate will be subject to the confidentiality requirements described in 31 U.S.C. § 5318(g)(1).
Although FinCEN is not required to consult a financial institution’s regulators, FinCEN has indicated that it will consult with the financial institution’s functional federal regulators. Pilot Program on Sharing of Suspicious Activity Reports and Related Information with Foreign Branches, Subsidiaries, and Affiliates, 87 Fed. Reg. 3719, 3722, n.37 (proposed Jan. 25, 2022).
These considerations are that SAR sharing (1) “is limited by the requirements of Federal and State law enforcement operations;” (2) “takes into account potential concerns of the intelligence community;” and (3) “is subject to appropriate standards and requirements regarding data security and the confidentiality of personally identifiable information.” 31 U.S.C. § 5318(g)(8)(A).
Pilot Program on Sharing of Suspicious Activity Reports and Related Information with Foreign Branches, Subsidiaries, and Affiliates, 87 Fed. Reg. 3719, 3723 (proposed Jan. 25, 2022). The January 1, 2024 sunset provision was mandated by Congress in the AML Act.
Pilot Program on Sharing of Suspicious Activity Reports and Related Information with Foreign Branches, Subsidiaries, and Affiliates, 87 Fed. Reg. 3719, 3728 (proposed Jan. 25, 2022).
Pilot Program on Sharing of Suspicious Activity Reports and Related Information with Foreign Branches, Subsidiaries, and Affiliates, 87 Fed. Reg. 3719, 3728 (proposed Jan. 25, 2022).
Pilot Program on Sharing of Suspicious Activity Reports and Related Information with Foreign Branches, Subsidiaries, and Affiliates, 87 Fed. Reg. 3719, 3723 (proposed Jan. 25, 2022).
A financial institution must notify FinCEN any time the financial institution or its foreign affiliate receives a request for information on a SAR from foreign law enforcement, foreign regulators, or other foreign entities.