August 23 2002

Continuing Compliance with the USA Patriot Act

Sidley Austin LLP | Banking & Financial Services - USA

Connie M. Friesen

USA Patriot Act
Anti-money Laundering Programme
Customer Identification - 'Know Your Customer'
Suspicious Activity Reports
Regulation of Correspondent Accounts
Reporting Currency Transactions
Improvement of Information Sharing
Enhanced Due Diligence
Comment


For financial institutions, compliance obligations related to the fight against terrorism and money laundering have increased dramatically over the past 10 months. This update traces the development of these new regulatory requirements and makes some suggestions for ongoing compliance.

USA Patriot Act

On October 26 2001 President George W Bush signed the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA Patriot Act),(1) an ambitious and broadly focused anti-money laundering statute enacted in the wake of the events of September 11 2001. The act's main purpose is to give law enforcement agencies the necessary tools to detect and prevent future terrorist attacks. Title 3 of the act contains significant new compliance requirements for financial institutions with respect to the detection and prevention of money laundering, and amends portions of the Bank Secrecy Act 1970.(2)

One of the major initiatives introduced by the act is the extension of anti-money laundering requirements to many different types of financial institution. The act uses the same definition of 'financial institution' as that found in the Bank Secrecy Act.(3) The term includes, among other entities:

  • any insured bank;

  • a commercial bank or trust company;

  • a private banker;

  • an agency or branch of a foreign bank in the United States;

  • a thrift institution; and

  • a loan finance company.

Some of the act's provisions apply only to 'covered financial institutions', a term meant to define a smaller subset of the broader term found in the Bank Secrecy Act. These include banks, branches and agencies of foreign banks, trust companies and private bankers. The act provides rulemaking authority over its provisions to the secretary of the Treasury, the Federal Reserve Board and several other federal agencies.

Implementation
The Treasury has issued proposed rules, interim final rules and final rules with impressive speed over the past 10 months. The following discussion explains what the new requirements are and the position which financial institutions are expected to have reached at this point in the implementation timeline of the USA Patriot Act. Although banks have long been subject to currency transaction reports under the Bank Secrecy Act, they are finding it difficult to determine precisely what rules apply in verifying customer identity, filing suspicious activity reports and monitoring correspondent account relationships. In this respect, the plethora of Treasury rules have created some confusion.

Some Treasury rules - such as that requiring financial institutions to establish anti-money laundering programmes - have been adopted as interim final rules. These are effective until they are replaced by a final rule. Other Treasury rules - such as that requiring financial institutions to verify the identity of persons seeking to open accounts - have been published as proposed rules. These do not have legal effect and are released in order to receive public comments on the provisions. The Treasury's publication of numerous proposed rules has led to some situations in which financial institutions have a statute that is applicable to their activities, but no final guidance on how to comply with the statute.

The most significant change resulting from the act has been the broadly based requirement that each financial institution adopt an anti-money laundering programme. This programme and related policies and procedures are expected to include:

  • new customer identification or 'know your customer' procedures;

  • greater attention to suspicious activity reporting;

  • a certification programme for correspondent accounts;

  • more broadly based reporting of certain currency transactions;

  • information-sharing policies and procedures; and

  • enhanced due diligence for certain correspondent accounts and private banking accounts.

Anti-money Laundering Programme

Before the initial April 24 2002 deadline for financial institutions to adopt anti-money laundering programmes, there was considerable confusion about precisely what should be included in such programmes and which types of financial institution were required to adopt them. Section 352 of the act requires a financial institution to adopt an anti-money laundering programme that contains four key elements:

  • policies and procedures meant to detect money laundering;

  • designation of a compliance officer to oversee the implementation and enforcement of anti-money laundering policies and procedures;

  • ongoing employee training in the prevention and detection of money laundering; and

  • adoption of an independent audit programme to test the financial institution's overall compliance.

On April 23 2002, just before the deadline for anti-money laundering programme adoption, the Treasury issued four interim final rules under Section 352 of the act. These interim final rules related to different types of financial institutions and have different compliance deadlines. Under the terms of the April 23 2002 interim final rules entities such as banks, savings associations and credit unions were given an April 24 2002 deadline for compliance. Money services businesses, operators of credit cards and mutual funds had a July 24 2002 deadline for compliance. Other entities - such as loan finance companies and private bankers - have an October 24 2002 deadline.

Customer Identification - 'Know Your Customer'

A cornerstone of the act is attention to the sometimes troublesome customer identification requirement commonly referred to as 'know your customer' (KYC). While nearly everyone associated with existing anti-money laundering efforts seems to concur that KYC rules are important, there has been disagreement over precisely what information is required and how it should be obtained, recorded and verified. Section 326 of the act requires financial institutions to implement KYC policies and procedures to verify the identity of persons wishing to open an account with the financial institution. Section 326 also requires that financial institutions maintain accurate records of the persons and entities that hold accounts with the financial institution. Additionally, Section 326 requires that financial institutions verify that these persons are not on government lists of terrorist persons or terrorist organizations.

One of the primary government lists is maintained by the Department of the Treasury's Office of Foreign Assets Control (OFAC). This releases lists of so-called 'specially designated nationals' and sanctioned countries and territories. Financial institutions may face stiff fines and even imprisonment if they are found to be conducting business with an OFAC-blocked or designated entity or geographic area. Certain software systems are available which search financial institution transactions and databases to flag transactions or accounts with such parties and locations so they can be blocked or so other necessary steps may be taken, such as the freezing of accounts or the required notification.

Implementation
On July 17 2002 the Treasury issued five proposed rules, sometimes referred to as the Customer Identification Programme rules, to implement Section 326 of the act. Under the act, final rules implementing Section 326 must be effective by October 25 2002. Thus, the Treasury must adopt a final rule under Section 326 that requires financial institution compliance by October 25 2002. The proposed rules set forth the Section 326 requirements separately for certain types of entity, including:

  • banks and trust companies;

  • savings associations and credit unions; and

  • non-federally regulated banking institutions.

In issuing the proposed rules the Treasury recognized that Section 326 covers all financial institutions, as that term is defined in the Bank Secrecy Act. Nonetheless, in the interest of meeting the October 25 2002 deadline, the proposed rules only prescribe regulations for certain types of entity, including those mentioned above.

The proposed rules specify that certain identifying information must be obtained from customers, including the customer's name, address, date of birth and an identification number (for US persons a social security number and for non-US persons a similar number from a government-issued document). Customers with signature authority over business accounts must also furnish substantially similar information. The financial institution must also have procedures for employees on how to verify the accuracy of the information provided, and other procedures on what steps the employee may take if the employee is unable to verify the identity of the customer or the information provided. It is contemplated that financial institutions will generally use the same methods of identity verification that they have in place, such as examining driver's licences, passports, credit reports and other similar means. The proposed rules all require financial institutions to maintain customer records for at least five years after the date on which the account is closed.

Suspicious Activity Reports

Section 356 expands the types of financial institution required to file reports on 'suspicious transactions'.(4) Based on suspicious activity reporting requirements of the Bank Secrecy Act, the expanded suspicious activity reporting requirements mandated by Section 356 have sometimes been confusing and difficult to implement. The reports, called suspicious activity reports, are filed with the Department of the Treasury's Financial Crimes Enforcement Network (FinCEN). Suspicious activity information is made available by electronic means to law enforcement officials and is used to prosecute persons involved in criminal activity. Banks, bank holding companies and broker-dealers that are affiliates and subsidiaries of banks and bank holding companies already had suspicious transaction reporting obligations prior to the passage of the act.

On June 28 2002 the Treasury issued a final rule under Section 356 of the act that extends the suspicious activity reporting requirements to all broker-dealers registered with the US Securities and Exchange Commission (SEC) that are located in the United States, irrespective of whether such broker-dealers are affiliated with banks. The effective date for compliance by broker-dealers is January 1 2003.

Regulation of Correspondent Accounts

Obtaining required correspondent account certifications under the act has been difficult for many financial institutions. While the Treasury has helpfully provided a sample certification form for banks, covered financial institutions have generally found it difficult to determine the parameters of a correspondent account that gives rise to the requirement for certification. The act defines the term 'account' so broadly that many types of customer relationships seem to require certification. To date, many covered financial institutions are struggling to determine the precise terms of the correspondent account certification requirement for their institution.

Correspondent accounts for foreign shell banks
On November 20 2001 the Treasury first provided interim guidance with respect to Sections 313(a) and 319(b) of the act, both of which deal with correspondent accounts. Sections 313(a) and 319(b) became effective on December 26 2001; however, the Treasury has not yet issued a final rule on how to interpret either section. While the prohibition on maintaining correspondent accounts for foreign shell banks seems fairly settled, interpretation of certain other provisions in Section 313(a) and Section 319(b) is still unclear.

Section 313(a) prohibits covered financial institutions from maintaining correspondent accounts in the United States for foreign shell banks - basically, foreign banks without a physical presence in any country.(5) A 'correspondent account' is defined as "an account established to receive deposits from, make payments on behalf of a foreign financial institution, or handle other financial transactions related to such institution". 'Accounts' include:

  • accounts to purchase, sell, lend or otherwise hold securities for or on behalf of the foreign bank or its customers;

  • prime brokerage accounts that consolidate trading done at a number of firms;

  • accounts for trading foreign currency;

  • custody accounts;

  • over-the-counter derivative accounts; and

  • futures accounts maintained by broker-dealers that are dually registered as futures commission merchants.

Section 313(a) also requires that covered financial institutions take reasonable measures to ensure that any correspondent account provided to a foreign bank is not being used indirectly to provide banking services to a foreign shell bank. The interim guidance provides a certification form for use by covered financial institutions that requires foreign banks which maintain correspondent accounts with the covered financial institution to attest that the foreign bank is not a shell bank, and to attest as to whether it provides any services to foreign shell banks. A covered financial institution that recognizes it maintains an account for a foreign shell bank (that is not a regulated affiliate) must close the account immediately.

On December 20 2001 the Treasury issued a proposed rule that codified the November interim guidance. The proposed rule carried forward the model certification first proposed in the interim guidance, but added some modifications. The proposed rule includes a requirement that covered financial institutions verify the information contained in the certification every two years, or when the covered financial institution believes such information may no longer be accurate. The proposed rule includes a model 'recertification' form, receipt of which from a foreign bank would serve as a safe harbour with respect to that bank.

In the interim guidance, the Treasury indicated its intent to consult with the SEC regarding applicable standards for broker-dealer compliance with Section 313(a). Specifically, the Treasury sought SEC guidance on the types of accounts maintained by broker-dealers that are similar to the correspondent accounts maintained by depository institutions. Based on this analysis, the proposed rule states that broker-dealers must comply with the requirements of Section 313(a) for any account they provide in the United States for a foreign bank that allows the foreign bank to engage in securities transactions, funds transfers or other financial transactions. Covered account types include:

  • certain prime brokerage accounts;

  • accounts to trade foreign currency;

  • custody accounts for foreign banks and their customers; and

  • derivatives accounts and futures accounts, provided the broker-dealer is dually registered as a futures commission merchant.

Records maintenance for correspondent accounts of foreign banks
Section 319(b) requires covered financial institutions that provide a correspondent account in the United States to a foreign bank to maintain (i) records identifying the foreign bank's owners, and (ii) the name of an agent for the foreign bank located in the United States designated to accept service of legal process for records regarding the correspondent account. Section 319(b) was added to the Bank Secrecy Act through the addition of Section 5318(k) to Title 31 of the US Code.

The proposed rule defines 'owners' as large direct owners, indirect owners and reportable small direct owners. This includes persons who individually, or acting as group, directly or indirectly own 25% or more of a foreign bank's voting shares or voting interests. Section 319(b) also authorizes the Treasury and the US attorney general to issue a summons or subpoena to any foreign bank that maintains a correspondent account in the United States, and to request records relating to such account, including records maintained outside the United States, relating to the deposit of funds into the foreign bank. If a foreign bank fails to comply with or contest the summons or subpoena, a covered financial institution with which the foreign bank maintains a correspondent account must terminate the account upon notice from the Treasury or the attorney general.

Reporting Currency Transactions

While banks and broker-dealers have been required to file reports with respect to large customer cash or currency transactions for some time, the act extended the currency transaction reporting requirement to anyone engaged in a trade or business.

On December 20 2001 the Treasury issued an interim final rule under Section 365 of the act that amends the Bank Secrecy Act by requiring "any person engaged in a trade or business" to file a currency transaction report with FinCEN and the US Internal Revenue Service (IRS) on Form 8300 (a joint reporting form) for any single cash transaction in excess of $10,000 or related cash transactions that together exceed $10,000.(6) The interim final rule became effective on January 1 2002. Financial institutions that already file currency transaction reports with the IRS do not need to separately file a currency transaction report with FinCEN. For transactions involving currency or bearer instruments exceeding $10,000 that are shipped or transported outside of the United States, financial institutions must complete a US Customs Form 4790, or a report of international transportation of currency or monetary instruments. A financial institution would not need to complete a currency transaction report or a report of international transportation of currency or monetary instruments if it has a strictly enforced 'no cash' policy.

Improvement of Information Sharing

On February 26 2002 the Treasury issued one proposed rule and one interim final rule related to information sharing. The proposed rule, issued under Section 314(a) of the act, seeks to strengthen existing communication links between FinCEN, federal law enforcement agencies and financial institutions. Under the proposed rule, federal law enforcement officials will provide the names of and other information regarding suspected money launderers or terrorists to FinCEN. FinCEN will then send this information to financial institutions and will request that the financial institutions check their account records for the names. If a match is found, financial institutions are asked to report the match by either emailing FinCEN ([email protected]) or by calling the Financial Institutions Hotline (+1 866 566 3974). Federal law enforcement officials will follow up with the financial institution directly.

The interim final rule, adopted in accordance with Section 314(b) of the act, allows financial institutions to share information with other financial institutions concerning suspected money launderers and terrorists. In order to participate, a financial institution must file a certificate each year with FinCEN. If, as a result of sharing information, a financial institution suspects terrorist activity, the financial institution is asked to call the Financial Institutions Hotline and, where appropriate, to file a suspicious activity report with FinCEN. The interim final rule adopting Section 314(b) became effective on March 4 2002.

Enhanced Due Diligence

Required levels of due diligence
The act cites various required levels of due diligence with respect to scrutiny of certain types of correspondent account and private banking relationships deemed to present greater potential for money laundering abuses. Section 312 of the act requires financial institutions to have "appropriate, specific and, where necessary, enhanced due diligence" designed to detect and report money laundering through correspondent accounts or private banking accounts held in the United States for non-US persons. The precise requirements attached to 'appropriate', 'specific' and 'enhanced' due diligence are detailed.

Section 312 also requires financial institutions to conduct enhanced due diligence for correspondent accounts held for foreign banks which:

  • operate under an offshore banking licence;

  • are licensed in a 'non-cooperative' jurisdiction; or

  • reside in jurisdictions which the secretary of the Treasury has designated as warranting special measures due to money laundering concerns.

Enhanced due diligence procedures must, at a minimum, take reasonable steps to:

  • determine the owners of the foreign bank;

  • conduct enhanced scrutiny of the account and report suspicious activity; and

  • determine whether the foreign bank maintains correspondent accounts for other banks, and if so, identify these banks.

Section 312 defines 'private banking account' as an account for one or more individuals with a minimum aggregate deposit of $1 million that is administered or managed by a liaison between the financial institution and the direct or beneficial owner. Section 312 states that financial institutions must take reasonable steps to identify the nominal and beneficial owner of the private banking accounts and the sources of the account funds. Financial institutions that maintain private banking accounts for senior foreign political figures, immediate family members and close associates must undertake enhanced scrutiny against the laundering of proceeds from foreign corruption. The Treasury has provided no guidance to date as to who is a 'senior' foreign political figure.

Implementation
The provisions in Section 312 became effective on July 23 2002. The Treasury issued a proposed rule on May 23 2002 to implement Section 312. On July 19 2002, with the July 23 2002 deadline looming, the Treasury issued an interim final rule acknowledging that its compliance with the July 23 2002 deadline was not possible. The Treasury has indicated that it will issue a final rule under Section 312 by October 25 2002. The interim rule states that banks (including branches and agencies of foreign banks in the United States), saving associations and credit unions were required to comply with the terms of Section 312 by July 23 2002. Under the interim rule broker-dealers, futures commission merchants and introducing brokers were required, by July 23 2002, to comply with Section 312 only with regards to private banking accounts held for non-US persons. The Treasury has deferred application of the section to all other financial institutions - including mutual funds, money services businesses and operators of credit cards - until adoption of the final rule.

Section 312 differs from Section 319(b) in that the latter only requires a financial institution to maintain records of the owners of foreign banks who hold correspondent accounts with it, along with the name of a US agent for service of legal process. Section 312, on the other hand, is much broader, in that it requires a financial institution to conduct due diligence for any correspondent account held in the United States for a non-US person. Thus, maintaining the names of the owners of foreign banks and US agents for service of process is not sufficient for overall compliance with the act. Instead, financial institutions must undertake additional due diligence to ensure that non-US persons holding correspondent accounts with them are not engaged in money laundering.

Correspondent accounts held by banks
Financial institutions must establish due diligence policies and procedures designed to detect and report money laundering for correspondent accounts maintained in the United States for non-US persons. The interim rule states that a due diligence programme should focus compliance efforts on the correspondent accounts that pose a high risk of money laundering, based on an overall risk assessment of the potential for money laundering by the foreign correspondent institution.

The interim rule adds that the Treasury expects banks to accord priority to high-risk foreign banks, with a special focus on correspondent accounts used to provide services to third parties. Further, the interim rules also states that the Treasury expects banks to give priority to high-risk foreign financial institutions, such as money transmitters, especially with respect to applying due diligence to accounts opened on or after July 23 2002.

The Treasury expects that banks will adopt a due diligence policy that comports with existing best practices and industry standards for correspondent accounts held for foreign banks. It also expects financial institutions to act with good-faith intent to expand existing due diligence procedures to cover foreign financial institutions as well as foreign banks.

High-risk foreign banks
Under the interim rule, the enhanced due diligence programme for foreign banks that have an offshore banking licence or are licensed in a non-cooperative jurisdiction or a jurisdiction warranting special measures is reasonable if it comports with existing best practices standards for banks that maintain correspondent accounts for foreign banks. The Treasury expects banks to accord priority in applying enhanced due diligence to accounts opened on or after July 23 2002.

Private banking accounts
Under the interim rule a private banking account due diligence programme is reasonable if it focuses on those private banking accounts that pose a high risk. Financial institutions are asked to look to due diligence guidelines promulgated by the Federal Reserve and the Treasury regarding the use of proceeds from foreign corruption as guidance. Again, the Treasury expects financial institutions to accord priority to private banking accounts opened on or after July 23 2002.

Comment

While all financial institutions are required to comply with the act, there have been substantial practical differences in the approaches taken by the Treasury and other federal regulators depending on the particular type of financial institution involved. There has been greater certainty with respect to the treatment of banks than with respect to, for example, broker-dealers, insurance companies and hedge funds. Nevertheless, 10 months after the passage of the act, it is possible to identify some key elements of anti-money laundering programmes which should be adopted by various types of financial institutions, either as a matter of absolute requirement or of best practices. These are as follows:

  • Establish an anti-money laundering programme. Financial institutions should establish and periodically review and revise an anti-money laundering programme that provides for (i) comprehensive policies and procedures to detect money laundering (with special attention to KYC, correspondent account and suspicious activity reporting); (ii) the designation of a compliance officer to oversee the implementation and enforcement of anti-money laundering policies and procedures; (iii) ongoing employee training in the prevention and detection of money laundering; and (iv) the adoption of an independent review programme (either internal or external) to test the financial institution's overall compliance.

  • Revise customer identification and verification procedures. Financial institutions should revise their account-opening or KYC due diligence policies and procedures in order to assess adequately the money-laundering risk of any potential customers. Financial institutions should check customer names against government terrorist lists (including with OFAC) at the moment a customer opens an account. Financial institutions should also maintain accurate customer records for at least five years after the account is closed.

  • Adopt procedures on reporting suspicious activity to FinCEN. Banks, bank holding companies and broker-dealers should adopt policies and procedures to report suspicious activity to FinCEN. The policies and procedures should include employee training on how to complete a suspicious activity report, and how and when to contact FinCEN.

  • Terminate correspondent accounts with foreign shell banks. Covered financial institutions should promptly terminate their account relationships with any foreign shell banks. A covered financial institution should also obtain a certification or other assurance that its correspondent foreign bank customers do not have foreign shell banks as customers. A covered financial institution should renew the certification every two years or earlier if it suspects that the information provided is no longer accurate.

  • Complete the correspondent account certification process. Covered financial institutions should be nearing the end of the correspondent account certification process mandated by the act and implemented by the Treasury

  • File currency transaction reports for transactions in excess of $10,000. All persons "engaged in a trade or business" should file currency transaction reports via joint IRS/FinCEN Form 8300 for cash transactions in excess of $10,000. For transactions involving currency or bearer instruments in excess of $10,000 that are shipped or transported outside of the United States, all financial institutions should file a report of international transportation of currency or monetary instruments.

  • Adopt a policy on information sharing with other financial institutions. Financial institutions should consider filing a certificate under Section 314(b) to enable the sharing of information with other financial institutions concerning suspected money laundering. Prior to filing such a certificate, an appropriate policy on sharing information should be adopted

  • Adopt due diligence procedures for correspondent and private banking accounts. Financial institutions should institute due diligence policies for correspondent accounts and private banking accounts maintained on behalf of non-US persons, with special focus on high-risk accounts and those accounts opened on or after July 23 2002.



For further information on this topic please contact Connie Friesen at Sidley Austin Brown & Wood LLP by telephone (+1 212 839 5507) or by fax (+1 212 839 5599) or by email ([email protected]).


Endnotes

(1) See Public Law 107-56.

(2) See 31 USC Sections 5311 et seq.

(3) See 31 USC Section 5312(a)(2).

(4) See 31 USC 5318(g).

(5) 'Physical presence' means a place of business that is maintained by a foreign bank and located at a fixed address, other than a post office box or electronic address, in a country where the foreign bank is authorized to conduct bank activities, at which location the foreign bank:

  • employs one or more individuals full time;

  • maintains operations and banking-related records; and

  • is subject to inspection by the banking authority that licensed the foreign bank to conduct banking activities.

There is an exception for foreign shell banks that are 'regulated affiliates'. A regulated affiliate is a foreign shell bank that (i) is an affiliate of a depository institution, credit union or foreign bank that maintains a physical presence in the United States or a foreign country, and (ii) is subject to supervision by a banking authority in the country regulating such affiliate.

(6) Adoption of the interim final rule would result in a new Section 31 CFR 103.30 in order to implement 31 USC 5331, as added to the Bank Secrecy Act by Section 365 of the USA Patriot Act.